CDR: Non-Repudiation in the Digital Environment (was Re: First
Tony Bartoletti wrote:
The problem goes beyond simple impersonation in that the victims subsequently find it difficult to convince large institutions that they are who they say they are. My understanding is that the term comes from victims' statements that they felt as if their identities had been stolen. See http://www.consumer.gov/idtheft/. The question is relevant here, not as just another parallel question of semantics, but because exactly how the legal system treats "non-repudiation" can make the identity theft problem much better or much worse.
No. The fact that people like to talk in dumbed down soundbites like "identity theft", instead of using well-established words like "impersonation", does not mean that any legally relevant conclusions can be drawn from the misuse of technical terms like "theft" in the soundbite.
Other choices?
Identity Theft
Identity Pollution
Identity Vandalism
Identity Assault
Identity Misappropriation (Slander in the First Person :)
Would it matter if we substitute "reputation" for "identity". Is my identity (to others) any different than the reputation with which it is associated?
Call it what you will. If institutions that once recognized me fail now to do so, I have lost something-in-general.
Name that something-in-general.
Well, you have not lost it nor has it been "stolen". You are simply barred from using it. This is the result of impersonation, since now the other person is the one that has access to it.
The use of "identity theft" instead of impersonation is thus utterly misleading, even though lawyers and lawmakers are the ones perpetrating such use. No legally relevant conclusions can be drawn from the misuse of the technical term "theft" in the soundbite.
In comparison, defining non-repudiation in terms of protocol messages and only for protocol messages is, at most, a solipsistic endeavor. However, it is IMO a most useful one so that others, including lawyers and lawmakers, are prevented from using it in a perverted way just because RFCs are written in English.
Cheers, Ed Gerck
Tony Bartoletti wrote:
No. The fact that people like to talk in dumbed down soundbites like "identity theft", instead of using well-established words like "impersonation", does not mean that any legally relevant conclusions can be drawn from the
Other choices?
Identity Theft
Identity Pollution
Identity Vandalism
Identity Assault
Identity Misappropriation (Slander in the First Person :)
Would it matter if we substitute "reputation" for "identity". Is my identity (to others) any different than the reputation with which it is associated?
Call it what you will. If institutions that once recognized me fail now to do so, I have lost something-in-general.
Name that something-in-general.
Well, you have not lost it nor has it been "stolen". You are simply barred from using it. This is the result of impersonation, since now the other person is the one that has access to it.
The use of "identity theft" instead of impersonation is thus utterly misleading, even though lawyers and lawmakers are the ones perpetrating such use. No legally relevant conclusions can be drawn from the misuse of the technical term "theft" in the soundbite.
I believe a more accurate term would be "credentials fraud", a more sound biteable term might be "credentials theft", which is fairly accurate.
--
A quote from Petro's Archives:
**********************************************
Sometimes it is said that man can not be trusted with the government of himself. Can he, then, be trusted with the government of others? Or have we found angels in the forms of kings to govern him? Let history answer this question. -- Thomas Jefferson, 1st Inaugural
Other choices?
Identity Theft
Identity Pollution
Identity Vandalism
Identity Assault
Identity Misappropriation (Slander in the First Person :)
Would it matter if we substitute "reputation" for "identity".
I think it'd be clearer.
Is my identity (to others) any different than the reputation with which it is associated?
No. I suggest Reputation Hijacking, but don't expect the lexicon to change.
At 12:31 PM -0400 10/18/00, David Honig wrote:
Other choices?
Identity Theft
Identity Pollution
Identity Vandalism
Identity Assault
Identity Misappropriation (Slander in the First Person :)
Would it matter if we substitute "reputation" for "identity".
I think it'd be clearer.
Is my identity (to others) any different than the reputation with which it is associated?
No.
I suggest Reputation Hijacking, but don't expect the lexicon to change.
And I think all of these examples/phrases miss the essential point.
(I don't intend for this to sound too confrontational, though it is phrased bluntly. This is in fact an extremely interesting topic, and I thank David for making his points so that I can rebut them.)
Here are the bold, but little-appreciated, points:
Alice does not own her reputation.
Alice does not own her identity.
Alice does not own the trust others have in her various credentials.
Alice does not own the various beliefs people and agents around her have. Even when those beliefs involve _her_, e.g., her identity, her age, her creditworthiness, her insurability, and her "reputation."
The key issue is an ontological one. These are all beliefs that various others have in some attribute or credential referring to Alice.
Bob believes Alice to be a trustworthy person.
Charles believes Alice to be 25 years old.
Dorenda believes Alice to actually be the person with the birthname "Alice B. Toklas."
And so on.
Sometimes other people act to change these beliefs. Hilda the Hijacker says "Do you know that Alice was actually born Ruthanne Rutledge?" Or Lenny the Lender says "Alice borrowed money from me and didn't pay it back. Watch out for her."
Has Hilda the Hijacker actually "hijacked" Alice's name identity? Has Lenny the Lender stolen Alice's creditworthiness?
Crypto and related tools offer Alice and others the means to make such casual "thefts" (aspersions, etc.) harder to do. Alice can digitally sign to "prove" mathematically she is the holder of certain credentials. And so on, for the obvious extensions to webs of trust, webs of doubt, webs of gossip, etc.
Any talk of "theft" or "misappropriation" misses this key point. And, even more importantly than the crypto/signature part (ironically), such language misses the critical issue of "who owns a reputation?"
As I have described above, Alice does not own her reputation: "her" reputation consists of a set of beliefs of varying degrees of certainty held by a set of people around her.
"Where do I go to get my reputation back?" Think about it.
The same point applies to identity, of course.
--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
"Cyphernomicon" | black markets, collapse of governments.
Other choices?
Identity Theft
Identity Pollution
Identity Vandalism
Identity Assault
Identity Misappropriation (Slander in the First Person :)
Would it matter if we substitute "reputation" for "identity". Is my identity (to others) any different than the reputation with which it is associated?
Call it what you will. If institutions that once recognized me fail now to do so, I have lost something-in-general.
Name that something-in-general.
Well, you have not lost it nor has it been "stolen". You are simply barred from using it. This is the result of impersonation, since now the other person is the one that has access to it.
This is a curious viewpoint. If someone makes off with my car, according to the DMV the car is still owned by me. Thus, it has not been stolen, I am simply barred from using it while the other person has access to it. (And if it has a hidden tracking device, it has not even been "lost".)
The use of "identity theft" instead of impersonation is thus utterly misleading, even though lawyers and lawmakers are the ones perpetrating such use. No legally relevant conclusions can be drawn from the misuse of the technical term "theft" in the soundbite.
In comparison, defining non-repudiation in terms of protocol messages and only for protocol messages is, at most, a solipsistic endeavor. However, it is IMO a most useful one so that others, including lawyers and lawmakers, are prevented from using it in a perverted way just because RFCs are written in English.
I appreciate your comments, but I still feel that "impersonation" is too general a term, and lacks important implications of the term "identity theft".
It is one crime to impersonate an officer. The crime is not one that some officer finds their personal identity subverted or nullified. The term is often used when an "impersonal role" is assumed. In some venues, impersonation can be flattering.
If I use a sledgehammer to smash a car's windshield, or someone's forehead, I am not charged in both cases with "sledgehammering". The name of the crime reflects the result more generally than the means employed, in this case either "destruction of private property" or "homicide".
Granted that "theft" is most often associated with the physical removal of property. But the import of the term is both that (1) the legitimate owner finds they no longer have the use of the item, and (2) the "thief" profits by the misappropriation, as if they were the owner-possessor.
It may not be a complete match, but "identity theft" is well characterized by points (1) and (2) above. That the "theft" is accomplished through the mechanism of impersonation seems at most a related issue. You might well point out that, unlike an ordinary theft, what was "taken" here cannot be simply returned.
If, instead of impersonation, I were to access and modify records and accounts in your name, add police records, medical problems, and credit anomalies, what term would be appropriate for the crime? I consider perhaps "character assassination" to come rather close. Unlike a "theft", the perpetrator is not "assuming" the role corresponding to the now-polluted data.
(Note: "Impersonation" also conveys no direct sense that, once the impersonation is halted, the significant damage remains. But this is true of "identity theft" as well. "Identity assault" captures this, but not the misappropriated use.)
Sound-bites (memes) will only persist if they have utility. Time will tell.
___tony___
Tony Bartoletti 925-422-3881 <azb@llnl.gov>
Information Operations, Warfare and Assurance Center
Lawrence Livermore National Laboratory
Livermore, CA 94551-9900
Tony,
Your examples were so bad!
;-) of course, I meant "good" as in that new IBM commercial where the IBM guy says that the IBM laptop is "bad" ;-)
I appreciate your comments and, yes, very often society uses contrary words to mean another thing. But if we step aside a bit from the usefulness or not of dumbed down soundbites or current slang in technical documents that should be precise, I see this "identity theft" discussion mainly as a counterexample to those that like to require a legal context to every word -- whereas we do not even have a worldwide legal context.
As we saw, lawyers and lawmakers are oftentimes the first ones to use the term "identity theft" -- which simply is not a theft, it is impersonation. Of course, I continue to hope that we in crypto don't have to use "identity theft" as well. But, should they continue to use it?
Some lawyers don't think so, including Mac Norton in this list who wrote:
Speaking as a lawyer, one of "they," they should not continue to use it. Identity theft might be accomplishable in some scenario, one in which I somehow induced amnesia in you, for example, but otherwise the use of the term to cover what you rightly point out is simply impersonation, does a disservice to my profession as well as yours.
I also think that using "identity theft" for what actually is impersonation is a disservice to our profession. In the same way that I think we need to make sure lay people understand that non-repudiation in the technical realm is not an absolute authentication or undeniable proof. If we can only do this, deny that non-repudiation means undeniable proof, it will already be very useful. Then, we may be able to apply the concept of non-repudiation as we feel the need for it in protocols -- and note that we did not invent it, rather we discovered it. Authentication is not sufficient to describe validity.
Cheers, Ed Gerck
At 01:06 PM 10/18/00 -0400, Tim May wrote:
At 12:31 PM -0400 10/18/00, David Honig wrote:
I suggest Reputation Hijacking, but don't expect the lexicon to change.
And I think all of these examples/phrases miss the essential point. ... Alice does not own her reputation. Alice does not own her identity. Alice does not own the trust others have in her various credentials. ... Crypto and related tools offer Alice and others the means to make such casual "thefts" (aspersions, etc.) harder to do. Alice can digitally sign to "prove" mathematically she is the holder of certain credentials. And so on, for the obvious extensions to webs of trust, webs of doubt, webs of gossip, etc.
Any talk of "theft" or "misappropriation" misses this key point.
Good point. Perhaps 'fraud by impersonation' is better. ...
"Where do I go to get my reputation back?" Think about it.
I suppose a chick with a sullied reputation has to go to a different social clique where they haven't heard of her, won't recognize her, and don't communicate with the clique that implements the first reputation.
You'll note I've phrased it so that the reputation is *distributed* amongst the former clique, which I think is your point: reputation (and the polymoderators thereof) is a private, nongovernmental matter. If you want to believe the council of rabbis or the better business bureau or the FTC it's your choice.
Of course, the maligned chick should have been using crypto to protect herself. Still, I'm aware of no protocol that will prevent malicious collaborators from claiming wrong things about her, e.g., if they restrict their libel to her and otherwise maintain trustworthy. PK sigs don't help.
ALSO, infosec is a *system* property, and you may have to trust others that you don't control. E.G., your (nominally private and typically authenticating) SSID was leaked to the public; this could be used to harass you. Similarly with digitized fingerprints that the DMV owns a copy of, etc. Which reminds me that you can't change those; meatspace 'identity' has a problem in that fingers will be used as authenticators, so meat-identity can't be as... parallel... as fully informational identities, like nyms.
Anyway, I don't think I ever claimed I "owned" my reputation (in the sense of being able to get the govt to coerce you to act that way). But I am bound to (I was going to write, "own") my 'responsibility to creditors', abuse of which by forging my meatspace-id is fraud, which the govt is reasonable in using violence to prevent. I suspect that you regard such impersonation-fraud as theft, as I do. I suspect we also both regard any violence-based (ie, govt) rules wrt linking meat to bits as unconstitutional limits on freedom of speech. Both points need to be communicated to Joe Sixpack, Joseph Merlot, and Johannes Bourbon III.
dh
At 07:09 PM 10/18/00 -0700, Ed Gerck wrote:
Tony,
Your examples were so bad!
;-) of course, I meant "good" as in that new IBM commercial where the IBM guy says that the IBM laptop is "bad" ;-)
Thanks :)
"identity theft" -- which simply is not a theft, it is impersonation. Of course, I continue to hope that we in crypto don't have to use "identity theft" as well. But, should they continue to use it?
Some lawyers don't think so, including Mac Norton in this list who wrote:
Speaking as a lawyer, one of "they," they should not continue to use it. Identity theft might be accomplishable in some scenario, one in which I somehow induced amnesia in you, for example, but otherwise the use of the term to cover what you rightly point out is simply impersonation, does a disservice to my profession as well as yours.
There is "my sense of my identity", which works for me in many ways. Short of amnesia or devious brainwashing, that identity cannot be lost, stolen, or even diminished or tarnished in any way without "my consent".
There is "others' sense of my identity" which works also for me in important ways. It gets me recognized, allows me access, etc. When I am maliciously impersonated (impersonation itself not a crime I think) then the quantity we call "others' sense of my identity" has been polluted, vandalized, and in the most plain of terms, I have lost the facility of that identity needed in my relationship to others. And someone else has gained from its use.
Technically, one can argue that this is not "theft" of one's identity. (Would you grant it is "misappropriation of one's identifying attributes"?) But "impersonation", while very accurate, describes a method more than it does the crime itself, much as "discharging a firearm" is accurate, but says nothing about the intent, the target, or the damages.
The term "impersonation" can apply to a role, as in impersonating a police officer or a doctor. In such (ironically "impersonal") cases, no individual police officer's or doctor's identity (or character or reputation) is in any way involved. This being the case, how to distinguish (give a name) to the crime that DOES involve usurping the identifying attributes of an individual person, to the diminishment of their character or reputation?
Even "identity impersonation", while more specific, does not carry the connotations of criminality. (If I am invited to the wedding of a distant obnoxious relative, and pay a friend of mine to impersonate me at that wedding, I may be guilty of poor ethics, but I don't believe I have violated any criminal statute.)
So we come down to "unauthorized malicious identity impersonation". Doesn't quite roll off the tongue ...
Cheers!
___tony___
Tony Bartoletti 925-422-3881 <azb@llnl.gov>
Information Operations, Warfare and Assurance Center
Lawrence Livermore National Laboratory
Livermore, CA 94551-9900
participants (5)
- David Honig
- Ed Gerck
- petro
- Tim May
- Tony Bartoletti