Cyphernomicon Top
Cyphernomicon 11.14

Surveillance, Privacy, And Intelligence Agencies:
Credentials


  11.14.1. This is one of the most overlooked and ignored aspects of
            cryptology, especially of Chaum's work. And no one in
            Cypherpunks or anywhere else is currently working on "blinded
            credentials" for everyday use.
  11.14.2. "Is proof of identity needed?"
           - This question is debated a lot, and is important. Talk of a
              national ID card (what wags call an "internal passport") is
              in the air, as part of health care, welfare, and
              immigration legislation. Electronic markets make this also
              an issue for the ATM/smart card community. This is also
              closely tied in with the nature of anonymous reamailers
              (where physical identity is of course generally lacking).
           + First, "identity" can mean different things:
             - Conventional View of Identity: Physical person, with
                birthdate, physical characteristics, fingerprints, social
                security numbers, passports, etc.--the whole cloud of
                "identity" items. (Biometric.)
             - Pseudonym View of Identity:  Persistent personnas,
                mediated with cryptography. "You are your key."
             - Most of us deal with identity as a mix of these views: we
                rarely check biometric credentials, but we also count on
                physical clues (voice, appearance, etc.). I assume that
                when I am speaking to "Duncan Frissell," whom I've never
                met in person, that he is indeed Duncan Frissell. (Some
                make the jump from this expectation to wanting the
                government enforce this claim, that is, provided I.D.)
           + It is often claimed that physical identity is important in
              order to:
             - track down cheaters, welchers, contract breakes, etc.
             - permit some people to engage in some transactions, and
                forbid others to (age credentials, for drinking, for
                example, or---less benignly--work permits in some field)
             - taxation, voting, other schemes tied to physical
                existence
           + But most of us conduct business with people without ever
              verifying their identity credentials...mostly we take their
              word that they are "Bill Stewart" or "Scott Collins," and
              we never go beyond that.
             - this could change as digital credentials proliferate and
                as interactions cause automatic checks to be made (a
                reason many of us have to support Chaum's "blinded
                credentials" idea--without some crypto protections, we'll
                be constantly tracked in all interactions).
           + A guiding principle: Leave this question of whether to
              demand physical ID  credentials up to the *parties
              involved*. If Alice wants to see Bob's "is-a-person"
              credential, and take his palmprint, or whatever, that's an
              issue for them to work out. I see no moral reason, and
              certainly no communal reason, for outsiders to interfere
              and insist that ID be produced (or that ID be forbidden,
              perhaps as some kind of "civil rights violation"). After
              all, we interact in cyberspace, on the Cypherpunks list,
              without any such external controls on identity.
             - and business contracts are best negotiated locally, with
                external enforcement contracted by the parties (privately-
                produced law, already seen with insurance companies,
                bonding agents, arbitration arrangements, etc.)
           - Practically speaking, i.e., not normatively speaking,
              people will find ways around identity systems. Cash is one
              way, remailers are another. Enforcement of a rigid identity-
              based system is difficult.
  11.14.3. "Do we need "is-a-person" credentials for things like votes
            on the Net?"
           - That is, any sysadmin can easily create as many user
              accounts as he wishes. And end users can sign up with
              various services under various names. The concern is that
              this Chicago-style voting (fictitious persons) may be used
              to skew votes on Usenet.
           - Similar concerns arise elsewhere.
           - In my view, this is a mighty trivial reason to support "is-
              a-person" credentials.
  11.14.4. Locality, credentials, validations
           + Consider the privacy implications of something so simple as
              a parking lot system. Two main approaches:
             - First Approach. Cash payment. Car enters lot, driver pays
                cash, a "validation" is given. No traceability exists.
                (There's a small chance that one driver can give his
                sticker to a new driver, and thus defraud the parking
                lot. This tends not to happen, due to the inconveniences
                of making a market in such stickers (coordinating with
                other car, etc.) and because the sticker is relatively
                inexpensive.)
             - Second Approach. Billing of driver, recording of license
                plates. Traceability is present, especially if the local
                parking lot is tied in to credit card companies, DMV,
                police, etc. (these link-ups are on the wish list of
                police agencies, to further "freeze out" fugitives, child
                support delinquents, and other criminals).
           - These are the concerns of a society with a lot of
              electronic payments but with no mechanisms for preserving
              privacy. (And there is currently no great demand for this
              kind of privacy, for a variety of reasons, and this
              undercuts the push for anonymous credential methods.)
           - An important property of true cash (gold, bank notes that
              are well-trusted) is that it settles immediately, requiring
              no time-binding of contracts (ability to track down the
              payer and collect on a bad transaction)


Next Page: 11.15 Records of all UseNet postings
Previous Page: 11.13 National Health Care System Issues

By Tim May, see README

HTML by Jonathan Rochkind