Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Weak links in the Blockchain

One of the silliest things I've read yet about blockchain came out in Business Insider Australia last week. They said that the blockchain “in effect” lets the crowd police the monetary system.

In the rush to make bigger and grander claims for the disruptive potential of blockchain, too many commentators are neglecting the foundations. If they think blockchain is important, then it’s all the more important they understand what it does well, and what it just doesn’t do at all.

Blockchain has one very clever, very innovative trick: it polices the order of special events (namely Bitcoin spends) without needing a central authority. The main “security” that blockchain provides is nottamper resistance or inviolability per se -- you can get that any number of ways using standard cryptography -- but rather it’s the process for a big network of nodes to reach agreement on the state of a distributed ledger, especially the order of updates to the ledger.

To say blockchain is “more secure” is a non sequitur. Security claims need context.

  • If what matters is agreeing ‘democratically’ on the order of events in a decentralised public ledger, without any central authority, then blockchain makes sense.
  • But if you don't care about the order of events, then blockchain is probably irrelevant or, at best, heavily over-engineered.
  • And if you do care about the order of events (like stock transactions) but you have some central authority in your system (like a stock exchange), then blockchain is not only over-engineered, but its much-admired maths is compromised by efforts to scale it down, into private chains and the like, for the power of the original blockchain consensus algorithm lies in its vast network, and the Bitcoin rewards for the miners that power it.

A great thing about blockchain is the innovation it has inspired. But let’s remember that the blockchain (the one underpinning Bitcoin) has been around for just seven years, and its spinoffs are barely out of the lab. Analysts and journalists are bound to be burnt if they over-reach at this early stage.

The initiatives to build smaller, private or special purpose distributed ledgers, to get away from Bitcoin and payments, detract from the original innovation, in two important ways. Firstly, even if they replace the Bitcoin incentive for running the network (i.e. mining or “proof of work”) with some other economic model (like “proof of stake”), they compromise the tamper resistance of blockchain by shrinking the pool. And secondly, as soon as you fold some command and control back into the original utopia, blockchain’s raison d'etre is no longer clear, and its construction looks over-engineered.

Business journalists are supposed to be sceptical about technology, but many have apparently taken leave of their critical faculties, even talking up blockchain as a "trust machine". You don’t need to be a cryptographer to understand the essence of blockchain, you just have to be cautious with magic words like “open” and “decentralised”, and the old saw "trust". What do they really mean? Blockchain does things that not all applications really need, and it doesn't do what many apps do need, like access control and confidentiality.

Didn't we learn from PKI that technology doesn't confer trust? It's been claimed that putting land titles on the blockchain will prevent government corruption. To which I say, please heed Bruce Schneier, who said only amateurs hack computers; professional criminals hack people.

Posted in Trust, Security, Payments, Innovation

The Economist's take on blockchain

An unpublished letter to the editor of The Economist.

November 1, 2015

Just as generalists mesmerized by quantum physics are prone to misapply it to broader but unrelated problems, some are making exorbitant claims for the potential of blockchain to change the world ("The trust machine", The Economist, October 31st). Yes, blockchain is extraordinarily clever but it was designed specifically to stop electronic cash from being double spent, without needing central oversight. As a general ledger, blockchain is unwieldy and expensive.

Trust online is all about provenance. How can I be sure a stranger’s claimed attributes, credentials and possessions are genuine? Proving a credit card number, employment status, or ownership of a block of land in a ‘democratic’ peer-to-peer mesh strikes some as utopian, but really it’s oxymoronic. The blockchain is an indelible record of claims, which still need to be vouched for before they are carved forever into mathematical stone.

Steve Wilson
Principal Analyst - Identity & Privacy, Constellation Research.

Posted in Innovation, Security, Trust

Biometrics Privacy Trust Mark Development - Stage 2

The Biometrics Institute has received Australian government assistance to fund the next stage of the development of a new privacy Trust Mark. And Lockstep Consulting is again working with the Institute to bring this privacy initiative to fruition.

A detailed feasibility study was undertaken by Lockstep in the first half of 2015, involving numerous privacy advocates, regulators and vendors in Europe, the US, New Zealand and Australia.

We found strong demand for a reputable, non-trivial B2C biometrics certification.

Privacy advocates are generally supportive of a new Trust Mark, however they stress that a Trust Mark can be counter-productive if it is too easy to obtain, biased by industry interests, and/or poorly policed. There is general agreement that a credible trust mark should be non-trivial, and consequently, that the criteria be reasonably prescriptive. The reality of a strong Trust Mark is that not all architectures and solution instances will be compatible with the certification criteria.

The next stage of the Biometrics Institute project will deliver technical criteria for the award of the Trust Mark, and a PIA (Privacy Impact Assessment) template. A condition of the Trust Mark will be that a PIA is undertaken.

Please contact Steve Wilson at Lockstep swilson@lockstep.com.au or Isabelle Moeller (Biometrics Institute CEO) isabelle@biometricsinstitute.org, if you'd like to receive further details of the Stage 1 findings, or would like to contribute to the technical research in Stage 2.

Posted in Trust, Privacy, Biometrics

Breaking down digital identity

Identity online is a vexed problem. The majority of Internet fraud today can be related to weaknesses in the way we authenticate people electronically. Internet identity is terribly awkward too. Unfortunately today we still use password techniques dating back to 1960s mainframes that were designed for technicians, by technicians.

Our identity management problems also stem from over-reach. For one thing, the information era heralded new ways to reach and connect with people, with almost no friction. We may have taken too literally the old saw “information wants to be free.” Further, traditional ways of telling who people are, through documents and “old boys networks” creates barriers, which are anathema to new school Internet thinkers.

For the past 10-to-15 years, a heady mix of ambitions has informed identity management theory and practice: improve usability, improve security and improve “trust.” Without ever pausing to unravel the rainbow, the identity and access management industry has created grandiose visions of global “trust frameworks” to underpin a utopia of seamless stranger-to-stranger business and life online.

Well-resourced industry consortia and private-public partnerships have come and gone over the past decade or more. Numerous “trust” start-up businesses have launched and failed. Countless new identity gadgets, cryptographic algorithms and payment schemes have been tried.

And yet the identity problem is still with us. Why is identity online so strangely resistant to these well-meaning efforts to fix it? In particular, why is federated identity so dramatically easier said than done?

Identification is a part of risk management. In business, service providers use identity to manage the risk that they might be dealing with the wrong person. Different transactions carry different risks, and identification standards are varied accordingly. Conversely, if a provider cannot be sure enough who someone is, they now have the tools to withhold or limit their services. For example, when an Internet customer signs in from an unusual location, payment processors can put a cap on the dollar amounts they will authorize.

Across our social and business walks of life, we have distinct ways of knowing people, which yields a rich array of identities by which we know and show who we are to others. These Identities have evolved over time to suit different purposes. Different relationships rest on different particulars, and so identities naturally become specific not general.

The human experience of identity is one of ambiguity and contradictions. Each of us simultaneously holds a weird and wonderful ensemble of personal, family, professional and social identities. Each is different, sometimes radically so. Some of us lead quite secret lives, and I’m not thinking of anything salacious, but maybe just the role-playing games that provide important escapes from the humdrum.

Most of us know how it feels when identities collide. There’s no better example than what I call the High School Reunion Effect: that strange dislocation you feel when you see acquaintances for the first time in decades. You’ve all moved on, you’ve adopted new personae in new contexts – not the least of which is the one defined by a spouse and your own new family. Yet you find yourself re-winding past identities, relating to your past contemporaries as you all once were, because it was those school relationships, now fossilised, that defined you.

Frankly, we’ve made a mess of the pivotal analogue-to-digital conversion of identity. In real life we know identity is malleable and relative, yet online we’ve rendered it crystalline and fragile.
We’ve come close to the necessary conceptual clarity. Some 10 years ago a network of “identerati” led by Kim Cameron of Microsoft composed the “Laws of Identity,” which contained a powerful formulation of the problem to be addressed. The Laws defined Digital Identity as “a set of claims made [about] a digital subject.”

Your Digital Identity is a proxy for a relationship, pointing to a suite of particulars that matter about you in a certain context. When you apply for a bank account, when you subsequently log on to Internet banking, when you log on to your work extranet, or to Amazon or PayPal or Twitter, or if you want to access your electronic health record, the relevant personal details are different each time.
The flip side of identity management is privacy. If authentication concerns what a Relying Party needs to know about you, then privacy is all about what they don’t need to know. Privacy amounts to information minimization; security professionals know this all too well as the “Need to Know” principle.

All attempts at grand global identities to date have failed. The Big Certification Authorities of the 1990s reckoned a single, all-purpose digital certificate would meet the needs of all business, but they were wrong. Ever more sophisticated efforts since then have also failed, such as the Infocard Foundation, Liberty Alliance and the Australian banking sector’s Trust Centre.

Significantly, federation for non-trivial identities only works within regulatory monocultures – for example the US Federal Bridge CA, or the Scandinavian BankID network – where special legislation authorises banks and governments to identify customers by the one credential. The current National Strategy for Trusted Identities in Cyberspace has pondered legislation to manage liability but has balked. The regulatory elephant remains in the room.

As an aside, obviously social identities like Facebook and Twitter handles federate very nicely, but these are issued by organisations that don't really know who we are, and they're used by web sites that don't really care who we are; social identity federation is a poor model for serious identity management.

A promising identity development today is the Open Identity Foundation’s Attribute Exchange Network, a new architecture seeking to organise how identity claims may be traded. The Attribute Exchange Network resonates with a growing realization that, in the words of Andrew Nash, a past identity lead at Google and at PayPal, “attributes are at least as interesting as identities – if not more so.”

If we drop down a level and deal with concrete attribute data instead of abstract identities, we will start to make progress on the practical challenges in authentication: better resistance to fraud and account takeover, easier account origination and better privacy.

My vision is that by 2019 we will have a fresh marketplace of Attribute Providers. The notion of “Identity Provider” should die off, for identity is always in the eye of the Relying Party. What we need online is an array of respected authorities and agents that can vouch for our particulars. Banks can provide reliable electronic proof of our payment card numbers; government agencies can attest to our age and biographical details; and a range of private businesses can stand behind attributes like customer IDs, membership numbers and our retail reputations.

In five years time I expect we will adopt a much more precise language to describe how to deal with people online, and it will reflect more faithfully how we’ve transacted throughout history. As the old Italian proverb goes: It is nice to “trust” but it’s better not to.

This article first appeared as "Abandoning identity in favor of attributes" in Secure ID News, 2 December, 2014.

Posted in Trust, Social Networking, Security, Identity, Federated Identity

On "Trust Frameworks"

The Australian government's new Digital Transformation Office (DTO) is a welcome initiative, and builds on a generally strong e-government program of many years standing.

But I'm a little anxious about one plank of the DTO mission: the development of a "Trusted Digital Identity Framework".

We've had several attempts at this sort of thing over many years, and we really need a fresh approach next time around.

I hope we don't re-hash the same old hopes for "trust" and "identity" as we have for over 15 years. The real issues can be expressed more precisely. How do we get reliable signals about the people and entities we're trying to deal with online? How do we equip individuals to be able to show relevant signals about themselves, sufficient to get something done online? What are the roles of governments and markets in all this?

Frankly, I loathe the term "Trust Framework"! Trust is hugely distracting if not irrelevant. And we already have frameworks in spades.

Posted in Internet, Language, Trust

Identity Management Moves from Who to What

The State Of Identity Management in 2015

Constellation Research recently launched the "State of Enterprise Technology" series of research reports. These assess the current enterprise innovations which Constellation considers most crucial to digital transformation, and provide snapshots of the future usage and evolution of these technologies.

My second contribution to the state-of-the-state series is "Identity Management Moves from Who to What". Here's an excerpt from the report:


In spite of all the fuss, personal identity is not usually important in routine business. Most transactions are authorized according to someone’s credentials, membership, role or other properties, rather than their personal details. Organizations actually deal with many people in a largely impersonal way. People don’t often care who someone really is before conducting business with them. So in digital Identity Management (IdM), one should care less about who a party is than what they are, with respect to attributes that matter in the context we’re in. This shift in focus is coming to dominate the identity landscape, for it simplifies a traditionally multi-disciplined problem set. Historically, the identity management community has made too much of identity!

Six Digital Identity Trends for 2015

SoS IdM Summary Pic

1. Mobile becomes the center of gravity for identity. The mobile device brings convergence for a decade of progress in IdM. For two-factor authentication, the cell phone is its own second factor, protected against unauthorized use by PIN or biometric. Hardly anyone ever goes anywhere without their mobile - service providers can increasingly count on that without disenfranchising many customers. Best of all, the mobile device itself joins authentication to the app, intimately and seamlessly, in the transaction context of the moment. And today’s phones have powerful embedded cryptographic processors and key stores for accurate mutual authentication, and mobile digital wallets, as Apple’s Tim Cook highlighted at the recent White House Cyber Security Summit.

2. Hardware is the key – and holds the keys – to identity. Despite the lure of the cloud, hardware has re-emerged as pivotal in IdM. All really serious security and authentication takes place in secure dedicated hardware, such as SIM cards, ATMs, EMV cards, and the new Trusted Execution Environment mobile devices. Today’s leading authentication initiatives, like the FIDO Alliance, are intimately connected to standard cryptographic modules now embedded in most mobile devices. Hardware-based identity management has arrived just in the nick of time, on the eve of the Internet of Things.

3. The “Attributes Push” will shift how we think about identity. In the words of Andrew Nash, CEO of Confyrm Inc. (and previously the identity leader at PayPal and Google), “Attributes are at least as interesting as identities, if not more so.” Attributes are to identity as genes are to organisms – they are really what matters about you when you’re trying to access a service. By fractionating identity into attributes and focusing on what we really need to reveal about users, we can enhance privacy while automating more and more of our everyday transactions.

The Attributes Push may recast social logon. Until now, Facebook and Google have been widely tipped to become “Identity Providers”, but even these giants have found federated identity easier said than done. A dark horse in the identity stakes – LinkedIn – may take the lead with its superior holdings in verified business attributes.

4. The identity agenda is narrowing. For 20 years, brands and organizations have obsessed about who someone is online. And even before we’ve solved the basics, we over-reached. We've seen entrepreneurs trying to monetize identity, and identity engineers trying to convince conservative institutions like banks that “Identity Provider” is a compelling new role in the digital ecosystem. Now at last, the IdM industry agenda is narrowing toward more achievable and more important goals - precise authentication instead of general identification.

Digital Identity Stack (3 1)

5. A digital identity stack is emerging. The FIDO Alliance and others face a challenge in shifting and improving the words people use in this space. Words, of course, matter, as do visualizations. IdM has suffered for too long under loose and misleading metaphors. One of the most powerful abstractions in IT was the OSI networking stack. A comparable sort of stack may be emerging in IdM.

6. Continuity will shape the identity experience. Continuity will make or break the user experience as the lines blur between real world and virtual, and between the Internet of Computers and the Internet of Things. But at the same time, we need to preserve clear boundaries between our digital personae, or else privacy catastrophes await. “Continuous” (also referred to as “Ambient”) Authentication is a hot new research area, striving to provide more useful and flexible signals about the instantaneous state of a user at any time. There is an explosion in devices now that can be tapped for Continuous Authentication signals, and by the same token, rich new apps in health, lifestyle and social domains, running on those very devices, that need seamless identity management.

A snapshot at my report "Identity Moves from Who to What" is available for download at Constellation Research. It expands on the points above, and sets out recommendations for enterprises to adopt the latest identity management thinking.

Posted in Trust, Social Networking, Security, Privacy, Identity, Federated Identity, Constellation Research, Biometrics, Big Data

Obama's Cybersecurity Summit

The White House Summit on Cybersecurity and Consumer Protection was hosted at Stanford University on Friday February 13. I followed the event from Sydney, via the live webcast.

It would be naive to expect the White House Cybersecurity Summit to have been less political. President Obama and his colleagues were in their comfort zone, talking up America's recent economic turnaround, and framing their recent wins squarely within Silicon Valley where the summit took place. With a few exceptions, the first two hours was more about green energy, jobs and manufacturing than cyber security. It was a lot like a lost episode of The West Wing.

The exceptions were important. Some speakers really nailed some security issues. I especially liked the morning contributions from Intel President Renee James and MasterCard CEO Ajay Banga. James highlighted that Intel has worked for 10 years to improve "the baseline of computing security", making her one of the few speakers to get anywhere near the inherent insecurity of our cyber infrastructure. The truth is that cyberspace is built on weak foundations; the software development practices and operating systems that bear the economy today were not built for the job. For mine, the Summit was too much about military/intelligence themed information sharing, and not enough about why our systems are so precarious. I know it's a dry subject but if they're serious about security, policy makers really have to engage with software quality and reliability, instead of thrilling to kids learning to code. Software development practices are to blame for many of our problems; more on software failures here.

Ajay Banga was one of several speakers to urge the end of passwords. He summed up the authentication problem very nicely: "Stop making us remember things in order to prove who we are". He touched on MasterCard's exploration of continuous authentication bracelets and biometrics (more news of which coincidentally came out today). It's important however that policy makers' understanding of digital infrastructure resilience, cybercrime and cyber terrorism isn't skewed by everyone's favourite security topic - customer authentication. Yes, it's in need of repair, yet authentication is not to blame for the vast majority of breaches. Mom and Pop struggle with passwords and they deserve better, but the vast majority of stolen personal data is lifted by organised criminals en masse from poorly secured back-end databases. Replacing customer passwords or giving everyone biometrics is not going to solve the breach epidemic.

Banga also indicated that the Information Highway should be more like road infrastructure. He highlighted that national routes are regulated, drivers are licensed, there are rules of the road, standardised signs, and enforcement. All these infrastructure arrangements leave plenty of room for innovation in car design, but it's accepted that "all cars have four wheels".

Tim Cook was then the warm-up act before Obama. Many on Twitter unkindly branded Cook's speech as an ad for Apple, paid for by the White House, but I'll accentuate the positives. Cook continues to campaign against business models that monetize personal data. He repeated his promise made after the ApplePay launch that they will not exploit the data they have on their customers. He put privacy before security in everything he said.

Cook painted a vision where digital wallets hold your passport, driver license and other personal documents, under the user's sole control, and without trading security for convenience. I trust that he's got the mobile phone Secure Element in mind; until we can sort out cybersecurity at large, I can't support the counter trend towards cloud-based wallets. The world's strongest banks still can't guarantee to keep credit card numbers safe, so we're hardly ready to put our entire identities in the cloud.

In his speech, President Obama reiterated his recent legislative agenda for information sharing, uniform breach notification, student digital privacy, and a Consumer Privacy Bill of Rights. He stressed the need for private-public partnership and cybersecurity responsibility to be shared between government and business. He reiterated the new Cyber Threat Intelligence Integration Center. And as flagged just before the summit, the president signed an Executive Order that will establish cyber threat information sharing "hubs" and standards to foster sharing while protecting privacy.

Obama told the audience that cybersecurity "is not an ideological issue". Of course that message was actually for Congress which is deliberating over his cyber legislation. But let's take a moment to think about how ideology really does permeate this arena. Three quasi-religious disputes come to mind immediately:

  • Free speech trumps privacy. The ideals of free speech have been interpreted in the US in such a way that makes broad-based privacy law intractable. The US is one of only two major nations now without a general data protection statute (the other is China). It seems this impasse is rarely questioned anymore by either side of the privacy debate, but perhaps the scope of the First Amendment has been allowed to creep out too far, for now free speech rights are in effect being granted even to computers. Look at the controversy over the "Right to be Forgotten" (RTBF), where Google is being asked to remove certain personal search results if they are irrelevant, old and inaccurate. Jimmy Wales claims this requirement harms "our most fundamental rights of expression and privacy". But we're not talking about speech here, or even historical records, but rather the output of a computer algorithm, and a secret algorithm at that, operated in the service of an advertising business. The vociferous attacks on RTBF are very ideological indeed.
  • "Innovation" trumps privacy. It's become an unexamined mantra that digital businesses require unfettered access to information. I don't dispute that some of the world's richest ever men, and some of the world's most powerful ever corporations have relied upon the raw data that exudes from the Internet. It's just like the riches uncovered by the black gold rush on the 1800s. But it's an ideological jump to extrapolate that all cyber innovation or digital entrepreneurship must continue the same way. Rampant data mining is laying waste to consumer confidence and trust in the Internet. Some reasonable degree of consumer rights regulation seems inevitable, and just, if we are to avert a digital Tragedy of the Commons.
  • National Security trumps privacy. I am a rare privacy advocate who actually agrees that the privacy-security equilibrium needs to be adjusted. I believe the world has changed since some of our foundational values were codified, and civil liberties are just one desirable property of a very complicated social system. However, I call out one dimensional ideology when national security enthusiasts assert that privacy has to take a back seat. There are ways to explore a measured re-calibration of privacy, to maintain proportionality, respect and trust.

President Obama described the modern technological world as a "magnificent cathedral" and he made an appeal to "values embedded in the architecture of the system". We should look critically at whether the values of entrepreneurship, innovation and competitiveness embedded in the way digital business is done in America could be adjusted a little, to help restore the self-control and confidence that consumers keep telling us is evaporating online.

Posted in Trust, Software engineering, Security, Internet

Getting the security privacy balance wrong

National security analyst Dr Anthony Bergin of the Australian Strategic Policy Institute wrote of the government’s data retention proposals in the Sydney Morning Herald of August 14. I am a privacy advocate who accepts in fact that law enforcement needs new methods to deal with terrorism. I myself do trust there is a case for greater data retention in order to weed out terrorist preparations, but I reject Bergin’s patronising call that “Privacy must take a back seat to security”. He speaks soothingly of balance yet he rejects privacy out of hand. Ironically his argument for balance is unhinged.

Suspicions are rightly raised by the murkiness of the Australian government’s half-baked data retention proposals and by our leaders’ excruciating inability to speak cogently even about the basics. They bandy about metaphors for metadata that are so bad, they smack of misdirection. Telecommunications metadata is vastly more complex than addresses on envelopes; for one thing, the Dynamic IP Addresses of cell phones means for police to tell who made a call requires far more data than ASIO and AFP are letting on (more on this by Internet expert Geoff Huston here).

The way authorities jettison privacy so casually is of grave concern. Either they do not understand privacy, or they’re paying lip service to it. In truth, data privacy is simply about restraint. Organisations must explain what personal data they collect, why they collect, who else gets to access the data, and what they do with it. These principles are not at all at odds with national security. If our leaders are genuine in working with the public on a proper balance of privacy and security, then long-standing privacy principles about proportionality, transparency and restraint provide the perfect framework in which to hold the debate. Ed Snowden himself knows this; people should look beyond the trite hero-or-pariah characterisations and listen to his balanced analysis of national security and civil rights.

Cryptographers have a saying: There is no security in obscurity. Nothing is gained by governments keeping the existence of surveillance programs secret or unexplained, but the essential trust of the public is lost when their privacy is treated with contempt.

Posted in Trust, Security, Privacy

Are we ready to properly debate surveillance and privacy?

The cover of Newsweek magazine on 27 July 1970 featured an innocent couple being menaced by cameras and microphones and new technologies like computer punch cards and paper tape. The headline hollered “IS PRIVACY DEAD?”.

The same question has been posed every few years ever since.

In 1999, Sun Microsystems boss Scott McNally urged us to “get over” the idea we have “zero privacy”; in 2008, Ed Giorgio from the Office of the US Director of National Intelligence chillingly asserted that “privacy and security are a zero-sum game”; Facebook’s Mark Zuckerberg proclaimed in 2010 that privacy was no longer a “social norm”. And now the scandal around secret surveillance programs like PRISM and the Five Eyes’ related activities looks like another fatal blow to privacy. But the fact that cynics, security zealots and information magnates have been asking the same rhetorical question for over 40 years suggests that the answer is No!

PRISM, as revealed by whistle blower Ed Snowden, is a Top Secret electronic surveillance program of the US National Security Agency (NSA) to monitor communications traversing most of the big Internet properties including, allegedly, Apple, Facebook, Google, Microsoft, Skype, Yahoo and YouTube. Relatedly, intelligence agencies have evidently also been obtaining comprehensive call records from major telephone companies, eavesdropping on international optic fibre cables, and breaking into the cryptography many take for granted online.

In response, forces lined up at tweet speed on both sides of the stereotypical security-privacy divide. The “hawks” say privacy is a luxury in these times of terror, if you've done nothing wrong you have nothing to fear from surveillance, and in any case, much of the citizenry evidently abrogates privacy in the way they take to social networking. On the other side, libertarians claim this indiscriminate surveillance is the stuff of the Stasi, and by destroying civil liberties, we let the terrorists win.

Governments of course are caught in the middle. President Obama defended PRISM on the basis that we cannot have 100% security and 100% privacy. Yet frankly that’s an almost trivial proposition. It's motherhood. And it doesn’t help to inform any measured response to the law enforcement challenge, for we don’t have any tools that would let us design a computer system to an agreed specification in the form of, say “98% Security + 93% Privacy”. It’s silly to us the language of “balance” when we cannot measure the competing interests objectively.

Politicians say we need a community debate over privacy and national security, and they’re right (if not fully conscientious in framing the debate themselves). Are we ready to engage with these issues in earnest? Will libertarians and hawks venture out of their respective corners in good faith, to explore this difficult space?

I suggest one of the difficulties is that all sides tend to confuse privacy for secrecy. They’re not the same thing.

Privacy is a state of affairs where those who have Personal Information (PII) about us are constrained in how they use it. In daily life, we have few absolute secrets, but plenty of personal details. Not many people wish to live their lives underground; on the contrary we actually want to be well known by others, so long as they respect what they know about us. Secrecy is a sufficient but not necessary condition for privacy. Robust privacy regulations mandate strict limits on what PII is collected, how it is used and re-used, and how it is shared.

Therefore I am a privacy optimist. Yes, obviously too much PII has broken the banks in cyberspace, yet it is not necessarily the case that any “genie” is “out of the bottle”.
If PII falls into someone’s hands, privacy and data protection legislation around the world provides strong protection against re-use. For instance, in Australia Google was found to have breached the Privacy Act when its StreetView cars recorded unencrypted Wi-Fi transmissions; the company cooperated in deleting the data concerned. In Europe, Facebook’s generation of tag suggestions without consent by biometric processes was ruled unlawful; regulators there forced Facebook to cease facial recognition and delete all old templates.

We might have a better national security debate if we more carefully distinguished privacy and secrecy.

I see no reason why Big Data should not be a legitimate tool for law enforcement. I have myself seen powerful analytical tools used soon after a terrorist attack to search out patterns in call records in the vicinity to reveal suspects. Until now, there has not been the technological capacity to use these tools pro-actively. But with sufficient smarts, raw data and computing power, it is surely a reasonable proposition that – with proper and transparent safeguards in place – population-wide communications metadata can be screened to reveal organised crimes in the making.

A more sophisticated and transparent government position might ask the public to give up a little secrecy in the interests of national security. The debate should not be polarised around the falsehood that security and privacy are at odds. Instead we should be debating and negotiating appropriate controls around selected metadata to enable effective intelligence gathering while precluding unexpected re-use. If (and only if) credible and verifiable safeguards can be maintained to contain the use and re-use of personal communications data, then so can our privacy.

For me the awful thing about PRISM is not that metadata is being mined; it’s that we weren’t told about it. Good governments should bring the citizenry into their confidence.

Are we prepared to honestly debate some awkward questions?

  • Has the world really changed in the past 10 years such that surveillance is more necessary now? Should the traditional balances of societal security and individual liberties enshrined in our traditional legal structures be reviewed for a modern world?
  • Has the Internet really changed the risk landscape, or is it just another communications mechanism. Is the Internet properly accommodated by centuries old constitutions?
  • How can we have confidence in government authorities to contain their use of communications metadata? Is it possible for trustworthy new safeguards to be designed?

Many years ago, cryptographers adopted a policy of transparency. They have forsaken secret encryption algorithms, so that the maths behind these mission critical mechanisms is exposed to peer review and ongoing scrutiny. Secret algorithms are fragile in the long term because it’s only a matter of time before someone exposes them and weakens their effectiveness. Security professionals have a saying: “There is no security in obscurity”.

For precisely the same reason, we must not have secret government monitoring programs either. If the case is made that surveillance is a necessary evil, then it would actually be in everyone’s interests for governments to run their programs out in the open.

Posted in Trust, Security, Privacy, Internet, Big Data

Attribute wallets

There's little debate now that attributes are at least as important as "identity" in making decisions about authorization online. This was a recurring theme at the recent Cloud Identity Summit and in subsequent discussions on Twitter, my blog site and Kuppinger Cole's. The attention to attributes might mean a return to basics, with a focus on what it is we really need to know about each other in business. It takes me back to the old APEC definition of authentication: the means by which the recipient of a transaction or message can make an assessment as to whether to accept or reject that transaction.

A few questions remain, like what is the best way for attributes to be made available? And where does all this leave the IdP? The default architecture in many peoples' minds is that attributes should be served up online by Attribute Providers in response to Relying Party's needing to know things about Subjects instantaneously. The various real time negotiations are threaded together by one or more Identity Providers. Here I want to present an alternative but complementary vision, in which attributes are presented to Relying Parties out of digital wallets controlled by the Subjects concerned, and with little or no involvement of Identity Providers as such.

Terminology: In this post and in most of my works I use the nouns attribute, claim and [identity] assertion interchangeably. What we're talking about are specific factoids about the first party to a transaction (the "Subject") that are interesting to the second party in the transaction (the "Relying Party" or Service Provider). In general, each attribute is vouched for by an authoritative third party referred to as an Attribute Provider. In some special cases, an RP can trust the Subject to assert certain things about themselves, but the more interesting general case is where the Relying Party needs external assurance that a given attribute is true for the Subject in question. I don't have much to say about self-asserted attributes.

The need to know

As much as we're all interested in identity and "trust" online, the authentication currency of most transactions is attributes. The context of a transaction often determines (and determines completely) the set of attributes and their target values that together determine whether a party is authorised or not. For example, in the retail shopping context, if the Subject is a shopper, the RP a merchant and the transaction a credit card purchase, then the attributes of interest are the cardholder name, account number, billing address and maybe the card verification code. In the context of dispensing an electronic prescription, the only attribute might be the doctor's prescriber number (pharmacists of course don't care who the doctor 'really is'; notoriously they can't even read the doctor's handwriting). For authorising a purchase order on behalf of a company, the important attributes might be the employee position and staff ID. For opening a new bank account, Know-Your-Customer (KYC) rules in most jurisdictions will dictate that such attributes as legal name, address, date of birth and so on be presented in a prescribed form (typically by way of original government issued ID documents).

For most of the common attributes of interest in routine business, there are natural recognised Attribute Authorities. Some are literally authoritative over particular attributes. Professional bodies for instance issue registration numbers to accountants, doctors, engineers and so on; employees assign staff IDs; banks issue credit card numbers. In other cases, there are de facto authorities; most famously, driver licenses are relied on almost universally as proof of age around the world.

Sometimes rules are laid down that designate certain organisations to act as Attribute Providers - without necessarily using that term. Consider how KYC rules in effect designate Attribute Authorities. In Australia, the Financial Transaction Reports Act 1988 (FTRA) has long established an identity verification procedure called the "100 point check". FTRA regulations prescribe a number of points to various identification documents, and in order to open a bank account here, you need to present a total of 100 points worth of documents. Notable documents include:

  • Birth certificate: 70 points
  • Current passport: 70 points
  • Australian driver licence [bearing a photo]: 40 points
  • Foreign driver licence [not necessarily bearing a photo]: 25 points
  • Credit card: 25 points.

So in effect, the financial regulators in Australia have designated driver license bureaus and credit card issuers to be Attribute Providers for names (again, without actually using the label "AP"). Under legislated KYC rules, a bank creating a new customer account can rely on assertions made by other banks or even foreign driver license authorities about the customer's name, without needing to have any relationship with the "APs". Crucially, the bank need not investigate for itself nor understand the detailed identification processes of the "APs" listed in the KYC rules. Of course we can presume that KYC legislators took advice on the details of how various identity documents are put together, and in the event that an error is found somewhere in the production of an identity feeder document then forensic investigation would follow, but the important point is that routinely, the inner workings of all the various APs are opaque to most relying parties. The bank as RP does not need to know how a license bureau does its job.

And yet we do know that the recognised Attribute Providers continuously improve what they do. Consider driver licenses. In Australia up until the 1970s, driver licenses were issued on paper. Then plastic cards were introduced with photographs. Numerous anti-copying measures have been rolled out since then, such as holograms, and guilloche, optically variable and micro printing. Now the first chipped driver licenses are being issued, in which cryptographic technology not only makes counterfeiting difficult but also enables digitally signed cardholder details to be transmitted electronically (the same trick utilised in EMV to stop skimming and carding). Less obvious to users, biometric facial recognition is also used now during issuance and renewal to detect fraudsters. So over time the attributes conveyed by driver licenses have not changed at all - name, address and date of birth have always meant the same thing - but the reliability of these attributes when presented via licenses is better than ever.

Imposters are better detected during the issuance process, the medium has become steadily more secure, and, more subtly, the binding between each licence and its legitimate holder is stronger.

We are accustomed in traditional business to dealing with others on the basis of their official credentials alone, without needing to know much about who they 'really are'. When deciding if we can accept someone in a particular transaction context, we rely on recognised providers of relevant attributes. Hotel security checks a driver license for a patron's age; householders check the official ID badges of repair people and meter readers; a pathologist checks the medical credentials of an ordering doctor; an architect only deals with licensed surveyors and structural engineers; shareholders only need to know that a company's auditors are properly certified accountants. In none of these routine cases is the personal identity of the first party of any real interest. What matters is the attributes that authorise them to deal in each context.

Digital wallets

Now, in the online environment, what is the best way to access attributes? My vision is of digital wallets. I advocate that users be equipped to hold close any number of recognised attributes in machine readable formats, so they can present selected attributes as the need arises, directly to Relying Parties. This sort of approach is enabled by the fact that the majority of economically important transaction settings draw on a relatively small number of attributes, and we can define a useful attribute superset in advance. As discussed previously such a superset could include:

  • {Given name, Residential address, Postal address, Date of Birth, "Over 18", Residential status, Professional qualification(s), Association Membership(s), Social security number, Student number, Employee Number, Bank account number(s), Credit card number(s), Customer Reference Number(s), Medicare Number, Health Insurance No., Health Identifier(s), OSN Membership(s)}

Many of these attributes have just one natural authoritative provider each; others could be provided by a number of alternative organisations that happen to verify them as a matter of course and could stand ready to vouch for them. The decision to accept any AP's word for a given attribute is ultimately up to the Relying Party; each RP has its own standards for the required bona fides of the attributes it cares about.

There are a few obvious candidates for digital attribute wallets:

  • A smart phone could come pre-loaded with attributes that have been verified as a matter of course by the telephone company, like the credit card number associated with the account, or proof of age. A digital wallet on the phone could later be topped up with additional attributes, over the air or via some other more secure over-the-counter protocol.

  • A smart driver license could hold digital certificates signed by the licensing bureau, asserting name, address, date of birth, and/or simpler de-identified statements like "the older is over 18". Note that the assertions could be made separately or in useful combinations; for privacy, a proof of age certificate need not name the holder but simply specify that the assertion is carried on a particular type of chip, signed by the authoritative issuer.

  • When you receive a smart bank card, the issuer bank could load the chip with your name, address, date of birth, PANs and/or certified copies of identity documents presented to open the account. Such personal identity assertions could then be presented by the customer to other RPs like financial institutions or retailers to originate other accounts.

Do we need an "Identity Provider" to thread together these attributes? No. While it is important that RPs can trust that each attribute is in the right hands, the issuance process (including the provisioning of attribute carrying tokens like cards and mobile phones) is just one aspect of the Attribute Provider's job. If we can trust say a licensing bureau to verify the particulars of a license holder, then we can also trust them as part of that process to ensure that the license is in the hands of its rightful owner.

In contrast with the real time 'negotiated' attributes exchange architectures, the digital wallet approach has the following advantages:

  • Decentralised architecture: lower cost and quicker to deploy; we can start local and scale up as Attribute Providers gain ground;

  • Fast: digitally signed attributes presented from smart devices diret to Relying Parties can be cryptographically verified instantaneously, for higher performance, especially in bandwidth limited environments.

  • Intrinsically private: Direct presentation of attributes minimises the exposure of personal information to third parties.

  • ”Natural”: Digital wallets of attributes is congruent with the way we hold diverse pieces of personal documentation in regular wallets; unlike big federation model, no novel new intermediaries are involved.

  • Legally simpler: It is relatively simple matter for Attribute Authorities to warrant the accuracy of separate particulars like name, date of birth, account number, without any making any other broad representations of who the Subject 'really is'. There is none of the legal fine print that bedevilled Big PKI Certification Authorities in the past and which proved fatal in federation programs like the Internet Industry Association 2FA pilot.


  • On a case by case basis, as dictated by their risk management strategies, RPs can revert to an online AP to check the up-to-the-minute validity of an attribute. In practice this is not necessary in many cases; many of the common attributes in business are static, and once issued (or vouched for by a reputable body) do not change. If attributes are conveyed by digital certificates, then their validity can be efficiently checked online by OCSP and near-line by CRL.
  • The patient smartcards already widespread in Europe are an ideal carrier for a plurality of human services identifiers (such as public health insurance numbers, health record identifiers, medical social networking handles, and research tracking numbers; see also a previous presentation on anonymity and pseudonymity in e-research).
  • As other conventional plastic cards are progressively upgraded to chip - such as the proposed US Medicare card modernization - we have a natural opportunity to load them with secure digital assertions too.
  • In the medium to long term, digitally signed attributes could be made to chain through communities of CAs to a small number of globally recognised Root Authorities. For a model, refer to s4.4 "How to convey fitness for purpose" of my Public Key Superstructure presentation to the 2008 NIST IDTrust workshop.

Posted in Trust, Smartcards, Security, Identity, Federated Identity