<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Infinite Injury &#187; Privacy and Anonymity</title>
	<atom:link href="http://www.infiniteinjury.org/blog/topics/programming-computer-science-and-technology/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infiniteinjury.org/blog</link>
	<description>Good Analysis, Bad Grammar</description>
	<lastBuildDate>Sat, 22 May 2010 13:18:22 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Computation Eliminates Obscurity</title>
		<link>http://www.infiniteinjury.org/blog/2009/01/10/computation-eliminates-obscurity/</link>
		<comments>http://www.infiniteinjury.org/blog/2009/01/10/computation-eliminates-obscurity/#comments</comments>
		<pubDate>Sat, 10 Jan 2009 08:11:14 +0000</pubDate>
		<dc:creator>TruePath</dc:creator>
				<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[anonymity]]></category>
		<category><![CDATA[data mining]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[obscurity]]></category>

		<guid isPermaLink="false">http://www.infiniteinjury.org/blog/?p=471</guid>
		<description><![CDATA[There is an interesting new paper (pdf) from some researchers at Google making its way around the tech news sites that outlines some of the ways that clever computer programs could use the data we reveal on social networks, blogs and other online communities to undermine our expectations of pseudo-anonymity in surprising ways.  Now [...]]]></description>
			<content:encoded><![CDATA[<p>There is an interesting new <a href="http://w2spconf.com/2008/papers/s3p2.pdf">paper (pdf)</a> from some researchers at Google making its way around the tech news sites that outlines some of the ways that clever computer programs could use the data we reveal on social networks, blogs and other online communities to undermine our expectations of pseudo-anonymity in surprising ways.  Now of course if you can automatically connect an individual to their online identities people lose their obscurity.  Your employer will be able to discover that you are gay or learn about the time you flashed Bourbon Street during a college Mardi Gras trip.  This paper doesn&#8217;t say anything very surprising if you&#8217;ve already been convinced by my prior arguments about the impossibility of maintaining obscurity (usually called anonymity<sup id="fnref:anon"><a href="#fn:anon" rel="footnote">1</a></sup>) in the information age.</p>

<p>To summarize briefly, the Google researchers point out that by comparing your friends on different social networking sites or data mining the comments you or your associates leave on blogs it will frequently be possible to associate your pseudonymous identity with your official identity (name).  While it says nothing particularly surprising the paper is interesting for vividly demonstrating how easy it is for people to have their pseudo-anonymity stripped.  It is also interesting for the responses it suggests to these dangers.</p>

<p>To combat the risk of a friend&#8217;s trackback accidentally connecting your official and pseudonymous identities the researchers suggest automated link analysis to warn users when data mining might allow third parties to learn more about them or their friends than they intended.  Presumably the idea is that some kind of automated warning would tell you, before you added a trackback to your friend&#8217;s blog, that it might connect his blogging handle and real name.  Similarly they suggest providing users with a tool to warn them when information they reveal on MySpace might allow someone to associate their MySpace and Twitter accounts.</p>

<p>These suggested countermeasures are interesting not because they are workable but because they are so horribly flawed.  Warnings about unintended information exposure are only as good as the current generation of data mining techniques, but once published, information can&#8217;t be put back in the bottle<sup id="fnref:bottle"><a href="#fn:bottle" rel="footnote">2</a></sup>.  When the Netflix dataset was published it was thought to be impractically difficult if not impossible to connect rental histories with individuals, but researchers developed a <a href="http://www.cs.utexas.edu/~shmat/shmat_netflix-prelim.pdf">new technique</a> that allowed them to do just that.  Moreover, this incident also demonstrates that even trivial pieces of information like what movies you like or your favorite TV show can help connect your pseudonymous and official identities.  Each time you wanted to answer a question for an internet quiz or a compatibility test for online dating you would have to study the report warning of the information that could be inferred from this data, and your friends would have to be just as cautious on your behalf, since unmasking them would likely unmask you.</p>

<p>Indeed, even if you never set foot online it would be enough for someone to analyze the people who claim to be your friend and their answers to questions like &#8220;Do you have any gay friends?&#8221; to discover you are gay<sup id="fnref:gay"><a href="#fn:gay" rel="footnote">3</a></sup>.  Even if your friends are willing and conscientious enough to avoid ever mentioning their favorite movies on their LiveJournal because of the drunk post you made five years ago revealing you and doglover69 were friends, you still aren&#8217;t safe.  Complete strangers can unmask you by revealing trivial information about your friends.  Separate posts on different sites revealing your four friends&#8217; favorite movies could be compared with your blog post about the day your supportive friends each brought over their favorite movie and watched them all with you after learning you were gay.  And these are only the inferences that are simple enough for people to easily imagine.  By integrating all sorts of statistical information from social networks, comments by people who don&#8217;t even know your friends could unmask you.  <strong>The situation becomes completely hopeless when you consider other tools like <a href="http://en.wikipedia.org/wiki/Authorship_analysis">stylometry</a> that, with a proper search tool, might allow your employer to search for blogs with a linguistic style similar to yours.</strong></p>

<p>Even though the authors of the paper must realize how weak these techniques are, they still can&#8217;t accept (or believe their audience can&#8217;t) that information technology fundamentally changes the nature of social interaction in a large society.  I suppose this shouldn&#8217;t be surprising, as we have seen the same kind of response when other technologies have fundamentally altered the social &#8216;economics.&#8217;  Just as before the invention of the printing press each copy of a book required substantial effort to produce, so too did finding out about other parts of someone&#8217;s life require great cost or effort, e.g., hiring a private investigator.  The printing press changed the equation so that one person&#8217;s labour in setting up the press could cheaply distribute that information to large populations, and similarly data mining reduces the marginal cost of discovering public but obscure information (what you did at that party) to nearly zero.  Only one person needs to come up with the clever algorithm to ferret out yet more information from our online activities and everyone can now mine that information.</p>

<p>It&#8217;s hopeless to imagine that we will stop revealing any personal information about ourselves or our friends online.  We are evolutionarily hard wired to signal our preferences, opinions, subcultural affinities (pot smoker, party girl, player, slacker, bear/twink<sup id="fnref:twink"><a href="#fn:twink" rel="footnote">4</a></sup>) and sexual daring as well as to gossip about the behavior and sexual couplings of our friends.  The idea that teens or adults will avoid advertising their sexual attractiveness, social status, or scandalous behavior online makes the idea that people only have sex inside marriage sound plausible.  I mean, a major reason that people flash the bar during spring break, go streaking across campus, cross dress at a party or engage in other scandalous public behavior on vacation is to advertise themselves as fun, sexually daring, brave or whatever else, so it&#8217;s absurd to think we won&#8217;t distribute this advertisement in the social context in which we wish to project that image.  The very point of sharing that information is to build social connections and portray who we are (or want to be), so inevitably enough information will be revealed to unmask the social networking accounts and blogs of all but the most reclusive or paranoid individuals, and what gets revealed will include drug use, sexual kinks, and how trashed we got at that party.  It&#8217;s time to accept the fact that the era of obscurity is coming to an end and to start working on how to deal with it.  At least pot will probably finally be decriminalized.</p>

<div class="footnotes">
<hr />
<ol>

<li id="fn:anon">
<p>True anonymity is still possible, perhaps even easier.  Political dissidents who are willing to go to great lengths to hide their real identity and impose a total barrier between their secret and non-secret activities can retain anonymity.  Nothing stops people from keeping secrets.  What will become impossible is to reveal things in public forums of one kind (at a party in New Orleans) and count on the obscurity of this information to prevent your coworkers from discovering it.&#160;<a href="#fnref:anon" rev="footnote">&#8617;</a></p>
</li>

<li id="fn:bottle">
<p>What, are you going to make it illegal for people to archive public pages on the internet?&#160;<a href="#fnref:bottle" rev="footnote">&#8617;</a></p>
</li>

<li id="fn:gay">
<p>If you examine the friends of your friends and discover that in that population claiming to be your friend greatly raises the proportion claiming to have a gay friend, it&#8217;s a good bet you are gay, or at least your friends think you are.&#160;<a href="#fnref:gay" rev="footnote">&#8617;</a></p>
</li>

<li id="fn:twink">
<p>Referring to particular gay sexual stereotypes, analogous to say being a sporty girl or a manly man but more sexual.&#160;<a href="#fnref:twink" rev="footnote">&#8617;</a></p>
</li>

</ol>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.infiniteinjury.org/blog/2009/01/10/computation-eliminates-obscurity/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Privacy For The 21st Century</title>
		<link>http://www.infiniteinjury.org/blog/2008/06/17/privacy-for-the-21st-century/</link>
		<comments>http://www.infiniteinjury.org/blog/2008/06/17/privacy-for-the-21st-century/#comments</comments>
		<pubDate>Wed, 30 Nov -0001 00:00:00 +0000</pubDate>
		<dc:creator>TruePath</dc:creator>
				<category><![CDATA[Law]]></category>
		<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[anonymity]]></category>
		<category><![CDATA[autonomy]]></category>

		<guid isPermaLink="false">http://www.infiniteinjury.org/blog/?p=417</guid>
		<description><![CDATA[So today on slashdot I ran across a link to law professor Daniel Solove&#8217;s article grappling with the &#8220;nothing to hide&#8221; argument against privacy protections.  He certainly has some thought provoking things to say and his new book will likely be interesting but I think he makes some fundamental errors in his approach to [...]]]></description>
			<content:encoded><![CDATA[<p>So today on slashdot I ran across a link to law professor Daniel Solove&#8217;s <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565">article</a> grappling with the &#8220;nothing to hide&#8221; argument against privacy protections.  He certainly has some thought provoking things to say and his <a href="http://docs.law.gwu.edu/facweb/dsolove/Understanding-Privacy/">new book</a> will likely be interesting but I think he makes some fundamental errors in his approach to the subject.  Nevertheless, reading it did inspire me to better formulate some of my thoughts on the subject.</p>

<p>The problem with Solove&#8217;s arguments is that he tries to simultaneously argue for the value of privacy while seemingly rejecting the notion that there is any principled commonality to the values that we place under the rubric of privacy.  While both of these notions are plausible on their own they are in significant tension with each other.  If indeed privacy is a word like &#8216;game&#8217;, famously analyzed by Wittgenstein to be a hodgepodge of different concepts related only by a chain of analogies, then it&#8217;s at best pointless and confusing to defend it as a package and at worst a way to smuggle in values you can&#8217;t defend using the cover of an unprincipled linguistic grouping.  Unless the values we term privacy have some important principled commonality they should stand or fall on their own merits rather than riding the coattails of the vague positive connotations we have with the word privacy.</p>

<p>To see that privacy isn&#8217;t really a monolithic notion, consider that the idea that other people shouldn&#8217;t be able to easily find out your social security number really doesn&#8217;t have much to do with the idea that the government shouldn&#8217;t be able to monitor your phone calls and reading habits.  These two notions don&#8217;t really have very much in common.  One of them is concerned with other people&#8217;s knowledge of your intimate affairs and private conversations while the other involves only a purely arbitrary identifying number.  The reason we don&#8217;t want people to find out our social security number isn&#8217;t because it&#8217;s an intimate detail of our life but because it&#8217;s unfortunately used as an authentication method for certain financial transactions and we fear becoming the victims of credit fraud.  Certainly it&#8217;s important that people not be able to buy a car in my name, but arguments that defend my right to be free of government surveillance aren&#8217;t going to have much to say about who finds out my social security number and vice versa.</p>

<p>However, I do think there is a certain core concept that is shared by many, though far from all, things we conceptualize as a right to privacy.  That is the notion that we should enjoy a certain autonomy or freedom of choice, both from the government <em>and</em> society, in how we conduct certain parts of our lives.  Certainly this is no definition of even one kind of privacy, but I think it&#8217;s the uncritical acceptance that it&#8217;s literally privacy that&#8217;s important that sidetracks so many people into silly issues like what Facebook publishes by default on their friend feed<sup id="fnref:incon"><a href="#fn:incon" rel="footnote">1</a></sup>.  The reason I tend to be largely critical of privacy crusaders is that they tend to take the idea too literally and fight a lost cause trying to limit what other people are able to learn about you (endangering free speech&#8230; and privacy<sup id="fnref:diag"><a href="#fn:diag" rel="footnote">2</a></sup> along the way) rather than looking for the underlying value privacy provides for the culture and seeing how best to achieve that end in the information age.</p>

<p>Ultimately what privacy provides is the freedom from judgment (be it legal, religious or social) about certain aspects of our lives.  It does this both by making it practically difficult to enforce certain kinds of invasive laws (thus discouraging their enactment) as well as by keeping your porn collection or wild spring break party a secret from your parents/priest/boss.  Both of these mechanisms are endangered by the information age.  The traditional protections of Fourth Amendment law border on uselessness in the face of fancy data mining programs that suggest likely offenders, the amount of information out there on the internet (your friends and neighbors gossip&#8230; and may take infrared pictures of your house even if the police can&#8217;t), and the huge amount of information we store on computers (police can subpoena your ISP&#8217;s business records or get access to your entire computer if they have probable cause to see even one document).  Similarly search programs and the inevitable advent of facial recognition, along with people&#8217;s tendency to post pictures to the internet, will erase the anonymity you might have once had on spring break.</p>

<p>However, I think we can find replacements for these tools that provide the same benefits in the information age.  Just as some other cultures have done we need to develop traditions of ignoring (or at least not scolding) based on certain aspects of people&#8217;s lives.  This is the reason that <em>unequal</em> loss of privacy/anonymity is so much more dangerous than an equitable loss.  Everyone has things that might embarrass them or present a less than professional image and if we all know that these can easily be found we are much more likely to let other people have their personal space as well.  The legal aspect will be more difficult but it is also achievable.  We will need to shift the focus of our protections away from the guarding of information and towards rules against intrusiveness.  Perhaps in addition to rules requiring search warrants we could have rules barring unprompted investigation, i.e., rules that prevent tearing someone&#8217;s life up for a crime without a particularized identification of a victim who does/would have wanted an investigation.  That&#8217;s just a shot in the dark but I suspect something better will be found.</p>

<div class="footnotes">
<hr />
<ol>

<li id="fn:incon">
<p>Certainly it can be annoying to find out your Christmas surprise was ruined because Facebook changed the defaults, and the wrong defaults can make Facebook an unpleasant place to visit, but sub-optimal site design is a concern for Facebook shareholders, hardly an issue of grave concern.  If people are bothered enough it&#8217;s not like you can&#8217;t just quit using Facebook.&#160;<a href="#fnref:incon" rev="footnote">&#8617;</a></p>
</li>

<li id="fn:diag">
<p>Ironically, if you want to stop people from doing the kind of information retrieval and processing that scares the privacy advocates you would have to violate people&#8217;s privacy to do it.  After all, if my internet usage is unmonitored and what I do with my computer is my own business you can&#8217;t prevent me from gathering data, analyzing it and even discreetly sharing it with my friends.&#160;<a href="#fnref:diag" rev="footnote">&#8617;</a></p>
</li>

</ol>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.infiniteinjury.org/blog/2008/06/17/privacy-for-the-21st-century/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Finally Someone Gets Privacy Right</title>
		<link>http://www.infiniteinjury.org/blog/2007/12/17/finally-someone-gets-privacy-right/</link>
		<comments>http://www.infiniteinjury.org/blog/2007/12/17/finally-someone-gets-privacy-right/#comments</comments>
		<pubDate>Tue, 18 Dec 2007 06:38:01 +0000</pubDate>
		<dc:creator>TruePath</dc:creator>
				<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[future]]></category>
		<category><![CDATA[obscurity]]></category>
		<category><![CDATA[surveilance]]></category>
		<category><![CDATA[tech]]></category>

		<guid isPermaLink="false">http://www.infiniteinjury.org/blog/2007/12/17/finally-someone-gets-privacy-right/</guid>
		<description><![CDATA[I was originally inspired to think about the whole privacy issue when I heard that David Brin argued that it was the uneven loss of privacy that was the threat, not the loss of privacy itself.  I didn&#8217;t bother to actually read what he had said until today but unsurprisingly he has some pretty [...]]]></description>
			<content:encoded><![CDATA[<p>I was originally inspired to think about the whole privacy issue when I heard that David Brin argued that it was the uneven loss of privacy that was the threat, not the loss of privacy itself.  I didn&#8217;t bother to actually read what he had said until today but unsurprisingly he has some <a href="http://www.davidbrin.com/privacyarticles.html">pretty interesting views</a> on the subject.</p>

<p>What was surprising, however, was to see someone else who had a <a href="http://www.popularmechanics.com/technology/military_law/4237005.html">reasonable take</a> on the whole &#8216;privacy&#8217; issue, especially linked from slashdot.</p>

<p>While the author seems reluctant to make the leap, the article flirts with the two critical points in the &#8216;privacy&#8217; debate.  First of all, that true obscurity/freedom from recording is a lost cause, and secondly, that the real danger is from unequal erosion of our obscurity.  So long as we only see footage of &#8216;crooks&#8217; or the surveillance cameras are only placed in minority/poor neighborhoods it&#8217;s easy to use the substantial difference between what society officially designates as acceptable and how people actually behave against the most powerless parts of our society.</p>

<p>In the modern era most of what we do in one context (like hanging out with friends) won&#8217;t make it back to another (the office, our church).  The net result of this has been to encourage endemic hypocrisy, where we pretend to support the most puritanical standards while we wouldn&#8217;t dream of actually behaving that way.  So long as obscurity protects our actual behavior from the prying eyes of our boss/mother/coworker/religious friend it&#8217;s much easier to affirm their moral judgments than it is to tell them we think sodomy/drugs/exhibitionism/swinging/bestiality is just fine.  Thus so long as enough of us are protected from exposure those who lose their obscurity suffer greatly, but if all of us are exposed then it becomes more important to avoid hypocrisy than to pretend to false virtue.</p>

<p>Of course the loss of obscurity only adds to the value of true privacy.  When technology eliminates the difference between being on an empty street and center stage at a rock concert it will become even more important to have somewhere truly private we can retreat into.  However, real privacy (actually being outside of the public view) is something that laws and technology can provide if we try hard enough.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infiniteinjury.org/blog/2007/12/17/finally-someone-gets-privacy-right/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>A Tiny Taste Of The End Of Obscurity</title>
		<link>http://www.infiniteinjury.org/blog/2007/11/04/a-tiny-taste-of-the-end-of-obscurity/</link>
		<comments>http://www.infiniteinjury.org/blog/2007/11/04/a-tiny-taste-of-the-end-of-obscurity/#comments</comments>
		<pubDate>Mon, 05 Nov 2007 04:43:33 +0000</pubDate>
		<dc:creator>TruePath</dc:creator>
				<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[anonymity]]></category>
		<category><![CDATA[tech]]></category>

		<guid isPermaLink="false">http://www.infiniteinjury.org/blog/2007/11/04/a-tiny-taste-of-the-end-of-obscurity/</guid>
		<description><![CDATA[While it may have been intellectually obvious before, this sort of project really drives home the fact that increasing computational power and algorithmic advances in computer vision negate the need for any coordinated database.  So long as there are enough pictures out there somewhere the right algorithm can stitch them back together and extract whatever information you want out of them.]]></description>
			<content:encoded><![CDATA[<p>I just ran across this interesting <a href="http://uwnews.washington.edu/ni/article.asp?articleID=37724">article</a> on <a href="http://slashdot.org">slashdot</a> describing a project to create 3D models of famous landmarks (Tower of Liberty, Notre Dame Cathedral) by algorithmically combining photos posted on Flickr.  Apart from the technical coolness of the project, what struck me about the article was their long term goal of creating full 3D reconstructions of cities by combining the information from billions of online photographs.  This project is a perfect illustration of how absurd opposition to projects like Google&#8217;s Street View truly is.</p>

<p>While it may have been intellectually obvious before, this sort of project really drives home the fact that increasing computational power and algorithmic advances in computer vision negate the need for any coordinated database.  So long as there are enough pictures out there somewhere the right algorithm can stitch them back together and extract whatever information you want out of them.  Right now the best we might be able to hope for is a fancy version of Google&#8217;s Street View, but the inevitable increase in the amount of online content (webcams, automated picture taking etc.) and the inexorable progress of the computer industry means that eventually we will be able to figure out who you are sleeping with<sup id="fnref:sleeping"><a href="#fn:sleeping" rel="footnote">1</a></sup>, where you buy your groceries and even reveal certain health problems.</p>

<p>There is no way around it.  Computational advances will eliminate obscurity.  The only real question is whether we implement ultimately ineffective laws about &#8216;privacy&#8217; that will give large organizations with massive computing power an informational advantage until computational power catches up.  Anyway, I&#8217;m repeating myself, so I&#8217;m going to stop now.</p>

<div class="footnotes">
<hr />
<ol>

<li id="fn:sleeping">
<p>Look for people who frequently appear in the same vicinity at night and in the morning.&#160;<a href="#fnref:sleeping" rev="footnote">&#8617;</a></p>
</li>

</ol>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.infiniteinjury.org/blog/2007/11/04/a-tiny-taste-of-the-end-of-obscurity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>dcphonelist: Legalizing Prostitution One Step At A Time</title>
		<link>http://www.infiniteinjury.org/blog/2007/07/23/dcphonelist-legalizing-prostitution-one-step-at-a-time/</link>
		<comments>http://www.infiniteinjury.org/blog/2007/07/23/dcphonelist-legalizing-prostitution-one-step-at-a-time/#comments</comments>
		<pubDate>Mon, 23 Jul 2007 19:46:18 +0000</pubDate>
		<dc:creator>TruePath</dc:creator>
				<category><![CDATA[Morality]]></category>
		<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[obscurity]]></category>
		<category><![CDATA[prohibition]]></category>
		<category><![CDATA[prostitution]]></category>
		<category><![CDATA[puritanism]]></category>
		<category><![CDATA[sex]]></category>

		<guid isPermaLink="false">http://www.infiniteinjury.org/blog/2007/07/23/dcphonelist-legalizing-prostitution-one-step-at-a-time/</guid>
		<description><![CDATA[I mean jesus christ the men on this list are faced with potentially losing their job or being divorced.  Ms. Palfrey is facing prison time.  It's insane to think that prostitution is bad enough to throw Palfrey in jail for it but not bad enough to cause some guys to be embarrassed.  Unless the guys calling are on the record as supporting the legalization of prostitution I have no sympathy for their plight.]]></description>
			<content:encoded><![CDATA[<p>In an entertaining turn of events four Brandeis alums have pitched in and created a searchable interface to <a href="http://en.wikipedia.org/wiki/Deborah_Jeane_Palfrey">Madam Palfrey</a>&#8217;s phone <a href="http://deborahjeanepalfrey.com/Jeane10c.html">records</a>.  If you want to try a number for yourself head on over to <a href="http://dcphonelist.com/">dcphonelist.com</a> and once you are bored of that the story in the Hill about the project is worth a <a href="http://thehill.com/leading-the-news/brandeis-boys-come-to-d.c.-madams-rescue-with-website-of-phone-listings-2007-07-19.html">read</a>.  Apparently one <a href="http://www.madison.com/tct/news/202030">lobbyist</a> has already been outed through the site but given the <a href="http://blogs.abcnews.com/theblotter/2007/05/decoding_the_ma.html">difficulty</a>.  In case you aren&#8217;t familiar with the DC madam case so far I give a brief summary after the break.</p>

<p>Now some <a href="http://www.washingtonpost.com/wp-dyn/content/article/2007/07/12/AR2007071201622.html">people</a> seem to think that reporting on or distributing this information is immoral, as the sex lives of politicians should remain private, and others find this an unpalatable invasion of privacy.  Presumably this is the reason that ABC <a href="http://news.independent.co.uk/world/americas/article2516738.ece">refused</a> to identify any of Palfrey&#8217;s non-politician clients.  But this is mind bogglingly hypocritical.  I mean, Jesus Christ, the men on this list are faced with potentially losing their job or being divorced.  <strong>Ms. Palfrey is facing prison time</strong>.  It&#8217;s insane to think that prostitution is bad enough to throw Palfrey in jail for it but not bad enough to cause some guys to be embarrassed.  Unless the guys calling are on the record as supporting the legalization of prostitution I have no sympathy for their plight.</p>

<p>Every day the government takes away people&#8217;s freedom for no other reason than prudish moral disapproval<sup id="fnref:harms"><a href="#fn:harms" rel="footnote">1</a></sup>.  It is the people who don&#8217;t really believe prostitution (or drug use) is that bad (such as the johns) but stay silent out of ambition or fear of censure who are really guilty here, not Madam Palfrey.  None of us would defend the person who let an innocent man go to jail rather than reveal he was having an affair, and tacitly supporting the criminalization of prostitution is even worse.  You don&#8217;t even need to admit you have been to a prostitute to argue for its legalization.  Just like homosexuals working for gay bashing senators, these clients deserve to be punished for their hypocrisy if anyone does, and more importantly we ought to discourage this sort of hypocritical behavior.</p>

<p><strong>If we really knew the names of everyone who used drugs or visited prostitutes they would become legal within the week.</strong>  I&#8217;m hopeful the loss of obscurity (aka privacy) that everyone complains about will bring us to a point where this sort of hypocritical moralizing is no longer possible.</p>

<hr />

<p>In case you aren&#8217;t familiar with the situation so far, Ms. Palfrey ran Pamela Martin and Associates, an exclusive escort business in the Washington DC area, for the last 13 years and is now being charged with running a prostitution ring.  Of course she contends that her escort service only provided legal services and any sex her escorts might have had with clients wasn&#8217;t part of the service her business provided.  Since many of her clients were in government, some highly placed like Senator <a href="http://en.wikipedia.org/wiki/David_Vitter">David Vitter</a> and Deputy Secretary of State <a href="http://en.wikipedia.org/wiki/Randall_L._Tobias">Randall Tobias</a> (who has <a href="http://blogs.abcnews.com/theblotter/2007/04/senior_official.html">resigned</a> as a result), Ms. Palfrey had the brilliant idea of releasing all of her phone records, with the potential benefits of creating pressure to make the case go away or availing herself of a list of high profile individuals who would testify that no sex was involved.  Unfortunately for Ms. Palfrey the strategy seems to have been backfiring, as the exposed individuals seem to be fessing up or resigning.</p>

<div class="footnotes">
<hr />
<ol>

<li id="fn:harms">
<p>This isn&#8217;t to deny there are harms from prostitution or drug use but only that on net there are more harms in banning them than in regulating them.  Thus the choice to ban rather than regulate is a choice to hurt people just so you can feel morally righteous.&#160;<a href="#fnref:harms" rev="footnote">&#8617;</a></p>
</li>

</ol>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.infiniteinjury.org/blog/2007/07/23/dcphonelist-legalizing-prostitution-one-step-at-a-time/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Obscurity or Freedom</title>
		<link>http://www.infiniteinjury.org/blog/2007/02/01/anonymity-or-freedom/</link>
		<comments>http://www.infiniteinjury.org/blog/2007/02/01/anonymity-or-freedom/#comments</comments>
		<pubDate>Fri, 02 Feb 2007 03:00:16 +0000</pubDate>
		<dc:creator>TruePath</dc:creator>
				<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[anonymity]]></category>
		<category><![CDATA[Free Speech]]></category>
		<category><![CDATA[obscurity]]></category>
		<category><![CDATA[The Internet]]></category>

		<guid isPermaLink="false">http://www.infiniteinjury.org/blog/2007/2/1/anonymity-or-freedom/</guid>
		<description><![CDATA[The notions of privacy and obscurity are often confused.  Simply put privacy is the right to do things in secret.  Obscurity on the other hand is the ability to do things without them becoming widely associated with you.  If someone sneaks into your hotel room and watches you have an affair your privacy has been violated.  On the other hand if they just ask people who sat next to you on the bus whether you talked mushy with Suzie on your cell phone it's only obscurity that you have lost.]]></description>
			<content:encoded><![CDATA[<p>The notions of privacy and obscurity are often confused.  Simply put privacy is the right to do things in secret.  Obscurity on the other hand is the ability to do things without them becoming widely associated with you.  If someone sneaks into your hotel room and watches you have an affair your privacy has been violated.  On the other hand if they just ask people who sat next to you on the bus whether you talked mushy with Suzie on your cell phone it&#8217;s only obscurity that you have lost.</p>

<p>This distinction is important to make as it is privacy that is essential to both personal liberty and a democratic society, not obscurity.  It is the fact that the government doesn&#8217;t get to see the books we read in our homes that lets us learn what the unpopular side thinks during times like the Red Scare, not the ability to keep a lid on the mundane thrillers we read on the train.  Moreover, the success of early American democracy suggests that a free society can live perfectly well without obscurity, as the notion hardly exists in small towns, but that privacy is a bedrock value.  This doesn&#8217;t mean that the continued erosion of obscurity by technology poses no serious problems, indeed we may need to take steps to ensure this doesn&#8217;t allow the government to peer into our private sphere, only that it is foolish to assume that the only solution is to hold off our loss of obscurity.</p>

<p>This is lucky as in this age of increasing computational power and worldwide information networks maintaining obscurity is incompatible with individual freedom.  At the moment we might be able to buttress our failing obscurity by opposing anti-crime cameras in our cities and government attempts to build DNA databases but eventually increasing computational power will bring obscurity directly into conflict with personal freedom.</p>

<p>Even ignoring things like security systems and ATM cameras I probably walk past at least one public webcam every day, probably more, and who knows when I might appear in the corner of someone&#8217;s tourist picture.  Someday face recognition will become sufficiently advanced that you will be able to search the internet for pictures that show a particular individual.  Should we ban people from posting their vacation photos to flickr?  Do we pass a law against webcams, require a webcam license?  What then happens when wearable computers really become feasible?  Should the law stop me from having an assistant in my eyeglasses who reminds me of names I&#8217;ve forgotten?  Will we abridge free speech by banning me from posting who I run into every day?  I could continue but I think the point is clear.</p>

<p>Legally any attempt to preserve obscurity will run smack dab into the first amendment.  Even if we ban webcams and tyrannically clamp down on what can be done with security cameras, just a small percent of the population choosing to document who or what they see in public locales would be enough to eliminate obscurity.  We can&#8217;t ban the practices that will strip our obscurity because they differ only in degree from behavior we think deserves protection (relating your day, posting pictures, citizen journalism a la Rodney King).  Free speech will not abide quotas on the number of photos we can post or the number of people we mention having seen that day, leaving us with a choice between freedom and obscurity.</p>

<p>Obviously I think we should opt for freedom.  We can partially alleviate the loss of obscurity by stronger privacy protections (giving phone call logs and work email more protection).  Other harms are primarily the consequence of differential obscurity rather than obscurity itself.  Ironically I fear that efforts to prevent the loss of obscurity will leave governments and large corporations, which have the resources to analyze the information themselves, with a leg up on the average citizen who cannot.  If we accept that retaining obscurity is a lost cause and put our efforts to productive use ensuring that we retain a substantive private sphere and that the same rules apply to the powerful and powerless it is likely that the ill effects will be minimal.  We had better hope so since we don&#8217;t have any choice about it.</p>

<p>UPDATE (7/8/07): Replaced anonymity with obscurity throughout the post.  I think this is a much more accurate term.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infiniteinjury.org/blog/2007/02/01/anonymity-or-freedom/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Crazy Scary</title>
		<link>http://www.infiniteinjury.org/blog/2005/12/17/crazy-scary/</link>
		<comments>http://www.infiniteinjury.org/blog/2005/12/17/crazy-scary/#comments</comments>
		<pubDate>Sun, 18 Dec 2005 03:57:57 +0000</pubDate>
		<dc:creator>TruePath</dc:creator>
				<category><![CDATA[Privacy and Anonymity]]></category>

		<guid isPermaLink="false">http://www.infiniteinjury.org/blog/2005/12/17/crazy-scary/</guid>
		<description><![CDATA[Alright I don&#8217;t go in for all that tinfoil hat type stuff but this is really fucking scary.  Watch lists of books which get you visits from government agents, and not even guides to being a suicide bomber or other instructions to cause harm but Mao&#8217;s little red book.

Unless this report turns out to [...]]]></description>
			<content:encoded><![CDATA[<p>Alright I don&#8217;t go in for all that tinfoil hat type stuff but this is really fucking scary.  Watch lists of books which get you visits from government agents, and not even guides to being a suicide bomber or other instructions to cause harm but Mao&#8217;s little red book.</p>

<p>Unless <a href="http://www.southcoasttoday.com/daily/12-05/12-17-05/a09lo650.htm">this report</a> turns out to be a politically motivated hoax things are a lot more scary than I thought.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infiniteinjury.org/blog/2005/12/17/crazy-scary/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Would a National ID Card Increase our Privacy?</title>
		<link>http://www.infiniteinjury.org/blog/2005/11/11/would-a-national-id-card-increase-our-privacy/</link>
		<comments>http://www.infiniteinjury.org/blog/2005/11/11/would-a-national-id-card-increase-our-privacy/#comments</comments>
		<pubDate>Fri, 11 Nov 2005 17:37:59 +0000</pubDate>
		<dc:creator>TruePath</dc:creator>
				<category><![CDATA[Privacy and Anonymity]]></category>

		<guid isPermaLink="false">http://www.infiniteinjury.org/blog/2005/11/11/would-a-national-id-card-increase-our-privacy/</guid>
		<description><![CDATA[Instead of trying to fight a losing battle to prevent universal machine readable identification privacy advocates should get behind a well designed national ID.  As I argue below such an ID would actually increase our personal privacy in addition to providing several other benefits.  By supporting such a system privacy advocates can make sure it is built to protect privacy not to enable surveillance by law enforcement and corporations.]]></description>
			<content:encoded><![CDATA[<p>So originally I was going to write a post about the possibilities of electronic and internet voting.  After my voting card yesterday failed to work (someone told me each card contains many people&#8217;s votes can anyone confirm this?) I was inspired to write about how electronic and even internet voting can be done right.  Despite many people&#8217;s preconceptions some clever mathematical tricks like homomorphic encryption can make the whole system even safer than paper voting.  However, any successful internet voting scheme would require a national ID that was also a smart card.  So before I go on to talk about voting I wanted to thoroughly address the issue of national IDs.</p>

<p>While many people seem to regard the specter of a national ID card as a <a href="http://www.schneier.com/crypto-gram-0112.html#1">serious threat</a> to privacy and perhaps civil liberties, fewer people are aware that the <a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.00418:"> REAL ID act</a> effectively turns state drivers licenses into a national ID.  This approach has a great many <a href="http://www.schneier.com/blog/archives/2005/05/real_id.html">problems</a>.  However, just pushing back this legislation wouldn&#8217;t do much for privacy or identity theft.  Credit cards, drivers licenses, social security numbers and a hundred other forms of identification are easily used and stolen.  Surprisingly I think the best solution is to create a national ID card designed to respect privacy and prevent identity theft.</p>

<p>Instead of trying to fight a losing battle to prevent universal machine readable identification privacy advocates should get behind a well designed national ID.  As I argue below such an ID would actually increase our personal privacy in addition to providing several other benefits.  By supporting such a system privacy advocates can make sure it is built to protect privacy not to enable surveillance by law enforcement and corporations.
<span id="more-45"></span></p>

<h3>The Current System</h3>

<p>Admittedly national ID cards have long been the enemy of privacy concerns but this is more to do with implementation choices than necessity.  Usually national ID cards are designed at the behest of law and order types to make information collection as efficient as possible, not to protect privacy.  If instead a national ID card was specifically designed with privacy in mind it could actually decrease the amount of personal information revealed in everyday transactions compared to the current system.</p>

<p>Already our driver&#8217;s licenses contain <a href="http://www.turbulence.org/Works/swipe/barcode_faq.html">machine readable data</a> including your address, date of birth, and medical impairments among other things.  While not all state driver&#8217;s licenses are interoperable yet, at least 39 states use 2D bar codes which are easily read and recorded by one system.  Once REAL ID goes into effect it will be completely interoperable.  So in effect we already have something which resembles a <em>very bad</em> national ID system.  Pragmatically we are required to possess a state driver&#8217;s license with plaintext machine readable information on it.  If you have been to a club, fancy bar or a liquor store near a university lately you know that private businesses swipe your driver&#8217;s license, giving them any information available on that card.</p>

<p>The response that one can choose not to present or have a driver&#8217;s license is not a reasonable objection.  Privacy in this sense isn&#8217;t a kind of absolute right one can insist on but a pragmatic question about how easy it is for other people to collect publicly available information about you.  Most people don&#8217;t have a real choice about getting a driver&#8217;s license. I tried to go without one for a couple years but if I wanted to be a California resident for schooling purposes I <em>had</em> to either get a driver&#8217;s license or a state ID which is really the same thing but without the right to drive a car.</p>

<p>The fact that a few people can refuse to use such identification is really irrelevant.  If it is only .1% of the population who chooses not to use these privacy infringing forms of identification, businesses, governments and the like can require them to fill out long forms or present other documentation to receive services.  Since it is only .1% of the population the extra expense and inconvenience would not be prohibitive to the organizations requiring the identification.  Ultimately the privacy we are talking about here exists only because it is too difficult or expensive for the government or corporation to collect the information in question.  If only a few people refuse to make this information easily available the government or corporation can just pay (or make you pay) to get this information anyway.  In other words the notion of privacy in question here is a <em>collective</em> good and not an individual one and any system which doesn&#8217;t treat it as such is doomed to fail.</p>

<h3>Advantages of a National ID</h3>

<p>Alright, so in the current system privacy isn&#8217;t looking so good but what can a national ID do to help the situation?  If designed correctly such an ID card could <em>only</em> indicate identity (and perhaps age for liquor convenience) unless the user authorized the release of more information.  That is a well designed national ID could stop us from leaking unnecessary information with every transaction.  Moreover, as a government issued document additional rules protecting privacy can be required as a condition of use by businesses or other information aggregators without infringing on free speech rights.</p>

<p>Additionally a national ID could have serious economic benefits and reduce the risk of identity theft#[idtheft].  At the moment we carry many forms of identification, just a few of which need to be compromised to engage in identity theft.  A well designed national ID card could replace all these other IDs, credit cards and other identity documents, resulting in significant savings to the economy.  Additionally since it is replacing many cards the national ID card itself need only be less expensive than all these other forms of ID put together to be economically beneficial.</p>

<p>The most significant benefit would be the additional convenience and entirely new applications a national ID could allow.  Rather than carry around a student ID, credit cards and building entrance keys one could just keep one universal ID in your pocket.  Since such an ID would be useless to anyone without the passcode or biometric features, accidental loss of your wallet would be much less horrible.  With an additional computer interface such a national ID card could allow identification and perhaps even secure communication over the internet.  Not only would this make online banking and financial transactions a lot more secure but it could also allow internet voting.</p>

<p>One thing a national ID would not do is make the country significantly more secure.  For political reasons this has been one of the primary arguments for a national ID in both the US and UK despite making little sense.  As far as I know there wasn&#8217;t a single forged document used in 9/11 or any other recent terrorist incidents.  The weak link in preventing terrorism is <strong>not</strong> identifying bodies with names but rather identifying which people are likely to be terrorists.  Plausibly a massive government surveillance system which maintained a database of what books you bought and where you shopped could improve our security at a severe cost to privacy but this is a completely different issue than a national ID card.  As I will argue below the government could easily implement such a system already without a national ID making the entire discussion irrelevant to the national ID debate.  In short on this point <a href="http://www.schneier.com/crypto-gram-0402.html#6">the critics</a> are right, a national ID does nothing for national security.</p>

<h3>Debating the Disadvantages</h3>

<p>There are two primary concerns about national IDs, privacy and identity theft.   I argued above that the current situation regarding privacy is already pretty bad and that a well designed national ID could reduce the amount of information we leak.  However, it is worthwhile to address the particular concerns raised about a national ID.  While many of these concerns are legitimate I will show how a well designed system need not suffer from them.</p>

<p>The first kind of privacy concerns raised in objection to a national ID relate to the information collected when the card is used.  While above I pointed out that a well designed national ID would leak less information per transaction than our current patchwork system of state IDs and credit cards one might worry that the ubiquity and ease of use of a national ID would further infringe on our privacy.  If instead of credit cards we swipe our ID and instead of using our building key card we swipe our national ID doesn&#8217;t this mean all our purchases and many of our movements can be tracked?</p>

<p>Indeed it does mean this but this is only an argument against a national ID if one has an unrealistic idea of the amount of anonymity we possess in the current system.  All of the applications a national ID card might be used for already uniquely identify the user.  The RFID card keys to buildings usually have a unique ID which can be easily looked up in a database to recover the user&#8217;s identity.  Credit cards, driver&#8217;s licenses and other forms of ID by their very nature uniquely identify the user (or at least account) in question.  Small snippets of computer code and a database lookup let any merchant or institution gain just as much or more information than would be provided by a national ID.  Given the inevitable computerization of nearly all record keeping systems and the market value of consumer information it would be silly to think that the minor difficulty in writing different code for each type of ID is going to keep corporations or other institutions from consolidating all this data about us.  In fact by making all the different ways we can be monitored more apparent a national ID may in fact encourage privacy protecting regulation.</p>

<p>A second and more compelling privacy concern is the information a national ID card might make available to the government.  For instance a serious <a href="http://en.wikipedia.org/wiki/British_national_identity_card#Privacy_concerns">concern</a> about the proposed <a href="http://en.wikipedia.org/wiki/British_national_identity_card">British national identity card</a> is that it would give the government access to the fingerprints of every UK national.  As this record of fingerprints could be used in police investigations and enable other types of information gathering it is a significant issue.  Additionally the British ID comes as part of a package with a <a href="http://en.wikipedia.org/wiki/British_national_identity_card#Privacy_concerns">National Identity Register</a>, a giant database which would collect information about card holders including the particulars of every record lookup.</p>

<p>Admittedly I have serious concerns about the British system but none of these flaws is inherent in a national ID card.  Rather than giving reasons to oppose a national ID these flaws demonstrate the harm of letting such a system be designed without sufficient input from the pro-privacy lobby.  The concern about fingerprint records is easily avoided by using retinal scans instead of fingerprints for the biometric identification (with password fallback for those without eyes).  As a retinal scan is not the sort of thing one leaves lying about after you leave like fingerprints, the privacy implications are minimal.  Besides, the retinal scan solution avoids the <a href="http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm">messy possibilities</a> of theft in a world where your finger is the key (it should be easy to ensure that unconnected eyeballs do not work).</p>

<p>The database worries are either already present in our current system or avoidable.  The concern that a national identity database would allow government organizations or even corporations to cross reference all their information about a citizen is not unique to an ID card.  Your social security number already allows this kind of centralized indexing and any government agency with enough information to uniquely identify you can easily recover your social security number (at least in principle, perhaps it is legally prohibited but similar legal protections could be installed with a national ID).  In fact the very notion of establishing your identity is to uniquely identify yourself so <em>any</em> effective identification scheme, be it credit cards, driver&#8217;s licenses or a national ID card, allows this scary sort of data aggregation.  Blocking a national ID scheme not only does not protect us from this computer aided big brother scenario but may make it more likely by giving people a false sense of security.</p>

<p>Finally we come to the <a href="http://quote.bloomberg.com/apps/news?pid=10000102&amp;sid=a7DltmImQUYE">concerns about identity theft</a>.  Above I argued that a well designed national ID would significantly improve the situation with respect to identity theft by incorporating more security features into the card as well as enabling identity verification across the internet for applications like banking security.  The critics contend that a national ID card would actually make identity theft easier as only one ID needs to be targeted.  Furthermore they allege the increased trust placed in such an ID would make the consequences of identity theft worse.</p>

<p>While perhaps on target in the British case these arguments do not generalize to all national IDs.  The &#8216;single point of failure&#8217; argument presupposes it is easier to compromise the national ID card than it is to compromise several current forms of ID together.  I don&#8217;t know if this is true in the British proposal but it is doubtful this must hold generally.  In many security situations one <em>is</em> better off putting all your eggs in one basket.  When using public key encryption to establish identity it is significantly more secure to spend 5 seconds creating one large key than it would be to spend 1 second each to create 5 keys each of which must sign a message to consider it authentic.  In fact this is the central fact which makes cryptography work: a linear growth in resource usage by the user corresponds to a more than linear growth in the resources needed by an attacker.  I think it is quite probable that a similar relationship exists in terms of identity documents, meaning we would be better off putting all our eggs <em>and</em> resources in one basket.</p>

<p>Moreover, the &#8216;single point of failure&#8217; argument is only convincing if the current system does not have a single point of failure.  While it might be possible to use the many IDs we all carry in a way which provided redundant checks in reality we use them in exactly the opposite fashion.  It is fairly easy to take a few pieces of information and do some fast talking to acquire the other forms of ID.  A criminal with just our driver&#8217;s license can easily read off our address and use that information to steal a bill from our mailbox.  The two of which together are enough for them to convince almost any government agency to issue a new ID.  Until we put passcodes in our IDs or add biometric identification our identification system <em>must</em> be weak like this if we don&#8217;t want a lost wallet to be a major catastrophe.</p>

<p>The above considerations point out that we are probably drastically overestimating the reliability of our identification methods already.  This suggests that worrying about placing too high a confidence in our methods of identification is like worrying about the barn door after the horse has left.  Still one might argue that a new national ID card would increase confidence more than it would increase actual reliability.  I don&#8217;t think this is the case but at worst it merely tells us not to play up the national ID as some sort of perfect fix and nothing about the utility of the actual ID card itself.</p>

<h3>What a Good System Might Look Like</h3>

<p>All my arguments above come to nothing if it isn&#8217;t possible to build an ID card with the features I described.  Thus a description of how such a system might work is in order.  In its most basic form a national ID would be some type of smart card with your picture and name on it and maybe some anonymous email account (so it can be returned if lost) but no address or other information.  When inserted into the card reader and presented with the correct user PIN it would respond with a name and unique identification number and prove that these belonged to the card.  It could do this many ways but one way would be to sign both the name and number combination and a fresh challenge token supplied by the reader with a secret <a href="http://en.wikipedia.org/wiki/Public-key_cryptography">private key</a> embedded in the smart card.  Since the corresponding public key would be publicly known the reader could verify the signature and hence that the card was telling the truth about its rightful owner, and because the challenge is fresh each time a recording of an earlier response is useless to an impostor.  While quite simple this system could be quite secure and is still usable remotely (over the internet).</p>

<p>In the very simple system I mentioned any institution wishing to use the system would have to store its own data.  In other words each agency making use of this type of identity would only have as much information as you give them (or they otherwise acquire).  While this sounds good in theory it does have some drawbacks in practice.  If you want to verify that you are over 21 how do you do that?  The obvious answer is for someone like the state to maintain a database attesting to various people&#8217;s ages.  Unfortunately this effectively lets whoever runs the database track your liquor purchases by recording when your record is acquired from the database.  The efficiency of any tracking scheme can be reduced by transmitting segments of the database and caching them but this is no guarantee against powerful statistical methods.  An in-principle solution using homomorphic encryption (which I will discuss in an upcoming post) is possible but as it requires transferring something on the order of the square root of the database size on each lookup it is probably not practical.  Besides, trusting the merchants to protect our privacy from the state may not be the wisest course of action.</p>

<p>A slightly more complex system can easily deal with this issue.  Instead of only one PIN each person now needs three (or more depending on how much you want the ID card to do), one for each level of access.  In response to the first PIN the smart card would merely verify the ID number and name of the card holder and perhaps whether he was over 21.  In response to the second PIN it would reveal everything the first revealed plus basic information about your address and driving status.  The third would reveal enough information to display your various enabled credit cards (e.g. your account numbers).  This negates the need for any more state databases than we have today#[keydb].  Sure, remembering three different PINs might be a bit of a pain but as it would replace your ATM PIN and all the other cruft in your wallet it seems a small price to pay.</p>

<p>Finally if one wished to make the system even more resistant to identity theft one would add biometric identification.  In a well designed system biometric identification would <em>not</em> require a query of some government database.  Rather, the retinal scan of the card owner would be stored on the card itself.  The card could then have two types of identity verification, with and without biometric identification.  In addition to the functionality described above such a card would (perhaps only if the second or third PIN is entered) also verify whether or not a particular retinal scan belongs to the card owner (or perhaps relay a stored retinal scan to the card reader so the computational work can be done there).  Unless you find the arrangement of blood vessels in the back of your eye deeply private this situation would be an improvement over the current system both in terms of privacy and identity theft.</p>

<p>Additionally a few extra features might be included to enable entirely new applications.  By including some additional secret in the smart card known only to the card and the government, not only can identity be verified remotely but one can create an encrypted communication channel between the government and the machine reading the card known to be free of man in the middle attacks#[mim].  This would potentially open the door for internet voting and other secure governmental transactions over the internet.  A slightly more sophisticated approach would equip each ID card with its own private key with the government keeping a record of the public key.  The ID card would then identify itself using its public key as its unique ID, communicated whenever the card is used.  This lets banks and other institutions create a secure connection with the user as well as creating significant protection against identity theft.  Since the card itself would provide its public key there would be no need for these institutions to query the government database.</p>

<p>Other useful additions are possible as well.  Perhaps a cryptographic signing feature could be included, making electronic signatures far more reliable than their physical counterparts.  Likely there are a hundred other applications that haven&#8217;t occurred to me.</p>
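<p>The exchange the last few paragraphs describe, as an added example that is not part of the original post: a card that proves whose it is by signing a fresh challenge from the reader, three PINs that unlock three levels of disclosure, and a reader that needs nothing from the state but the issuer&#8217;s public key.  It departs from the [keydb] footnote in one respect.  Rather than one government secret hidden in every card, each card carries its own key pair and the state signs, for each disclosure level, a record covering that level&#8217;s attributes together with the card&#8217;s public key.  A secret shared by every card would be compromised for all of them the moment one card was torn apart, and any verifier would have to hold it too, whereas here readers hold only public keys, which is the static, update-only list the footnote wants (turning the single <code>Issuer</code> field into a list of trusted issuer keys is straightforward).  The <code>Record</code>, <code>Card</code>, <code>Reader</code> and <code>Response</code> types, the PINs and the attribute strings are all constructed for the example, and Ed25519 from Go&#8217;s standard library stands in for whatever signature scheme a real card would carry.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is an issuer-signed attribute bundle, one per disclosure level; recordBytes binds it to the card's key.
type Record struct {
	Attrs string // constructed canonical encoding, e.g. "id=A1;name=Jane Roe;over21=1"
	Sig   []byte // issuer's Ed25519 signature over recordBytes(level, cardPub, Attrs)
}
func recordBytes(level int, cardPub ed25519.PublicKey, attrs string) []byte {
	return append(append([]byte{byte(level)}, cardPub...), attrs...)
}

// Card is the smart card itself: its own key pair, the PINs and the issuer's records, nothing central.
type Card struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	pins    map[string]int // PIN -> highest level it unlocks
	records []Record       // records[i] is level i+1
}

// IssueCard generates the card's own key pair and has the issuer sign one record per level.
func IssueCard(issuerPriv ed25519.PrivateKey, pins map[string]int, attrs []string) *Card {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := &Card{pub: pub, priv: priv, pins: pins}
	for i, a := range attrs {
		c.records = append(c.records, Record{a, ed25519.Sign(issuerPriv, recordBytes(i+1, pub, a))})
	}
	return c
}

// Response is the card's answer: its public key (also its unique ID), the unlocked records and its signature over responseMessage.
type Response struct {
	CardPub ed25519.PublicKey
	Records []Record
	Sig     []byte
}
func responseMessage(nonce []byte, pub ed25519.PublicKey, recs []Record) []byte {
	msg := append([]byte{}, nonce...)
	for i, r := range recs {
		msg = append(append(msg, recordBytes(i+1, pub, r.Attrs)...), r.Sig...)
	}
	return msg
}

// Authenticate: the PIN selects the disclosure level; the card signs the reader's fresh nonce over exactly those records.
func (c *Card) Authenticate(pin string, nonce []byte) (*Response, error) {
	level := c.pins[pin] // 0 for an unknown PIN
	if level == 0 || level > len(c.records) {
		return nil, errors.New("wrong PIN")
	}
	recs := append([]Record(nil), c.records[:level]...)
	return &Response{c.pub, recs, ed25519.Sign(c.priv, responseMessage(nonce, c.pub, recs))}, nil
}

// Reader holds the issuer's public key and one outstanding challenge; it never queries a central database.
type Reader struct {
	Issuer ed25519.PublicKey
	nonce  []byte // last challenge issued, cleared as soon as it is answered
}
// Challenge issues a fresh random nonce; Verify accepts an answer to it exactly once.
func (r *Reader) Challenge() []byte {
	r.nonce = make([]byte, 16)
	rand.Read(r.nonce)
	return r.nonce
}

// Verify: a challenge must be outstanding, the card must have signed it, and the issuer every disclosed record.
func (r *Reader) Verify(resp *Response) (map[int]string, error) {
	if r.nonce == nil {
		return nil, errors.New("no outstanding challenge: answer replayed or never requested")
	}
	msg := responseMessage(r.nonce, resp.CardPub, resp.Records)
	r.nonce = nil
	if len(resp.CardPub) != ed25519.PublicKeySize || !ed25519.Verify(resp.CardPub, msg, resp.Sig) {
		return nil, errors.New("card key or signature invalid")
	}
	attrs := map[int]string{}
	for i, rec := range resp.Records {
		if !ed25519.Verify(r.Issuer, recordBytes(i+1, resp.CardPub, rec.Attrs), rec.Sig) {
			return nil, fmt.Errorf("level %d record not signed by the issuer", i+1)
		}
		attrs[i+1] = rec.Attrs
	}
	return attrs, nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	card := IssueCard(issuerPriv, map[string]int{"1111": 1, "2222": 2, "3333": 3}, []string{"id=A1;name=Jane Roe;over21=1", "addr=1 Main St;driver=1", "acct=4111"})
	bar := &Reader{Issuer: issuerPub}
	resp, _ := card.Authenticate("1111", bar.Challenge())
	fmt.Println(bar.Verify(resp)) // map[1:id=A1;name=Jane Roe;over21=1] <nil>; a second Verify(resp) is refused
}
```

<p>Running it prints <code>map[1:id=A1;name=Jane Roe;over21=1] &lt;nil&gt;</code>: the level-1 PIN releases only the level-1 record, the address and account records never leave the card without the matching PIN, and presenting the same response a second time fails because the challenge it answered has been consumed.  Checking the issuer&#8217;s signature over the card&#8217;s public key is what stops a record from being copied onto a different card, and because the reader checks signatures rather than querying anyone, the state learns nothing about where the card was used.</p>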

<h3>Conclusions</h3>

<p>I think I have firmly established that it is possible to create a national ID which actually increases our privacy protections while providing a convenient and reliable means of identification.  The only remaining worry is the cost of such a system.  A smart card designed to be both secure and perform public/private key encryption would be quite expensive compared to our normal forms of identification.  I think in the long run a national ID would be cheaper than all the money we spend on our redundant forms of identification, certainly so if we include the savings from increased protection against identity theft.  Still it would be transferring what are currently private expenditures made by credit card companies to the government and would require that we pay all the costs up front.</p>

<p>I think the possibilities a smart national ID opens up in terms of internet security and identification are worth a pretty steep cost.  Others may not agree with me but fiscal objections to an identity card are a very different beast than privacy concerns.  From a tactical standpoint it still seems that privacy advocates would be better served by getting behind a well-designed national ID rather than trying to stop the inevitable.  In terms of privacy and identity theft the system we have currently is pretty bad and getting worse.  Only by having significant input on the next generation of IDs can privacy advocates achieve something useful.  It is a lot easier to influence the direction of a national ID if you are willing to support a well-designed version than if you are going to oppose it no matter what.  If the well-designed national ID gets killed for fiscal concerns you are no worse off, and quite possibly in a better political position, than you were before.</p>

<p>So despite the conventional wisdom I think privacy advocates should get behind a national ID scheme.  I think common machine-readable identification is inevitable, and I would much rather have it designed by people sensitive to privacy than by the law-and-order types.</p>

<hr />

<p>[idtheft]: Some <a href="http://www.schneier.com/blog/">people</a> (sorry, couldn&#8217;t remember the actual post) would argue that the epidemic of identity theft is mostly the result of the lax policies of financial institutions in checking identification.  This is correct; however, the reason financial institutions do not use a more secure system is the inconvenience to the customers as well as the expense of maintaining such a system.  A national ID with the appropriate features would provide a secure and <em>convenient</em> method of identification, encouraging the financial companies to make use of it.  In other words, most of the benefit of a national ID with respect to identity theft is not a result of the inherently more secure means of identification but instead the convenience and universality of this identification.</p>

<p>[keydb]: One might still be worried about queries to whatever database stores the public/private key pairs.  However, this is only necessary if each card has its own private key.  All that is really necessary is one government secret key hidden in each smart card to verify that the card is a valid government ID.  Of course, to prevent the cards from having a single point of failure it would probably be best to keep a couple hundred private government keys and equip each card with a few randomly selected keys from this set.  Thus if any one key is compromised the card would not be rendered useless.  Since this is a static list of public keys it would not require any government-maintained database for merchants to query.  Rather, each card reader would be shipped with the list of valid public keys and would only need to communicate with the state to receive updates about compromised keys, i.e., it would only receive information, not send it.</p>

<p>[mim]: A <a href="http://en.wikipedia.org/wiki/Man_in_the_middle_attack">man in the middle attack</a> is a means by which an adversary who can control your internet connection can foil encryption.  In essence the attacker inserts himself between the two parties and pretends to each that he is the other party.  As an example, suppose Alice is trying to securely interact with a government service over the internet.  She sends a message to the government server asking to initiate a connection.  The attacker, call him Peter, intercepts Alice&#8217;s communication and forwards it to the government server himself as if it had come from his machine.  The government and Alice now try to negotiate a shared key to encrypt their conversation from eavesdroppers.  However, since Peter is intercepting all their messages, what really happens is that Alice creates an encrypted channel to Peter thinking he is the government, and Peter creates an encrypted channel to the government, which thinks he is Alice.  Now when the government tries to verify that it is really talking to Alice it sends out a challenge token over the encrypted channel.  Except instead of being sent to Alice it is really sent to Peter, who in turn forwards it to Alice.  Alice successfully responds to the challenge and Peter forwards this response to the government, which now thinks it is talking to Alice.  At this point Peter could stop relaying information from Alice and successfully impersonate her to the government.  If Alice and the government share a secret they could use this information (without revealing it) to negotiate an encrypted channel which is immune to this attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infiniteinjury.org/blog/2005/11/11/would-a-national-id-card-increase-our-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
