thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Saturday, March 29, 2008

German Hackers publish Fingerprint of Interior Minister Schäuble

The German hacker association Chaos Computer Club has published a fingerprint of the federal minister for the interior, Wolfgang Schäuble. The new issue of the club's magazine "Datenschleuder" even has a prepared foil in it that can easily be used to create a fingerprint dummy that people can stick to their own fingers (instructions). The CCC aims to force a more public and critical debate about the false sense of security that comes with using biometrics. The European Union is already requiring every passport holder to give his fingerprints to the authorities. The German hackers now plan a whole collectors' series of fingerprints from politicians who push for more surveillance.

Tuesday, March 11, 2008

Dangerous Moves: OpenID and Government-Issued ID tokens

As I wrote in my last post: "The identity management systems that are being developed and rolled out right now are laying the foundations that may be used to end online anonymity." This is becoming especially relevant with the development of e-government identification tokens that are issued by more and more governments around the world. I consciously said "may", because a crucial question is how the systems are designed.

This is a very crude ranking:
  • U-Prove and related zero-knowledge technologies can really help secure privacy by offering untraceable and unlinkable tokens based on an existing ID.
  • CardSpace only offers some privacy protection in specific use cases (self-issued cards, non-auditing mode), but has general problems with unlinkability.
  • OpenID offers basically no privacy if you don't run your own OpenID server and thereby authenticate yourself, because the OpenID provider can always see what you do.
  • Using CardSpace for logging into your OpenID provider only secures the login process, but does not protect you against the OpenID provider seeing what you do.
So what happens if OpenID and government-issued identification tokens are combined? It depends.

If my government were my OpenID provider, it could basically track every instance where I log into a web site. Very bad, and luckily nobody is thinking of this (yet). But a number of big companies have already started giving their employees an OpenID identity, which is not much better. The company can track what people do, and the relying party can be sure that John.Doe.OpenID.CompanyXYZ.com is a real person named John Doe who works at CompanyXYZ. I wonder when we will see the first suggestion to do this for government authorities.

If the government-issued ID token is used for logging into your OpenID provider (which CardSpace can also be used for), it may secure the login process itself. But the OpenID provider can still see every instance of you logging in anywhere, and now, because you identify yourself with a government-issued ID token, the OpenID provider can link the activities of your (maybe pseudonymous) OpenID account to a real person.

This is exactly what is happening in Finland right now:
TrustBearer Labs, a leading authentication solutions company, has announced support for the Finnish National Electronic Identification Card (FINEID) with its OpenID service. With this support, the FINEID smart card can now be paired with the OpenID online authentication standard, enabling FINEID cardholders to use their cards for logging in to any website that accepts OpenID. (...)
As far as I can tell from the press release and the little background info, it only works with an OpenID provided and managed by TrustBearer themselves.

So how does the FINEID technology work? The FINEID smart card carries a "Citizen Certificate". This citizen certificate does not allow stable pseudonyms or even transaction-specific pseudonyms:
The Citizen Certificate is standardized personal data, an electronic identity based on Public Key Infrastructure. It contains, among other information, a citizen’s first name, family name and an electronic client identifier.
The legislators in Kentucky who want to force everybody to use his or her real name for even the smallest online publications will be happy if they see this. The TrustBearer press release praises it:
"We believe that our OpenID service complements national identification programs, like Finland’s ID card. National ID card holders can now securely and efficiently manage many of the things they do on the Internet using a central and secure identity," says David Corcoran, Chief Executive Officer of TrustBearer Labs.
This is a very dangerous development. We have a technology here that allows the tracking of your online activities (OpenID) combined with a technology that always identifies you with your real, legal persona (FINEID). The only firewall between this and a fully-fledged government surveillance system for online activities is that
  • it is not mandatory (yet) and
  • the Finnish government can't (yet) directly peek into TrustBearer's database.
These are only legal restrictions, and they can change over time, as history has proven many times. On the infrastructure side, identity management technologies are slowly moving us towards more online surveillance if we stick with the current ones and don't quickly develop, integrate and roll out the most secure products. Otherwise we have to abandon the whole idea that identity management for the web is a good thing.

When I started writing and speaking about the privacy problems connected with OpenID and similar Identity 2.0 projects, many people replied: "Yes, but it is only meant for blog comments and harmless stuff like that. Of course you can always use a pseudonym, and you will never use it for serious stuff like e-government." Well...

(Thanks to Kai Raven for the link to the TrustBearer story.)

Pressure Against Online Anonymity - or: Towards Online Identification

Online free speech is increasingly under attack. Not just by classical censorship, but by laws and regulations that would prohibit anonymity and establish mandatory identification systems.

The People’s Republic of China is working on a “real name verification system” for bloggers, but also for online gamers. South Korea is developing a similar “internet real-name system” for bloggers that they would have to use for posting blog entries and comments.

In the US, conservative senators McCain and Schumer introduced the "Keeping the Internet Devoid of Sexual Predators Act of 2007" (also called "KIDS Act", Bill No. S.431) in January 2007, which would force all convicted sexual offenders to register all their online identities with the authorities. They are dead serious about this: If people fail to register, they will face up to ten years of imprisonment. This is not for raping anyone; this is just for not telling the government all their online user names and pseudonyms. The bill has even attracted Democratic co-sponsors, including Barack Obama, John Kerry, Patrick Leahy and Dianne Feinstein.

Now, Kentucky is making the news with a proposal similar to the Chinese and Korean ones:
Kentucky Representative Tim Couch filed a bill this week to make anonymous posting online illegal. The bill would require anyone who contributes to a website to register their real name, address and e-mail address with that site. Their full name would be used anytime a comment is posted.
Digg alerts its readers that the story was "reported by diggers as possibly inaccurate". Well, it is accurate. Here is the relevant part of the bill:
SECTION 2. A NEW SECTION OF KRS CHAPTER 369 IS CREATED TO READ AS FOLLOWS:
(1) An interactive service provider shall establish, maintain, and enforce a policy to require information content providers to register a legal name, address, and valid electronic mail address as a precondition of using the interactive service.
(2) An interactive service provider shall establish, maintain, and enforce a policy to require information content providers to be conspicuously identified with all information provided by, at a minimum, their registered legal name.
(3) An interactive service provider shall establish reasonable procedures to enable any person to request and obtain disclosure of the legal name, address, and valid electronic mail address of an information content provider who posts false or defamatory information about the person.

SECTION 3. A NEW SECTION OF KRS CHAPTER 369 IS CREATED TO READ AS FOLLOWS:
An interactive service provider that violates any of the provisions of Section 2 of this Act shall be fined five hundred dollars ($500) for the first offense and one thousand dollars ($1,000) for each subsequent offense.
What is the reasoning behind it? National security? Preventing online stalking and insults? No - bullying! Local TV station WTVQ reports:
Representative Couch says he filed the bill in hopes of cutting down on online bullying. He says that has especially been a problem in his Eastern Kentucky district.
Because Tim Couch gets all the fire now, it is fair to mention that his Republican Party colleague Jimmy Higdon is co-sponsoring the bill.

Ryan Radia has a good post about the background for these developments at the Technology Liberation Front:
The Kentucky bill comes on the heels of controversy over the growing popularity of JuicyCampus.com, a "Web 2.0 website focusing on gossip" where college students post lurid—and often fabricated—tales of fellow students’ sexual encounters. The website bills itself as a home for "anonymous free speech on college campuses," and uses anonymous IP cloaking techniques to shield users’ identities. Backlash against the site has emerged, with Pepperdine’s student government recently voting to ban the site on campus. (...)

Despite the appeal of combating defamation by banning online anonymity, lawmakers should be wary about restricting anonymous speech in the name of fighting libel. The same laws designed to deter defamation can also be used to target political dissent or silence whistleblowers for whom the option of remaining anonymous is critical.
But there is hope, at least for the moment. WTVQ from Kentucky again:
Couch says enforcing this bill if it became law would be a challenge.
At the moment, he is absolutely right.

But what happens if, in ten years from now, we all have government-issued IDs that function as smart cards and together with the OpenCardSpace technology (or whatever it is called then) can be used to authenticate us before we can post anything online? The identity management systems that are being developed and rolled out right now are laying the foundations that may be used to end online anonymity. I certainly hope that U-Prove or similar technology is built into every identity system and operating system by then. But what if legislation forces the technologists to disable the anonymity for certain uses? That's why the struggle for free speech and anonymity also has to be a political and legal one, not just a technological one.

Monday, March 10, 2008

Spam and Governance in Facebook

Facebook recently had a porn chain letter from Slide, who are running the Facebook "fun wall" application. Mary Hodder explains how it worked:
[I]magine you get some sort of email message from a friend in Facebook. This is a real friend, someone you do business with and/or socialize with and maybe have known for a long time (...). The message asks you to click into Facebook, at which point, you are asked to "install an app" (...). Then, once installed, you are taken to Slide's Fun Wall App, which shows you some porn, and says, "Click Foward to see what happen."(...) Turns out, if i'd clicked the "forward" button, Slide would have forwarded that spam to EVERYONE I KNOW in Facebook. All 500+ of them.
This event is interesting from the governance side of social networks: How do you establish and enforce norms in these new environments?

Mary sent complaints to Facebook and Slide, and after not hearing back, she called people in both companies she knew. She was
appalled at the responses I got. Now, these are people I know socially, and they gave me the real answers, but with the expectation that I would not attribute to them. However, I am confident that their answers reflect the culture and real value sets within these companies.

Facebook pointed the finger at Slide (the app maker in this case), and said, "There is nothing we can do. We have no control over the apps people make or the stuff they send." Oh, and if I wanted Facebook to change the rules for apps makers? I'd have to get say, 80k of my closest Facebook friends to sign on a petition or group, and then they might look at the way they have allowed porn spam to trick people into forwarding, but until then, there would be no feature review. (...)

Also both companies told me that blogging doesn't affect them, because they don't read blogs. The only thing they pay attention to are Facebook groups. Because they don't look at problems that a single person discovers.

Somehow, this reminds me of real existing democracy: If you don't get enough people on the streets or as participants in a class-action lawsuit, politicians just won't listen. But apart from democratic considerations, in real government arrangements, you should also have the right to legal redress. Remember, in history, rule of law and democracy were not necessarily connected.

Slide, on the other hand, replied, according to Mary:

Facebook was the problem, because as the "governing" body, Facebook makes the rules and "Slide wouldn't be competitive if they changed what they do, and their competitors weren't forced to as well." In other words, Slide's competitors use the same features to get more users (or trick more users as the case may be) and Slide didn't want to lose out on getting more users with similar features, regardless of the effect the features have on us and our relationships.
This sounds like real existing free market with a lack of regulatory oversight. For dealing with these kinds of problems, you normally need some authority that does not have a vested interest and at the same time has the power to regulate market failures and externalities. Facebook clearly has the power, as they control the technology and can decide what applications can and cannot do. If you conceive of Facebook as the government of the relationship space, Facebook does not have the division of powers and arm's-length agencies governments normally have. And at the same time, as mentioned above, they lack a legal system that would enable individual users to claim their rights.

So, how do you change Facebook's attitude towards application providers? You develop a loud voice, which seems to be a large Facebook group. Or you leave. These are the textbook examples of Albert O. Hirschman's "Exit, Voice, Loyalty" triad.

Leaving is what Mary Hodder and a lot of other people did:
For now, the answer for me is to use Facebook minimally and Slide not at all. Interestingly, at recent social gatherings I've mentioned these issues. At almost every one, people have said they are getting off Facebook and not going back, for precisely the reasons I mention above.
But the voice option also had some effect:
Facebook did recently force apps makers to default turn "off" the checked names in forward (as far as I can tell from my own analysis of Facebook and via other blogs explanations). But I have yet to receive replies to my original support notes to these companies, and feel confused about an unspoken, barely there response. It's as though after barely changing one thing aspect of a feature, in order to mitigate the problem, they want to sweep it all under the rug.
Maybe Facebook finally has started reading blogs? Remember, another important feature of modern democracy, beyond the rule of law and the division of power, is the existence of a public sphere.

Note that my argument has been an institutional one. There is also the cultural-sociological aspect, which is mentioned in Mary's post. In this view, the hope is that younger generations (here: including Mark Zuckerberg and the Slide guys) learn from older people about how to behave:
[I]t seems logical (and has happened in cultures around the world for millennia) that older, wiser men would advise young, clueless hormone driven boys how to act in the community.
Which approach would you take?


Microsoft buys Privacy-Friendly Identity Technology

Microsoft has acquired Montreal-based privacy technology company Credentica. While that probably means nothing to most of you out there, it is one of the most important and promising developments in the digital identity world.

My main criticism around user-centric identity management has been that the identity provider (the party that you and others rely on, like your credit card issuer or the agency that gave you your driver's license) knows a lot about the users. Microsoft's identity architect Kim Cameron explains it very well:
[W]ith managed cards carrying claims asserted by a third party authority, it has so far been impossible, even for CardSpace, to completely avoid artifacts that allow linkage. (...) Though relying parties are not able to collude with one another, if they collude with the identity provider, a set of claims can be linked to a given user even if they contain no obvious linking information.
This is related to the digital signatures involved in the claims flows. Kim goes on:
But there is good news. Minimal disclosure technology allows the identity provider to sign the token and proof key in such a way that the user can prove the claims come legitimately from the identity provider without revealing the signature applied by the identity provider.
Stefan Brands was among the first to invent technology for minimal disclosure or "zero knowledge" proofs in the early nineties, similar to what David Chaum did with his anonymous digital cash concept. His technology was bought by the privacy firm Zero Knowledge until they ran out of funding and gave it back to Stefan. He has since then built his own company, Credentica, and, together with his colleagues Christian Paquin and Greg Thompson, developed it into a comprehensive middleware product called "U-Prove" that was released a bit more than a year ago. U-Prove works with SAML, Liberty ID-WSF, and Windows CardSpace.
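To make the distinction concrete, here is a small Python model (added here; it is not code from U-Prove, CardSpace, OpenID or any product named on this page) of the three properties this post and the OpenID post above keep apart: whether two relying parties can link a user by the identifier they receive, whether the identity provider can trace where the user logs in, and whether a relying party colluding with the identity provider can map a pseudonymous token back to a legal name through the signature artifact Kim describes. The token format, the HMAC-based pseudonym and signature, the key and the names are constructed for illustration; the toy does not implement minimal disclosure, which is exactly the property it shows to be missing.

```python
"""Toy model of identity-provider tracking in federated login.

Parties: an identity provider (IdP, e.g. an OpenID provider), one user and
two relying parties (RPs, the web sites the user logs in to).

  mode = "global"   -> the token carries one stable identifier, like the
                       electronic client identifier in a Citizen Certificate.
  mode = "pairwise" -> the token carries a per-RP pseudonym (HMAC over user
                       and RP realm), the "directed identity" idea.

Neither mode implements minimal disclosure: the IdP still sees every login,
and its signature on the token lets a colluding RP ask "who was this?".
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    secret: bytes                                   # constructed key
    mode: str                                       # "global" or "pairwise"
    login_log: list = field(default_factory=list)   # (legal_name, rp_realm)
    issued: dict = field(default_factory=dict)      # signature -> legal_name

    def subject_for(self, legal_name: str, rp_realm: str) -> str:
        if self.mode == "global":
            return legal_name
        # Pairwise pseudonym: same user at two RPs yields unrelated strings.
        msg = f"{legal_name}|{rp_realm}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def issue_token(self, legal_name: str, rp_realm: str) -> dict:
        # The IdP authenticates the user, so it necessarily learns where the
        # user logs in: this is the (non-)traceability problem.
        self.login_log.append((legal_name, rp_realm))
        body = {"sub": self.subject_for(legal_name, rp_realm), "aud": rp_realm}
        # Simulated signature over the token body.  Any per-token artifact
        # the IdP can recognise again is a linkage handle if the RP shows it
        # the token; minimal disclosure tokens are designed to avoid this.
        sig = hmac.new(self.secret, json.dumps(body, sort_keys=True).encode(),
                       hashlib.sha256).hexdigest()
        self.issued[sig] = legal_name
        return {"body": body, "sig": sig}

    def lookup(self, sig: str):
        # Collusion interface: an RP hands back a token, the IdP names the user.
        return self.issued.get(sig)


def run_scenario(mode: str):
    """Constructed sample: one user logs in to two unrelated web sites."""
    idp = IdentityProvider(secret=b"constructed-idp-key", mode=mode)
    t_shop = idp.issue_token("Jane Doe", "https://shop.example")
    t_forum = idp.issue_token("Jane Doe", "https://forum.example")
    return idp, t_shop, t_forum


def colluding_rps_can_link(mode: str) -> bool:
    """Two RPs compare the subject identifiers they received, offline."""
    _, t_shop, t_forum = run_scenario(mode)
    return t_shop["body"]["sub"] == t_forum["body"]["sub"]


def idp_sees_every_login(mode: str) -> bool:
    """Whatever the mode, the IdP's own log names the user and each RP."""
    idp, _, _ = run_scenario(mode)
    return idp.login_log == [("Jane Doe", "https://shop.example"),
                             ("Jane Doe", "https://forum.example")]


def rp_colluding_with_idp_can_link(mode: str) -> bool:
    """Both RPs show the IdP the signed tokens they received."""
    idp, t_shop, t_forum = run_scenario(mode)
    return idp.lookup(t_shop["sig"]) == idp.lookup(t_forum["sig"]) == "Jane Doe"


if __name__ == "__main__":
    for m in ("global", "pairwise"):
        print(f"{m:8} RPs link: {colluding_rps_can_link(m)!s:5} "
              f"IdP traces: {idp_sees_every_login(m)!s:5} "
              f"RP+IdP link: {rp_colluding_with_idp_can_link(m)}")
```

Pairwise pseudonyms remove only the first column (RP-to-RP linkability); the other two columns stay true in both modes, which is the gap Kim's minimal disclosure tokens are meant to close.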

The importance of the concept of "zero knowledge proofs" for privacy is comparable to the impact that public key infrastructures (PKIs), described by Whitfield Diffie and Martin Hellman, had on internet security. The U-Prove technology based on these concepts has been compared to what Ron Rivest, Adi Shamir and Leonard Adleman (RSA) did for security when they were the first to offer an algorithm and a product based on PKIs.

When I was at the CFP conference in Montreal last May, I was meeting Kim and Stefan, and a colleague pointed me to the fact that Kim was being very nice to Stefan. "He has some cool patents Microsoft really wants", my colleague said. Bruce Schneier recently also praised U-Prove, but questioned the business model for companies like Credentica. He added, "I’d like to be proven wrong."

Kim Cameron is now bragging about having proven Bruce wrong (which is hard to imagine, given the fact that "Bruce Schneier feeds Schrödinger's cat on his back porch. Without opening the box"), while admitting that he still has no business model:
Our goal is that Minimal Disclosure Tokens will become base features of identity platforms and products, leading to the safest possible internet. I don’t think the point here is ultimately to make a dollar. It’s about building a system of identity that can withstand the ravages that the Internet will unleash. That will be worth billions.
Stefan Brands is also really happy:
For starters, the market needs in identity and access management have evolved to a point where technologies for multi-party security and privacy can address real pains. Secondly, there is no industry player around that I believe in as much as Microsoft with regard to its commitment to build security and privacy into IT systems and applications. Add to that Microsoft’s strong presence in many of the target markets for identity and access management, its brain trust, and the fact that Microsoft can influence both the client and server side of applications like no industry player can, and it is easy to see why this is a perfect match.
A good overview of other reactions is at Kim's latest blog post. The crucial issue has, again, been pointed out by Ben Laurie, who quotes the Microsoft Privacy Team's blog:
When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments, and consumers all stand to benefit from the enhanced security and privacy that it will enable.
Ben sarcastically reads it like "the Microsoft we all know and love", implying market domination based on proprietary technology. But the Microsoft we all know in the identity field is not the one we used to know with Passport and other crazy proprietary surveillance stuff. They have released the standards underlying the CardSpace claims exchange under an open specification promise, and Kim assures us that they will have their lawyers sort out the legal issues so anybody can use the technology:
I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo. Like, it’s 2008, right? Give me a break, guys!
Well. Given the fact that U-Prove is not just about claims flows, but involves fancy advanced cryptography, they really should do everybody a favour and release the source code and some libraries that contain the algorithm under a free license, and donate the patent to the public domain.

First of all, because yes - it's 2008, and "free is the new paid", as even the IHT has discovered in January 2007.

Second, because yes - it's 2008, and there has been an alternative product out there under a free license for more than a year. IBM Research Labs Zurich have finished their Idemix identity software that works with zero-knowledge proofs in January 2007. It is part of the Higgins identity suite and will be available under an open source license. (The Eclipse lawyers seem to have been looking into this for more than a year, though. Does anybody know about the current status?)

Third, because yes - it's 2008, it's not 1882 anymore, to quote Bruce Schneier again:
A basic rule of cryptography is to use published, public, algorithms and protocols. This principle was first stated in 1883 by Auguste Kerckhoffs.

Wednesday, March 05, 2008

Statement on "Identity Management and Reputation" for OECD Ministerial Meeting

The OECD is preparing a ministerial conference on "The Future of the Internet Economy" in Seoul in June. Civil Society groups have been working together for a few months in order to coordinate their input and activities. The executive summary (well, more a shortened version) of our joint statement has just been sent to the OECD secretariat. I happened to draft and revise the chapter on "Identity Management and Reputation", which is copied below. Comments and ideas are more than welcome and may end up in the long version, which will be finished in the next 2 weeks.

OECD Ministerial Meeting
Civil Society Background Paper, Version 1.0, March 5, 2008

EXECUTIVE SUMMARY

The Future of the Internet Economy
‘Fueling Creativity, Ensuring Consumer Protection and Building Confidence, and Benefitting from Convergence’

(...) 3.4 Identity Management and Reputation

The Internet is part of consumers’ and citizens' daily lives and shops, banks, insurance companies and governments expect consumers to contact them online for services, advice, information, online payments and online banking. In an environment of increasing online fraud and identity theft, identity management and authentication is closely linked to security, privacy and consumer confidence online. The challenges posed by effective identity management include ever increasing use of massive consumer database systems and their integration, user profiling, complex relationships between companies and subsidiaries, and cross-border data flows.

Systems for electronic identification and authentication have been in place in a number of countries for a few years now, and the experiences clearly show a strong link between privacy and identity. The failure of large-scale single-sign-on services in the nineties has shown that citizens and customers only accept identification technologies and services if they are sure their privacy is respected at the same time.

The 2006 OECD Guidance on Electronic Authentication includes two principles that are particularly important from the consumer perspective: the one of proportionality, and the right of privacy.

While this is a good first step, latest research in online identity management has shown that there are more issues that need to be addressed. Technological development has made significant steps recently that allow for greater security while maintaining individual anonymity. Such systems should be encouraged. Important elements include:

  • Minimal disclosure: Identity and authentication systems must only provide the information that is needed for the actual transaction. Instead of transferring individualized claims and ID-tokens, it is very often sufficient to transfer anonymous credentials or group credentials that only prove the individual has certain properties, e.g. belonging to a university or being an adult. The foundation for this principle is that full anonymity must be the default option, and single information bits are then added consciously and sparingly, according to the actual need. Regulation must ensure that user and citizen data is not collected if it is not needed at all for the transaction or service in question.

  • Non-Linkability: Digital identifiers have to be constructed in a way that they are only relevant in the specific context they are generated for and cannot be linked across contexts and transactions (context sensitivity, directed identity). This will protect users from cross-site and cross-transaction profiling and at the same time significantly shield against identity theft. Identity systems must therefore allow the use of non-linkable and context-specific pseudonyms.

  • Non-Traceability: Increasingly, online authentication of individuals towards third parties like businesses or government agencies is done by identity providers. Identification systems that are based on this model must ensure that the identity provider can issue context-specific and non-linkable credentials, but can not at the same time trace and track the services the user has used.

  • User Control: All identifying information about an individual, especially if transferred in the context of authenticating towards a third party, must flow through the individual’s hands, and it must be readable by the individual. This concept of “user-centric identity” has already matured among technology developers and identity architects. This concept must become the basis for general identification and authentication systems in the public and private sector. As opposed to recent developments in ITU-T Focus Group on IdM, OECD should take a lead in encouraging this privacy-enhancing approach on the international level.

  • Application to Government-issued Identity Tokens: The above-mentioned principles are especially relevant when moving towards government-issued identity tokens. In the offline world, we can show an ID card or a drivers’ license without the issuing agency knowing about this. The same amount of privacy has to be built into online identity systems.

  • Persistence of Paper-Based Identification: Especially when dealing with e-government services, legislation must ensure that citizens are not forced to use these and can still use paper-based documents as a valid and significant option.

  • Relationship Information Belongs to Both Parties: Social networking platforms and other services that enable the online management of relationships like friendships or relations to schoolmates and colleagues have to take into account that information about a relationship belongs to both parties. Therefore, services allowing users to describe, publish, process and transfer information about these relationships have to ensure this can only be done when both parties have agreed to it under the same conditions.
For these reasons, OECD member countries should:
  • actively engage in informing society and the public at large about the dimensions and possible problems of digital identity solutions.

  • implement the OECD Recommendation on Electronic Authentication.

  • encourage the development and deployment of identity management systems that fully adhere to the principles of user control and user-centricity.

  • encourage research and knowledge transfer about identity-solutions that incorporate the principles mentioned above.

  • investigate what kind of redress processes individuals should have at their disposal for information about them.

  • enact legislation that offers reasonable, effective and inexpensive means of redress for individuals whose reputation is endangered by automated and user-generated rating and reputation systems, or by the publication of information about them.
To vendors:

  • Companies who implement stronger authentication practices for online payment systems should not require consumers to accept more responsibility or liability (e.g. lesser chargeback rights) than is reasonable in the circumstances.
To developers:

  • Designers of authentication and ID management systems, as well as businesses, who require consumers to use particular systems, should be held liable for losses incurred as a result of deficiencies of, or failures in their systems.

Tuesday, March 04, 2008

Data Portability? Portable People!

Drama 2.0 has a great guest comment at Mashable on the concept of "data portability", which means that people may be able to take their identity and social graph data from one Web2.0 platform and move it to a new one. There's been a lot of hype around this recently, but he says: "Data portability is boring":
I think the name reveals what’s wrong with the concept: “data.” Yes, data is important, but the data collected by Web 2.0 services isn’t what makes those services compelling- it’s the fact that real people you have some connection to are using them too. I could take my Facebook “data” with me to another Web 2.0 service, but if the friends “contained” within that data aren’t using that service, what’s the point?

Obviously, data portability goes beyond simple lists of friends, but in the context of consumer Web 2.0 services, I think technologists who now consider the addition of “social” features to existing applications to be innovation ironically overlook the fact that data and technology don’t drive the popularity of Web 2.0 services – people do.

Without active, engaged and passionate users who perceive some value in using the Internet as a platform for social interaction, a Web 2.0 service probably isn’t going anywhere, regardless of data portability.
The great British blues-rock band Ten Years After had a track on their 1979 album "Alvin Lee & Company" which was called "Portable People":
See them at the airport with their cases in their hand
Got a ten day package in another land
They're the jet age gypsies with a super-sonic sound
They're the portable people, and they take themselves around
The cases, airports and super-sonic jets nicely illustrate how much effort people take in order to work with or meet other people. Real people, not their de-contextualized data representations.

Drama 2.0 also points out the privacy problems of data portability, but I've blogged about those before.
