Security-by-credential or security-by-inspection

Greg Broiles gbroiles at parrhesia.com
Thu Nov 8 11:58:09 PST 2001


At 09:46 AM 11/8/2001 -0800, Tim May wrote:

>The confusion "Nomen Nescio" shows in thinking that an is-a-person 
>government tracking system fixes the airline security problem is common 
>these days. It's the same confusion that causes many to think national 
>I.D. cards will fix current pressing problems. They won't.
>
>[...]
>Nomen Nescio and others should read Chaum's "Credentials without identity" 
>papers. A true name is just another credential, not necessarily more 
>important than any of several other credentials. People should think 
>deeply about this issue.

Indeed.

It's popular to frame this as a "this or that" question - like we've got a 
choice between terrorism (or insecurity) and security without privacy, and 
it's time for some group of people to deliberate carefully about the right 
choice to make, or the right way to balance mutually exclusive options.

There is no such choice - there is no other side to bargain with, who will 
accept our privacy or autonomy or liberty in exchange for guaranteed safety.

We can't build any sort of reliable security infrastructure on top of our 
existing identity scheme. Our current scheme doesn't provide for one-to-one 
mappings between people and identities, it doesn't provide for reliable 
ways to validate a proposed match between a meat body and an identity, and 
it provides a multitude of informal and traditional ways to adopt 
additional or alternate identities in a perfectly legitimate and orderly way.

There's simply no way to enforce or implement an "identity" system meant to 
track humans if all of the elements of the system are pure information, 
because people who want to defeat the system will report misleading or 
incomplete information.

It's also wildly impractical to even think of issuing some sort of physical 
token to the *billions* of people on Earth - people cannot (and will not) 
preserve them against loss, theft, damage, and so forth - nor can they be 
trusted not to falsely report loss or theft, or to sign up for multiple 
identities. Tokens which become associated with negative histories will be 
"lost" immediately; and tokens associated with positive histories will be 
targets of fraud and theft.

The only way to manage identity with the robustness required to provide the 
sort of trackability and accountability required for an application like 
that proposed is to use some sort of biometric identifier. Nazi Germany 
(and I don't bring them up just for shock value) understood that, and used 
tattooed numbers on the arms of Jews and other unfortunates to eliminate 
the possibility of identity fraud or theft.

In light of the logistical and capital requirements which a high-tech 
biometric system would require - and since we're talking about 
international travel and international border crossing, a strong ID project 
must be worldwide, not just US-based - it's simply not possible to think 
that we'd be able to use some sort of sexy high-tech retinal scanners, 
fingerprint scanners, hand geometry scanners, and so forth, to form the 
biometric basis of identity in such a system. The infrastructure doesn't 
exist, and can't be developed and deployed in anywhere near the time scale 
which would be required to address our current security problems, and the 
initial and recurring costs would be astronomical.

The only way we could implement a system like that, starting this year, 
would be with good old-fashioned human-readable or human-measurable factors 
which are unchangeable, or at least very difficult to change - and that 
means something like tattooing or branding every living human being, on a 
part of their body that's likely to be publicly visible, so an unmarked 
person (or person with altered marks) would be immediately conspicuous. A 
human-readable mark like a tattooed number would allow border guards, 
immigration workers, employers, and others to verify a person's status and 
provide updates using analog technology like telephones, faxes, or slow 
dialup modems which are universally available and whose installation and 
maintenance are relatively well understood.

So let's say we do tattoo a number on the inside of everyone's forearm - 
would that incredible infringement on privacy and freedom and autonomy 
guarantee us our safety?

No, it would not - it would allow us to identify people who had done bad 
things in the past, and restrict their access to places or things which we 
anticipate might allow them to cause very great damage in the future - but 
it would do nothing at all to identify people who have not yet been caught 
doing anything wrong. It also would not stop otherwise disqualified people 
from seizing controlled resources by trickery or force, or from assembling 
destructive things out of otherwise unremarkable consumer goods (like the 
truck bomb which struck the Murrah federal building in OKC.)

Tim McVeigh wasn't wanted or suspected of anything prior to the OKC bombing 
- identity-based security wouldn't have prevented him from renting the 
truck, nor buying the fertilizer and airplane fuel used to build his bomb. 
All of the alleged WTC hijackers passed through immigration and other 
checkpoints without being detected as dangerous - if the technology and 
techniques we're discussing wouldn't even have prevented known attacks in 
the past, how can we imagine they'll be effective in the future?

It's a popular fantasy, this idea that people will faithfully report a 
"true name" which can be matched to a database of past actions which will 
reliably predict future behavior - but it's a failure in every way, from 
the notion of a true, unique name, to the idea that access to dossiers can 
be both widely available and reliable, to the idea that it's possible to 
know what someone will do tomorrow based on knowledge of his behavior in 
the past.

I can understand why people want to believe that it's possible - much like 
people want to believe that Marx' vision of Communism is possible, even in 
the face of many failed attempts which created only misery and starvation 
and death - but I'm disappointed to see that people's wish that it were 
possible turns out to be stronger than their common sense which should tell 
them that it is not.

When people talk about "ID checks", they're going down a slippery slope 
which leads to either ridiculously ineffective charades like our existing 
airport security - or to a deadly efficient system like forearm tattoos.

Is there anyone who wants any part of either of those visions of the future?

Can anyone articulate a feasible identity system, using technology 
available today in third-world countries, which would have prevented events 
like the WTC attack or the OKC bombing? How about anthrax in the mail?

If so, do you really want to live in that world?

If not, isn't it time we abandoned this "ID card" fairy tale, and started 
thinking about how to solve our current problems using the abilities and 
limitations of our current situation?


--
Greg Broiles -- gbroiles at parrhesia.com -- PGP 0x26E4488c or 0x94245961
5000 dead in NYC? National tragedy.
1000 detained incommunicado without trial, expanded surveillance? National 
disgrace.




