
"We Can Fix This Mess"
Privacy and Security Are Not Antithetical
We can have real privacy and real security. They can both be achieved at the same time with a new model for information infrastructures. The new model provides not only privacy and reliability, but also manageability and sound economics. But before we describe the new model, we have to step back. Way back.
Stepping way back means asking ourselves, what does an information infrastructure provide? What do people use software for? What kind of facilities do computers and networks deliver to their users?
Is not the value proposition of many information technology projects very similar to the value proposition of real estate? Much of today’s software provides facilities where information is created, shared and kept—where people engage with each other in professional, avocational, or other pursuits.
In the world of real estate, a facility that provides an occupant with a set of useful, secure, and manageable spaces in which people can collaborate, pursue an agenda, get things done, or simply entertain each other is said to provide “Quiet Enjoyment.” It’s what your landlord owes you, the tenant in good standing. Quiet Enjoyment is a two-word distillation of the lessor’s lease obligations. Quiet Enjoyment means that the occupant has an enforceable right to a secure, manageable, useful space that is free from intrusion by any unauthorized parties, including the landlord.
Hanging Out Outdoors, by the Highway
Let’s consider a space where Quiet Enjoyment is absent. We have no Quiet Enjoyment in, for example, a rest area by the side of a busy highway. While it might be possible to have a business meeting, keep your files, and let your kids play in a busy outdoor rest stop, of course you never would. We use highways to travel to buildings – facilities that are designed for these sorts of things. Facilities that provide Quiet Enjoyment. At least that’s what we do in the physical world. Online, we meet, keep our files, hang out, educate our children and let them play in rest areas beside the busy, anonymous, dangerous information highway. As awareness of the hazards of the space grows, we put up stuff like firewalls and spam filters and malware disablers and intrusion detection systems. That is, we put up razor wire and robotic sentries to try to make that rest area a little safer, a little quieter, a little more manageable, all the while telling our colleagues and our children and their teachers that they need to be constantly vigilant for signs of the presence of bad guys.
No wonder MIT’s Technology Review came to the conclusion in the cover headline of their January 2006 issue: “The Internet Is Broken.”
Imagine if we asked office dwellers and teachers to spend that much time and effort on constant vigilance. Just picture an office building or a school where multitudes of spies and intruders and fraudsters and predators constantly prowled the halls, disguised as colleagues and children. “Watch out, they’re always out there. Don’t touch that attachment, keep your patches and firewall rules up to date, pore over those logs every day!” How could anyone get anything done? Yet isn’t that kind of chaos what we can expect from life lived by the side of the highway?
And the whole notion of protection from bad guys is naïve, to say the least. The design of real workplaces assumes that everyone is both good and bad, that spaces need to be designated for groups working on particular projects or processes, that security is about giving the right kind of access and the right privileges to the right resources to the right people at the right time. Some groups are subsets of others, some spaces represent unions or intersections of groups; people come and go from groups, so access and privileges cannot define identity but rather must be easily assignable to an established, immutable identity; and that immutable identity must not only exist in a context that preserves privacy, but also the identity itself must be a cornerstone upon which privacy is secured.
Our Preposterous Security Paradigm
In this context the firewall notion of security is preposterous. It’s the picture of a workplace as a commando outpost in a jungle instead of a useful, manageable, not-very-exciting building. Management knows it needs security, and the picture of a military-style perimeter guard is a powerful image that can be readily grasped by nontechnical management. It also fits the open-rangeland mindset that defined the original approach to the Internet. So both CEO and CTO understand and like the idea of a perimeter defined by security appliances and monitored by managed security centers with their rows of monitors being watched 24-7 by trained security professionals. Pistols by their sides would be a nice touch.
Vendors like the idea too, as it implies that the more you spend on razor wire and intrusion detection systems and bandoliers and firewalls and malware-catching K9 corps and sentries and unified threat management appliances (fancier firewalls) and managed security services, the safer you are.
Just as buildings are important for the protection of you, your family, your personal assets and your information in the physical world, they are equally important in the online world. In fact they are more important, because existing identities in the online world can be easily spoofed.
In the version of this book for the open source community we noted that the notion of Quiet Enjoyment introduces a set of significant professional opportunities. People need buildings and people can have buildings. People do not need to settle for Rocinha-quality buildings, which are barely if at all better than outdoor spaces but which are the only kind of online buildings that exist today. People can have the benefit of reliable online buildings as soon as the relevant architectural, engineering, construction, building inspection and property management professions materialize and get to work. Profitable work.
The opportunity to provide buildings to organizations and individuals that desperately need them is perfectly suited to the needs and capabilities of open source software professionals, since the important ingredient, as we will illustrate, is not an elaborate software vendor organization but professional credentials backed by public authority. After all, if you need the services of an architect or structural engineer, you look for a licensed professional rather than a branded vendor. (If you are a software professional you might also want to look at The Office And The Bazaar. Also derived, as this book is, from Quiet Enjoyment, it describes the economic opportunity in providing secure and manageable online spaces using the QEI approach.)
Identity And Authority
The expression “professional credentials backed by public authority” should raise a couple of questions. First, who exactly is “public authority”? The government? Which government? Really, the Internet highway, the packets on that highway, and the buildings that will be used by people sending and receiving those packets know nothing about geographic boundaries, so how can any government exercise appropriate authority? The second question about professional credentials concerns the reliability of the identity of the holders of those credentials. Even if we have confidence that Joe Jones’ credential as a building inspector, that is, code auditor, is valid, how do we know that the individual presenting himself online is really Joe Jones and not some botnet builder?
The answer to the first question lies in the ancient distinction between government and state.
Consider for a moment that certain kinds of public official, typically a notary, can apply the authority of the state to a private document in a private setting, without so much as placing a call to a government office. Consider further that the notarization of that document will be honored by any other state or government anywhere in the world, as long as the source of the notarization is believed to be legitimate. A notarization performed in New York will be honored in Havana.
We already have a centuries-old means of applying duly constituted public authority on a universal, global scale. No bills need to be introduced to legislatures, no government commissions need to be formed. The apparatus of state authority, as opposed to government initiative, is in place and very well-established.
While the apparatus of authority is there, the binding of that authority to identity credentials is not. In fact, the archetypical identity credential, the birth certificate, is so hopelessly inadequate in the age of easily faked documents that it is useless in practice.
That is, the piece of paper is useless; the authority of city hall’s birth and death records department is as estimable as ever. If only they were able to apply technology to produce immutable, thoroughly reliable birth certificates that could be used anywhere, particularly online…
QEI solves the identity problem as well.
Identity is the foundation of security. Identity does not mean the identity of a company, or a digital object, or a server, or a web site, or an organization. Identity means the irrefutable, authoritative identification of an individual human being. When we want to establish a reliable identity for an important object (server, site, balance sheet, organization, file, blueprint, building, etc.) a human being digitally signs the object, or signs an intermediary object (think “license plate”) that attests to the object’s being signed by a person.
Since the object signing concept touches the third rail at the intersection of universal identity and privacy, we hasten to illustrate by metaphor how privacy is protected in this model. When you put your car onto the public physical highway, it is identified by a registration number that is bound to an identity credential, your driver’s license. As you drive along the highway, anyone can see the registration number of that vehicle and report it to the authorities if you, its driver, do something wrong. However, the person reporting the problem cannot obtain the identity of the person to whom the vehicle is registered unless a right to know is established by due process, e.g. if there is an accident, which calls for identity information to be disclosed among the drivers involved.
Just because I can discern that a site, or piece of software, or other object is digitally signed by a human being does not necessarily mean that I can obtain the identity of the signer. A program’s certificate in QEI is like your car’s license plate, effectively attesting that the authorities have ensured that it is digitally signed by a human being but that one must establish a right to know the name of the signer before the identity of the human signer will be disclosed.
Some digital objects will be signed by a public official, which means that the signer’s identity is indeed as openly knowable as the building inspector’s signature on an office building’s occupancy permit. That’s what it means to be a public official.
Public authority is one element of reliable identity. The other element is the soundness of the process by which the identity is established.
Online identity credentials in use today generally consist of usernames protected by passwords. Sometimes the passwords are stored on an access control server in hashed form, and sometimes they are out there in plain text by the side of the highway. At the user end occasionally we see identity credentials housed in hard tokens or wallets such as a SecurID one time password device.
Always, credentials in use are manifestations of a transitory relationship, as opposed to a birth certificate, which stands on its own, immutable and utterly permanent. Always, as a result, they are established by an enrollment process that ranges from very weak to absurdly weak. At the time of enrollment we see the relationship-based credential as an expedient, no more significant than the assignment of a telephone extension to the new hire.
Later, when someone from another department, or contract programmer or marketing consultant needs quick access to a database, typically she gets it by borrowing someone’s username and password.
And why wouldn’t they? It gets the job done. And after all, the credential only protects the company’s assets, not the assets of the person identified. (If employees’ bank cards served as identity credentials, would the person needing access to a file ask to borrow the card and its associated PIN? Of course not – that would expose the holder’s own assets to risk, not merely the company’s assets.)
As time goes on and the identity credential becomes the access and privilege point for an increasingly complex web of file and communication resources, the casualness with which it was established and shared becomes forgotten. We are only left with a vague notion that nothing too important should be accessible from that identity. Later, when important things must be accessed, we have to try a little harder to forget the weaknesses of the identity infrastructure.
For an identity credential to be reliable, it must be established through the use of a sound enrollment process.
For an identity credential to be reliable, it must attest to immutable information about the person identified, not to relationships, which must all be considered transitory.
A universal, permanent identity credential that is established by the use of a sound enrollment process and that attests only to the unchanging information on one’s paper birth certificate is the starting point for a reliable information infrastructure.
When we have reliable identity then we can know who takes responsibility for the design of a facility, who takes responsibility for its construction, who inspected it (that is, who audited the code,) who attested to its habitability (such attestation being based in part on assurances that the architect and contractor have been paid) and, just as importantly, who is in the room with us.
Once we have professional certification backed by duly constituted public authority and we have identities based upon sound enrollment processes involving duly constituted public authority, then we have taken a big first step toward Quiet Enjoyment.
The next step in the path to Quiet Enjoyment is the selection of construction materials for our new buildings.
Your Basic Collection of Building Materials: PKI
What technology, process or method distinguishes a secure, manageable building, a space of Quiet Enjoyment, from the commando outpost approach? We start with something that is established, proven and assumed (erroneously, as we will demonstrate) to be difficult to deploy. We start with public key infrastructure, or PKI. PKI is our set of construction materials. But first let's change what PKI stands for. For reasons that will become clear, let's call it Puzzle Kit Infrastructure. And let's take a look at how this remarkable PKI thing works.
With PKI, anyone who needs security and authenticity is provided with three digital items: two special numbers called keys, and a set of computer programs that makes and solves puzzles using those keys.
The two keys have a special relationship to each other: any puzzle that is made with either of the keys can only be solved with the use of the other key.
Let’s say our friend Bob needs security and authenticity and so Bob sets out to get his own puzzle kit, his own pair of keys and the software that will use those keys to make and solve puzzles. He'll designate one of the keys as his public key, which he then can give to anyone who might need to communicate with him. He puts it on his personal web site, in his MySpace listings, wherever. It’s public.
The other key, the private key, he will keep secret and secure.
Now where does Bob get those keys?
As it happens, any modern computer can generate perfectly good key pairs. But that means anyone can issue a key pair in anyone's name. If Bob is going to use his keys to establish authenticity, that is, in a way that lets people rely upon the identity represented by the key pair, he'll need a way to demonstrate that his key pair was really issued to him.
To accomplish that, Bob has his key pair issued by a public official in a face to face setting where his fingerprint and iris image are captured, along with a voice video of Bob reciting an oath of identity, which places him under penalty of perjury. Less costly but still satisfactory enrollment processes are also available when less is at stake, legally or financially. We'll get into all of them later. For now it will suffice to note that they all strongly associate a key pair with a particular human being.
Regardless of the enrollment method, a key pair is generated. Its public key is “digitally signed” by the public official using the very process we are in the middle of explaining here. So for now, just accept that there is such a thing as a digital signature that will be explained shortly. (Since legislators don’t understand PKI, all sorts of unreliable things are legally designated as “digital signatures.” Don’t be confused by them. If there is no key pair there is no real digital signature.)
A public key that is signed by a public official, applying public authority, is called a “certificate.”
Actually the word “certificate” is used in other contexts. Just as anyone can print up an official looking piece of paper and call it a certificate, so it is with digital certificates. Anyone can digitally sign a public key and call the result a certificate. The authority applied by the signer is what gives significance to a certificate.
Unlike the paper certificate, the authority behind a digital certificate can be examined simply by clicking an icon. If it's signed by a source of duly constituted public authority such as the International Telecommunication Union, it will say so. If it's backed by no more authority than a Beanie Baby certificate, it will say so.
And so to eliminate any doubt that the public key is really Bob's, a certificate was signed and issued to him at the time he was given his puzzle kit and keys by a type of certification authority. Since this certificate is a digital file, anyone who has the certificate can check its authenticity with the certification authority.
Bob keeps the other key, his private key, secret and secure.
Now let’s look at how files are digitally signed. Let's say Bob wants to send an important file to Alice in such a way that Alice will know that it came from Bob and that it has not been tampered with in transit. Bob might encrypt the file with his private key and send it to Alice. Alice then would get Bob's authoritatively signed public key from his MySpace listing or from a mail message or from a public directory and use that key to decrypt the file.
Actually though another step is added that seems to add complexity but actually makes the whole process more practical. Instead of encrypting the file, Bob instead uses his puzzle kit software to create what is known as a “one-way hash” from the file. The one-way hash is a rather short string of gibberish characters with some special characteristics. First, the process that created it cannot be reversed: there is no way to recreate the original file from its hash. Second, if a single bit in the original file is changed, the hash will be completely different. So if someone gives you a file and its hash, you can easily find out whether the file has been altered by putting it through the same hash process and comparing the results.
Bob then encrypts the hash, rather than the whole file, with his private key. He sends the original file and the encrypted hash together to Alice. Alice in turn uses the same process to hash the file, then looks up Bob's public key and uses it to decrypt the hash that was sent with the file. If the hashes produced by both processes are identical, then Alice knows that Bob really signed it and that it has not been tampered with. If the file has legal significance, perhaps a commitment by Bob to sell his yacht to Alice, then Alice has the benefit of non-repudiation. Bob cannot later keep the boat, claiming that he did not make that precise commitment.
If this seems complicated, know that neither Alice nor Bob need to concern themselves with the details. Bob clicks “sign this file and send it to Alice;” Alice receives the signed file and clicks “check the signature on this file.” Their computers do the work in the background using the puzzle kit software. It's good if Alice and Bob have sufficient basic understanding of the process to know why they should trust it (which is why we're explaining it here) but in practice it's a matter of click-click-click-done.
Note that there's no secrecy in that process. Anyone who manages to get Bob's file can read it. If Bob wants to send the file to Alice in complete confidence he might look up Alice's public key and use it to encrypt the file, knowing that only Alice, with the corresponding private key, can decrypt it.
Here again, the practical way is not the simplest way. Since public-private key encryption and decryption of anything but the smallest files takes too much computer power, typically we use those “asymmetric” keys to authenticate the two parties in a process like the one we used above in the digital signature example; then the two parties agree on an old fashioned “symmetric” key, where the same key is used for both encryption and decryption. This process creates the “tunnel” that is created when you see a lock icon in the corner of a “secure” Web page.
And again, if the process seems complicated, consider that visiting a lock-icon Web page is not complicated at all for you, the user. In the background your computer is working hard, but it's all transparent to the user. Your puzzle kit is like a skilled and obedient servant, understanding your wishes and acting upon them without troubling you with the details.
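The key pair, the certificate issued by a public official, Bob's hash-then-sign signature, Alice's check, and the hybrid encryption tunnel described above, worked through end to end. This is an added teaching example, not code from the book or from QEI. It uses textbook RSA with no padding and a SHA-256 keystream cipher purely so that it runs on the Python standard library; the official, Bob, Alice and the yacht contract are constructed stand-ins, and a real deployment would use a vetted library (RSA-PSS or Ed25519 for signatures, AES-GCM for the tunnel) instead of these toys.

```python
"""Puzzle-kit (PKI) walk-through as a teaching toy (added example, not QEI code).
Textbook RSA without padding and a SHA-256 keystream cipher are used only so
this runs on the standard library; production code uses a vetted library."""

import hashlib
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(c):
            return c


def generate_keypair(bits=512):
    """Two keys with the puzzle property: what one makes, only the other solves.
    Returns (public_key, private_key) as (n, e) and (n, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))  # modular inverse; needs Python 3.8+


def _digest_int(data: bytes) -> int:
    """One-way hash of the data as an integer; 256 bits, so always below a 512-bit n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    """Hash the file, then make a puzzle of the hash with the private key."""
    n, d = private_key
    return pow(_digest_int(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Solve the puzzle with the public key; it must match a fresh hash of the file."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)


def _encode_public_key(subject: str, public_key) -> bytes:
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(authority_private_key, subject: str, public_key) -> dict:
    """A certificate is a public key signed by the authority (here, the public official)."""
    sig = sign(authority_private_key, _encode_public_key(subject, public_key))
    return {"subject": subject, "public_key": public_key, "signature": sig}


def verify_certificate(authority_public_key, cert: dict) -> bool:
    encoded = _encode_public_key(cert["subject"], cert["public_key"])
    return verify(authority_public_key, encoded, cert["signature"])


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR the data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_for(recipient_public_key, data: bytes):
    """Hybrid tunnel: a fresh symmetric key encrypts the bulk data, and only that
    short key is locked with the recipient's (slow) public-key puzzle."""
    n, e = recipient_public_key
    sym_key = secrets.token_bytes(32)
    return pow(int.from_bytes(sym_key, "big"), e, n), _keystream_xor(sym_key, data)


def decrypt_with(recipient_private_key, wrapped_key: int, ciphertext: bytes) -> bytes:
    n, d = recipient_private_key
    return _keystream_xor(pow(wrapped_key, d, n).to_bytes(32, "big"), ciphertext)


def walkthrough() -> dict:
    """The whole Bob/Alice exchange on a constructed contract; returns each check's result."""
    official_pub, official_priv = generate_keypair()   # the public official's puzzle kit
    bob_pub, bob_priv = generate_keypair()
    alice_pub, alice_priv = generate_keypair()
    bob_cert = issue_certificate(official_priv, "Bob", bob_pub)
    contract = b"I, Bob, agree to sell my yacht to Alice for 100,000."   # constructed file
    sig = sign(bob_priv, contract)
    wrapped, ciphertext = encrypt_for(alice_pub, contract)
    altered = contract.replace(b"100,000", b"10,000")
    return {
        "cert_ok": verify_certificate(official_pub, bob_cert),
        "signature_ok": verify(bob_cert["public_key"], contract, sig),
        "tampered_rejected": not verify(bob_cert["public_key"], altered, sig),
        "wrong_authority_rejected": not verify_certificate(alice_pub, bob_cert),
        "confidential_roundtrip": decrypt_with(alice_priv, wrapped, ciphertext) == contract,
    }


if __name__ == "__main__":
    for check, result in walkthrough().items():
        print(f"{check}: {result}")
```

Alice's verification does two things in order, exactly as the text describes: she first checks that Bob's public key carries the official's signature (the certificate), and only then uses that key to open the puzzle on the hash. Changing one figure in the contract changes the hash completely, so the stored signature no longer matches and the alteration is caught without anyone reading the file by eye.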
That’s the essence of PKI, whether it stands for public+private key infrastructure, puzzle kit infrastructure or (problematically as we will see) public key infrastructure.
Part of PKI’s problem has been the difficulty of explaining it. But, as you have seen here, it does not have to be so complex. And, even though the computer does this all in the background, the user still needs to decide what needs to be signed, what needs to be encrypted and which files need protection. This can make the use of PKI complicated in some instances. But by organizing the use of information around spaces and the identities of the people who are allowed into those spaces, the complexity melts away. And, if you understand this simplified explanation of PKI, and the corresponding Figures, then you have the necessary basic understanding of this wonderful construction material.
However, we still need to take on the myth that PKI is difficult to deploy.

The Myth of PKI Deployment Difficulty
A couple of formal definitions of PKI reveal the essence of the perceived deployment problem. The U.S. National Institute of Standards and Technology (NIST) defines PKI in FIPS publication 196 as:
An architecture which is used to bind public keys to entities, enable other entities to verify public key bindings, revoke such bindings, and provide other services critical to managing public keys.
The NIST definition mentions only public keys, as one might expect with something called a public key infrastructure. It’s essential that there be a means by which we can be sure that a particular public key belongs to a particular individual or object and not to an impostor.
But a public key infrastructure is useless without private keys. As we have seen, the privacy of private keys is essential to the reliability of a PKI. Do we have an infrastructure for dealing with them?
The short answer—really, the complete answer—is no. PKI was put out there as an “architecture” for people to use, to make things secure, and yet no one ever came up with a comprehensive plan for dealing with an essential piece of the “architecture.”
Private keys are tricky things to manage. If you leave a private key to an important PKI on your hard drive and a piece of malware manages to send it to some botnet master, there are problems. Problems of that sort are sometimes spelled l-i-a-b-i-l-i-t-i-e-s. Rather than put one’s name on a prescription for the use and protection of private keys if that name may find itself on a court docket, the PKI industry has left users to their own private key devices. Thus we have one reason for PKI’s reputation for difficulty of deployment.
Another definition of PKI reveals even more about the myth of deployment difficulty. This one comes from The Open Source PKI Book:
PKI is the set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke PKCs [public key certificates] based on public-key cryptography.
Note the important ingredient added in this definition: people. We often hear that for all of PKI’s qualities, it’s hard to make it work in the real world. Perhaps that’s a direct consequence of the common habit of overlooking this most important part of a PKI. Of course people are at the heart of other important parts of a puzzle kit infrastructure.
For example, we know that a very important piece of a PKI is the certification authority. In that expression the term “authority” should mean exactly what an uninitiated person would expect it to mean: the human power or right to give orders or make decisions, as for instance the power to certify. Yet in practice the certification authority is treated as a server, a piece of technology managed by technicians.
Describing PKI as a set of building materials is not just a convenient, isolated metaphor. We will show that the whole extended metaphor of buildings and professional licensing and permits and municipal building codes and building materials has real depth.
A bunch of construction materials does not make a building. Even if you have all the materials necessary for constructing an office building, you have a lot to think about and do before you bring in the construction crews. You need skills and capabilities that are far removed from those of construction materials experts (cryptographers and software engineers). You need architects and structural engineers and a wide variety of contractors to make an office or school building or even a residence.
This is the essence of the reason why PKI has been considered difficult to deploy: it works a lot like physical real estate. Planning and permitting and constructing and managing a building requires relatively few construction materials experts compared with the number of other professionals involved.
When was the last time an IT security professional said, “You don’t need anywhere near as many of us IT professionals as you thought. You need more non-IT skills to complete this IT project.”
Anyone who has ever been a kid knows it’s easy and fun to put on a convincing role playing game such as commando-outpost-in-the-jungle. By contrast, the roles involved in developing or managing a useful piece of real estate involve such distinctly less fun concepts as professional liability and public authority. As Dan Geer notes in his foreword to Quiet Enjoyment, it’s work that is “not exciting, merely important.” At first, that is. As you immerse yourself in it, important work provides a better kind of excitement than what you experienced playing jungle commando as a youth, or as a “security expert.”
The distinctly unexciting subjects of professional liability and public authority are at the core of the difference between a pile of construction materials and a useful, manageable, and secure office building. You will never have security if you don’t consider and accommodate its relationship to public authority and professional liability. Fortunately the real estate industry has figured that all out for us.
Government Is Not the Same Thing as Public Authority.
When the original developers of PKI discovered that they needed something called a certification authority, that should have been a tipoff that they needed to reach way outside of their information technology domain for the elements that would make PKI deployable. To develop buildings you need duly constituted public authority, in the form of siting plan approvals by various agencies and approval of building plans by the buildings department; your architect needs to be licensed by the state, as does the engineer and most of the contractors. Materials and construction processes must be approved, that is, code must be audited by an impartial source of public authority.
We may not be fond of government, but let’s face it—it’s city hall that gives us the greatest part of the assurance that our building will be useful and will provide Quiet Enjoyment because city hall applies the weight of public authority to attest to it. The architect who designed it is licensed by the state, as is the structural engineer and the general contractor and most of the subcontractors. The architect’s plans had to conform to all sorts of standards—building codes, zoning ordinances, environmental, and community ordinances—before public authority will issue a building permit. Once started, the project must be frequently inspected by a building inspector who carries the weight of city hall’s duly constituted public authority. Public authority in real estate is not unnecessary bureaucratic overhead. Rather, it is essential. For a view of real estate that is built and occupied without the benefit of close involvement of public authority, take another look at Rocinha. Look at the physical Rocinha near Rio or look at the Rocinha on your desk. In terms of their reliability as habitable space they are identical.
Even after the building is completed and is certified to be compliant with all codes and ordinances, the owner still can’t start moving tenants in. There remains the matter—the very significant matter for purposes of this metaphor—of the occupancy permit.
It seems that the architect, structural engineer, and contractors must sign off on the occupancy permit application, attesting that they have been treated satisfactorily by their client, the building’s owner. “Treated satisfactorily” means that the licensed professionals have been paid and that they are willing to stake their licenses on the security and privacy that is provided by the structure. They need to certify that the owner has not deviated from their designs and instructions in any way that they find unacceptable. The occupancy permit is documentary evidence that specific individuals, not some malleable, fungible, commercial enterprise, have a lot to lose if the facility is not what it purports to be.
We make no apologies for the fact that public authority, which is not the same thing as government, has a central role in the Quiet Enjoyment Infrastructure and its privacy protection component called the Personal Intellectual Property Infrastructure.
This will not be the easiest sell, we realize. Some of the best writing and technology on the subject of online privacy comes from thought leaders who are frankly hostile to government when it comes to the latter’s involvement with personal information. Some in the zero knowledge/privacy community have characterized governmental activities in this space as just another form of attack, as in “legislative attack” on strong cryptography.
We agree with that characterization when it comes to things such as designating cryptographic algorithms as munitions and we agree that governmental enterprise in this area is something to worry about. Much of the distrust is warranted.
But consider that almost all governmental activities may be categorized in two ways:
Application of public authority
Governmental enterprise
While the activities of government to accomplish things—provide economic stimulation, fight wars, divert rivers, care for the disadvantaged—get all the attention, the other, much older function of government tends to be forgotten, or taken for granted. This is not about government making things happen. This is about employing authority that government – or rather, the state – makes available when authenticity is needed in any activity, public or private. Think of the state as an authenticity factory. It manufactures a finished product called authenticity out of raw materials called reliable attestation and evidence of authenticity.
Here we must disambiguate the term “state” for those who think of “the state” as the government of one of the United States of America, or of South Africa, etc. We are talking about “the state” as in “L’etat c’est moi,” the seat of public authority rather than the government of a region of a nation.
In the case of vital records, the public authority called “the state” can reside in city hall in Europe and North America, or in a national health agency in many of the nations of the southern hemisphere. For our purposes we will assume that vital records are created and maintained by the birth and death records department at city hall. The department quietly certifies identity information so that society may have some source of that much-needed ingredient of civilization called authenticity. While the typical embossed-seal-on-paper certification technology is horribly inadequate, the attestation itself is very good and very needed.
Indeed, city hall probably does more quiet application of public authority than any other governmental entity. City hall is where you find building inspectors and day care inspectors and all other manner of certificate issuers. Their purpose isn’t to build programs that attempt to ensure that no child is left behind (a worthy goal to be sure) but rather to modestly apply their duly constituted public authority in attesting to a day care center’s safety and reliability.
All well and good, but where do we find a city hall for the Internet? We’ll get to that in a moment. For now, rest assured that we are not talking about some commercial enterprise masquerading as a certification authority. “Indoors” is not just more logo-program schtick. The “Indoors” designation is part of the Quiet Enjoyment Infrastructure, a special kind of PKI. Later we will describe sources of authority and the way their fungible product—public authority—may be applied in private matters as one uses any component in a process.
Platform for Privacy Preferences (P3P)
The World Wide Web Consortium (W3C) offers the Platform for Privacy Preferences (P3P) as a solution to the cookie problem. P3P is a technology that opens up the process of disclosing personal information, making it visible and understandable. But P3P does not eliminate the ability to place and read cookies. Like the notification window for an “innocent” cookie, P3P may further anaesthetize people to what’s going on behind the scenes. P3P presents dialogs that are meant to empower people to specify what information may go to whom. Those organizations that are already the most open about their use of personal information will probably make serious use of P3P. Others will use P3P as a means to make people feel they’re in control while their information is being pilfered through the back door.
The goals of P3P are admirable, but upon examination it appears to have been written for a nicer world than our present global village. There’s a sort of “people will play by the rules if they know what they are” tone to P3P.
Our response to the invasion of the cookie clubs and to all the other gratuitous intrusions into our computers should start with a design that requires all traffic to be identified. If someone wants to read a cookie on your machine, let them identify themselves, and let that identity be checked against the digitally signed permissions you have specifically granted to specific parties. Is the inquirer’s identity on the Personal NDA governing that cookie? If not, then forget it.
The volunteer organization CPExchange is also making a valiant attempt at establishing a system- and platform-independent open standard for secure interchange of data. Their model is geared toward generating customer information standards for various enterprise systems. This is yet another instance of “you can have your privacy—all you have to do is exercise constant vigilance over those who influence and control our standard…”
You and I do not need privacy that requires constant vigilance. The mass media people know we will lose that one. Expecting vigilance on the part of the user—the subject of the information being gathered—is either naïve or devious and unfair, depending upon whether your intent is to protect privacy or to subvert privacy while pretending to protect it.
We have better things to do with our time. The burden of proof that information about us may be safely disclosed must be on the party requesting the information. And the individual must be the judge as to whether or not information about him or herself ought to be accessible to others. Anything else is just plain trickery.
Just because someone sets out to provide a framework to protect your privacy doesn’t mean that framework will do the job right. A highly qualified architect proposes a new kitchen to you. He surely wants you to have a good, usable kitchen. That intent, however, does not ensure you will get what you need. Examine the plans thoroughly before you call the contractor.
Identity Is Also the Foundation of Privacy
Not only is identity the foundation of security, identity is also the foundation of privacy. The goals of P3P are commendable. But without identity, and without real tools by which individuals can actually control the use of information about themselves, P3P will not work. Our solution is one of the twelve components of QEI, called the Personal Intellectual Property Infrastructure (whose acronym is MOI, for My Own Information).
The key piece of the Personal Intellectual Property Infrastructure is something called a Personal Nondisclosure Agreement. An online form that never needs to be printed, it is like the kind of form you fill out on a Web site to specify a set of preferences. Your Personal Nondisclosure Agreement is actually a file that is maintained by you and digitally signed by you.
Using your own Personal NDA form for you and one for each of your dependents, you specify who has a right to what information, and for what purposes each party can use it. As with all NDAs, it grants a license to have and use confidential information for very specific purposes and explicitly prohibits any other use.
Next to every group of identities, whether it is a default group that comes with the blank form (e.g. credit reporting agencies) or one specified by you (e.g. members of my mountain bike club), is a set of permissions. In order to gain access to a piece of information about you, a party must first have permission established in your Personal NDA, either as an identified individual or as a member of a particular group (for instance, people who work for credit reporting agencies).
What’s to prevent licensees from carrying on with information about you as they always have, sharing it indiscriminately in spite of the limitations specified in your Personal NDA? Part of the answer is idealistic. As we disclose information only within a global village where people must abide by identity rules or else not participate in the village, we simply change the way the world does business. Within that global village consisting of people whose online habitat is in buildings as opposed to the street people who live by the side of the information highway, possession by one person or company of personal information about another person is expected to be accompanied by a digitally signed NDA file from the identified individual. Unlicensed personal information will have to be handled like illicit drugs. It will add difficulty and will carry risks that will be unacceptable to most organizations. Admittedly all of this is not something that will happen by Thursday afternoon.
The less idealistic part of the answer is indicated in the notion that your Personal NDA grants permissions.
“Permission?!” exclaim the direct marketer, the credit reporter, the mortgage broker in unison. “Who are you to be granting us permission to use information about yourself?”
The permission part is what permission to use information is always about. It’s about intellectual property. It’s about copyright and proprietary secrets. Using your Personal Intellectual Property Infrastructure, you establish copyright to information about yourself, and further you declare and annotate such information to be a secret—the personal equivalent of the trade secret which is so important to business. Use of information about yourself without your permission is thus subject to two forms of intellectual property protection. One who uses it in a manner that is not permitted by a personal NDA may need to pay damages to its owner. Or, if its owner really wants to teach the perpetrator a lesson he may pursue criminal charges for theft of intellectual property.
The earlier point about the surreptitious mating of tables of personal information may seem to argue against this strategy, and indeed there will always be some infringement just as there will always be copying of music. But with a Personal Intellectual Property Infrastructure system in place it will become worthwhile for large numbers of victims of infringement to pursue the infringers. That fact, in turn, will give the CEO reason to make the company toe the line on its privacy rules instead of tacitly allowing transgressions to take place.
Buildings Provide Privacy
Wouldn’t it be great if:
- Software could deliver the kind of trustworthy facilities we associate in the physical world with the word indoors, which distinguishes them from vulnerable, exposed outdoor spaces such as highways, in our case information highways
- A building could not be designated as “indoors” and could not be part of a set of namespaces that people rely upon as secure and manageable, until it has an occupancy permit, that is, until it meets building codes and until the licensed professionals who were involved in its creation are willing to attest that it is their work, for which they take professional responsibility
- One such indoor space is one’s personal private office, where all personally identifiable information is kept under the control of the best locks and keys that PKI technology makes available
- Only the individual identified, or parents/guardians of minors or others not legally competent, may have direct access to information in one’s private personal office
- The collection of information in one’s private personal office is designated a “work” as the term is used by the copyright laws of the United States and other nations and is therefore subject to copyright
- All items of information in one’s private personal office are designated as secret, placing them in the domain of trade secret law, to be disclosed to others only under a license granted by the owner of the office that fits the specific situation and that obviates any possibility of fair use claims
- The content of one’s private personal office is encrypted using keys that are generated in a reliable enrollment process
- Among the key pairs that are generated in the enrollment process and subsequent process is a license signing key pair
- In fulfillment of the goals of P3P, the Platform for Privacy Preferences, anything that is disclosed under license is identified in the license, which is digitally signed by both grantor and grantee
- Penalties for subsequent unauthorized sharing of licensed information by licensee are clearly spelled out in the license...
- ...and in law, since such an act would constitute theft of intellectual property
- The license itself is a standardized part of this privacy infrastructure, so licensees and their software know exactly what they may and may not do without a person having to read the license conveyed with each disclosure
- Any information that is requested and granted under a “statistical disclosure” license must meet anonymity guidelines regarding sample size and other criteria
- Under a statistical disclosure license, information is conveyed using zero knowledge technology including EPAL protocols, making it realistically impossible for the recipient to determine the identity of the subject of the information
- Zero knowledge technology is also used in other instances where anonymity is acceptable and desired
- Privacy activists got behind this plan so that professional data miners would have to deal with it honestly instead of directing their PR departments to spin and discredit it
These are the basic characteristics of the Personal Intellectual Property Infrastructure, one of the twelve components or “Instigations” of the Quiet Enjoyment Infrastructure.
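To make the mechanism concrete, here is an added example (not code from the book, from QEI or from any real deployment) that implements two items from the description above: the Personal NDA access check, where the file is maintained and signed by its owner, every request is identified by its signer, and an entry must cover the requester (by name or group), the item and the purpose; and the disclosure license that is valid only when grantor and grantee have both signed it. Assumptions for illustration: Ed25519 keys stand in for whatever key pairs the enrollment process produces; the JSON layout, the `group:` prefix for group entries, and the names alice, bob, mallory and their data are all constructed. It needs Go 1.21 or later for the `slices` package.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// Identity: a party the (assumed) enrollment process reliably identified, the key it signs with, its groups.
type Identity struct{ Name string; Pub ed25519.PublicKey; Groups []string }

// An NDAEntry licenses one individual, or every member of one group, to hold the
// listed items for the listed purposes; anything not listed is prohibited.
type NDAEntry struct {
	Grantee         string // "carol" or "group:credit-reporting" (prefix convention assumed)
	Items, Purposes []string
}

// PersonalNDA is the owner-signed permissions file; a Request is identified traffic;
// a DisclosureLicense records one disclosure and must be signed by both sides.
type PersonalNDA []NDAEntry
type Request struct{ Item, Purpose string }
type DisclosureLicense struct {
	Grantor, Grantee, Purpose, Penalty string
	Items                              []string
}

// Signed is a JSON body plus detached Ed25519 signatures keyed by signer name.
type Signed struct {
	Body []byte
	Sigs map[string][]byte
}

func NewSigned(v interface{}) Signed {
	body, _ := json.Marshal(v) // the types above always marshal
	return Signed{Body: body, Sigs: map[string][]byte{}}
}

func (s Signed) Sign(id Identity, priv ed25519.PrivateKey) { s.Sigs[id.Name] = ed25519.Sign(priv, s.Body) }

// Open decodes s into v only after checking that id's key signed the body.
func Open(s Signed, id Identity, v interface{}) error {
	if sig, ok := s.Sigs[id.Name]; !ok || !ed25519.Verify(id.Pub, s.Body, sig) {
		return fmt.Errorf("signature of %q missing or invalid: refuse", id.Name)
	}
	return json.Unmarshal(s.Body, v)
}

// CheckAccess gates the owner's private office: the NDA must carry the owner's signature,
// the request the requester's, and some entry must cover this requester, item and purpose.
func CheckAccess(owner Identity, nda Signed, requester Identity, req Signed) error {
	var doc PersonalNDA; var r Request
	if err := Open(nda, owner, &doc); err != nil {
		return err
	}
	if err := Open(req, requester, &r); err != nil {
		return err
	}
	for _, e := range doc {
		member := e.Grantee == requester.Name || (strings.HasPrefix(e.Grantee, "group:") &&
			slices.Contains(requester.Groups, strings.TrimPrefix(e.Grantee, "group:")))
		if member && slices.Contains(e.Items, r.Item) && slices.Contains(e.Purposes, r.Purpose) {
			return nil
		}
	}
	return fmt.Errorf("no NDA entry licenses %q to hold %q for %q", requester.Name, r.Item, r.Purpose)
}

// LicenseValid accepts a disclosure license only when grantor and grantee both signed it.
func LicenseValid(lic Signed, grantor, grantee Identity) bool {
	var l DisclosureLicense
	return Open(lic, grantor, &l) == nil && Open(lic, grantee, &l) == nil &&
		l.Grantor == grantor.Name && l.Grantee == grantee.Name
}

// Outcome reports each check run by Scenario.
type Outcome struct{ MemberAllowed, OtherPurposeDenied, StrangerDenied, TamperedDenied, LicenseOK bool }

// Scenario exercises the checks on constructed keys, names and data (not from any real system).
func Scenario() (o Outcome) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader)
	alice := Identity{"alice", alicePub, nil}
	bob := Identity{"bob", bobPub, []string{"credit-reporting"}}
	mallory := Identity{"mallory", malPub, nil}
	nda := NewSigned(PersonalNDA{{"group:credit-reporting", []string{"credit-history"}, []string{"loan-underwriting"}}})
	nda.Sign(alice, alicePriv)
	ask := func(id Identity, priv ed25519.PrivateKey, item, purpose string, file Signed) error {
		req := NewSigned(Request{item, purpose})
		req.Sign(id, priv)
		return CheckAccess(alice, file, id, req)
	}
	o.MemberAllowed = ask(bob, bobPriv, "credit-history", "loan-underwriting", nda) == nil
	o.OtherPurposeDenied = ask(bob, bobPriv, "credit-history", "marketing", nda) != nil
	o.StrangerDenied = ask(mallory, malPriv, "credit-history", "loan-underwriting", nda) != nil
	// Editing the file without the owner's key breaks the signature, so the edit buys nothing.
	forged := Signed{[]byte(strings.Replace(string(nda.Body), "group:credit-reporting", "mallory", 1)), nda.Sigs}
	o.TamperedDenied = ask(mallory, malPriv, "credit-history", "loan-underwriting", forged) != nil
	lic := NewSigned(DisclosureLicense{"alice", "bob", "loan-underwriting", "damages per item disclosed", []string{"credit-history"}})
	lic.Sign(alice, alicePriv) // grantor signs; the license is not valid until the grantee countersigns
	lic.Sign(bob, bobPriv)
	o.LicenseOK = LicenseValid(lic, alice, bob)
	return o
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Two design points carry the argument of this section. The gate never consults an unsigned permissions file or an unsigned request, so "all traffic is identified" is enforced by the signature check rather than by the requester's good behaviour; and since only the owner's key can produce a valid signature over the file, a party that edits the file to grant itself an entry gains nothing, which is what makes the Personal NDA the owner's property rather than a preference screen.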
Privacy And Universal Identity
In addition to distrust of government activity in this area among privacy activists, there is a widespread belief that a universal identity system is a de facto invasion of privacy because its credential allows all of a person’s activities to be tracked. As we will see, a universal identity credential is entirely unnecessary for the skilled global data miners, who know how to track you by the breadcrumbs that you leave throughout the cybersphere. Only those who need authenticity and who do not have access to the tools and information assets of the global data miner are inhibited by the lack of a reliable identity credential. In other words, it’s us ordinary computer users who are hurt by the lack of reliable identity.
The main concerns about universal identity seem to assume that some outsider such as a government controls the use of your identity credential. With the Personal Intellectual Property Infrastructure (MOI), one of the items that’s under your control is the credential itself. It is your property. You decide what may be done with it, by whom, for what purpose. Any time your personal information is in the hands of anyone but yourself, it had better be accompanied by your Personal NDA, which gives explicit permission for that specific part of your information to be held by that specific party. If that is not the case then you have grounds to take action.
Like the other eleven components or Instigations of QEI, the Personal Intellectual Property Infrastructure will require the efforts of a dedicated group of people to make it prevail. Our name for the organization that will take responsibility for the Personal Intellectual Property Infrastructure component is The ZK Group, after the “Zero Knowledge” technology pioneered by Stefan Brands and others. Zero Knowledge protocols will enable us to implement the license-plate type assertions mentioned earlier, where anyone can know that something is properly signed by a reliably identified individual without being able to know the individual’s identity.
But before we describe the ZK Group we need to get more specific about the problem that needs to be solved. Our privacy is indeed under attack, not just from the much-discussed efforts of those who want to dig into our personal information but from the much-less-covered efforts of those who want to use it to manipulate us.
To be fair, a few, notably Michael Baum, tried to introduce the element of genuine authority into the thing named “certification authority.” Their ideas would have gained more traction if they had been more immediately profitable and exciting.
Deception need not be intentional or premeditated. At Delphi we inadvertently found ourselves in a position of “control” over the relationships between a magazine publisher and its readers and advertisers. We did not understand then that some level of control would be a consequence of our setting up and managing online meeting places.

