
SAYIT


2016 Aug 31, 3:12pm   1,056 views  4 comments

by Dan8267

I was going to post this in another thread, but it deserves its own thread.

Eventually the nation will have to adopt a single person ID that protects against forgery, impersonation, and non-repudiation while also protecting privacy and access to information about a user, giving each person a single place to correct, challenge, or refute any information about him.

The technical problems are hardly that difficult. The problem is the lack of political will to empower individuals to have control over their lives and to force suppliers of data to prove their statements about others are accurate. The burden of proof must always be on the person or group making statements about the subject. Furthermore, all access to this information must be logged and the logs and the data available in real time to the subjects. None of this, you get to check your credit report once a year for free. You should be able to check your credit report and all other data on you once a second for free. You should be able to subscribe to a secure RSS feed and have a bot monitor all data on you without cost to you. That's the check and balance on abuse of information and it falls under your right not to be libeled by someone.

Here's how I would design the system. Let's call the system the Secure Anonymizing Yet Identifying Technique or SAYIT.

1. Every person and every legal entity (corporation, government agency, etc.) gets a unique and permanent ID. This ID is not used for anything itself. The IRS does not use it for a tax ID. The DMV does not use it for a driver's license ID. The voting poll does not use it as a voter ID. It is used for nothing but being an anchor for all other IDs. This root ID is never published and it's illegal to use any root ID by any person, corporation, or government agency except SAYIT. Lookups using the root ID are not supported by SAYIT except internally.

2. Every entity (person or legal entity) that wants to look up any information about another entity in the SAYIT system must also be in the SAYIT system and thus has a root ID. For example, Joe the cop has a SAYIT root ID. So does the police department for which he works.

3. Every entity also has at least one query ID associated with its root ID. Every entity gets a self-lookup query ID by default and this cannot be deleted. A police department would also get other query IDs such as one for criminal history requests related to active cases and one for background checks for employment in the police department.

4. Query IDs are used only by the entity owning them and it is illegal to even request a person's query ID. Query IDs can be temporary and can be revoked and replaced if necessary. Only soft deletes of query IDs are allowed.

5. Whenever an entity requests information, it provides its query ID. SAYIT knows who the person is because the root ID is accessible to SAYIT and only SAYIT from the query ID. More importantly, SAYIT knows the justification for the query based on the query ID and will log this request using the query ID.

6. Permissions on what information can be retrieved are based on the query ID. This query ID also lets the subject know who is requesting information on them, what information was requested, what information was received, when the request was made, and when it was fulfilled. This is all done without revealing the query ID of the querier to the subject.

7. Every entity also has a self ID which the entity uses to identify itself to SAYIT. No entity knows its root ID. Self IDs can be revoked and replaced if compromised. It is illegal to even ask an entity for its self ID or to use self IDs in any system outside of SAYIT. Not even a cop can ask you for your self ID.

8. When an entity X needs IDs for other entities, an entity ID is created for use by entity X alone. For example, the IRS needs a tax ID for every tax payer or dependent regardless of citizenship. The IRS requests a tax ID from SAYIT providing
- the IRS's self ID
- a query ID created for this purpose and only this purpose
- the self ID of the IRS agent or automated system (yes, even automated systems have self IDs and SAYIT accounts)

The tax payer or dependent sends his self ID, never revealing it to the IRS, to SAYIT as part of this request. I'll give the details of how this works mechanically later. In the case of a child, the parent sends a child ID, which only guardians of minors know, instead of the self ID as well as the parent's self ID. This may sound complicated, but it's a lot simpler, faster, and easier to do than registering your child in the current system. Everything can be done in seconds at the hospital with the swipe of a card and a few keystrokes.

The consequence of this is that the IRS has a unique ID for every tax payer, but that ID can ONLY be used by the IRS. Other people and entities cannot use your tax payer ID or even know what it is. Nor can the IRS find any IDs you have from the tax ID. So the tax ID can be used for one and only one purpose.

Also, you never need to know your tax ID. You only ever need to know your self ID, and no one else knows that. If anyone finds out your self ID, you get a new one within seconds at no expense. It's just data.

Finally, it's not just taxes that are serviced by these entity-specific IDs. Your Social Security account has an entity ID that's only used for Social Security. Every bank you do business with has an entity ID for you that's only for you and no one else and no other bank or entity uses to identify you. The upshot of this is that it allows for automatically policing the sharing of information about you and informing you of what information is shared by whom and when.

9. A single smart ID. Instead of carrying various cards, driver's license, passport, health insurance, auto insurance, work badge, credit cards, shopper loyalty cards, etc. you carry a single smart card. That smart card has on it only your picture and legal name. No address. No phone number. No ID number. No nothing but your picture and name.

This smart ID has a microchip, memory, and full support for RSA encryption like an RSA keychain. The smart ID also has a micro USB port -- yes, the smart ID is slightly thicker than a credit card, but it's the only card you need -- or similar port for performing two-way data exchange and for being powered by the machine it connects to. Smartcards are off when not connected to a SAYIT terminal. No wireless scanning of them.

10. As soon as a smartcard is connected to a SAYIT terminal, SAYIT logs the access, the logged in user, and any requests made by the user. The SAYIT terminal can be a secure browser calling a SAYIT web service, but I'll ignore that for right now because it just adds a bit of complication but does not really change anything.

11. SAYIT terminals and SAYIT communicate with each other using the strong encryption that protects against man-in-the-middle attacks and provides the other standard security you expect from modern Internet applications.

Here are some real world examples.

Example 1: Traffic Stop

Let's say a cop pulls you over. You hand over your SAYIT smart card. He inserts it into a PDA/tablet. From this tablet he looks up all information about you that he is allowed to do so for a traffic stop. This would include the status of your driver's license, insurance, and vehicle registration. It does not include where you work or live or what bank accounts you have as these are not relevant to a traffic stop.

Example 2: Criminal Stop

Let's say a cop is in the process of a criminal investigation. Now from your SAYIT card he can get additional information because his tablet uses a query ID for criminal investigations. So now he can request your home address and, depending on the investigation, your bank account information or other necessary things. However, whatever he requests is logged and must be justified. If he wrongfully requests information that he should not have access to, say your bank account information while investigating a shoplifting accusation, then you can sue and you have proof of what he requested. The police have some discretion, but not free rein.

Example 3: Making a Purchase

You buy something at a store, online, or in a restaurant. You insert your SAYIT card in a POS terminal, click which CC or debit account you want, enter a password or pin that you chose, and confirm the purchase. Then remove your card and you're done.

Behind the scenes, the merchant (company, not individual) has a self ID and a query ID it sends to SAYIT. Your smart card sends its card ID to SAYIT which can then match it to your root ID and then to your bank's entity ID for you and thus your accounts with them. SAYIT sends your bank this entity ID and gets back a one-time token that it sends to the POS. The POS uses this one-time token to perform a credit card charge. Also, it doesn't matter if you have multiple credit cards with multiple companies because multiple tokens, one for each bank, can be generated in a fraction of a second. Of course the tokens expire in ten minutes as well.

This would make credit card transactions infinitely more secure than they are today. Credit card fraud would be virtually impossible.

Example 4: Lost Card

Your card is lost or stolen. No problem. No query can be done by anyone without your confirmation via password or pin except for law enforcement or court ordered queries.

Report a lost card and it is immediately invalidated. A new card is sent to you at no cost or you can pick one up at any bank -- let's require banks to provide this service at any brick-n-mortar site for their banking license as it would cost them basically nothing to do so and they save tons of money on CC fraud. Any attempt to use the lost card triggers an alarm.

Example 5: Compromised ID

If any ID is compromised, say a self ID, then simply request a new self ID and it immediately takes effect. Your self ID is not stored on the SAYIT card. Only the card's ID is stored on the SAYIT card. The SAYIT system keeps your self ID internal.

Example 6: Voting ID

Your smart SAYIT card can be used as a voter ID. Just slide it into the voting machine. Your voter ID is also a kind of ID used in the SAYIT system, and it's used for voting and nothing else. A voter ID is automatically generated for every legal voter. No need to even register to vote. You're automatically registered. Just pick a party if you want to. The SAYIT system will enforce all laws. No person will be allowed to deny anyone the opportunity to vote. Any illegal vote will be automatically detected, logged, and not included in the tally. The government will have an exact measure of voter fraud, and the voters will have the ability to confirm that their vote was registered. (Yes, electronic voting merits its own thread, so I'm not going into details here. The important thing is that it can be done with existing technology.)

Example 7: Cross-Entity Information Sharing

The most complex feature of SAYIT is the ability to share and control sharing of data by different entities. For example, the FBI and DHS can query information that may have been gathered by either agency but only according to well-defined and transparent rules that the public knows about and can debate whether or not to accept. Automated systems can be audited and policed to ensure that any abuses of power are swiftly dealt with. Failures to communicate can also be identified, measured, and reported in real time. None of these things can be done with the current hodge podge of systems.

The government gets to have the information access it claims to need, but the government is also held accountable for use of this information and for any failures. Power with responsibility and accountability.

Example 8: Self Reflection

At any time, you as a SAYIT entity, can without any cost get all the information about you with damn few law enforcement and national security exceptions. The information you get is up to date in real time. You can challenge any information and it's the other side's burden of proof to demonstrate the information is accurate. You can query this information as much as you like, every second of every day if you want. It's as readily available to you as a Google search, but it's only available to you.

You can also see everyone who is accessing your information and when, again with damn few law enforcement and national security exceptions. For most information you have to opt-in to letting entities query your data like you do with a credit check. This can be done on the level of an individual entity like a bank or on a functional area like "all banks". You can also revoke access to your data at any time and no entity can request you to forfeit this or any other rights under the SAYIT system.

Example 9: Anonymity with Uniqueness

Let's say a website wants to ensure unique users and prevent multiple accounts, but still wants to provide anonymity. It would create an entity ID for you through the SAYIT system. The website can use this entity ID as a user ID ensuring uniqueness without knowing anything about you. Of course, this requires trust in the SAYIT system, which is why strong privacy laws would be needed to protect the SAYIT system from abuse in this case.

There are ways for the SAYIT system to generate a unique entity ID for you and ensure that you don't generate multiple entity IDs for a single entity without SAYIT being able to tell which entities you are associating with or what your account is. However, all such solutions do involve either trust in the implementation of SAYIT or making the source code public and transparent. It would also require the government to agree to giving up this power and that's highly unlikely in our culture. But it can be done.

#politics #scitech
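
A minimal sketch of the ID separation in points 1-8 and the scoped, logged lookups of Examples 1 and 8, added here as an example and not part of the original post. The post does not say how entity IDs are generated: the HMAC derivation, the class `Sayit` and every method name are assumptions, and the subject's self ID is passed in directly to stand in for the card exchange.

```python
import hashlib, hmac, secrets, time

class Sayit:
    """Toy SAYIT registry. HMAC-derived entity IDs are an assumption of this example."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # derivation key, held only by SAYIT
        self._roots = {}    # root ID -> {"name": ..., "data": {...}}
        self._selfs = {}    # revocable self ID -> root ID
        self._queries = {}  # query ID -> (owner root ID, purpose, allowed fields)
        self._log = []      # every request, including fields that were refused

    def enroll(self, name, data=None):
        root = secrets.token_hex(16)         # root ID never leaves this object
        self._roots[root] = {"name": name, "data": data or {}}
        return self._issue_self_id(root)

    def _issue_self_id(self, root):
        sid = secrets.token_hex(16)
        self._selfs[sid] = root
        return sid

    def rotate_self_id(self, old_sid):
        return self._issue_self_id(self._selfs.pop(old_sid))  # old ID dies at once

    def issue_query_id(self, owner_sid, purpose, fields):
        qid = secrets.token_hex(16)
        self._queries[qid] = (self._selfs[owner_sid], purpose, frozenset(fields))
        return qid

    def entity_id(self, relying_sid, subject_sid):
        # Stable per (relying party, subject) pair; unlinkable across relying parties.
        msg = f"{self._selfs[relying_sid]}|{self._selfs[subject_sid]}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def query(self, qid, subject_sid, fields):
        owner, purpose, allowed = self._queries[qid]
        subject = self._selfs[subject_sid]
        data = self._roots[subject]["data"]
        got = {f: data[f] for f in fields if f in allowed and f in data}
        self._log.append({"subject": subject, "who": self._roots[owner]["name"],
                          "purpose": purpose, "asked": sorted(fields),
                          "got": sorted(got), "at": time.time()})
        return got

    def access_log(self, subject_sid):
        # The subject sees who asked, why, and what was returned, never the query ID.
        subject = self._selfs[subject_sid]
        return [{k: e[k] for k in ("who", "purpose", "asked", "got", "at")}
                for e in self._log if e["subject"] == subject]
```

Because the entity ID is derived from root IDs, rotating a compromised self ID leaves every entity ID unchanged, and the log records fields that were asked for but refused, which is the evidence Example 2 relies on.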

Comments 1 - 4 of 4

1   Allah the devil   2016 Aug 31, 3:43pm  

You really expect anyone to read a whole essay?

2   Dan8267   2016 Aug 31, 4:34pm  

Allah the devil says

You really expect anyone to read a whole essay?

Anyone with an attention span longer than a toddler. Granted that may discount the vast majority of proudly ignorant Americans, but I'm not writing for them.

The mantra "tl;dr;" is a declaration of one's own willful ignorance and lack of intellectual capacity. It's like declaring "I'm the dumbest idiot here and I'm damn proud of it.". There are some vices you shouldn't be proud of. A short attention span and an aversion to reading are two of them.

3   Allah the devil   2016 Aug 31, 5:28pm  

Dan8267 says

Allah the devil says

You really expect anyone to read a whole essay?

Anyone with an attention span longer than a toddler. Granted that may discount the vast majority of proudly ignorant Americans, but I'm not writing for them.

The mantra "tl;dr;" is a declaration of one's own willful ignorance and lack of intellectual capacity. It's like declaring "I'm the dumbest idiot here and I'm damn proud of it.". There are some vices you shouldn't be proud of. A short attention span and an aversion to reading are two of them.

Do you read every long essay on Patnet?

4   Dan8267   2016 Aug 31, 5:34pm  

Allah the devil says

Do you read every long essay on Patnet?

It's been my experience that if something is worth reading, it's longer than a tweet.

In any case, if I didn't bother to read a post, I wouldn't respond to it. What would be the point? I certainly would not revel in having a short attention span.
