Mr. Slippery

I always wish I could read Neuromancer for the first time again, because nothing before or since has given me the rush that it did. What I did come across, recently, was True Names: And The Opening of the Cyberspace Frontier. It's a combination of Vernor Vinge's True Names, which was published in 1981 and presaged Neuromancer, and a collection of mid-'90s essays on crypto, identity, digital rights management, and related themes.

The protagonist of Vinge's story is Roger Pollack, but his True Name in "the Other Plane" (aka cyberspace) is Mr. Slippery. Strong pseudonymity is what protects and empowers Vinge's proto-hackers, and when Mr. Slippery's True Name becomes known to the authorities, he falls under their control.

Several of the accompanying essays amplify the theme, including Timothy May's 1996 True Nyms and Crypto Anarchy, which says in part:

In the language of chaos theory, there are two "attractors." Each major terrorist or criminal "incident" -- Oklahoma City, TWA flight 800, pedophile rings on the Net, etc. -- jumps us forward toward a totalitarian surveillance state. However, each new anonymous remailer, each new Web site, each new T1 link, etc., moves us forward in the direction of crypto anarchy. Which side will win is unclear at this time, though my hunch is that we passed the point of no return some years ago and are now irreversibly on the road to crypto anarchy.

I wouldn't have said that in 1996. By then I had already concluded that we should in most cases strongly assert the binding between real-world identities (True Names) and cyberspace identities, rather than try to hide the connection. We should ensure that pseudonymity is available to whistle-blowers, abuse victims, or political dissidents who cannot publicly own their words, but in general, we should encourage and support transparency and accountability.

After 9/11 I'm even more convinced this is the correct approach, but the devil is always in the details. Identity is a slippery thing indeed. It is, writes Phil Becker, "different":

The level of concern people have about controlling their identity information has been repeatedly underestimated by many in the industry as they focus on technology. Microsoft is not alone in failing to realize that if you make an agreement to store identity data, everything you say about what you are doing with it and how you are protecting it will be examined under a microscope. What are sufficient best practices regarding data security, backup, etc. with sensitive company data are simply not good enough for identity data. [ Digital ID World ]

Those who would implement services that revolve around digital identity face a steep learning curve. Learning to manage this data in reliable, transparent, and accountable ways is one part of the challenge. Learning to decompose it into multiple facets used selectively for different purposes is another.

Users too will confront slippery new concepts. We'll need to learn how to project different facets of identity into different situations. In Groove, for example, your account is a container of identities, one (or more) of which represents you in a shared space. That's an idea that takes some getting used to.

We'll also need to learn, through trial and error, about the strange behaviors that digital identity can exhibit. For example, I've signed my email messages for years, but it wasn't until this week that I learned of a subtle "semantic attack" on this method of identity assertion. Mark O'Neill, writing in his blog about the UI problems that plague security software, comes to the tongue-in-cheek conclusion:

If a government wished to limit the use of strong encryption, a good approach would be to plant lousy UI engineers in the security departments of messaging companies, to ensure that the process of setting up encrypted and signed email is as confusing as possible. [ Mark O'Neill ]

Sadly that's not as facetious as Mark says, but here's the really interesting twist: sometimes, he notes, "signing everything is not a good idea." Here's why:

Don't sign a vague message like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The deal's off

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOzOb9HwuAgBhK7KNEQLRSwCeMNxIiaf04ZejMbk
mcxjhTX7R/10AoJKsLbL3yWM4BrjmfvOYCGIdl0YG=h7ZQ
-----END PGP SIGNATURE-----

because you'll be subject to retargeting. There is nothing a cryptographer or engineer can do to protect such an easily misunderstood message.

The Cryptography Mailing List

In other words, lacking any reference in the signed message body to the sender, the recipient, or the subject, this message can be hijacked into an unintended context.
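
The retargeting problem described above, next to one mitigation (putting sender, recipient, subject and date inside the signed payload), as an added example that is not from the original post or the mailing-list message. HMAC-SHA256 stands in for the PGP signature so it runs on the Python standard library alone; the key, addresses, subjects and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the PGP signature here;
# the retargeting logic is the same for a public-key signature.
ALICE_KEY = b"constructed-demo-key-for-alice"

def sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def sign_bare(key, body):
    """Sign only the body, as in the vague message quoted above."""
    return {"body": body, "sig": sign(key, body.encode())}

def verify_bare(key, msg, envelope):
    # The envelope (From/To/Subject) is not covered, so it cannot be checked.
    return hmac.compare_digest(msg["sig"], sign(key, msg["body"].encode()))

def canonical(context, body):
    # Deterministic encoding, so signer and verifier hash the same bytes.
    return json.dumps({"context": context, "body": body}, sort_keys=True).encode()

def sign_bound(key, body, envelope):
    """Sign the body together with sender, recipient, subject and date."""
    context = {k: envelope[k] for k in ("from", "to", "subject", "date")}
    return {"context": context, "body": body, "sig": sign(key, canonical(context, body))}

def verify_bound(key, msg, envelope):
    expected = sign(key, canonical(msg["context"], msg["body"]))
    if not hmac.compare_digest(msg["sig"], expected):
        return False  # body or signed context was altered
    # Signature is valid; now require that it was made for this envelope.
    return all(envelope.get(k) == v for k, v in msg["context"].items())

# Constructed envelopes: the one the sender wrote for, and a different one
# that the same signed block is later placed into.
ORIGINAL = {"from": "alice@example.com", "to": "bob@example.com",
            "subject": "Lunch on Friday", "date": "2002-08-16"}
RETARGETED = dict(ORIGINAL, to="carol@example.com", subject="Acquisition contract")

if __name__ == "__main__":
    bare = sign_bare(ALICE_KEY, "The deal's off")
    bound = sign_bound(ALICE_KEY, "The deal's off", ORIGINAL)
    for name, env in (("original", ORIGINAL), ("retargeted", RETARGETED)):
        print(name, verify_bare(ALICE_KEY, bare, env), verify_bound(ALICE_KEY, bound, env))
```

The bare signature verifies in both envelopes; the context-bound one verifies only in the envelope it was written for, and rewriting the embedded context invalidates the signature.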

Slippery stuff indeed. But it's a greased pig that we will all, sooner or later, have to wrestle with.


Former URL: http://weblog.infoworld.com/udell/2002/08/16.html#a385