Tangled in the Threads
Jon Udell, October 29, 2001Digital IDs, Privacy, and Freedom
The rules for a "certificate-rich" world aren't yet written
As Byte.com's editorial director Jonathan Erickson notes in his October 22 editorial, the post-September-11 reshuffling of U.S. priorities has revived interest in the idea of national identity cards for citizens. It was, of course, hardly surprising that Oracle's Larry Ellison and Sun's Scott McNealy would advocate a scheme that requires massive databases and ubiquitous Java ID cards. What was quite unexpected, though, was the position taken by famed civil libertarian Alan Dershowitz. In an Op-Ed piece published in the New York Times on October 13, Dershowitz argued that by helping security efforts focus on individuals rather than ethnic stereotypes, IDs could on the whole enhance rather than diminish civil liberties:
I prefer a system that takes a little bit of freedom from all to one that takes a great deal of freedom and dignity from the few -- especially since those few are usually from a racially or ethnically disfavored group. A national ID card would be much more effective in preventing terrorism than profiling millions of men simply because of their appearance.
If that's contrary to our instincts but true, maybe there are other unexpected benefits. Could IDs also enhance privacy? If they're smart devices with cryptographic tools onboard, the answer might be yes.
It's been twenty-five years since the discovery of public-key cryptography. Today it remains a little-used and deeply paradoxical technology. The National Security Agency, alluding darkly to hostile use of "encrypted products and services," reminds us why encryption tools were until recently classified as weapons. They can wrap conversations in an impenetrable cloak of privacy. When I digitally sign an email message, on the other hand, the aim is not to cloak it (though I may do that too), but rather to assert my authentic identity.
These differing goals, secrecy and identification, have so far appealed mainly to cryptographers and computer geeks. Now that terrorists are using encryption technologies too, we're seeing renewed efforts to limit the availability and strength of tools for cloaking confidential communications. But of course it's too late. The algorithms are well known, the software widely distributed. We can't, and shouldn't, try to outlaw encryption. We can, and should, popularize it -- in conjunction with tools for asserting identity.
Current ID cards, which rely on photos, signatures, or Social Security numbers, are easy to abuse. A chip-based card won't be tamperproof, as some advocates claim. But it could offer more resistance to identity theft, a nasty invasion of privacy that's trivial to accomplish today. What's more, it could redefine our concept of an ID card. A passive credential that we surrender at checkpoints in a "show your papers" kind of America is nobody's idea of freedom. Proposed schemes admit this and make the ID card optional. But the choice between privacy and convenience is not a happy one. A smart device, however, could open up new possibilities. Like the cell phone, it could be a tool that empowers and liberates.
Enjoying the benefits of digital IDs
The twin uses of crypto tools -- to sign documents and to encrypt them -- rely on pairs of digitally-represented cryptographic keys. For years now, it's been possible to acquire such keys freely or inexpensively, and to use them in popular applications including the Microsoft and Netscape browsers and email programs. Hardly anyone does, though. It hasn't been easy for most people to figure out how to acquire personal digital IDs. And those who do can't easily move them from one application to another, or from one computer to another. As a result, cyberspace is a lot less convenient, secure, and private than it ought to have been by now.
Lacking digital IDs, we forego the convenience of single sign-on -- swiping your card rather than trying to remember names and passwords. And we forego the security of knowing, with some degree of assurance, who sent a message. Now that attacks come in paper envelopes as well as virtual ones, IDs that authenticate senders of messages may take on new importance.
We also forego the privacy of encrypted communication. It's astonishing how much sensitive business and personal correspondence is sent in plaintext email messages. That's especially true since tools for strong end-to-end encryption are already so widely deployed. Recently a colleague, whom I would characterize as a power user, wanted to send me a secure message. It came as a complete surprise to him that his mailer, Outlook Express, and mine, Netscape Messenger, were natively equipped to exchange encrypted messages.
Now that the so-called USA-Patriot Act is signed into law, questions about the FBI's email-snooping system, Carnivore, will again arise. Among the Carnivore-related documents collected by the Electronic Privacy Information Center is a technical review of the system. The report implies but does not come out and state the obvious fact that Carnivore's appetite is finally constrained not by judicial oversight, but by use of widely-available encryption technologies.
We might, of course, prefer not to let the bad guys hide from Carnivore. Since they can, we ought to at least enjoy the same protection ourselves. Security does not, in any case require indiscriminate snooping. It does, however, arguably require more robust means of identification.
A platform for identity management
In his seminal book Code and Other Laws of Cyberspace, Lawrence Lessig argued that commerce was the primary force driving us toward "a certificate-rich Internet." There was no need for government to mandate a digital ID infrastructure, in his view, because the market would take care of that. People would voluntarily choose IDs, as they now accept cookies, because refusing them would become increasingly inconvenient.
Will government now jump into the driver's seat? If there is to be a national ID scheme -- and it is still a big if -- much depends on what new balance emerges between government regulation and market forces. The lessons we can draw from the 16-month-old E-SIGN Act are contradictory. On the one hand, Congress was arguably right not to mandate any specific digital ID technology, or even to define digital signatures in anything but the most general way. On the other hand, critics are right to point out that since the market hasn't produced clear standards, the E-SIGN act has yielded few its intended benefits.
Perhaps the urgency of the current situation will break the logjam. We have here, I think, an opportunity to deploy a new kind of computing platform, one that can support a wide range of identity-related applications. Here, for example, is how one developer described his use of the iButton to my newsgroup:
Rich Kilmer:
I've been messing with iButtons for 5 years now. I actually ported their C API to Java for them (way back when...before the Java iButton). The reader is cheap (a serial reader is $10 or so, USB $35). We used them for access control to our office in my last company.
I just picked up three new Java iButtons (yes...they actually run bytecode), and three USB readers that look to the OS like smart card readers. They have a Win2000 login integration, and a great Java API (to JavaCard 2.0).
The Java iButtons do 1024-bit RSA key generation/signing, SHA-1 hashing and triple-DES encryption. They can store 30 X.509v3 certs with 1024 bit keys (and/or hundreds of usernames and passwords). You can write apps that run on the iButtons (like wallets) and they can communication to a desktop (or PDA) app.
If I were AOL I'd send one of these to every one of my users and blow MS Passport away!
This is cool technology. Like a smart card, it can be used in a lot of different ways. A device that identifies you at the airport might also identify you to a corporate intranet, or to a PGP web of trust, or to a Groove shared space. The technology, in other words, is inherently policy-neutral. It can be used by others to track your movements through public spaces, or by you to gain access to private spaces and protect what you do in those spaces.
It was scary enough when Microsoft proposed to assign itself government-like power to manage our identities in a centralized way. It's even scarier to imagine government assigning itself such power. Fortunately, the means to these ends imply a broad-based and open technological platform. Microsoft finally had to admit that Passport would have to allow other identification and authentication services to federate with it. I'd expect the same outcome in the case of a national ID scheme. A proprietary fixed-function system is just going to fail. Only an open general-purpose system can hope to deliver the benefits (convenience, security) that commerce and government want us to have, and that in truth we want too. If, as a result, card and button readers become standard equipment, and cryptographic keys and apps are widely deployed and used, that would be great. We are now resetting a series of balance points -- between freedom and control, identity and anonymity, public space and private space. Crypto itself doesn't resolve any of these dilemmas. But crypto-capable devices and readers do represent a new kind of platform, one that's relevant both to cyberspace and to the real world. Given such a platform, innovative developers will find all sorts of ways to use it. Maybe, just maybe, we'll end up both safer and freer.
Jon Udell (http://udell.roninhouse.com/) was BYTE Magazine's executive editor for new media, the architect of the original www.byte.com, and author of BYTE's Web Project column. He is the author of Practical Internet Groupware, from O'Reilly and Associates. Jon now works as an independent Web/Internet consultant. His recent BYTE.com columns are archived at http://www.byte.com/tangled/
This work is licensed under a
Creative Commons License.