A National ID Card? - Why it Might Merit Another Look

Friday, May 30, 2014

As news about Edward Snowden continues to drip out, it is helpful to remind ourselves how we got here - especially as the latest government scandal tends to drown out the earlier ones.  The National Security Agency (NSA) collects usage data on tens of millions of cell phones.  It is important to note that they do not "listen in" on the calls, but they do keep records such that the volume, time and duration of calls - the 'metadata' - remain available for analysis.

I blogged earlier about this, providing Chapter 9 of my book as a sample.  We have to start asking questions about "data ownership."  There is very little economic activity which does not originate data on a computer network somewhere.  When you swipe your credit card, data is originated on the network (e.g. Visa or MasterCard) and the issuing institution (your bank or credit union).  When you use your ATM card, you originate data on your bank's system, and maybe on another network system if you are using a network ATM.  When you check a book out of the library, you originate data on the library's computer system.  And when you place a call on your cell phone, you originate data on the carrier's network.  And so on, throughout almost our entire daily economic life - web browsing and email included.  And then there is this new frontier of genetic medicine - in the near future your genetic code might exist in some computer network as bits and bytes.

It might come as a surprise, but you do not own this data.

As for your cell phone usage, in most cases, that data is addressed in the fine print of some privacy policy. Most privacy policies allow the carrier to share the data - over which they claim ownership - with government in response to "legal process."  Of course we have heard the uproar over 4th Amendment protections.  But the 4th Amendment protects our person and property from unreasonable searches and seizures.  So again, the question is this: Who owns the data?  If the data is not our property - and it isn't - the 4th Amendment does not protect us here.

This is why I argue for a constitutional amendment stating the following:
All data pertaining to the identity and economic activity of a person, including any information obtained from the data, shall remain the property of the person.

But there is another, related issue we have to tackle.  And this one is generally a very big no-no to conservatives.  I'll argue below why a national identity card is actually crucial to our civil liberties.  I'll show how it can provide - literally - the "key" to establishing intellectual property rights over data originated by our economic activities.

A Term Only a Geek Could Love: "Public Key Infrastructure"

Allow me to whip out my pocket protector and don my beanie - you know, the one with a propeller on the top.  (If you're a jock, I'm that guy your grade school teacher used to talk about - the one he said you'd end up working for some day.)

In the computing world, the "Public Key Infrastructure" (PKI) is a set of hardware and software standards that allow for the creation of "tokens" - physical things which can be used with computers to identify the user.  The most common "tokens" are the "smart card" (like the photo featured in this post) or a specialized USB "thumb drive".  Because the "smart card" is the more common of the two - and is the model for what a national identity card might look like - I'll try to discuss how it works without getting my beanie's propeller spinning too fast.

A smart card can be placed in a USB card reader.  Alternatively, keyboards are available with built-in smart card readers.  The card reader reads the small yellow "chip" on the card, which is capable of storing a small amount of data.  In the PKI, special files called "digital certificates" can be created and stored on this chip.  Generally, there are two main kinds of certificates: one used to "sign" emails and another used to otherwise identify a person.  Standard Internet website hosting technologies allow a web site to require the submission of the user's digital certificate.  This is often done in place of the traditional username and password.  Often, the card is set up so that the digital certificate can be used only after a PIN is entered.  All major operating systems either come pre-engineered with the ability to prompt for this PIN, or a utility can be installed to provide this functionality.

But the propeller is really starting to spin on the beanie, so let's get to the heart of the matter.

Anonymity, Privacy and a National ID Card

One of the aspects of the Internet which has been prized since its inception is anonymity.  While this has certainly been abused, that has always been the case with freedom.  But as the Internet has developed into an engine of economic activity, we choose to give up anonymity (necessarily) when it comes to things like banking, retirement accounts, email, etc.  But we do not choose to give up privacy.

Or do we?

The answer to that question hinges on the question of data ownership.  If we do not own the data, then when we originate it on the vendor's computer system (be it an email provider, a bank, a cell phone carrier or what have you) we give up privacy to the extent that the privacy policy allows the data owner to make whatever use of the data is specified in that policy.  It is unlikely most of us wade through all that fine print.  If we did, we would realize that unless we "opt out" - in most cases by ending the business relationship - we have given up our privacy.

There is a better way.  And we need not wait; the technology already exists in the PKI.

Remember here that the crux of this proposal is to establish - in the Constitution outside the grasp of politicians - that data originated by our economic activity remains our intellectual property.  But if this is going to work, we have to have a way to digitally identify what belongs to us.  Enter PKI and a National ID Card.

We could revise our amendment as follows:
All data pertaining to the identity or economic activity of a person, including any information obtained from the data, shall remain the property of the person.  The Congress shall have the authority to establish a digital identification card for the purpose of establishing intellectual property rights over such data.  Congress shall make no law respecting use of a national identification card for any other purpose.

What this does for us is allow us to identify ourselves - selectively giving up anonymity - for the purpose of establishing our property claim over data originated on the system to which we have identified ourselves.  It is important to note that websites can optionally require a digital certificate.  We can still retain our anonymity elsewhere on the Internet.  But when we are anonymous, we make no claim of ownership over any data which might be created.

It is important to understand that it is precisely a national digital identification card with PKI digital certificates which makes actual privacy in the digital age possible.  We already recognize that in order to pay bills, bank online, manage a retirement account, send and receive email, etc., we have to identify ourselves - usually with a username and password.  With a standardized way to replace the username and password - the digital certificate - and with a constitutional guarantee that data originated on systems we have identified ourselves to with that certificate remains our property, we now have complete control over our personal information.  In order to make any use of it, the vendor will have to obtain a license from us.  And in order to access it for any purpose, the government will be subject to the restrictions of the 4th Amendment.

Lastly, I'll make an observation as a computer security professional.  The proliferation of systems with usernames and passwords has made our identity and privacy less secure.  Most people will use the same password for different systems, so once one is compromised, others easily follow.  Or if different passwords are used, because there are so many, people tend to write them down.  Lose the Post-It note, and there goes your bank balance.

A national identity card with a digital certificate secured by a PIN can replace every username and password with one PIN.  It also has the advantage of adding a true "second factor" to security.  The first factor with a PKI "token" like a smart card is that you have physical possession of the card itself - cyber-security professionals refer to this first factor as "what you have."  The card is physically placed in the card reader and read by the operating system.  The second factor is knowledge of the PIN.  Cyber-security refers to this as "what you know."  An analogy would be a door with two padlocks.  One uses a 4-digit code to open the lock, the other a key.  In order to open the door you have to "know" the combination of the first and "have" the key to the second - two factor security.  Many websites are now periodically challenging the user with a security question.  This adds an extra layer of "what you know" and can continue to provide extra security against the possibility that the smart card would be lost and the PIN disclosed to the same malevolent impersonator.
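
The two-factor check described above, and the certificate-in-place-of-password login described earlier, modeled in Go as an added example that is not part of the original post.  The `Card` type, its three-try lockout, the sample PIN and the use of Ed25519 keys are assumptions made for illustration; a real card keeps the key in hardware, and a real website also validates the certificate that carries the public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Card is a hypothetical model of a PIN-protected smart card; it only signs.
type Card struct {
	Public    ed25519.PublicKey // what a certificate would bind to the holder
	private   ed25519.PrivateKey
	pin       string
	triesLeft int
}

func NewCard(pin string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{Public: pub, private: priv, pin: pin, triesLeft: 3}, nil
}

// Sign answers a challenge only if the PIN matches; three misses lock the card.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.triesLeft == 0 {
		return nil, errors.New("card locked")
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.triesLeft--
		return nil, errors.New("wrong PIN")
	}
	c.triesLeft = 3
	return ed25519.Sign(c.private, challenge), nil
}

// Verify is the website's side: it needs only the public key, never the PIN.
func Verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	card, _ := NewCard("4921") // constructed sample PIN
	sig, err := card.Sign("4921", []byte("constructed-nonce"))
	fmt.Println(err == nil && Verify(card.Public, []byte("constructed-nonce"), sig))
}
```

Because the website sends a fresh challenge each time and checks the answer against the public key alone, neither the PIN nor anything reusable as a password ever reaches the site.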

An amendment to the U.S. Constitution both establishing our ownership over data about us and authorizing Congress to issue a national ID card would be a huge step toward bringing the concept of individual liberty - and the privacy it requires - into the digital age.
