Random Oracle

August 19, 2008

Identity as externality: Trustbearer, CAC, eID

Filed under: Internet, economics, identity, privacy — cemp @ 9:11 pm

TrustBearer has become the first public demonstration of an idea this blogger first described in a ThinkWeek paper in 2006: identity management systems create positive externalities. Once built for a purpose, they are often easily extended, adopted or co-opted for completely different objectives. This pattern predates the Web, PKI and even the development of modern computing systems. The classic example is the social security number. Originally introduced by FDR’s New Deal-era Social Security Administration for the purpose of administering benefits, it has become the de facto identifier for everything from credit rating agencies to some badly designed online banking websites; Fidelity originally used the SSN as “username” but later changed the system to allow for choosing nicknames. Driver’s licenses were introduced to control who can drive vehicles on public roads. When laws introduced a minimum drinking age and imposed penalties for serving minors, bars found it the natural choice for deciding who gets to order drinks. (A bartender in Seattle once declined to serve this blogger due to an expired driver’s license.)

Not all of these extensions are necessarily good ideas. In particular the re-purposing of the social security number from a simple identifier into a credential– something that proves identity, never intended in the original design– created the current identity theft mess. In another example, RFID tags are a primitive identity management system designed for tracking inventory; the tag identifies the object it is attached to. But when the tags are not deactivated after the goods are sold to consumers, they can be repurposed for tracking people. Each tag emits a constant identifier that can be scanned by anyone with the appropriate transmitter and receiver set up, allowing tracking of individuals in physical space.

Occasionally unofficial extensions to an identity system provide unexpected benefits. Typically there is a very large upfront investment in deploying a system, driven by a well-defined objective. But once the system is built, adding one more person who can use it, or one more website which uses that system for authentication, has a small marginal cost. Take for example the Common Access Card or CAC, soon to be replaced by the PIV. These are both PKI systems managed by the Department of Defense, for the purpose of controlling access to systems with national security implications. But once the PKI deployment is operational and individuals have been issued their cards and smart-card readers, those credentials can be used for purposes completely unrelated to the defense sector. Case in point: TrustBearer’s OpenID service accepts CAC/PIV cards for authentication to any OpenID-enabled relying site. DoD certainly did not design the system for employees to check their personal email accounts or write blog comments in their spare time. But given that the smart-cards were already out there in the hands of users, it was a no-brainer for TrustBearer to accept these credentials for strong authentication. Any other website could have done the same: called “SSL client authentication,” the underlying functionality has been supported by web browsers and web servers in some fashion since the late 1990s. The user interface may be clunky because it is rarely seen outside the enterprise context, but all it takes is tweaking some settings in IIS or Apache. The Department of Defense created a positive externality for all websites.

Design matters of course: some technologies are far more amenable to being re-purposed this way. For example, Kerberos is inherently a closed system: adding another relying party requires coordinating with the people in charge. Public-key infrastructure is open by design: once a digital certificate is issued, people can use it to authenticate anywhere. There are still gotchas: revocation checking imposes costs on the identity provider (adding another relying party is not a free lunch when it is hammering the system with revocation checks) or it may not work at all for an entity “outside” the official scope. Some new protocols such as OCSP stapling address that by making freshness proofs portable. More important is the question of acceptable use policy. Just because the cryptography works out does not mean that the official owner of the identity system will approve the creative re-purposing.
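As an added illustration, not taken from the original post or from TrustBearer, here is roughly what that Apache-side “tweaking” for SSL client authentication looks like, with the revocation-checking trade-off from the paragraph above spelled out in the same file. The file paths and the issuer organization name are placeholders; the directives are mod_ssl’s, and the OCSP and chain-check ones exist only in Apache 2.3 or later.

```apache
# Added example: accepting smart-card (CAC/PIV, eID) certificates on an
# ordinary Apache mod_ssl site. All file paths are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/private/site.crt
    SSLCertificateKeyFile /etc/ssl/private/site.key

    # The "externality": trust the issuing CA(s) of credentials that
    # somebody else paid to deploy. Only the roots and intermediates
    # you intend to accept belong in this bundle.
    SSLCACertificateFile  /etc/ssl/accepted-issuers.pem
    SSLVerifyClient require
    SSLVerifyDepth  3

    # Revocation, the caveat. A CRL is downloaded on your own schedule
    # (e.g. a cron job refreshing this file) and costs the issuer nothing
    # per login; "chain" also checks the intermediates (Apache 2.4).
    SSLCARevocationFile  /etc/ssl/accepted-issuers.crl
    SSLCARevocationCheck chain

    # A per-handshake OCSP query to the issuer's responder is the
    # "hammering" of the identity provider described in the post, and
    # may simply be refused for relying parties outside the official
    # scope. Left off here; enable only with the issuer's agreement.
    # SSLOCSPEnable on

    # Hand the verified certificate subject to the application instead
    # of inventing a password: the DN (or a SAN) becomes the username,
    # available as SSL_CLIENT_S_DN in the request environment.
    SSLOptions +StdEnvVars +ExportCertData

    <Location /login>
        # Optional narrowing: only certificates issued under one
        # organization's namespace (placeholder value).
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Issuing Organization"
    </Location>
</VirtualHost>
```

The application behind /login still has to map the certificate subject to an account and decide what that externally issued identity is allowed to do; mod_ssl only proves who holds the card.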

That brings us to the European eID deployments. These are national ID systems, with the cards containing PKI credentials. Here is one case where a PKI based system funded by tax-payer money is built with the express intent that anyone can use it for authentication to their service. (This is what governments do after all– they generate externalities, much to the chagrin of libertarians.) Not surprisingly eID cards are also accepted by TrustBearer– specifically Belgian eID. This is an even greater externality because there are bound to be many more of them in existence even today, and this will only improve over time as other EU governments make progress on their deployment. On the other hand, the precedent for using eID online is scarce and chances are most users lack the required card-readers and drivers, while the CAC/PIV users already use their cards regularly in a professional context.

cemp

June 30, 2008

Charter and Project Canoe: one step forward, two steps back

Filed under: Internet, markets, oped, privacy — cemp @ 8:50 am

Charter Communications announced that it was canceling a controversial plan to sell advertisers information about the web usage patterns of customers. The plan had sparked backlash from privacy advocates, soon spreading to regulatory agencies, culminating in the Connecticut Attorney General formally asking Charter to throw in the towel. As CNN/Money reports, the market barely shrugged, sending the stock down a mere 3.5%, leaving it trading well above its 52-week low. All of that effort for nothing? Once the dust settles, Charter may be remembered for successfully generating free PR (but not necessarily of the desirable variety) and positioning itself as an ISP ready to make aggressive, ill-advised moves in the name of monetizing existing subscribers with complete disregard for privacy.

With the ink on that story barely dry, another news item from Reuters reports on privacy concerns about US cable providers teaming up to mine the TV viewership data of their subscribers. Objective: stop the advertising revenue from shifting over to the web. Individual targeting is the main differentiating factor for advertisement on the web, whether this is done by profiling users over time or derived from point-in-time context, such as a search query. By contrast mass media suffers from its “broadcast” nature where many people by definition will see the same content. The ability to tailor the message to the audience is very crude by comparison, despite heavy investments to improve that over the years. For example today a newspaper can target a particular zipcode– it is possible to get the New York Times to print a full page ad but only for certain zipcodes in Manhattan. Impressive as that sounds for an old school newspaper, this is primitive compared to the level of customization on the web.

There are two pieces to the puzzle: the first one is being able to understand the audience better and the second one is being able to deliver unique, personalized content for each subscriber. Digital cable in principle already solves the second problem. Unlike analog systems where all channels are delivered to the user at all times and a “tuner” picks out the particular one, with digital cable the subscriber’s set-top unit requests a particular channel from the provider. That also allows solving the first problem: getting to know the subscriber. DVRs were the first devices with visibility into everything a user is watching and the ability to call home with this information. TiVo unwittingly created the first privacy scare over DVR tracking by commenting on the 2004 Super Bowl. Cable providers have long been able to derive similar conclusions. (The DVR does have an advantage in that it can report on multiple views, including the number of times a recorded program is watched and when. But then again many DVRs today are bundled with cable packages and cobranded by the provider, so it is not clear who is calling the shots on the device logic.)

With both pieces in place, what remains is creating the platform. Enter Project Canoe. Backing this new initiative are Time Warner, Comcast, Cox, Cablevision — and Charter. From a privacy perspective there is good reason for concern. The extent of data mining is unclear. A key question is whether it will be limited to TV content. Several of these companies are both cable providers and broadband Internet providers. Charter crossed the line once before backing down. The current attitude is summed up in this quote:

“The cable industry is betting that full disclosure to subscribers about the information being collected, the ability for them to opt out, and the attraction of more relevant ads would help overcome potential misgivings.”

The problem is that few people read the disclosures and even fewer understand the extent of data collection and its implications well enough to make an informed decision on whether this practice is consistent with their personal values on privacy. Even among users who decide to take issue, some fraction will be deterred by the difficulty of the opt-out process. Quoting an analyst about the initiative, the article concludes:

“It’s all but certain that the cable operators will have to set a third-party clearing house for information to safeguard privacy concerns,” Moffett said.

The article does not speculate on which independent entity would be stepping up to the plate for that role. In general the idea of trusted third parties safeguarding information is very attractive in principle, but so far there have been no takers. Even the organizations trying to offer a much simpler service, third-party verification of privacy practices, have been dogged by skepticism about their effectiveness.

cemp

June 22, 2008

3G iPhone and location privacy

Filed under: Internet, privacy, review, software — cemp @ 9:29 am

An article from New York magazine rediscovers the age-old problem of location privacy in mobile devices. Titled “iTagged: get ready for the stalkverse,” the alarmist piece vividly attempts to describe the dangers of having everyone else learn about our location:

Technology was certainly not supposed to know you were at the laundromat. Or the Yankees game. Or your co-worker’s apartment when you were supposed to be working late. But now when you’re at the laundromat, everyone will know.

All true, but this is not a new problem being introduced by the iPhone. It is not even being aggravated by the phone having GPS. Global Positioning System sounds like a very neat feature but remains largely a red herring from the privacy point of view, because it is neither necessary nor sufficient for tracking. It is not necessary because mobile operators have been legally required by the FCC to be capable of locating their subscribers by triangulating a position from cell phone towers. Dubbed enhanced-911 or E911, these regulations had a very simple objective: knowing where to send the ambulance, fire engine and police car when a 911 call is received. While the USA lagged and to this day continues to lag Europe and Japan in wireless adoption, the FCC correctly predicted that in the future more and more calls would be placed over phones that were not bound to a fixed location that could be looked up in the phone directory.

Not surprisingly the reception was mixed. Privacy advocates feared that the capability could be used for tracking individuals without oversight. (One ancient article from Infoworld points out that judges must approve any law enforcement access to location data.) Public safety groups pointed to scenarios where E911 was used to locate individuals in kidnapping cases and even urged users to change the settings on their phone to enable location at all times. These regulations were phased in over time, requiring that 95% of handsets sold in 2005 be capable of radiolocation. Considering that the average lifetime of a handset is 18 months, a reasonable assumption is that all phones in use today support the feature. No GPS required.

GPS is also not enough because it requires line of sight to satellites– forget about it working indoors– and can be frustratingly slow to develop an initial fix. At best GPS adds to tracking capabilities when the subscriber is attending Burning Man, out of the range of cell phone towers. Of course without reception the phone has no way to report back the location to the would-be stalkers in real time, but presumably it could store that information for future upload when the handset has service again.

Where the iPhone could have a disruptive effect is the integration of the feature and its social acceptability. Some handsets today allow using the phone for driving directions, with real-time position information, placing the carriers in direct competition with dedicated GPS units such as Garmin. A few carriers such as Nextel directly advertise tracking as a feature for fleet management. These are strictly business applications; phones are carried by employees in charge of some asset that is owned by the company, and the intention is tracking the asset more than the individual. The poster child is the trucking company with 18-wheelers criss-crossing the country that wants to know exactly where each truck is so they can re-route the one closest to Dubuque to pick up another load.

The iPhone is strictly a consumer technology and one that defines the cutting edge. The moment a popular application comes along that requires the user to opt in to location tracking, it will create social pressure for others to do the same. It will define the new standard for what is “acceptable” for location privacy. This is the main takeaway from the article:

Because you’ll be letting them know. Maybe not yet; you’re still shy, and think the laundromat is boring. But in a year or two, when everyone is doing it, that shyness will start to seem stupid. It will begin to seem rude not to tell—I mean, what’s wrong with the laundromat?

And some predictions for awkward consequences:

The initial etiquette screwups are going to be exquisite: not just the stalking, but the brand-new form of snubbing where you can see your friends gathering without you. You’ll feel wildly self-conscious for about six months. But soon it’s all going to seem normal and automatic.

Such a race to the bottom is not unknown in privacy. The moment people started putting their personal lives up for display on Facebook, it created pressure on others to become even more transparent. How long until there is a Facebook gadget that charts your location on a map? Forget about Dopplr and depending on the user to diligently report their wanderings; the next web 2.0 application with no regard for privacy can tap into that information straight from the iPhone.

cemp

May 31, 2008

CFP2008: Deep thoughts on deep packet inspection

Filed under: Internet, oped, policy, privacy, risks — cemp @ 8:58 pm

DPI came up in the Friday morning discussion of network neutrality and when exactly an ISP has crossed the line. There is a material distinction between “content” and “meta-data” of communications. For example the rules around a pen register / trap-trace are different and more stringent than those governing a full wiretap. For IP communications, the parallel to a phone number is the header of an IP packet, which might describe its destination, how much data it contains and perhaps hint at the protocol. Looking past that into the payload of the packet is what can be termed “deep packet inspection.”

On the panel it was pointed out that DPI was simply not commercially feasible until recently. The hardware required to look at every packet flying by on a high-speed gigabit link is not exactly stocked at the local BestBuy. According to David Reed, initial demand was driven by intelligence applications. But Moore’s law does not discriminate between military and commercial use. As soon as the capability was within striking distance for large ISPs, people started looking for ways to capitalize on it: in other words, a solution in search of a problem. As with most of these contrived, artificially created uses of technology that start from the ISDN position (“innovations-subscribers-don’t-need”), the first attempt has proved less than brilliant.

The proposals from Charter and British Telecom cross the line from dubious into no-doubt-about-it nefarious. This is the one scenario where less intrusive solutions are not possible, because the business model favors collecting more data about customers. There is an interesting correlation between how far into the IP packet the ISP must look and the social acceptability of its objectives. Comcast can manage its scarce resources by simply counting bits– looking at the size of the IP packets sent, without regard for their destination or port. As it turned out, their first crude, inept attempt did look at port numbers and single out BitTorrent. Luckily bandwidth is bandwidth, and while the ISP has every right to create different pricing models that may require limiting resources consumed by the heaviest users, it has no business deciding which protocol the customer will use or what endpoints they choose to communicate with. Looking at the size of the IP packet and keeping tabs on usage is good enough for this purpose.

Looking at more data in the packet cranks up the intrusiveness level. The destination address will reveal the websites the customer is visiting. Advertising networks have traditionally relied on this information for targeting. This is the same data Charter and British Telecom are going after. The final step will involve looking past the header and directly into the contents of the packet. Moore’s law is not on the side of privacy in this case. The CFP discussion and Peter Ohm’s ideas about the ECPA connection are very timely.

cemp

May 22, 2008

LifeLock proves social security numbers can not be defanged

Filed under: Internet, Security, privacy, risks — cemp @ 12:47 pm

“I’m Todd Davis, CEO of LifeLock. And ..-…-…. is my real social security number.”

This was the full page advertisement in the New York Times Sunday magazine. Except the SSN was not blanked out, and this was no careless redaction error. LifeLock had developed an identity theft solution so reliable that the CEO was willing to disclose his own social security number to prove it. Brave indeed: the SSN is far more dangerous than a credit card number for many reasons: the card networks have already accepted the risk of payment card fraud and absorb losses (at least in the US; your mileage may vary by jurisdiction), cards can be revoked and the damages are bounded by the spending limits on cards. The SSN on the other hand enables so-called “new account fraud” because it is used as an authenticator: knowing the SSN for a person counts as proof of being that person. Lenders are happy to extend credit based on this ludicrous authentication protocol and there is no Visa/Mastercard to underwrite that risk by refunding consumers for losses. (Full disclosure: more on this distinction appears in a chapter this blogger contributed to an upcoming book by Stanford Press.)

This distinction has implications for a breach. Having a credit card number made public is easily recoverable and often with minimal damage. In the 2006 FTC Survey on identity theft, the median losses from existing card fraud were exactly $0. It would not be quite as impressive if the LifeLock CEO had published his credit card number in the newspaper, except it may run afoul of the card-holder agreement in case there are any requirements towards “due diligence” in security. But the social security number is an identifier US residents are stuck with for life. It cannot be revoked or easily changed. If any protection service could control the risk to the point that an individual can publish their SSN in a newspaper, that would have been a major breakthrough.

Today a Wired article shows it’s too early for celebration. LifeLock is getting sued on behalf of three customers who claim that the service does not work. The attorney filing the charges points to the fact that there have been 87 attempts to fraudulently use the identity of the CEO– including one in which the perpetrator succeeded in taking out a payday loan in Texas. In addition the article concedes:

“Davis said it’s possible driver’s licenses have been issued to other people in his name because of the widespread availability of his personal information – and because of what he described as the flimsy mechanisms in place to report that kind of fraud.”

This is not completely surprising: virtually all of the identity theft protection services depend on the triumvirate of credit bureaus for detection. Any new loan applications will be reported to these companies (in fact even the existence of a credit check prior to granting the loan is recorded) and can be periodically queried. But a new driver’s license will not appear on the radar. This is not surprising: the SSN is used in an open, distributed ecosystem without a centralized clearing point. Payment card networks have complete visibility into all transactions involving the card. Actions involving the SSN can only be reconstructed by putting together fragments of records from data brokers such as the credit reporting bureaus, Acxiom, Choicepoint and Seisint (now owned by Lexis-Nexis). The case against LifeLock suggests that this patchwork solution is far from being a reliable identity theft defense.

cemp

April 14, 2008

Giga-pixel aerial imaging

Filed under: privacy — cemp @ 10:38 pm

Courtesy of a Google News Alert on the keyword “surveillance.”

Semi-professional digital SLRs have recently broken the ten megapixel barrier and very high-end models reach upwards of twenty MP. Impressive for printers, but they cannot even approach the gigapixel sensor described in this article. Don’t expect to find it at the local electronics retailer: it is designed for ISR (intelligence, surveillance, reconnaissance) applications. In other words, this is the next generation eye in the sky. Mounted on a gyroscopically stabilized platform with 6 axes, this system boasts four focal planes with 92 five-megapixel sensors on each to provide a sixty-degree field of view at a resolution of 15cm on the ground. Dubbed ARGUS-IS, the design is as much an information processing marvel as it is an optical one: those sensors generate vast amounts of data, carried around by the same type of fiberoptic cables comprising the Internet backbone and compressed on board the airplane before being transmitted to the downlink through a broadband channel approaching 300 Mbps.

If the trickle-down effect holds for surveillance technology, there will be some traces of this in consumer electronics one day.

cemp

March 22, 2008

Bank of America and know-your-customer

Filed under: finance, privacy — cemp @ 9:31 pm

Financial institutions in the US are subject to know-your-customer regulations that require them to verify the identity of customers. These rules are designed to identify money-laundering and terrorist network financing operations; in fact some provisions derive from the PATRIOT Act. This is one reason opening a bank account requires government-issued ID and a social security number. The Virgin Islands or Switzerland may be portrayed as havens for hear-no-evil, no-name private banking in the average Hollywood crime caper. The strict banking regulations make it unlikely they will be opening a US branch anytime soon.

But when it comes to a more basic notion of knowing the customer– such as having a clue about them before mailing out credit card offers– it turns out the banks could use some help. “Usted ha sido previamente calificado para una tarjeta de credito que podria ahorrarle dinero.” (“You have been pre-qualified for a credit card that could save you money.”) says the message visible in the envelope. Not a Spanish speaker? Neither is this blogger, but that would not stop Bank of America from sending an unsolicited, pre-approved credit card offer in Spanish. Twice.

In fairness, after opening the envelope it turned out to be bilingual: there were two copies. That is a good thing: from New York subways to product manuals, there are good signs that institutions are adjusting to the reality of a diverse America. More importantly both versions appeared to offer the same basic terms: it would have been blatant discrimination if the APR were higher on the Spanish offer, for example. It is a small error, but indicative of the impersonal nature of credit. One would expect that with a cottage industry in consumer data-mining and extensive dossiers compiled on all US residents, a bank would be able to determine the primary language of a customer they are trying to solicit business from. BoA, or more precisely the random company to which they outsourced the credit-card offer carpet bombing operation, did make a decision in putting one of the two variants first, visible in the envelope window. From their point of view the recipient is not a person with a language preference but a one-dimensional statistic, reduced to the FICO score.

cemp

March 6, 2008

Credit rating system and meaningful choice

Filed under: economics, markets, privacy — cemp @ 12:27 am

A story from NYT Real Estate section about a British expat’s search for an apartment in Manhattan reads on different levels. Describing the interaction with a real estate agent:

“Almost by way of small talk, she said ‘Where are you from’ and I said ‘I’ve just come over from London yesterday,’ … She asked whether he had a credit history in the United States or a bank account or a Social Security number, all of which he would need to rent an apartment. No, no, no. … But his employer would provide initial financing and act as guarantor.”

What would be the expected response from the realtor? In this case walking out on the client:

“She completely lost interest and just left,” leaving him standing on the pavement.

Welcome to the Big Apple. It would be easy to dismiss this as yet another rude awakening in the ways of Manhattan for a new arrival– an experience this blogger can relate to. But there is a more subtle point about the pernicious growth of credit rating systems here. It’s not an oversimplification to say that without a social security number, a US consumer is just a nebulous and largely invisible presence in the eyes of lenders. Most of the data compiled by data brokers such as Acxiom, Choicepoint and the more familiar credit-reporting bureaus such as Experian and TransUnion is indexed by the SSN. To oversimplify in database terms, one could say the SSN is the primary key to the database. In this case the expression “key” is quite appropriate because it unlocks all the reputation information required for a significant transaction: buying a car, leasing an apartment, even getting a cell-phone contract. With the credit history available, consumers stop being blank faces; they acquire useful numbers: Alice has a 700 FICO score, Bob has an 8-year mortgage in good standing, etc. Everyone is now a three-dimensional character jumping out of the page, shrouded in precise numbers.

One of the arguments in defense of massive data collection is that it enables credit: individuals can go anywhere around the country and still enjoy the same access to credit as if they lived in a small town where everyone knew first-hand about their impeccable track record in paying back debts. (The flip side, never mentioned in the same sentence, is that nobody can start over: the scarlet letter of bankruptcy or foreclosure also follows people around. It is true that in this case there are no second acts in American life.) The more widespread and inflexible our reliance on credit history, the more difficult it is to get started and the greater the discrimination between those who have an extensive dossier versus those with a blank slate. NYC may be an extreme example. In keeping with its completely ludicrous and preposterous state of affairs, some landlords demand to see bank statements, employment verification on official company letterhead and even past tax returns before approving a lease. But stories like the one above are far from unique: if the agent had any shred of common sense, she would have realized that a decent-sized company– implied by having offices in London and New York– as a guarantor is much better than one would expect to get from most consumers: while individuals can go bankrupt or disappear, a company with deep pockets can be litigated to the last penny. The story did have a happy ending because at least one rental agency was sane enough to accept his application with a six-month deposit– but only after running a credit check on this person’s manager. There is no escaping the system.

cemp

January 24, 2008

Self-negating advice on privacy

Filed under: Internet, privacy, risks — cemp @ 2:27 am

This suggestion from LifeHacker is unlikely to work. First, it’s not at all clear that the DNS names in question are affiliated with Google. The mappings can change, and sending search queries to a random third party is hardly conducive to privacy. Second, the threat model assumed here is a lost cause. Most enterprises control the computing environment used by their employees, right down to the software for web browsing. That means web history can be ferreted out of the client side, without having to sift through proxy logs or network traces. (Home user vs. over-reaching ISP is a better example.)

But there is another reason for the overwhelming futility of the idea: even if it were useful against the current crop of Big-Brother-ware because of an oversight in the URLs it logs, publicizing that blind spot only ensures that the next versions are likely to fix the problem.

cemp

January 9, 2008

From the digital media front

Filed under: Internet, law, privacy — cemp @ 10:44 am

Starting the year on a positive note:

  • On the last day of 2007, the New York Times published an article about the University of Oregon resisting the RIAA’s subpoena requests. In the Fight Over Piracy, a Rare Stand for Privacy points to the opposition from the Oregon state Attorney General to the RIAA request for student information. The RIAA has been aggressively going after P2P file-sharing in higher education. Quoting the article:

The recording industry may not be selling as much music these days, but it has built a pretty impressive and innovative litigation subsidiary.

The Oregon AG is not taking a stand on the principle that file sharing should be legalized in all forms– that more extreme position, while espoused by the EFF, is unlikely to hold sway with the courts. Instead this is a more focused, tactical battle against the questionable approach used by the RIAA in going after suspected file-sharers by pressuring colleges to work around due process and the presumption of innocence.

  • More labels announced support for publishing their catalog without DRM. Sony/BMG is the last label to get on the bandwagon; still, it is a long way for a company that once root-kitted user machines in the name of content protection.
  • Better technology can succeed in the market: Warner may just have delivered the fatal hit to HD-DVD by throwing its weight behind Blu-Ray format pioneered by Sony. This new alignment brings everyone one step closer to the anticipated end of the high-definition DVD format wars. The 3% decline in DVD sales for the past year was in part being attributed to consumer reluctance to buy into a new format until the dust settled. Some companies such as Samsung tried capitalizing on the confusion by building dual-mode HD/Blu-Ray players but consumers balked at the price. Sony may have its revenge for losing the VCR format with BetaMax, which provided a textbook example of how a better technology (similar to BluRay having more storage capacity than HD-DVD) does not necessarily succeed in the marketplace against savvy deal-making. It sounds like Sony learned the lesson and aggressively pursued studios with heavy incentives for exclusive commitment to its favored format this time around.

cemp
