--- begin forwarded text Delivered-To: DIGSIG@LISTSERV.TEMPLE.EDU MIME-Version: 1.0 Date: Fri, 6 Nov 1998 12:39:53 -0200 Reply-To: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU> Sender: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU> From: Ed Gerck <egerck@LASER.CPS.SOFTEX.BR> Subject: Identification and Privacy are not Antinomies To: DIGSIG@LISTSERV.TEMPLE.EDU Identification and Privacy are not Antinomies This is a comment to the article "Not for Identification Purposes" by Richard Sobel, of 8/12/98, and a reply by Jorge Cortell-Albert, all referenced at http://cyber.law.harvard.edu/filter/101598/letters.html
From the inherent conflict seen in these articles, it is quite apparent that one could profit from a new perspective when dealing with identification issues today. Not only because of historical examples of misuse or because the Clinton administration is proposing a national ID card that may compromise privacy, but because we need to harmonize needs with tools. Clearly, there is an escalating need to identify -- likewise, there is an increasingly easy access to information and massive cross-checking of data based on global indexes.
Biometrics, contrary to expressed opinion such as Cortell-Albert's, is not self-secure and cannot protect what it forthrightly denies: privacy. One does not even have to recall the proverbial truck that hits the subject, in order to realize that biometrics is also perishable. In fact, biometrics just highlights the basic paradox of privacy versus security -- where one is asked to forfeit privacy in a rather permanent way in order to gain some transient level of security. Are identification and privacy antinomies, like freedom and slavery? Is there an unresolvable conflict between both security and privacy? Current expressed opinion, such as Sobel's and Cortell-Albert's, says "yes" to both questions. As we have no real solution within the current level of understanding, one needs a fresh look into identification and identity. To exercise the solution, Internet protocols can provide a good practical arena accessible to all and truly international -- thus, I will use it in this exposition as an example. However, it will be clear that I could likewise use anything else -- even the US Government's current proposal for a national ID card. Identification is often understood as an act of identifying, or of establishing an identity. Identity is usually defined as "the distinguishing character or personality of an individual" [1]. Of course, such definitions cannot be applied on the Internet. Any mention to "identity" or "identity authentication" on the Internet is a mere tag for something else, such as an individual's purported attribute. Certainly, without any physical contact with an individual or even without any way to directly verify it. It is simply not possible to speak of "identity" or "identification" as a dictionary defines it, over the Internet. All legal and technical studies that call for or depend on such equivalence are misleading. Any such "identity" or "identification" can be faked, repudiated or are specifically unwarranted (e.g. by commercial CAs) to relying-parties over the Internet. That the US INS accepts UK birth (naming) certificates in order to certify immigration status for its own policy of regulation, does not mean that the INS is acting to "confirm" the legitimacy of the name, or organise the UK namespace. So, the first conclusion is that acceptance of an identity by a recipient does not make that identification more veritable to others ... though it is often interpreted so, especially when a third document is issued by the recipient and publicly known. Sure, there is a bar on the standard of the {UK,...} authorities who the INS respects sufficiently for its own activities. But INS confirmation (or rather "use") confers no status on the original document unless the INS policy wished to make such representation explicit. Which would involve legal responsibilities that escalate like those that would derive from a blank signed cheque. Thus, this is also an unsolved problem in the 3D-world, outside the Internet. On 15th April 1997, The Daily Telegraph, a UK quality newspaper, reported on Alan Reeve [2] -- a convicted criminal and triple killer who was described as "friendly, caring, dependable and loving" by his fiancÈe when he was arrested under false identity in Ireland. Clearly, the indeterminacy of "identity" on the 3D-world is itself a reason to doubt any extension of such credentials to the Internet [3,4]. Which is made worse by the often neglected fact that the certificate user (e.g., "relying-party") is not privy to the contract between the CA and the certificate subscriber [3]. Further, CAs effectively contradict any possible public rights that relying-parties might claim, by declaring in the CA's CPS (the governing law) that a certificate has no warranted content to relying-parties [3]. Moreover, on the Internet, we also need to identify hosts, routing, software, etc. -- not just humans. Thus, the basic Net disconnect is that the Internet is essentially that wire that goes to your computer! Anything else that you imagine is just this -- you imagine. Even if you receive a message that looks like mine, from my address, should you believe 100% it is mine? "Doubt until you have proof". Of course, the degree of proof required depends on what is at stake and what is your cost -- however, the best proof is to be considered the one that leaves the concerned parties with no doubts [cf. 2]. Of course, the law may require a higher degree of proof (eg, when buying firearms you cannot just do it over e-mail -- you need to present a legal identity, a legal connection to yourself and perhaps also an address as a further legal connection). The same disconnect happens in the 3D world, because who is to affirm that the presented ID card is the "right one"? Or, that the person depicted in the card is the "right one"? Who is Alan Reeve? However, as given in [5,6], there is an answer to the privacy/security paradox. And, practical tools that may help the Clinton administration (or, any government, company or individual) to decrease costs without resorting to privacy burdens over the puported beneficiaries. The answer begins by a question: What is "to identify"? The study shows that "to identify" is to look for connections. Thus, in identification we look for logical or natural connections -- we look for coherence. The work shows that not identity but coherence is the general metric for identification and deduces more than 64 basic types of identification. More coherence and more identification types mean stronger identification, even if anonymous. Identification can thus be understood not only in the sense of an "identity" connection, but in the wider sense of "any" connection. Which one to use is just a matter of protocol expression, need, cost and (very importantly) privacy concerns. A further benefit is that it allows clear definitions for a large number of new anonymous identification types, sorely needed on the Internet, for e-commerce and to decrease costs inccurred with fraud, in general, but without compromising one's privacy just to tank the car or buy a lunch. I note that even though motivated by the Internet, as a practical arena, the concepts reported in [5,6] can be applied to improve any identification method -- including the present proposal by the US Government. Cheers, Ed Gerck ============================================ References: [1] Merriam-Webster Dictionary, http:www.m-w.com [2] http://www.mcg.org.br/auth_b1.htm [3] http://www.mcg.org.br/certover.pdf [4] http://www.mcg.org.br/cert.htm [5] http://www.mcg.org.br/coherence.txt [6] http://www.mcg.org.br/coherence2.txt ______________________________________________________________________ Dr.rer.nat. E. Gerck egerck@novaware.cps.softex.br http://novaware.cps.softex.br --- end forwarded text ----------------- Robert A. Hettinga <mailto: rah@philodox.com> Philodox Financial Technology Evangelism <http://www.philodox.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'