From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@cyberpass.net
Message Hash: 841df6f73a29cac559b463c63ee058da8adcc6d60f208bfdbc627d8ddabbf128
Message ID: <v04020a33b268cf3de214@[139.167.130.246]>
Reply To: N/A
UTC Datetime: 1998-11-06 16:57:16 UTC
Raw Date: Sat, 7 Nov 1998 00:57:16 +0800
From: Robert Hettinga <rah@shipwright.com>
Date: Sat, 7 Nov 1998 00:57:16 +0800
To: cypherpunks@cyberpass.net
Subject: Identification and Privacy are not Antinomies
Message-ID: <v04020a33b268cf3de214@[139.167.130.246]>
MIME-Version: 1.0
Content-Type: text/plain
--- begin forwarded text
Delivered-To: DIGSIG@LISTSERV.TEMPLE.EDU
MIME-Version: 1.0
Date: Fri, 6 Nov 1998 12:39:53 -0200
Reply-To: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
Sender: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
From: Ed Gerck <egerck@LASER.CPS.SOFTEX.BR>
Subject: Identification and Privacy are not Antinomies
To: DIGSIG@LISTSERV.TEMPLE.EDU
Identification and Privacy are not Antinomies
This is a comment to the article "Not for Identification Purposes" by
Richard Sobel, of 8/12/98, and a reply by Jorge Cortell-Albert, all
referenced at http://cyber.law.harvard.edu/filter/101598/letters.html
>From the inherent conflict seen in these articles, it is quite
apparent that one could profit from a new perspective when dealing
with identification issues today. Not only because of historical
examples of misuse or because the Clinton administration is proposing
a national ID card that may compromise privacy, but because we need
to harmonize needs with tools. Clearly, there is an escalating need
to identify -- likewise, there is an increasingly easy access to
information and massive cross-checking of data based on global
indexes.
Biometrics, contrary to expressed opinion such as Cortell-Albert's,
is not self-secure and cannot protect what it forthrightly denies:
privacy. One does not even have to recall the proverbial truck that
hits the subject, in order to realize that biometrics is also
perishable. In fact, biometrics just highlights the basic paradox of
privacy versus security -- where one is asked to forfeit privacy in a
rather permanent way in order to gain some transient level of
security.
Are identification and privacy antinomies, like freedom and slavery?
Is there an unresolvable conflict between both security and privacy?
Current expressed opinion, such as Sobel's and Cortell-Albert's, says
"yes" to both questions.
As we have no real solution within the current level of
understanding, one needs a fresh look into identification and
identity. To exercise the solution, Internet protocols can provide a
good practical arena accessible to all and truly international --
thus, I will use it in this exposition as an example. However, it
will be clear that I could likewise use anything else -- even the US
Government's current proposal for a national ID card.
Identification is often understood as an act of identifying, or of
establishing an identity. Identity is usually defined as "the
distinguishing character or personality of an individual" [1].
Of course, such definitions cannot be applied on the Internet. Any
mention to "identity" or "identity authentication" on the Internet is
a mere tag for something else, such as an individual's purported
attribute. Certainly, without any physical contact with an individual
or even without any way to directly verify it.
It is simply not possible to speak of "identity" or "identification"
as a dictionary defines it, over the Internet. All legal and
technical studies that call for or depend on such equivalence are
misleading. Any such "identity" or "identification" can be faked,
repudiated or are specifically unwarranted (e.g. by commercial CAs)
to relying-parties over the Internet.
That the US INS accepts UK birth (naming) certificates in order to
certify immigration status for its own policy of regulation, does not
mean that the INS is acting to "confirm" the legitimacy of the name,
or organise the UK namespace.
So, the first conclusion is that acceptance of an identity by a
recipient does not make that identification more veritable to others
... though it is often interpreted so, especially when a third
document is issued by the recipient and publicly known.
Sure, there is a bar on the standard of the {UK,...} authorities who
the INS respects sufficiently for its own activities. But INS
confirmation (or rather "use") confers no status on the original
document unless the INS policy wished to make such representation
explicit. Which would involve legal responsibilities that escalate
like those that would derive from a blank signed cheque.
Thus, this is also an unsolved problem in the 3D-world, outside the
Internet. On 15th April 1997, The Daily Telegraph, a UK quality
newspaper, reported on Alan Reeve [2] -- a convicted criminal and
triple killer who was described as "friendly, caring, dependable and
loving" by his fiance when he was arrested under false identity in
Ireland.
Clearly, the indeterminacy of "identity" on the 3D-world is itself a
reason to doubt any extension of such credentials to the Internet
[3,4]. Which is made worse by the often neglected fact that the
certificate user (e.g., "relying-party") is not privy to the contract
between the CA and the certificate subscriber [3]. Further, CAs
effectively contradict any possible public rights that
relying-parties might claim, by declaring in the CA's CPS (the
governing law) that a certificate has no warranted content to
relying-parties [3]. Moreover, on the Internet, we also need to
identify hosts, routing, software, etc. -- not just humans.
Thus, the basic Net disconnect is that the Internet is essentially
that wire that goes to your computer! Anything else that you imagine
is just this -- you imagine.
Even if you receive a message that looks like mine, from my address,
should you believe 100% it is mine? "Doubt until you have proof". Of
course, the degree of proof required depends on what is at stake and
what is your cost -- however, the best proof is to be considered the
one that leaves the concerned parties with no doubts [cf. 2]. Of
course, the law may require a higher degree of proof (eg, when buying
firearms you cannot just do it over e-mail -- you need to present a
legal identity, a legal connection to yourself and perhaps also an
address as a further legal connection).
The same disconnect happens in the 3D world, because who is to affirm
that the presented ID card is the "right one"? Or, that the person
depicted in the card is the "right one"? Who is Alan Reeve?
However, as given in [5,6], there is an answer to the
privacy/security paradox. And, practical tools that may help the
Clinton administration (or, any government, company or individual) to
decrease costs without resorting to privacy burdens over the
puported beneficiaries.
The answer begins by a question: What is "to identify"? The study
shows that "to identify" is to look for connections. Thus, in
identification we look for logical or natural connections -- we look
for coherence. The work shows that not identity but coherence is the
general metric for identification and deduces more than 64 basic
types of identification. More coherence and more identification types
mean stronger identification, even if anonymous.
Identification can thus be understood not only in the sense of an
"identity" connection, but in the wider sense of "any" connection.
Which one to use is just a matter of protocol expression, need, cost
and (very importantly) privacy concerns.
A further benefit is that it allows clear definitions for a large
number of new anonymous identification types, sorely needed on the
Internet, for e-commerce and to decrease costs inccurred with fraud,
in general, but without compromising one's privacy just to tank the
car or buy a lunch.
I note that even though motivated by the Internet, as a practical
arena, the concepts reported in [5,6] can be applied to improve any
identification method -- including the present proposal by the US
Government.
Cheers,
Ed Gerck
============================================
References:
[1] Merriam-Webster Dictionary, http:www.m-w.com
[2] http://www.mcg.org.br/auth_b1.htm
[3] http://www.mcg.org.br/certover.pdf
[4] http://www.mcg.org.br/cert.htm
[5] http://www.mcg.org.br/coherence.txt
[6] http://www.mcg.org.br/coherence2.txt
______________________________________________________________________
Dr.rer.nat. E. Gerck egerck@novaware.cps.softex.br
http://novaware.cps.softex.br
--- end forwarded text
-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Return to November 1998
Return to “Robert Hettinga <rah@shipwright.com>”
1998-11-06 (Sat, 7 Nov 1998 00:57:16 +0800) - Identification and Privacy are not Antinomies - Robert Hettinga <rah@shipwright.com>