thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Friday, January 12, 2007

ID Standard Wars, Episode One: OpenID vs CardSpace

As I wrote in the previous blog entry: "Big standards organizations (ISO, W3C, ANSI) have set up working groups on identity management recently. Expect some interesting standard wars here in the short run." That was of course not intended to mean that only public institutions can fight each other.

Some private sector players are currently heating up their blog-to-blog debate. Dick Hardt from Sxip and Kim Cameron from Microsoft are discussing if OpenID or Windows CardSpace is more secure. See a summary at ZDNet or the original posts by Kim and Dick. Chronological order: Kim - Dick - Kim - Dick. To be continued.

I just wish they would put as much energy into discussing which system is more privacy-friendly.

Thursday, January 04, 2007

Identity Management Systems and the State from 1500 to 2008

The following is an edited part from my "Privacy, Identity and Anonymity" manuscript from the CCC congress. It looks like the official video of the presentation takes a bit longer to get online, and the unofficial recordings seem to have not recorded all sessions. Just making the slides available would not help, because we mainly used pictures and single words, which are hard to understand without hearing us. So you have to read.

As the sociologists have told us: Managing your identity is managing which roles you have in relation to different people and contexts. Corporate identity management systems have done role management for quite a while. They use role modelling for differentiating the several tasks their employees can take. Who can enter the premises? Who has access to which database? Who can authorize buy and sell orders for which amount of money? This is where the big players like Oracle, Novell, or Sun come from. They call it "provisioning" or "workflow auditing". In the end, of course, it is about controlling employees.

And this is one of the most fundamental functions of identity management systems: Control.

These ID vendors are now also trying to roll it out for the web. Here, ID management from the customer’s perspective (so-called "grassroots identity") is merging with ID management from the corporate perspective. The web companies are also working on it. Yahoo is doing this with its “BBAuth” service, Google is doing it with “Google Accounts”, Microsoft tried it with Passport and failed big time. They are now coming back with InfoCards AKA CardSpace.

Because of all these different approaches, big standards organizations (ISO, W3C, ANSI) have set up working groups on identity management recently. Expect some interesting standard wars here in the short run.

Looking back in history: Who was the first to establish identity management and identification systems? It was the early modern European state. At that time, the first laws were enacted that made it illegal to change your name without government approval. Now, in order to make sure to others that you are the person whose name you pretend to have, you need some extra proof. Normally this takes the form of identity tokens. First, they used to be official letters or seals, and later, we saw the development and spread of passports and ID cards.

The emergence of the computer then replaced names with numbers – social security numbers, tax numbers, passport numbers, and so on. But the idea is actually much older. Jeremy Bentham, who invented the idea of the Panopticon, also suggested that every citizen should have a serial number tattooed on his arm.

But even today, your tattoo is not transmitted when you go online. So, some governments now want to establish a certified, official link between your real physical identity and your online identity. Because this holds quite some potential for large-scale surveillance and control of online behaviour, a lot of people don’t like this idea. Especially in countries without ID cards, people still distrust the idea of mandatory online (and offline) identification systems.

So, what do you do as a security politician or a government agency that wants to establish a tighter infrastructure for control? How do you set up such a system? You start with groups like foreigners or criminals that get little support for their rights in the general population. US Senator John McCain has drafted this bill, which would force all convicted sexual offenders to register all their email-accounts and all other online identities with the authorities. And they are dead serious about this: If people fail to register, they will face up to ten years of imprisonment. Remember, this is not for raping someone, this is just for not telling the government all your online user names and pseudonyms. Can you remember all of the logins you ever created?

But welcome to Germany, the land of more advanced bureaucracy. The "E-Government 2.0" program, published by the German Interior Ministry in September, has an interesting chapter on electronic ID-cards and "e-Identity". They plan to issue an electronic ID-card from 2008 on, which will enable people to authenticate themselves online with their government-certified ID.

So in Germany, registration of your online identity with the authorities is not a “for criminals only” thing. It will apply to the whole population. And the private sector will love it, as it gives them a better means to control their customers. In the end, we might end up with the government as the ultimate trusted third party or ID provider, and get a "perfect" ID management system that encompasses everybody. (Of course, according to democratic theory, you should not trust governments, but control them and limit their power.)

How will the government build the infrastructure for this? Well, they say they are currently working together with the private sector and some big IT corporations. And this is of course where "Identity 2.0", Windows Vista CardSpace and all the rest come into the picture.

The few critical contributions to the digital identity debate so far have largely focused on the privacy implications: How likely is tracking of people with these systems? It seems to me we should also think about the zoning aspects. Will the internet with an identity layer on top of it still be a space where we can more or less freely move around, or will it be divided into bordered national territories, fenced corporate playgrounds, and only a few open/outlaw places?

Get 'em while they're young

I've been reading, thinking, and blogging about identity management in the last few months, and my own thoughts, together with discussions with colleagues from computer science and law, have made me more and more sceptical that identity infrastructures can or will be privacy-enhancing at all. For the general reasoning, read my older posts and have a look at e.g. this paper or this presentation, or wait for the video of my presentation at the recent Berlin hackers conference. Or let me refer you to Lawrence Lessig, who as early as 1999 made a major point in his book on "Code and other Laws of Cyberspace" on how identification enables zoning, which in turn enables control. Control of course limits freedom, and identification also limits privacy.

Having said this, I was surprised by a report about the Scottish Secondary Teachers' Association (SSTA) that wants all secondary pupils in Scotland to carry photo ID cards. Their argument was it would stop bullying - yes, bullying!
The SSTA's general secretary, David Eaglesham, said the time had come for photographic identification to be added to the cards used to access school facilities. "Introducing photo ID cards will help bring an end to bullying over use of 'cash free' cards for school meals".
Of course, according to the SSTA, it would also enhance exams security and "assist with access to school bus services" (read: control access to school buses).

But the hidden agenda is elsewhere, and my feeling of being surprised came from how openly it was articulated:
He said that introducing such a system would also help prepare young people for "the realities of identity management in the 21st Century".
Yeah, great. Why not also start fingerprinting all pupils, taking their DNA, putting surveillance cameras in the classroom and forcing them not to leave their bags unattended or else they will be blown up by a SWAT team? By establishing this kind of stuff in schools, you create little monsters and authority-obeying subjects, not people who have fun being curious and learning. I totally subscribe to the reaction by Green Party MSP Patrick Harvie:
"We should be preparing young people for the reality of defending their privacy and civil liberties against ever-more intrusive government systems".
Again, Bruce Schneier hits the mark here:
It's important that schools teach the right lessons, and "we're all living in a surveillance society, and we should just get used to it" is not the right lesson.