State In A Box - Identity Services Architecture
State In A Box presents a coherent vision of overhauling the fundamental assumptions made about nation state infrastructure to enable breakthroughs in Security, Stability, Transition and Reconstruction (SSTR) functions in states in crisis. The Identity Services Architecture presented enables low cost, high security financial transaction infrastructure to be rolled out using 2D bar codes, public key cryptography, camera phones and biometrics in a novel configuration which both protects civil liberties and provides strong identity information for legal processes.
Furthermore, an approach to international control of a single international biometric database is presented, based on the chaordic work of Dee Hock, the architect of VISA. The assessment at the heart of this paper is that the benefits of a correctly-designed rights-respecting cross-jurisdictional chaordic governance structure cannot be forgone if we are to see a realistic implementation of biometrics as an enabling technology for development.
We anticipate the cost of issuing an ID using this technology to be less than $1 per head.
This paper covers a lot of theoretical ground. For a quick overview of the ID proposal and links to the demonstration code, see the CheapID Homepage.
You may find the the original word document of this page easier to read. The getting started guide (pdf) which has some diagrams that provide a good starting point is essential reading.
There is also a 35 minute video which explains some of the basic technical ideas behind CheapID, although its scope is far more limited than this paper.
The Civil Liberties PerspectiveAnother way to understand this paper is to look at how the system described in it would be used by ordinary people doing everyday things. People like you and me.
This paper shows how we can manage large scale biometrics databases and increase the amount of privacy we have from government snooping while still having a secure society.
The basic crux of this paper is that you can separate the biometrics database, which simply identifies your physical body, and isn't necessarily any more intrusive than Flickr or any other online photo sharing site, and the reputation database, which stores things like your credit rating, any criminal record, and the suspicions of various government agencies about your intentions.
So when you do something like rent a car, you give them a token which has your face on it. They match your face to the token, and say "ok, this token is valid." But the token doesn't have your name, or your SSN, or anything else on it: it's totally sterile. But if you steal the car, they take the token to court, as well as the proof you gave it to them, and the court uses the token to get your name, SSN and other details.
If all that FBI or other government biometrics database stored was tokens, and it required a court order to go from a match in the biometrics database to a name and street address, I think we'd have a fair balance between civil liberties and security. A database of pictures of faces or fingerprints is not the intrusive part: it's the connecting of your face or your fingerprint to your background that is the intrusion, and we can separate the two databases and require a court order (and a crypto key) to reconnect them.
Cheap DNA scanners are coming. We've have to fix how we handle biometric data as a society before they arrive.
The Security/Stability/Transition/Reconstruction (SSTR) arena offers an opportunity to re-examine the fundamental "business processes" of the State.
State In A Box (SIAB) is a set of interwoven concepts which relate to the idea of rebuilding the State from the ground up, from scratch, on modern technological infrastructure.
Much of our thinking about the State derives from historical accidents like monarchy, gold and paper ballots. The structures of our democracy rest on foundations built when travel was slow and before the invention of public key cryptography. Taxation rests on a framework which predates credit cards and electronic bank records. Security rests on organizational structures which are still recognizable from Rome or Babylonia.
In the commercial sector, areas which have these kinds of deeply embedded but no longer valid assumptions go through periodic restructuring. These processes of "creative destruction" re-optimize the business processes, frequently by moving the divisions between one business and another through processes like integration and disaggregation.
In government, short of the collapse of nation states, the pace of innovation is much, much slower.
It is my contention that this fact obscures one or possibly two order of magnitude cost and capital savings in providing State services to citizens. The price paid for stability, in this instance, is inefficiency.
However, in countries that do not even have stability, this inefficiency can scarcely be afforded. By thinking about redesigning the structure of the State around modern technology, we may be able to design a robust new technological infrastructure to run a State upon.
This effort is called State In A Box because the likely form factor of a deployable solution is actually about 20 trucks, and State in About Twenty Trucks is somewhat unwieldy.
The Hacker Lowdown
In straight, one-hacker-to-another terms, here's what we've got.
Take a piece of paper. Print a digitally signed 2D bar code on the piece of paper. The bar code contains a picture of the person, and an encrypted block of data which identifies that person to a court. To check an ID, you take a picture of a the bar code, and it displays an image of the person on the ID card.
A person carries a handful of these documents, each one bitwise-unique. They are used a bit like business cards, but for transactions that need hard identity information, like car loans. You leave the ID card behind you with each transaction - but all anybody can read is the image - and they saw that when you walked in the door so no additional information is being revealed.
If there's a problem the document gets decrypted by a court, revealing who you are. If there's no problem, it's like a cheque that is never cashed: the information about your identity sits there, inert and unseen. This document is called a CheapID Identity Card. It's just a piece of paper, the brains is in the crypto scheme.
To make this work you need to split a person's biometric and identity data apart. Nobody has ever done that as far as I know, so this is a novel idea. We don't just split them between two government bodies, but we split them so that the biometric data goes to the international level, and the identity data stays where it is right now, with governments. To manage these interfaces we need standards bodies rather like those that manage the internet.
We rely on a separation of powers to put the specter of unrestrained use of biometric data away, permanently, if we can manage it. Good enough to get you started? This is long...
State in a Box and the Spectrum of Infrastructure
The Spectrum of Infrastructure (SOFI) reflects a different way of thinking about infrastructure systems on both a nation state and local level.
Take electricity demand. You want light. In a conventional infrastructure setting, you buy a bulb, you plug it into a standard fitting (even this standardization is an important utility function) and standard electricity comes down the wire and gives you services.
On the other end of the wire is a trillion dollars and more of power plants, fuel supply chains, national grid finance, building and maintenance and other essential systems working together to get you 110V at 60Hz AC.
Now consider another example: a tiny LED reading light that is powered by turning a handle for a few minutes every three hours.
The problem solved is similar or the same: reading at night.
The SOFI is a way of understanding the architectures of service provision. On one axis there are the essential and non-essential services we need, like water to drink and temperature control. On the other axis, there are different styles and scales of infrastructure.
In a SSTR / HADR (Humanitarian Assistance and Disaster Relief) context, it may prove difficult or impossible to rebuild service provision architectures towards the left hand (large, complex) side of the SOFI. However, the systems on the right (small, simple) side of the SOFI may prove to be durable even in a war because of their self-contained modularity.
The definitive resource for understanding the different scales and styles of infrastructure is Small is Profitable from the Rocky Mountain Institute (http://smallisprofitable.org.) This book focusses on electrical infrastructure but many of the same arguments apply to service architectures of all types.
State In A Box extends conventional thinking about infrastructure into an SSTR context. Much of RMI's work on distributed infrastructure and infrastructure resilience applies directly to SSTR, of course, but the RMI model applies mostly to energy and other "traditional infrastructure" service provision models. SIAB considers financial services and a variety of services traditionally provided by government as "infrastructure" largely to group them together with the other large complex systems that must be repaired or have substitutes deployed in an SSTR context to successfully restore essential services to a nation.
However, the further we extend into subtle services like "voting" the more we begin to push the boundaries of the conventional use of the word "infrastructure." Can we really put a power station and a ballot box on the same "to do" list? From the perspective of a citizen they may be equally important, but we do not typically thing of grouping the provision of those services together.
However, State In A Box does just that because there are synergies between unexpected areas of the service architectures in SIAB that provide for accelerated roll out of normality in an SSTR context.
This paper only covers the Identity Services Architecture concepts in any real depth, but we will examine the minimal household infrastructure package associated with the Hexayurt Project (one of our HADR offerings) to give a concrete example of the Spectrum of Infrastructure concept in action.
The Hexayurt Project and Whole Systems Thinking
In 2003 I redesigned refugee housing and infrastructure systems using a process very similar to the one which I am now applying to the fundamental structures of the State. The product of this process is the Hexayurt Shelter System.
Infrastructure often defines what is and is not possible or economically effective. Modern decentralized infrastructure solar panels can provide limited services without the rigidity, vulnerability and costs associated with heavier weight centralized service architectures like power plants and gas terminals.
The Hexayurt itself is a cheap, lightweight shelter which is remarkable only because it is held together with tape and is easy to field fabricate. There are a number of similar shelter systems in development which are broadly speaking as functional.
The Infrastructure Package which goes with the Hexayurt, however, is unique and valuable. A conventional home has six kinds of pipes and wires running into it to carry services: electrical lines, gas lines, clean water in, waste water out, communications links over copper wire or fiber optics, and storm drains. To this list can be added roads and wireless data services.
The Hexayurt Shelter System provides options for providing all of these basic services on a house by house basis. For example, rather than providing a centralized gas plant and then running gas mains to every $200 shelter, we use a wood gasification stove. This stove is an efficient design that burns wood, dung, coal and many other fuels roughly 10 times more efficiently than an open fire, without producing much smoke because the combustion is so complete. One stove per household effectively substitutes for the centralized gas infrastructure and international gas transport system, as far as cooking and heating needs goes.
Similar approaches provide electrical light and power for small appliances, clean drinking water, working toilets and perhaps even communications.
The bundle, in mass production quantities, including the house is likely to cost less than $500 per household and may cost as little as $150 per household using local labor and vast economies of scale.
In an HADR scenario, the hexayurt-style settlements have some unique properties. Firstly, the quality of life is likely to be much higher because all basic amenities are provided. Secondly, because these amenities are provided at an individual household level rather than from large centralized resources like a central power generator, and the homes themselves are designed to be easily transported, a large settlement can be resettled, family by family, back to their original villages when stable conditions are restored.
This new capability may help ease relationships between refugees and host nations by ensuring that hosts are not stuck with large fixed settlements for years or decades after peace is restored because the refugees have become dependent on the centralized infrastructure provided to them by HADR services. Much of the redefinition of shelter and services which lead to the design of the Hexayurt Shelter System was done by the Rocky Mountain Institute, particularly at the Sustainable Settlements Charrette.
Integrating various disparate aspects of a system to provide breakthrough performance or new capabilities, like transportable infrastructure, is a design approach called whole systems thinking.
SIAB is an attempt to apply whole systems thinking to the nation state, in the hope of providing an accelerated path to restoring nation state services during and after a crisis.
The Leapfrogged State
Leapfrogging is a term used in sustainable development circles to refer to phenomena like Chinese or Indian villages getting their first telephone services in the form of cell phones instead of land lines. Rather than going through the slow evolution of telephone services, from telegraph to manually-switched copper and up through analog, digital and 3G services, these new generations of telephone users simply get the modern systems without the precursors.
Leapfrogging is often efficient for sustainable development because the enormous capital costs of developing these advanced technologies are disproportionately paid for by the competition to provide new generations of services to the highly paying customers of the developed world. The benefits of innovation are global, but the costs are mainly borne in the developed world.
A side effect of this phenomena is that frequently late adopters wind up with much better services than early adopters. In television, the European PAL standard reproduced color considerably better than the earlier NTSC standard adopted in America. In broadband internet, the US customer has speeds around 5% of the average speeds found in countries like South Korea that came to the game late and invested heavily.
The one area where leapfrogging encounters serious issues is traditional infrastructure like water supply and electrical power provision. This is because little developed world money currently goes into refining our solutions to these problems because the existing service provision architectures are perfectly functional, albeit deeply influenced by the Victorian model of infrastructure. The Victorian model is that large factories that produce services, and pipes and wires carry the services to homes and businesses. This is the model we use for drinking water, sewage, gas and electricity supply in the developed world. Because solar panels or composting toilets did not exist, the Victorian model relies on complex centralized facilities to provide the services which we can now provide at or close to point of use.
Backporting to the Developed World
Backporting is a term used in software, and it has been re-applied to "reverse leapfrogging," where leapfrogged technologies are re-imported from the late adopting nations back to the early adopters.
The hope of the State In A Box project is to produce a template for a new approach to statebuilding based on leapfrogging and whole systems thinking. Together, these approaches may reveal a way to run a functional State with new and unusual properties, including an unexpectedly high degree of stability and resilience, for pennies on the dollar compared to traditional approaches.
SSTR provides a rare opportunity to re-examine the foundational concepts on which the state is built, and re-examination of these fundamental processes reveals the same things seen when one re-examines the electrical services provision architectures we use in the developed world: the are inefficient because they are stepwise refinements of architectures that were created when science and technology were dramatically less capable.
A fresh start allows us to design a new architecture based on full application of modern understandings and capabilities. The leapfrogged state may be as different from conventional state architectures as the jet plane was from horseless carriages.
It is my sincere hope that if the State In A Box model turns out to be useful, any aspects of it which are suitable for backporting can be brought into service in the developed world.
Identity Services Architecture
Identity services architectures are commonly discussed in the context of providing single sign on (SSO) services on the internet, and other identity management services. In the context of the State, there is usually a duplication (or worse) of effort between private identity credentialing services and the State's own systems.
State services like taxation, criminal justice and voting revolve around the idea of a person being clearly identified. Indeed, the very boundary of the State is partially defined by a list of persons who are members of that State.
Identity fraud at the State level is most typically seen by illegal immigrants and criminals who use multiple State-issued identities to evade the controls at the borders of a State to prevent unauthorized entry.
Identity theft indicates that our old approaches to providing identity backbone services is encountering problems and is probably due for an upgrade. RealID, a proposed US Govt. standard for identity cards, is one model for that upgrade.
In voter fraud, inaccuracies in the match between who is meant to be able to vote, and who actually votes, can contribute to the perception of corruption and resultant loss of faith in an electoral process Ð a major issue in fledgling democracies.
At a fundamental level all these services hang off an identity backbone Ð a centralized facility which allows the State to identify internally which one of their citizens a specific fact or credential pertains. In the USA, this is the Social Security Number plus the associated authentication services infrastructure, like driver's testing and licensing facilities.
The SIAB Identity Services Architecture is designed to be an expedient way of rebuilding this identity backbone and enabling a troubled state to regain the ability to provide its citizens with identity services in all their forms. By extending the scope of the traditional state identity services architecture, we hope to also offer some additional leverage against international terrorism, civil unrest and foment economic growth by providing identity credentials that are reliable enough to give confidence to financial institutions.
Locality, Scope and Architecture
Business process re-engineering and software architecture often make a big deal out of locating systems, processes and services at the right level in an architecture. A software architecture that locates a critical process at the wrong architectural level can wind up with serious performance or reliability issues. A business process can wind up uneconomic or unworkable if processes and especially decision making are carried out at the wrong level, either too slow at the top, or without authority at the bottom.
The SIAB design gains much of its leverage from moving various aspects of the system either up to higher, transnational levels, or down to extremely local levels. SIAB often pushes municipal services down to the household or the individual, and national services up to transnational levels where the international community can stabilize them.
Because we operate in an increasingly globalized world, bodies like international standards committees exert an increasingly large degree of international influence on the activities individual nation states. At a technical level, standards like the internet protocol are default realities for every government on the earth, and they have no direct control of those standards. Access to the international services requires conformity international standards.
This has massive advantages for all parties. A close parallel is the VISA system, which was formed after years of failure to get banks to agree on how to allow customers to make electronic payments across bank boundaries. VISA relocated the problem from being a massively interconnected mass of agreements between individual banks to creating a new body, in which all participants had some influence, but which was immune to capture by any individual group. This new body set the standards, operated the agreements and did the branding of what became VISA. This was in essence an architectural solution. The problem which was insoluble at one architectural level, that of bank-to-bank agreements, became profitably soluble when it became bank-to-VISA agreements.
Likewise, SIAB and particularly the Identity Services Architecture relies on locating problems at the right architectural level to provide clean solutions. Some aspects of the problem are best handled by as-yet-non-existent international bodies. Others are handled by commercial infrastructure, particularly those parts of the system which exist to absorb risk.
The ISA, like the hexayurt, relies on a few small enabling technologies. In the case of the hexayurt, the enabling technologies are industrial box closure tape and individual systems in the infrastructure pack, most of which rely on small scientific insights and basic engineering. The performance of the whole system greatly exceeds the sum of its individual parts because it fulfills all the basic requirements for infrastructure, and therefore gives the solution new attributes Ð transportability and scalability.
If the Hexayurt Infrastructure Package did everything except one critical piece that required centralized infrastructure, we would not get those new capabilities. Everything has to work together to get breakthroughs in capability.
The ISA is a whole systems thinking solution to providing an identity backbone just as the Hexayurt is a whole systems thinking solution to shelter and household infrastructure. State In A Box as a whole requires a myriad of other components, each designed as a whole system, and also designed as a component of a larger whole system, the State itself.
The ISA also draws inspiration from the structures of VISA and the Internet in terms of how operational processes cross organizational and jurisdictional boundaries, and also various architectural levels of the system to effect jurisdictional arbitrage. Processes which are impossible in one jurisdiction are easy in another, and control of the system and division of power within it is carefully balanced between architectural levels and stakeholders.
The design of systems like this is known as chaordics and is a field pioneered by Dee Hock, the architect of VISA. ("The Birth of the Chaoridic Age" gives more details.)
Fusing Technology, Politics and Law
One of the historical accidents which contributes to our current muddles over identity is the historical separations between technology, politics and law. In prior ages technological progress happened at a pace which broadly speaking matched the ability of governments and courts to keep up. Technology was largely contained and managed by political and legal concerns. Law and policy acted as brakes on change.
Now the situation is different. Technological progress is outstripping the ability of governments to make accurate policy on all fronts, and the courts are repeatedly mishandling cases with a technological component so badly that they look ridiculous. The entire arena of software patents is a quagmire caused by using 200 and more year old conceptions of the role of law in an arena with entirely different dynamics.
The future is a foreign country. If the social values which we respect are to live in that country there needs to be an almost diplomatic process by which relationships with the ways of the future are established in the present and emigration to the future done with as few losses as possible. This sounds abstract but it has acute practical implications.
The market is inevitably bringing improvements to our current basic systems. Some improvements are, linear and others, discontinuous. Computing power gets cheaper, disks get larger, and once in a while radical new technologies like cheap video projectors come along. We assume that the slowest part of the systems is the State's ability to use the available technologies effectively, and to plan and respond. Technology marches forward, and the State plays catch-up, trying to effectively port concepts about society forwards on to the new substrate, layer by layer.
This embrace of constant change, of constant progress in technological capability, against the apparently relatively static background of natural laws and human nature is a radical new condition against which all national governments must function. Being 5% faster than the Soviets was enough for the USA to win the Cold War. It is not fast enough to maintain the integrity of American society as we move ever faster into the future.
Development is usually thought of as being about how we export the present (cell phones) and the past (plumbing.) But SIAB is about exporting the future Ð a set of systems that our own bureaucratic incapacity is likely to make impossible to adopt domestically may still turn out to be the best match between available technologies and human welfare. SIAB is "exported leapfrogging." Perhaps we can learn to learn better from smaller and less stable societies as they leapfrog their basic infrastructure, and step firmly away from governmental protectionism of social constructs which are now untenable due to technological change.
We have to face the probable reality that the most technologically advanced societies on the planet will soon be the societies that came last to the table, spent their scarce capital on the most effective technologies yet produced, and reap the benefits in increased leverage for their dollars of capital invested. By strategic trail blazing through this new technological landscape, we can affect the course that these societies will travel, simply by making our preferred options available more reliable, cheaply and easily than other, less preferable options.
The developed countries of the world would rather that the Global Poor did not all drive cars as soon as the option becomes available, for three reasons: fuel availability, environmental concerns, and land use problems due to urban sprawl. Yet how much work do we do on making sure that the most advanced engineering goes into making better bicycle designs for the developing world?
Our policy objectives and our technological development pipelines are currently at two different architectural levels in government. Is that an accurate and effective model any more? We attempt to police proliferation of some technologies, like cryptography, super computers and weapons technologies.
On the other hand, do we attempt to consciously foster adoption of technologies which are supportive to goals like reducing global environmental impact? We have restriction of what is bad, but no political capital invested in active promotion of what is good, as far as technology goes. This is irrational in a technological age.
Bridging Technological Activism, International Relations and Business Process Re-engineering to Create the Just Future
The set of technologies which are outlined in this paper are relatively simple combinations of existing off-the-shelf systems to create an Identity Services Architecture with radical new properties. It is a whole system.
The individual system components are vastly more complex and sophisticated than, say, a wood gasification stove. But these individual software or hardware systems are, to those skilled in the relevant arts, off the shelf items or will be in the two or three years it is likely to take to begin serious work on the global build out if the scheme is adopted.
You only get whole systems performance if every component is right. Omit the water purification technology with the hexayurt, and refugees remain tied to their new clean wells and cannot return home without losing access to clean drinking water.
Similarly, a single broken subsystem within the ISA will produce a working system, but it will not achieve the breakthroughs in privacy and security that will allow the system to compete in the free market, and thereby get the leverage required to effect a global transformation in how identity services are provided by government.
In the hexayurt, all of the pieces of the whole system are at the same architectural level Ð they are all bits and pieces of equipment which can be thrown in a truck and unpacked to form a whole. This is a convenient and easy situation. Everybody involved in the design is basically an engineer.
The Identity Services Architecture is not like this. It is a whole system comprised of parts which are radically unlike each other, as different as international agencies and strange little bits of software which run on camera phones. A whole system with parts from different architectural levels is an extremely hard case because it requires such a wide variety of different people to work together to make the entirety function as intended. Compound this by the internationalism required to get the global solution that is the payoff at the end of this process, and it is unlikely to be possible to implement this system successfully in any kind of coordinated fashion.
This is not to say the system is unimplementable, however. It just means that the traditional approach to development is unlikely to be effective.
How, then, to build the Identity Services Architecture?
VISA and the Internet are two global systems which function as whole systems, and are comprised of diverse actors united through standards organizations, supported by private companies out of intelligent self-interest. These commons are incredibly important because the value of the network increases rapidly with the size of the network. This network effect enables multi-party, cross-level cooperation because it is in the interests of all parties for the system to work and any steps against that goal are suppressed by all other parties, and by the marketplace (i.e. collective free will) itself.
This likely means that only a commercial implementation of these systems has any realistic chance of success. It is extremely notable that large international network-based service architectures like VISA and the Internet are watched over by states, but not operated by them.
Because of the security aspects of the ISA, governments must be involved. Because of the financial services aspects, private companies must be involved. Think of it as a system that compliments and extends the VISA payment architecture (and its rivals and descendants) and the Internet Ð a third leg in the tripod of global interconnectedness technologies: communication, trade and identity are natural partners.
The hope is that the SIAB-ISA can be incubated within the SSTR arena while the technological substrate is built. Once the basic tools are available (and, as stated before, they are COTS technologies for the most part,) it may be possible to begin to build the framework of alliances necessary to take this simple and direct approach to solving the liberty / security / privacy equation and turn it into a global solution to the dangerous mismatch between technology and policy in the arena of personal and government identity management.
Technology is policy. Biometrics is far to dangerous a technology to be allowed to develop in directions that thwart broader policy goals like civil rights and personal freedoms.
Enumerating the Stakeholders
Earlier presentations of this system marched directly on to the technology and tended to leave people somewhat lost. I apologize for further preamble, but it is necessary to correctly contextualize the relatively simple technological core.
Like VISA and the internet, the SIAB-ISA is relatively simple at a technological level. However, the genius of VISA and the internet lies in the governance structures that allow disparate parties to work together. The same technologies with a rigid hierarchical control structure would likely never have been adopted. The governance framework is inseparable from the technology. These are whole systems.
The stakeholders who must be represented at the governance level of the ISA are:
Transaction Coparties (those who sign contracts, like utilities)
Banks and other Conventional Financial Service Institutions
Small Nation States
International Policing Bodies
New Classes of Business which arise from the ISA
This diversity of stakeholders is not surprising because we are dealing with an infrastructure system. Imagine how long the list of stakeholders is for the electrical supply system, for example.
An easier approach, then, is to divide the stakeholders into four architectural levels: international bodies, governments, companies and individuals.
The ISA envisages two interlocking international bodies that collaborate with governments and other international bodies to operate the highest level parts of the system. One of these entities is modeled on the standards bodies of VISA and the Internet, and the other is akin to Interpol, or some of the nation-state identity databases that include significant data on non-citizens.
The first body is the ISA Standards Board. It manages selections of basic technologies like which 2D bar code standard, what image compression format, which digital signature algorithm and other basic technology selection choices. This body is for technology.
The second international body is the International Phenotype Database. The International Phenotype Database maintains an identity record for every single human being enrolled in the system, and possibly eventually for every human being alive. The majority of the work in this paper goes into ensuring that this Leviathan is blind and helpless without the active support of individual nation state governments.
One critical detail is that the International Phenotype Database stores only biometric information: no name, no reputation or criminal data or any other fact is stored in this database. It is made to check if a person is in the system already, and if they are, to indicate an ID has already been issued. Other than that, the database is essentially useless. It is like a sea of faces and fingerprints with no context to other added value. Not even names are in the system.
The architectural firewall separating the biometric information in the International Phenotype Database from the reputation and identity information stored by the National Government is a key innovation. The National Court System is the only entity in the ISA which has the capability to reunite biometric data with identity data to convict or exonerate a person.
Both of these entities are expected to deal politically mainly with Global Powers and other international bodies like the UN.
To gain any credence at all, the ISA has to be endorsed and initially operated by at least on Global Power. Given that we are discussing what is essentially commercial infrastructure with an identity foundation, there are probably five or six possible implementors, including of course the USA, the European Union, and some of the larger trading partnerships.
Global Powers do most of the talking about technical standards, and operate the International Phenotype Database at a technical level. They pay most of the bills for that service and reap the most tangible security benefits, much like the Internet and VISA are useful to everybody, but mainly governed and paid for by G20.
Other Nation States can operate in one of two ways. Firstly, they can choose to allow their citizens to get an ISA identity if they wish to. Secondly, they can merge their own identity infrastructure with the ISA identity infrastructure, and rely on the International Phenotype Database to issue IDs from.
What kind of states would do this? Poor ones.
The issues here are similar to the issues of pegging currencies to one another, or the adoption of international currencies like the Euro. Complex arguments are made for all points of view, and the entanglements of sovereignty and convenience make for rich debate. There is no uniformity in these issues across nation states, but rather a landscape of response to perceived opportunity and risk. A critical feature is that the ISA comfortably functions with this degree of adoption diversity.
One of the critical features of the ISA scheme is that it accepts states with a sharp division of powers between Courts and Governments and is therefore compatible with the American model, although it does not require it.
The majority of the routine contact between the International Phenotype Database and the citizens of a country is mediated by the National Court System.
National Governments make the agreements.
National Court Systems implement them, and in cases where there is no division between the two, the system operates without disturbing those pre-existing equilibria.
There are four classes of company involvement in the ISA.
Technology Vendors implement international standards for private companies and governments.
Contract Co-parties rely on the identity backbone to reduce their contract risks when dealing with individuals and companies.
Financial Services Institutions rely on the identity backbone to satisfy Know Your Customer and other legal requirements while the privacy features of the ISA protect their customers from unwarranted intrusion into their personal lives.
Professional Witnesses offer contract signing services, including (in some implementations) access to a secure and reliable electronic voting infrastructure. An individual presents a contract to be signed, and the Professional Witness essentially notarizes the assent to the contract and verifies the person presenting against the individual's biometric ID. These companies absorb misidentification risk by indemnifying Contract Co-parties from losses associated with the Professional Witness making a mistake by mistaking one person as another in a contract signing situation. Note carefully that the Professional Witness is verifying the Phenotype of the person signing the contract - their physical body - but has no access to name or other information.
Consider the example of a car lease. A person presents a Professional Witness with a car lease they want to sign and a copy of their ID. First the witness matches you to your ID to make sure it is you. Then the witness records your assent to the contract, and signs the lease on your behalf, escrowing identity credentials with the National Court System in the process.
Suppose that the lease is unpaid, and upon investigation it is discovered that it was not you who signed the lease but unknown identity fraudster who defeated the Professional Witness systems with the help of a member of their staff. The Professional Witness is liable for all associated costs to you, to the car lease company, and any additional injured parties because they made a professional error.
Professional Witnesses must bear the full burden of proof in all cases. It is up to them to prove that the person they say signed a document actually signed it, and they are responsible for presenting incontrovertible evidence to this effect. Professional Witnesses have a peculiar exposure to risk: they are liable for the costs of a crime (identity theft) and are also witnesses to the fact a crime has been committed. Only a strong judicial system can keep them honest. Otherwise, Professional Witnesses will rapidly become corrupt, unreliable, and the systems will fail because of the misalignment of their incentives and the whole system requirements. They will start to present shoddy evidence, and the system will collapse.
In this scheme, the needs of the Professional Witnesses for reliable identification are the primary drivers for biometric security standards because they are the ones with the primary exposure to pervasive misidentification risk. By collecting all of the misidentification risk in the system in a single location in the architecture, we create the financial incentives to hire engineers to keep the systems secure.
Individuals come into contact with the ISA in one of three contexts: voluntary, default and compulsory use of the system.
Voluntary use is where the ISA services are offered perhaps as an aid to doing international business, or in a context like getting a permit for entry to a foreign country. An oppressive system will not get used as people would rather avoid the activity than submit to intrusive identification.
Default use has more implications. Perhaps one needs an ISA-type identity to get a passport, or the ISA-type identity is your passport. Perhaps it is required for opening a bank account, or for driving. Sufficiently motivated and desperate people can avoid the net but almost nobody will choose to do so. An oppressive system could well be used even by people who hate it.
Compulsory use is quite simple. You have an ISA-type ID or you go to jail.
The only reason that I can write this paper is because I believe that the ISA scheme proposed is the least bad of the available options for managing biometrics. I believe that, in the long run, security in the 21st century is going to critically revolve around actually knowing who people are and that, in fact, we can no longer afford to have nameless, faceless people shuffling around the world as human traffickers move them across borders, or as international terrorists move around the world as if the nation state did not exist.
Hence the goal is to create a system which, even if it becomes compulsory in a few generations time, is not oppressive. We work not for today, but for our descendants in seven generations or more.
This is due prudence. Financial instruments like cheques have been in circulation far longer than that. Concepts like interest on loans go back even further. Design decisions made casually by engineers working on the internet protocol will likely affect all digital systems build from now until the end of foreseeable human culture, if only through enshrining architectural distinctions embedded in the OSI models through generation after generation of culture and language.
If this seems unrealistic, consider the distinction between "organic" and "inorganic" chemistry is a historical accident caused by the supposed impossibility of converting inanimate materials into any compound found in organic life. That barrier was crossed nearly two centuries ago by the synthesis of urea, but the divide created around it remains to this very day in university departments, language, terminology, technology and culture among chemists.
We have to be sure that any system we are architecting with intentions of global effect is something that the future can live with because success is always an option. But success is no proof of quality, only of immediate fit and timing. We must strive for excellence, particularly in the political aspects of this system, if the system is adopted some of the abstractions it is built on may last hundreds of years.
In short, whatever model of the Rights of Individuals we choose to enshrine in these systems may become the laws we, or our descendants, must live under.
The Exercise of Individual Rights through the ISA
Where do we find a template for thinking about the Rights of Individuals in the context of designing biometric infrastructure?
Why, back to the Framers and the historical thinkers on Liberty, of course. It is necessary when designing technologies with such massive political implications (if they succeed) to consider the political levels explicitly at every major turning point to make sure that we have not designed a system for freedom, and accidentally engineered one for compliance.
The watch word must be "would you be comfortable with your own children and grandchildren living under a system of the kind we are working on?" If the answer is "no" the system must be improved or abandoned, and certainly you cannot ethically support it.
I would suggest that the ISA must implement technological versions of three fundamental rights. They are
The Right to Privacy Ð The system should protect an individual from being identified except by legally appropriate powers. This right has to be extended using public key cryptography and other techniques to counterbalance the extensions in surveillance possible through biometrics, databases and network monitoring.
The Right to Identity Ð This is analogous to the various discussions of rights to a citizenship without necessarily requiring a nation state implementation. For instance, perhaps an NGO could be authorized to issue ISA identities in instances involving stateless individuals, giving them an identity without a citizenship.
The Right to Anonymous Free Speech Ð A combination of the right to privacy and the right to free speech. One of the natural consequences of the ISA is the capability to generate single sign on accounts for use on the Internet. Additional architectural levels are required to protect people's right to speak anonymously, while also preserving the recoverability of hard identity information when addressing hard cases like child pornography and international terrorism. If we do not build in these protective architectural levels from the start, states which opt for the compulsory approach to adoption will face human rights issues from the start.
It's important to understand that these rights are not granted by the system, but recognized (in the grand fashion) as being inherent within the individual. Although governments may choose to implement systems compatible with the ISA standards and protocols in such a way that their citizens are deprived of these rights, it would behoove free governments to be prepared to use considerably political leverage to ensure that such an approach is at least penalized, and preferably outlawed.
Architectural Location of Rights
In the ISA system, rights are located in at least five locations. Firstly, the are present in the documents which frame the system including this document. Secondly, they exist in the technological substrate of the system, particularly how information about a person is scattered across architectural levels to protect people from the system as a whole (hopefully.) Thirdly, the emphasis on the participation of the court system ensures some protections in at least some nations. Fourthly the ability for third parties to absorb risk and issue cryptographically secure identities allows people to veil the identity of another person if they are willing to take responsibility for doing so. This is a key principle. Finally, the fact that this system is being developed in an American context and from a theoretical base close to fundamental American political theory increases the odds of conscientious implementation at every level, guaranteeing a fifth level of protection. Getting biometric digital identity wrong ushers in some extremely unpleasant possibilities, including global totalitarian control of people from morning to evening through a mix of ubiquitous computation and radio frequency identification (RFID.)
For this reason alone this work exists: to bar the gateway to biometric totalitarianism by presenting a better option in the public domain.
A Final Word on Rights
At a realpolitik level, getting a healthy and private global identity infrastructure in place is going to require something approximating a miracle. Fighting non-state actors of various kinds is hard without the ability to definitively identify and locate persons but the risk of enabling and empowering totalitarian regimes is so great that getting the necessary levels of international cooperation in the places where it counts (the Gap) is nearly impossible. We need new approaches based on the most advanced technology available, be it biometrics or our fundamental politics.
In a whole systems thinking context, the performance of the system as a whole is ensured by designing not just the components of the systems, but by carefully working to understand their interactions. In this sense, object oriented programming and database architecture are close relatives of whole systems thinking.
Fortunately the individual components of the SIAB-ISA are relatively simple to describe, although some subsystems contain considerable technological complexity.
The deliverable is an Identity Services Architecture which supports an identity standard called CheapID. CheapID is designed to be the cheapest and most robust possible personal identity card.
We will briefly examine three core technologies, then move on to detail the system as a whole, working towards the CheapID towards the end of the paper.
Briefly, we assume four or five levels of biometric identification of a human being, ranging from a simple picture like a passport photograph through to a complete set of biometrics perhaps even including a DNA sample.
The basic CheapID Identity Card envisaged later on contains a digitally signed picture of the person. Optional higher security credentials would include increasingly large amounts of identifying biometric information, often encrypted so that it could only be read by authorized parties.
I believe it is important that system enrollment uses a full set of biometrics, in some implementations even including DNA, because the consequences of having a single individual with two or more globally recognized ISA identities are extremely serious. The strong protections we generate for privacy and free speech rest on our ability to absolutely pin down individuals who abuse these protections by, for instance, committing acts of terrorism. A person with two identities can do something horrible under one identity, then slip away under another. The system must be robust enough to compete in the policy marketplace and displace other candidate systems with less protection for human rights.
2D Bar Codes with Digital Signatures
2D bar codes can store digital information in surprisingly large quantities, up to around 3Mb on an 8.5" x 11" or A4 sheet of paper. Writing such bar codes is simple and economical: laser or ink-jet printers, label printers and card printers are all reasonably cheap.
Reading back data from these bar codes can be done in one of three ways. The simplest, cheapest and slowest is the flatbed scanner as found in any office. Cheap models are well under $50. Resolution is excellent (well above 300 DPI) and bar codes read this way could likely be at close to full theoretical data density. Of course this currently requires a computer to be present at the station.
Next there are commercial 2D barcode readers. Most of these systems are designed for relatively small data sets Ð a few hundred to a few thousand bytes at most. Many of these systems are designed for extremely high speed operation which leads to a different set of design criteria than are ideal high data density. However, there are many vendors and a good deal of variety in available commercial readers.
Finally there is the humble camera phone or computer-connected camera. This is the likely workhorse of common CheapID transactions. The best of the current generations of camera phones are capable of capturing enough data from their cameras, and have sufficient processing power to get just under 600 bytes back from a single image using standard black and white bar codes. Non-standard color systems may triple that data density.
The limitations are largely optical. Many camera phones do not have a "macro" capability for the necessary detailed close ups of the ID card, or have a focal length of around one meter. As a result an identity document, even on Letter sized paper, fills only a small part of their field of view and so very few pixels are translated into data. However, given a camera phone that has a good close up camera mode it may be possible to extract significantly more information from CheapID Identity Cards.
One of the critical distinctions between CheapID and simpler approaches to identity is that in CheapID, the identity card contains a variety of fields, each of which may be signed and optionally encrypted by a different party, all within the broad standard of the ISA. The complexity of the international agreements and so on is reflected all the way down into the identity documents and the legal process that produces them.
Dependence on network infrastructure and centralized identity databases is greatly reduced because certifications of facts like "of drinking age" or "has driving license" are stored encrypted on the card rather than pulled in over the network.
The technology naturally supports this outcome, unlike approaches like RFID-based identity documents that more or less require constant central database access to turn the ID number on the RFID tag into meaningful information about the person in front of you.
In the long run, it may be that the 2D barcode aspect of the CheapID system is temporary. Better local data exchange mechanisms are certainly being worked on, although perhaps not less expensive ones. However, the conceptual and legal framework embedded in each card may turn out to be endure through many successive implementations.
The Identity Services Architecture revolves around Court-like entities that manage private keys for encrypting and decrypting identity information under legal (or other) authority.
Security in the system comes from the completeness of the records in the International Phenotype Database. Privacy comes from the architectural separation of that biometric data and the identity and reputation data held by nation states. Although a court cannot request the release of biometric identity records for its own use, it can submit biometric evidence to the International Phenotype Database and request a search. Such a search can pair evidence with an identity record, but the court cannot simply pull records from the International Phenotype Database. It can search and get identity information back in results, but not request biometric information directly.
Only the court can take an encrypted CheapID Identity Card, and recover fields like the individual's name or their government-issued identity number, if one exists. These fields are private even from police in most cases. This allows these cards to be used for many purposes that a less private identity card could not be used for. The common practice of matching a face to an identity card, but not being able to recover any additional information about the individual without a court order, is the key novel transaction in our system.
A Brief Recap
Before we wade into the guts of the system design in detail, let us briefly recap.
The goal is to produce an Identity Services Architecture which provides a nation state level identity backbone that has some interesting new properties, and that is broadly speaking affordable. One of these properties is being able to uniquely identify individuals.
The goal beyond that goal is to re-implement the fundamental processes of the nation state on a modern technological base, with the objective of reducing the overhead of running a state by 90% and steering the way that other states adopt information technology in their own operations by providing a worked example in an SSTR context. We propose that by doing so we can cut "canyons" through the cost landscape in the areas where useful and rights-protecting technologies lie by paying the costs of R&D and early adoption, and thereby steer other nations away from implementing biometric totalitarianism, which we regard as an ever-present threat.
Because we are consciously attempting to re-engineer the processes of the nation state, the political considerations are not secondary to the system but integral to it at every level.
Biometrics are not morally neutral technology.
Correctly applied cryptography can counterbalance most of the negative effects of biometrics while preserving their most useful properties.
At the heart of this system is a cryptographic schema for implementing an international, cross-jurisdictional legal process for managing personal information securely, with appropriate levels of individual protection, while recognizing that many states afford their populations less freedoms (or freedoms of a different type) than the American system. We must honor local diversity in order to create an internationally interoperable system.
Finally, there is one technological gimmick which sits at the heart of the system: printing everything needed to identify a person on a digitally signed 2D barcode and reading it back with a camera phone. That's a technology with a relatively short life-span. There are twenty years at most before it is replaced with something better.
The durable component of the system is the scheme for managing personal information, not the "hack" for getting it to be cheap in the here-and-now.
This gets pretty involved, so try to put yourself in the political position of each entity in the process. My assertion is that the system works well for every constituent entity in the system and therefore is viable, once established. I may be wrong, but this is the reason I believe that this system is workable while most other proposed schemes are not. A system without losers can usually out-compete a system with winners and losers.
The International Phenotype Database
The International Phenotype Database is the only entity in the ISA that has access to biometric information in bulk. No other entity Ð not national court systems, not governments, not private companies, not individuals Ð is empowered by the ISA scheme to hold personal biometric information. This entity is a singular planetary repository for biometric data. As such it is about the most dangerous entity on the planet from a civil liberties perspective, and is expected to be under constant political pressure from totalitarian forces.
Remember that the keystone of the ISA is that this database does not contain names, biographical or reputation data about persons. The only tie between the biometric data in the phenotype database and the biography of the individual in question is an encrypted unique identifier operated by the National Court System of that individual. And even that court does not have the right to retrieve individual biometric records, only to search the database to bind pre-existing biometric information relevant to an investigation to an individual. If this rule is broken, the system collapses into totalitarianism very easily.
To understand this risk, examine minor areas where we see just how much power lobbying groups can have over international policy. Consider the so-called "copyright lobby" and how their desire to maintain the current status quo on intellectual property works its way into international treaties under the auspices of groups like the World Trade Organization. The copyright lobby is fighting for the past and is willing to sacrifice the future to get there, and they are succeeding in several key areas, although the measures being taken are perhaps becoming increasingly repressive in the manner of entities falling out of history. Digital Rights Management technology threatened to restrict the freedom of speech of digital technology users in the name of protecting business models that were designed around the same time the printing press. How much more serious is the threat from the combined might of the national security groups of many nations?
The threat to the integrity of the International Phenotype Database is pressure from abusive governments, corrupt secret services, international mafias and every other power-grabbing totalitarian agenda on the face of the earth. Everybody who wants control, everybody who wants to fight the future, everybody who is (rightly) scared of biometric technology in the hands of totalitarian regimes collects in one place and fights for control, some pulling for commercial interests, looser privacy standards, the others fighting for individual rights. This is the obstacle to creating the International Phenotype Database.
To solve this problem we must rely on the formation of a trans-ideological consensus on identity management. When the engineering and policy are sufficiently advanced, it is possible for all sides to agree that the proposed solution is right. In such cases the proposed solution is hardly ever understood as having been a negotiable policy decision, but is more usually simply seen as being "how the world works."
Good examples of this are: paper currency, numerical telephone numbers, energy efficiency.
Nothing which is not extremely flexible and sophisticated will get past this gauntlet of public opinion and private fear: it is the primary roadblock to overhauling the global identity services systems, and applies to all candidate systems. Maybe SIAB-ISA is good enough. Probably not, though. It may have insufficient assurances of privacy.
Without a mandate from a group of rights-respecting military powers with the capability to defend the International Phenotype Database from corruption and coercion the scheme is simply inoperable. Institutions with little respect for fundamental human rights cannot operate a system like this, and precious few of the governments of the world take human rights seriously at the level required to make this scheme operable. But there is one very large encouragement for such a combined effort to institute the system described.
To get the greater security which a global biometric database gives, you must give the greater liberty which comes from that database being well managed by institutions that the global population can trust with their very lives, and those of their children for untold future generations.
With sufficiently refined engineering, Security and Liberty are not enemies. By recognizing the individual right to privacy, a deal can be struck between governments and their respective people that will result in a way to adopt biometric technology in a beneficial way. One way of thinking about this is to say that Security + Privacy = Liberty.
The repository of that rights-based idealism is the International Phenotype Database.
The International Phenotype Database is an international body that exists initially by fiat. In order for the system to be trusted it is operated by an international technical coalition including a reasonable number of representatives from nations who do not trust or like each other. The balance of power at the heart of the system is that each nation state group cooperating to manage the system is doing so partially to protect its own citizens form unwarranted surveillance and monitoring from the security forces of the other groups present. Because any country can run searches against the database on an equal footing, there is a strong incentive for every country to restrict the database to its due bounds, simply to protect the privacy of their own citizens.
To attain this kind of balance of powers, the system must be simple, transparent and auditable, and groups like Amnesty International should be able to review or even help operate the system.
The parallel with VISA is that banks are competitors who had to learn to cooperate to get an international payment system working. The mutual tension around protecting the biometric privacy of your citizens from The Bad Guys Over There (i.e. national rivals) applies to all sides equally, and maintains the integrity of the system.
There is no parallel with the Internet because the Internet has no fundamental competitions at its heart. Peering issues between backbone providers are the closest analogs, and are a poor fit.
The treaties under which the International Phenotype Database is created must explicitly recognize the rule of law in the nations who are working with the system. The International Phenotype Database can be seen as an organization convened by the court systems of various nation states working together.
The International Phenotype Database has one basic purpose: when shown a set of biometric information it can search through the biometric data of every human enrolled, and possibly every human on the planet in later years, and return a set of matching records.
However, these "matching records" consider of only two fields: a National Government identifier ("is an American") and a block of data encrypted encrypted by that government and given to the International Phenotype Database when this person was enrolled in the system.
The International Phenotype Database is blind. It can see the "body"Ð a person's biometrics Ð but not their identity, not their reputation, nothing except a citizenship and a block of data it cannot read.
Because of other features in the ISA, it is likely that this search will be performed initiated once per lifetime for the average individual - on enrollment, and never again, although searches related to criminal cases may be common. A search can only be initiated upon request of a National Court System. Police forces, for example, have no direct access to the system and neither do governments.
Furthermore there is no use case which results in the return of biometric data to a National Government from the International Phenotype Database. It is a "roach motel" for biometric data as far as governments are concerned, as it must be.
An individual can request that the International Phenotype Database releases their biometric records to them.
Biometric Enrollment Process
This is the process that stores the individual's data.
An individual presents at a CheapID Issuing Station and requests an ID be issued.
The International Phenotype Database receives a request to add a new person to the database.
If the request is from an authorized Issuing Station then a set of biometric information is send to the International Phenotype Database to process.
The data is compared to all of the biometric records in the International Phenotype Database. If there are matches on the personal data sent in, one of three things happens.
A request for additional information is returned, and more biometric information is sent in until there are no more matches. Typically this would consist of a DNA sample being processed to disambiguate similar fingerprints.
A list of possible matches is generated, and a complex legal process of ruling out each possible match without undue invasions of privacy is begun Ð this is a serious process and to be avoided where possible. The case of identical twins with closely matched fingerprints would be about the only case where I can imagine this being necessary, but biology always surprises us.
A pre-existing identity record is discovered for the person who is currently being enrolled, and a report is returned that will allow them to get their original ID reissued. Further investigation may also be required.
Once it is settled that this person is to be enrolled with the set of biometrics submitted, the International Phenotype Database encrypts an identifier for this individual using the International Phenotype Database's public key, then re-encrypts this identifier using the public key of the relevant National Court System and returns this document, the Statement of Biometric Enrollment, to the Issuing Station to be presented to the enrollee. This is not yet an identity document, it is simply a statement of fact: this individual's data has been stored. Note that it contains no personal information whatsoever.
It is my firm conviction that the International Phenotype Database is going to be more-or-less inoperable without using DNA fingerprinting for everybody. However, I am not an expert in biometrics, and it may be that an adequate level of uniqueness can be obtained from, say, 10 fingerprints plus both irises. But if DNA is not commonly stored a wide range of questions cannot be answered using the SIAB-ISA and inevitably parallel, less secure, less useful systems will spring up to handle DNA-based identity issue, resulting in a fragmentation of biometric security applications, a reduced global value, and competition.
One system should exist, and it should be extremely heavily oriented towards individual liberty. Therefore, to maintain the unitary nature of the system, it must deal with DNA either now, or as the technology for handling DNA biometrics improves in future.
Note that we are not assuming a single standardization for biometric records. There are too many instances where a person's morphology grossly changes (accidents, particularly burns) and new oddities of human genetic makeup are constantly discovered, including chimeras, who are single individuals with two sets of DNA, related to each other as if one part of their body was the sibling of another. We cannot assume standardization. Rather we need the records in the SIAB-ISA to allow a Professional Witness or other individual to securely verify that the person in front of them is the person on the ID card presented.
DNA is the most unique and standard biometric data currently known, and logical pressure towards using DNA to identify people is likely to be inexorable as genetic technology improves and brings the cost of analysis down. Better to design a system to be secure enough to handle DNA properly from the very start.
Legal Enrollment Process
This process binds the bare biometric data in the International Phenotype Database to an individual's national identity number, and is the next step before a CheapID Identity Card can be issued.
An individual takes their Statement of Biometric Enrollment to their National Court System and presents it, with appropriate identity credentials proving who they are (in the nation state records) to the Court's satisfaction.
The Court then prepares an Identity Packet which is a unique identifier for this individual at a National Government level, similar to a Social Security Number as it is commonly used. This Identity Packet is encrypted using whatever cyphers are deemed appropriate by the National Government and then re-encrypted with the Court's public key.
This document, plus the Statement of Biometric Enrollment is submitted to the International Phenotype Database. The International Phenotype Database then adds this Identity Packet to the information it is storing about this individual. This completes the enrollment process but no ID has yet been issued.
Note the open question of how the Statement of Biometric Enrollment is tied to the individual, given that it has no biometric data visible. Ideally this entire process is done in a secure facility where there is no doubt about who is who during the issue process: the person remains in front of the issuing personnel for the entire process. However, a more liberal setting is possible if the Statement of Biometric Enrollment is somehow tightly tied to the individual during the issue process, perhaps by placing temporary biometric information on it.
The primary operation of the International Phenotype Database is to run searches, and when it finds a match, to take the stored Identity Packet that it acquired in this transaction, salt it (adding noise to the encrypted block to prevent message matching), re-encrypt it with the National Court key, and send it back to the National Court System of the individual located in the database along with whatever additional information pertains to the identity request, such as the contact information for the National Court System making the search request.
The National Court System of the citizen involved is then responsible for liaisons with the court making the request. This will be covered in more detail below, but note that the access of the International Phenotype Database to information about the person is extremely limited: it knows nothing about them other than the shape of their eyeballs or fingers.
Likewise, has the National Court System seen any biometric information? No, nothing has been divulged to any court, other than the primary evidence used to run the search.
So if - and it is if - the Issuing Stations do not improperly retain a person's biometric data then a very private system has been created. Nobody single party has the ability to tie a person to their biometric profile, or retrieve their biometric profile from their name or other personal information like their Social Security Number.
Can the same be said of any other proposed scheme?
Identity Issue Process
Finally we issue the actual CheapID Identity Card to the person who made the initial request.
An individual asks the National Court to issue them a CheapID Identity Card.
Note the praxis here Ð the court or government does not issue an ID, an individual requests one. This is the Voluntary or Default enrollment model. In the Compulsory model, the agency is reversed, and the court or government initiates.
The court submits the Certificate of Biometric Enrollment to the International Phenotype Database, stating that the individual wants an ID issued. Again, note the flow Ð the National Court System is attesting that the individual in question wants something done.
The International Phenotype Database keeps a copy of this digitally signed request from the court, and takes the biometric information which the court has requested, encrypts it with key provided with the request, and returns it to the court.
This is a subtle and important point. In the simplest implementation of this system, the National Court System uses its own key for this request, and therefore is in a position to illicitly copy the biometric information passing through its hands during this process. A more sophisticated cryptographic protocol removes that temptation, but at the cost of a much more involved process that may be vulnerable to cryptographic developments which break the RSA cryptosystem, as quantum computing is likely to.
The National Court System then takes this information, decrypts it, and matches it to the individual making the request. If there is a mismatch, we have malfeasance.
There is also the possibility of collusion between the International Phenotype Database and this individual, to return false information. How do we get around this? Remember that the biometric information is initially collected by an Issuing Station which signs the data which is initially passed to the International Phenotype Database. These signatures are passed transparently through to the court to verify. This adds one additional party to the list of those who have to collude to commit identity fraud.
However, this set of exchanges needs extremely tight cryptographic analysis to get the precise set of transactions refined to an optimal balance between security and privacy. I believe that a system reliant only on digital signatures (as this outline does) is actually suboptimal and, in fact, if the exchanges are reworked using a cryptographic blinding approach (Chaum's approach, perhaps?) something significantly better emerges. This remains a task for the future. It is discussed in more detail in a subsequent section of this paper.
If all is well, and the individual matches the data returned from the International Phenotype Database the court proceeds to take a subset of the biometric information returned from the International Phenotype Database and create a set of CheapID Identity Cards.
Each card contains the following information:
Biometrics on the individual who owns the card. For typical purposes, this is simply a high quality facial image like those found on passports and perhaps one fingerprint.
The fingerprint may be encrypted with a key, perhaps the court key or a special security forces / police key. The fingerprint and other data may also be stored in a non-recoverable form that allows matching against a presented finger, but not retrieval of the fingerprint. Secure "biometric hash" algorithms do exist and are an area of ongoing research. (Nalini Ratha of IBM is one researcher in this area.)
An court key encrypted unique identifier for the individual.
Note that all data on the card is stored in a 2D bar code. The card itself looks like a mass of black and white squares. Also every field on the card is salted, so bitwise comparison between cards is impossible. Also note there is no name or other identifier on the card, other than the salted unique identifier placed there by the court. Some variations of the card may also allow areas of the card to be removed (tear off areas) to remove some information before the card is used. We will cover the exact construction of the card later on.
Something like a hundred of these cards are prepared and printed. Think of them as secure business cards. There should be no picture on the card, although there may be some additional elements to help people tell one person's cards from another (a recognizable logo or personal mark, perhaps, but nothing that can be used as an identifier for the person.)
This is because people are lazy. If you print a picture of the person on the card, people will inspect the image rather than showing the card to a machine which can verify the digital signatures.
The court now deletes all of the biometric information that passed through its hands, leaving what is on your ID cards as the only biometric information existing outside of the International Phenotype Database.
Without this step, we have an Orwellian 1984 database scenario. There are a variety of work-arounds which all greatly complicate the card issue process by splitting the process across yet more actors, or using more sophisticated cryptograph.
But if you cannot trust the National Court System to do its job effectively in protecting individual liberties, then the fact it has access to biometric data is a minor issue compared to the existing issues in the nation state. A technical work-around for an untrustworthy court is a classic example of solving a problem at the wrong architectural level. We should, of course, be belt and braces about this: secure protocols, and trustworthy courts.
Now this is an awful song and dance for a process that, in a biometric totalitarianism, can be reduced to a few simple steps: take their DNA and digitally sign it. Take a picture, digitally sign that. Stick it on one single card and shoot people if they lose their card.
All of this vouching by the National Court System and shuffling around encrypted bits so people cannot peek is what separates this instantiation of biometrics from a totalitarian one. Human rights and especially democracy involves an enormous amount of paper shuffling with ideas about privacy and rights wired into every step, and that is what ensures that the will of the people is at least notionally expressed through their government, and that they have at least basic safety and security.
So let's zoom back for a moment and consider this again. What is actually being done?
Biometrics are collected. They're sent to a repository. They are then used to make an ID card.
The song and dance with the courts and diffusing the process across both jurisdictional and architectural levels is where the civil liberties are put into the process. That song and dance with the courts and jurisdictions is your rights and mine in this model system.
Most rights-respecting processes involve a lot of legal song and dance. Part of the reason we are having such a lot of trouble with privacy and identity theft right now is that the Social Security Number has become a de facto unique identifier that a person has no control over and furthermore that identifier has no cryptographic features to restore a measure of privacy. There is a profound absence of legal song and dance around use of the Social Security Numbers. As a result this current generation of American identity infrastructure is a personal liability in the financial domain through identity theft, and a liability to American democracy through various kinds of attempts to pervert democracy by attacking the identity infrastructure and having both additional votes cast, and votes denied, based on false identity information anchored by the insecure Social Security Number infrastructure.
I do not believe, at this point, that a simpler system than the one I am outlining here can work and not be tip the balance towards totalitarian use of biometrics. It has many stages as an internet-age implementation of the principle "checks and balances."
A Note On Practical Implementations
In an SSTR context this entire ID issue process is expected to be compressed down to a processing center. Individuals come in at one end, have their biometrics taken, run against the big database in real time, and then have their CheapID Identity Cards printed on the spot. The legal formalities are exactly that: they are the superstructure on which the system is built. They do not get carried out by a formal court setting, but are discharged with paperwork performed under the notional auspices of the National Court System. In day-to-day SSTR operations, the majority of these legal processes may in fact be carried out as function calls between computer systems.
As normality is restored and the SSTR phase closes, the National Court System explicitly takes over the entire process and, as problems occur, every step in the process has a valid legal foundation and issues can be resolved through the normalized rule of law which is one of the crucial goal states of SSTR.
If biometrics are used in a field expedient fashion without secure legal foundation at every step, the odds of them being normalized into a legal framework at the end of the transition period is extremely low. Either they will continue to be used in a rights-stripping fashion by the new government, creating the temptation of easy totalitarian rule, or the biometrics system will fall out of use because they represent an illegal or even unconstitutional intrusion into people's lives. Biometrics technology must be given legal footing in order to become a valid part of the SSTR process.
A National Court System submits a request to the International Phenotype Database to identify a person based on a fragment of biometric information, like a finger print or a DNA sample.
The International Phenotype Database performs the search (perhaps charging the relevant National Court System for the computer time) and generates a set of results.
Those results that are citizens of the nation state of the requesting court are returned to the National Court System. All that is returned is the Identity Packets of those involved, not additional biometric matching information.
Upon request, the International Phenotype Database will contact the National Court System of the country of each person found to match the sample and inform them of the biometric match, and of the request from the National Court System that initiated the search that contact is made about this case. The expectation is that the person's National Court System will cooperate with the National Court System that initiated the search within the framework of any agreements between the two countries.
One nice thing about this system is that it makes it very easy to define one kind of state sponsored terrorism. When biometric information about a terrorist is submitted to the International Phenotype Database and they match it to a nation state, if that National Court System simply never returns any further data, you have clear evidence of state sponsored terrorism by virtue of identity protection.
Note that in the best form of this system, the International Phenotype Database never returns any information on matches outside of the jurisdiction of the National Court System that raises the query: it does not reveal the nationality or even the existence of any additional matches. The relevant courts are contacted, but nothing is relayed back to the originator of the query.
This is likely untenable in the real world, but is how the system might operate in an idealized form.
There are three classes of technical challenges at the International Phenotype Database level.
Searching six billion biometric records including issues like false positives and simply handling that much data.
Securing the system, including audit trails, physical security, and prevention of an attack on this critical facility resulting in a global failure of the capability to search biometrical records or generate new identities, although existing CheapID Identity Cards would continue to work.
Building out the technical infrastructure for the exchange of information and management of cryptographic keys within each National Court System.
Obviously in an SSTR context, SIAB-ISA is about equipping some number of facilities in the host nation with the necessary technology and keeping it running for them as well as rolling out the associated financial services and contract validation services outlined later on in this paper.
All of these services can be provided with technologies that are either common items or near-market refinements of existing systems. Based on my current exposure to the technology even the large scale biometrics matching appears possible given a few years for hardware to get faster and algorithms to grow more sophisticated.
A lot of what makes this possible is that searches against this database are infrequent: once per lifetime upon enrollment, plus criminal investigations.
However, one trade being made is full database searching without narrowing the dataset based on factors like proximity. We are not permitting operations like "search for records in the London area" because the International Phenotype Database is not allowed to know who lives in London. The narrowing is done after the biometrics matching step, and it is done by the local courts, not the biometrics database. This is extremely inefficient, but bigger computers are coming.
The National Court System
By definition, one nation state, plus any areas that state is providing legal services for.
In this context, the National Court System provides controlled legal access to the International Phenotype Database, and the various Issuing Stations and other parts of the ISA.
All common operations with a technical component are covered under the International Phenotype Database above. They are documented as a set of interactions between the International Phenotype Database and the court because the court has little or no direct access to biometric data except through that intermediary.
Deploying PKI in a court context and associated procedural changes are major issues, as is building judicial understanding of how the system affects their role. There are additional challenges in building a framework within existing legal systems to identify what is and is not rational and appropriate when dealing with biometrics in general. These challenges are not unique to the SIAB-ISA, however.
One plausible approach is that each National Court Systems has a single national decryption center that manages the court's private keys, and then additional PKI to manage transfers of data to and from that center, and authorization and authentication. This is a major project, but considerably more tractable than the obvious alternatives.
Authorized by the National Court System, may be operated by an arm of the court, an NGO, or third parties like hospitals and Professional Witnesses.
The issuing station exists to take a person's biometric information and relay it securely to the International Phenotype Database. It takes legal responsibility for the honesty and integrity of this task, and staff should be clearly identified and criminally liable, with a solid audit trail.
As documented under International Phenotype Database.
It's worth noting that the security and reliability of the issuing stations is key to the security and reliability of the entire system.
Suppose, for example, the station collects bogus data and transmits it to the International Phenotype Database? This gets caught by the Court, when the Court compares the data coming back from the International Phenotype Database to the person presenting the request. But what if there is collusion between an Issuing Station and the National Court System, to create a bogus identity by sending fake biometric data? This still gets caught when the CheapID Identity Card is presented for use, of course, but it is clearly possible for multi-party collusion to create fake people even if it is very hard to pass them off against challenges. However, the system is many, many times harder to spoof than current systems, where fake people can be created by a single government ad infinitum.
In common use, institutions like hospitals might act as Issuing Stations. The basic mechanics of taking the necessary biometric data, possibly including DNA samples, fit nicely in a medical setting and could, in an SSTR context, be associated with primary health screening and vaccinations for example.
The challenges depend entirely on the level of biometric sophistication required. A basic Issuing Station is a digital camera and a net connection to a web site which provides an interface to the International Phenotype Database.
The CheapID Identity Card
It is important to understand that the CheapID Identity Card reflects the international agreements which form the ISA in its internal structure.
At an abstract level, the CheapID Identity Card has three statements on it, digitally signed by their respective parties. The first is from the Issuing Station, attesting that this is a picture they took and is an accurate likeness of an unnamed person (and the same for any other biometrics present.)
The second is from the International Phenotype Database stating that it has an Identity Packet from a National Court System referring to the unique individual presented on this card. This implies that the individual has been enrolled and that any ambiguity about their biometrics has been resolved.
Finally, there is a statement from the National Court System that it is willing to decrypt the unique identifier present on this card (the identifier is unique to the card) to reveal this person's real identity based on whatever legal criteria that National Court System requires.
The combination of these three statements gives a solid link to this person's identity, protected by the Court's unwillingness to decrypt the identifiers on the card for frivolous or illegitimate purposes.
However, in practice, there are issues with presenting all of this information on the card. Firstly, one may simply run short of bytes in the cameraphone implementation. Secondly, the digital signatures on the image from the Issuing Station and the International Phenotype Database create a de facto unique identifier which is unique to the individual, not to a given instance of their identity card. In naive implementations, the signature on the photograph becomes usable as a sort of substitute Social Security Number. Again, blind signatures may make it possible to carry these signatures from end to end without them becoming illicit unique identifiers in their own right, but is that reasonable? The algorithms allowing a blind signature (that is, for a party to sign a document it does not read, simply proving it was presented at a given time and not altered) are not trivial and begin to lift the system out of the domain in which simple reference implementations are possible.
Finally, those algorithms are dependent to an unknown degree on the particular features of the RSA cryptosystem. In the upcoming post-RSA era (RSA is vulnerable to quantum cryptography) it will become necessary to shift algorithms. Digital signatures will almost certainly continue to exist, but the precise commutative properties of prime factorization may not be replicated in the new systems, killing entire classes of useful algorithms.
Therefore, practically speaking, in a simplified implementation, the card bears only one digital signature: that of the court, attesting that the original signatures were correct. Audit trails may be kept at the court, perhaps involving re-encrypting some of the data in the audit trail with a public key belonging to an auditing agency, the International Phenotype Database, or the Issuing Station to prevent the Court's audit trail becoming an unhelpful store of biometric data.
The Court can be challenged to produce the Statement of Biometric Enrollment for a CheapID Identity Card that is has issued if there are doubts about the legitimacy of the Court.
Alternatively, we simply bite the bullet, carry all three signatures through the entire system, and salt the data from end to end. This approach may require hauling thousands of times more data across the system. The Issuing Station would pass 1000 encrypted packets to the International Phenotype Database which would then sign each one, and so on down the chain to the CheapID Identity Card itself. This is an appallingly inefficient brute force solution but technical history has shown us that brute force often produces correctness in software systems, which is a factor to consider.
In any case, it is certain that the CheapID Identity Card cannot carry any bitwise identical fields which would allow one card to be matched to another. There are a variety of plausible approaches, as outlined above, and the task of the system implementors is to pick a solution that works in practice.
A good enough system can be created by trusting the signature of the Court if you can challenge it and require them to produce the signatures of the International Phenotype Database and Issuing Station. This is a good enough solution to know the scheme is viable, although it can be improved.
Let us revise the physical appearance of the CheapID Identity Card once again. It is a sheet of paper or a plastic card covered in a mass of 2D barcode data and bearing few or no other identifiers. Each individual has dozens or hundreds of cards, each one bearing their likeness in the form of a digital image encoded in the barcode and signed as discussed above. There is no visible picture, so that people must show the card to a device which can check digital signatures in order to see the face encoded on it. No two cards corresponding to a particular individual share any bitwise fields.
The goal is to create a system in which the lives of those who do not break the law are almost entirely private. This means that the ISA has to be able to support some novel operations. The most important is being able to have absolute assurance that a person had committed an act, but no awareness of who they are unless the act turns out to be illegal. This single property is the key to commercial use of the ISA in the context of State In A Box. Because this desirable property did not exist in prior technological substrates, outside of the context of proxies in some kinds of transactions, neither legal nor financial infrastructure has taken advantage of the fact that our technological substrate can now support this property.
This is leapfrogging. In an SSTR context, it becomes possible to rapidly build the new generation infrastructure for CheapID Identity Cards and the necessary legal supports in the National Court System. It seems like a stretch, but the technology is getting easier all the time, and the security requirements for a solid biometric database are unarguable, as are the problems of leaving that database behind when one leaves, or deleting it. By placing the dangerous database in a protected environment like the one the ISA provides through the international framework, the worse abuses can be headed off at the pass, while keeping the system available.
The bonus is a new kind of commercial transaction: Blind Contracts. We will discuss blind contracts in some detail later in the paper, but the core of the concept is that, if the contract is not broken, one or both parties can remain anonymous. If it is broken, the anonymity is compromised, and the legal process can unfold.
A contract that is assented to by a person with a CheapID Identity Card is a blind contract. One of their ID cards stays with the contract, digitally signed in all probability, and acts as a token of their identity. However, until such time as the National Court System becomes involved and chooses to decrypt the ID card, there is no way to identify the signatory. The contract holder has absolute assurance that somebody knows who signed the contract, but no information about that person unless something illegal or dishonest happens.
Doesn't that seem right, as the world would work if we had a just and efficient society? Nobody really wants their grocery store colluding with their mortgage broker and their health insurer to pitch them additional services. In reality, we almost all like our business to be conveniently private, but we are let down by shoddy and outdated pre-database-monitoring identity infrastructure.
However, an entirely private world as I am describing does not work for all political systems, and certainly does not work for all security situations. The goal here is, as always, more privacy for the law abiding citizen, and more ability to identify threats and illegal activity and halt them.
Because of a small feature Ð the Certificate Revocation List Check Ð which we will discuss below, in some implementations it is possible if national security requires it, to trace every instance where an individual has used their CheapID Identity Card. In other implementations, this is not possible. This is an architectural decision which is left with the National Court System.
This is how the cards are used for routine identity transactions.
A person presents their CheapID Identity Card to an identity check of some kind.
The person making the check takes a photograph of their card with a cameraphone, or otherwise gets a copy of it into a computer.
The digital signature on the card is checked against a key pre-loaded on to the device, much as HTTPS X509 certificates are pre-loaded on to web browsers.
The image of the person who should be associated with the card is displayed on the device.
The person making the check compares the image on the screen to the person in front of them. If the two match, then the card has been successfully connected to the individual.
If there is any need for this individual to be re-identified later, the CheapID card is kept by the person making the check, with any additional notes required by the situation.
In future instances, the person is checked against the card stored on file, but because of the "no bitwise identical fields" rule, two entities with cards on file cannot match them without doing full biometric comparisons on their face databases. Of course, they could (if it was legal) run that check from surveillance camera footage, so we have presented no new tools to those who wish to do monitoring.
Note that we assume that CheapID Identity Card checks on photographs will typically be done by a human being rather than an automated system. This is a response to the likely deployment of these systems in the developing world, where human labor is relatively cheap and machinery has a hard time in the physical environment.
If the card had another biometric on it, like fingerprints or a facial biometric, perhaps an automated system would be more appropriate. But for the simple low-tech version, a human comparison is plenty. Also note that there is no database access in this case. In higher security use cases, there is probably a Certificate Revocation List check.
When a person returns to claim use of resources they previously signed up for, the card on file is used exactly as any other card is.
Check Identity as in the previous case, but referring to an ID card kept on file, rather than a new card.
We assume that the common practice will be "one card per contract" or "one card per transaction." No two vendors should ever see the same CheapID Identity Card. This also applies to routine police checks in the event of things like traffic stops. See the following section for an explanation of how this works.
One way of seeing a CheapID Identity Card is as a digital certificate. Certificates, however, typically must be checked against a Certificate Revocation List to be meaningfully secure. Without such a check, there is no way to know if the facts attested to in the certification are still true because the certificate's whole virtue is that it does not and cannot be changed!
One option is to use a field which is unique to each card, say the digital signature of the Court, and submit it to a URL to see if the CheapID card is on a wanted list. If the court returns an "all is well" there is no problem, and other situations would be reflected appropriately.
There are a number of technical approaches one can take to this check which result in different civil liberties landscapes. In a repressive, totalitarian environment, the CRL check could be run through databases which would take the unique identifier, turn it back into a name, and run that name against all the relevant databases.
In a less restrictive environment, the Court could generate a list of unique identifiers which need to be held, and upload that list without further identity information, roughly corresponding to a list of people with outstanding arrest warrants. In this instance, unless you are wanted, the Certificate Revocation List simply has no record on you.
In between, there is a "sweet spot" which seems to me to blend excellent security with relatively good privacy. In this instance, all CRL checks are logged in an enormous database, and a list like the arrest warrant list is maintained. However, in the event of a serious security concern, or an investigation into a person's life in which their privacy is deemed moot, the Court generates a list of unique identifiers pertaining to this individual (in essence, by replicating the process it did when generating the ID cards) and all those transactions are pulled out of the database.
The parties who ran the CRL checks can now be contacted to give a relatively complete picture of the life of the person of interest. However, without the participation of the court, there is very little that can be done with the main database, even if it is obtained by questionable means (like systematic interception of CRL checks.)
If this seems totalitarian, you must ask yourself a simple question: do you think the real systems which are likely in use by security forces are more or less private that the system I am describing here?
My guess, from what I read in the newspapers, is that we are already significantly past this level of monitoring, and that the systems which do that monitoring were constructed with very little fundamental analysis of their effects on society in the long run.
We have shown a system which has both better privacy and better security. The challenge is to deploy it.
The CheapID card itself is perfectly feasible with existing technology. Packing it down into something which can be made to work with the existing generation of cell phones is going to be a work of art, however, and may involve extremely sophisticated facial image compression and tiny digital signatures to work properly. Alternatively, the non-standard color implementation of the Data Matrix 2D bar code standard triples the data density in the bar codes, and puts us in the clear as far as data on the card is concerned, at the cost of breaking compatibility with off-the-shelf Data Matrix reader hardware.
These are questions for the implementors.
Statebuilding with the Identity Services Architecture
Let us recap. We have a scheme for taking relatively straight forward biometrics and implementing them in a way which relies much less on routine access to large databases, leaves plenty of room for different nation states to operate in their own way, and yet is still internationally interoperable.
However, there is little incentive for anybody to get a CheapID Identity Card because, at this point, we are still operating in the domain of international agencies and national governments. This is the domain of the "stick." Nobody wants to change anything just because it is convenient for such groups, which leaves them forced to compel change. This is not the best way to encourage technological (or policy) progress.
To find out why people will use these CheapID Identity Cards, we have to move into the commercial domain Ð the business and individual benefits of the system. This is where we find the "carrot" - the ways that an upgraded identity infrastructure will make people's lives better, and where there is money to be made!
We are going to cover a lot of ground quickly: appropriate technology banking infrastructure, microfinance, a new approach to implementing democracy, and four or five other relatively radical products of having a genuinely modern identity backbone. You may find much to object to in any specific case, and an adequate defense of this picture would require one or perhaps two books. From here on in, the cases are argued much less robustly.
The core transaction is that a person leaves one of their CheapID Identity Cards behind them, and the card cannot be bound to their identity without a National Court System decrypting it. This transaction is novel, and largely what we are doing is examining a few of the new possibilities that it opens up.
One way of thinking about it is that currently identity information is like gold. It's a hard, transferrable, fungible resource. Many small pieces of identity information can be combined for a more complete picture about you, or a single profile can be split into demographic information or other categories.
SIAB-ISA is a "virtualization" of identity. Rather than simply handing over the identity-gold, now we're handing over a document which says "The National Court System Promises to Pay the Bearer My Identity if I Break This Contract."
This is, and I hope you will excuse me one pun, an "Identity Cheque." It is an unbreakable future promise of identity, perhaps more like a banker's draft than a cheque. By introducing new "identity instruments" we expand the range of possible transactions, in the same way that new financial instruments like cheques enabled many new classes of financial transactions.
What is interesting about this is that it also nicely parallels a great deal of work on capability-based financial instruments, and I'm greatly indebted to Alan Karp for teaching me a lot about capabilities in our discussions of this paper and other work. I have not refactored SIAB-ISA around the "capabilities and authorizations" model that is so central to Alan's work, but I believe that doing so reveals another system, one in which identity information goes from being a "cheque" drawn on a central banker to "cash" - autonomous authorizations generated at the edge of the network, near where they will be used. This work will have to wait for another year.
Contract Signing Infrastructure Ð the Professional Witness
Private company operating in the context of one or more nation states.
Contract Signing is Currently a Broken Process
Contract signing Ð verifying the free assent of one entity to a proposal Ð is a fundamental necessity for commerce. Whether it be banking, mobile phone contracts, even tax forms, this assent is a crucial business process.
There are currently two basic approaches to this assent process both of which are broken because they rely on having amateurs do the job of professionals. Note they are not necessarily broken for technical reasons, but because we ask people who are not experts to do something they cannot do reliably or be reasonably expected to absorb risk based on that performance.
The first areas is signing papers. The method is simple: you take a piece of paper with an offer on it, sign your name, and the counterparty responds as if it has your legal assent. The problem is that most signatures are never inspected to see if they are forgeries, and if they are, the check is normally done by a person with no professional training. "Does this look right to you?" is not really an adequate inspection, and most signed documents do not even get this cursory check. The result is forgery is a common attack on both individuals and companies.
Consider how much would forgery be reduced if every signature was inspected by a trained professional before action was taken on it?
It is not necessarily the signature itself that is the problem, it is the context we deploy them in, and the risk management and liability landscape we have created around this form of assurance.
The second area is digital signatures. Here the problem is computer security. Without a professional staff to maintain the integrity of the machine being used to generate the digital signature, the signature cannot be trusted. A claim can be made that the machine was compromised, resulting in a signature that does not signal the assent of the nominal owner of the private key via repudiation.
Would you trust a digital signature generated on a home computer on a document like a mortgage?
As a result of these limitations, we rely heavily on corroborating evidence when preparing a contract: does the Social Security Number match? Do we know this person? Is it a reasonable looking request? In practice, however, fraud prevention, detection, losses and investigation constitute a large tax on businesses because these fraud reduction measures are deeply imperfect.
And this is in the relatively stable, relatively secure societies of the developed world. How much worse are conditions in SSTR situations?
Improving contract signing means putting a professional in the loop to actually verify that something has happened, and be sued for malpractice if something goes wrong. Note that we are not talking about technology yet. Right now, we are talking about professionalization of contract signing and the risk management implications. Having professional standards for contract signing Ð for verifying human assent to a proposal Ð is independent of technology.
A notary public is one step in this direction, but an ordinary notary does not go far enough because of the technological limitations of their context. Without the ability to generate extremely solid identity credentials, a notary can only sign what they see. Furthermore, the actual process of stamping offers no real security in the modern world, certainly not against major fraud attempts.
But the model is functional. Notaries exist because they add value, and an improved and generalized "notary-like" function is not a heavily innovative proposal. Our implementation is a "leapfrogged notary" called a Professional Witness.
Fixing Contract Signing
Let as assume a person walks into my office and says the want me to witness them signing a document. This is a two step process. Firstly, I verify that the person matches the CheapID Identity Card they present. Secondly, I watch them sign the document, and somehow assert this fact in a manner that proves to third parties that I say I saw it. This process is, in fact, equivalent to me creating and signing a document which says I saw the person in my office sign a document.
If I am trustworthy, this second document Ð a signed statement from a professional witness Ð might actually constitute the real legally binding signature on the original contract, rather than the relatively fragile ink-on-paper that is so prone to forgery.
This seems rather round-about, until we get back to the question of putting a liable professional with insurance in the loop as a way of improving the quality of execution of a business process. What we are doing here is creating a new business entity to reduce the risk of contract signing for both parties by taking professional responsibility for the veracity of a signature on a contract. This role Ð the Professional Witness Ð is a pivotal point in bringing a truly digital economy into existence. We stagger along with credit card companies acting as the risk buffers for e-commerce transactions, but the limits this imposes on the digital economy in terms of both overheads and maximum value of transactions are crippling.
You think that digital technology is transforming commerce? Imagine if we actually had the capability to make real payments electronically, to sign contracts remotely in a way which was inherently trustworthy, and to operate without revealing our affairs to every service and infrastructure provider we buy services from.
In truth, the transformation is barely begun.
What does a Professional Witness Do?
The role of the Professional Witness is to prove that something happened. The ability to prove that a "point event" occurred in an extremely legally credible way begins to dismantle the need for the highly invasive "preponderance of contextual evidence" approaches used to verify behaviors like using credit cards or signing a contract applying for financial services. In short, if we can verify point events with some degree of finality, we can largely stop using pervasive monitoring to assure transactional integrity. This is an important point: one good observation can easily substitute for tens of thousands of weak observations, like your previous credit card transactions.
What we hope to establish through the agency of the Professional Witness is a bombproof credential showing what a person chooses in a legally binding fashion. In short, they are there to create a verified, transmittable moment in time that can be used by appropriate third parties in a legally context. The Professional Witness's job is to record evidence and attest to what they have seen.
In theory, this is what your signature on a document is: it records an instant in time when you choose to constrain your future behavior to the terms of the document you sign. It is, in theory, a "transmittable moment in time." Your signature on a document is not an object, but rather it is evidence of an event. The Professional Witness is a high-tech generalization of this function.
However, because people are running around all over the world signing people's other people's names, the "ink-on-paper signature" standard has almost entirely eroded, and now we are using profiling to make up some of the gap. Introduce a better way of signaling assent, and you reduce the risk that profiling is meant to redce. What we are working towards here is a risk-free contract signing environment Ð something which has never existed in history outside of robust personal trust networks, a rarity in an SSTR environment. Note that we are only proving who the entity is and that they assented to this contract - nothing about their ability or willingness is being measured, only that they are who they say they are, and they cannot repudiate this signature.
This is actually a major step forwards, especially when coupled with the persistence of the International Phenotype Database. The problem is that it is too much of a good thing if combined with existing profiling approaches, likely resulting in a rigid and over-controlling business environment. Pervasive profiling is not something that should ever be combined with biometrics, because of the privacy and balance-of-power issues.
Obviously we start with contract signing, but we can expect that once the infrastructure is in place, other ways will be found to use the services of the Professional Witness. One of these possibilities is using this infrastructure to record votes. This is an example of how whole systems thinking saves money. Suddenly we discover that two systems that used to be separate can be combined to provide superior services at reduced costs. Of course, in this instance, the final stage of the action - which vote was cast - is split from the fact that somebody voted to ensure we still have the all-important secret ballot. But in principle, the action is very similar to contract signing.
Risk and Liability Factors
Part of the goal here is to aggregate enough risk that it becomes profitable to pay for the engineering to reduce that risk as far as technically and economically possible. If you have an office which does nothing from day to night but check CheapID Identity Cards and record assent to contracts, they will see enough attempts at fraud to improve security technology and practices if the financial incentives and risk management are right. Correctly aligning the incentives harnesses competitive pressure to produce better services, where misaligned incentives will produce technological stagnation and lackluster performance as we see in many wrongly-regulated, mis-incentivized industries.
My suggested model is that when a Professional Witness documents the signing of a contract, if the signing turns out to be an identity fraud, where the company did not correctly take the biometrics, or was party through collusion to falsifying a contract signing event, the Professional Witness is fully financially responsible for all associated costs, including the original contract. For example, somebody who looks a little like you goes into with a Professional Witness and signs a services contract in your name. You object, the National Court System rules it is not you that signed the contract based on insufficient evidence presented by the Professional Witness. The Professional Witness is now responsible for the services contract that it signed on "your" behalf.
This scheme has two effects. Firstly, companies can feel confident that when they have a signed contract in their hand, somebody is either going to pay, or be legally accountable. Because you have a biometric identity backbone that you can trust, a contract is a contract. If the contract is signed by the person it should be signed by, and the deal goes bad, you take their CheapID to court, recover a real identity and begin proceedings. If the signature turns out to be fraudulent, you can recover your losses from the Professional Witness and their insurers. You never have a contract with a ghost. This is important in an SSTR context where accountability can be hard to come by.
Recording Events and the Burden of Proof
Just as "innocent until proven guilty" and "guilty until proven innocent" are describe two very different legal systems, correctly allocating the burden of proof is very important to the success of the Professional Witness. In the event that a person repudiates a contract signing, the entire burden of proof is on the Professional Witness to prove that the person assented to the contract.
This is an area where risk management and technical measures collide. For low risk contract, perhaps the Professional Witness is willing to use an automated system that, once in a while, gets fooled and when you come back to check the log tapes, there's a person with a rubber mask and a fake finger spoofing the machine. For sufficiently high value contracts, the process might involve taking new biometric data and securely storing it, or encrypting it with the key of the court in a secure archive so that in the event of a problem a solid case can be made, but in the mean time there is no repository of biometric information being built up in the Professional Witness.
Of course, sleazy and unprofessional Professional Witnesses might fabricate evidence. One safeguard against this is for individuals to register their own choice of Professional Witness in a public fashion, automatically repudiating all contracts said to be signed by them which are not signed by that witness. This process helps balance the commercial interests of Professional Witnesses. individuals, and companies. Witness choice is a market decision.
A Brief Recap
The Professional Witness scheme creates the possibility of getting a signed contract with an extremely low risk of misidentification of the party signing the contract. This reduced risk has the following five effects:
In an SSTR context, it makes it easier to do business, particularly international business, in a country where financial records may have been lost or destroyed.
In combination with CheapID Identity Cards we can now create reliable contracts with people who's identity we do not have access to unless we can prove the contract was broken.
A "blind contract" infrastructure helps counterbalance the totalitarian effects of biometrics and information technology. People have complete privacy as long as they obey the law.
Entire classes of fraud become effectively uneconomic because of the extreme complexity of hacking the identity systems.
Transactional costs go down, possibly by as much as 1% or 2% of total economic volume because of reduce risk.
Now we have a convincing driver for the widespread adoption of biometric technology: secure blind contracts which make it cheaper and easier to do international business.
The Professional Witness makes its living by reducing the economic overheads of doing business by as much as 1% of total transactional volume. All of the risk minimization measures that are made obsolete by the Professional Witness cost money or generate additional barriers to successful transactions and this is an extremely large market. What we are doing here is unbundling risk management features into a highly efficient and effective stand along business - a disaggregation to increase efficiency and offer new services.
For example, I think that a Professional Witness could charge $200 to sign a car lease, and that it would be cheap compared to the current anti-fraud measures taken on such a transaction. For a mortgage, the relevant transactional overheads could increase the fee ten fold. The Professional Witness is a viable business entity, possibly even without government-backed identity infrastructure. But with that infrastructure, I expect there to be no issues finding businesses willing to add these services to their product range.
One of the core goals of SSTR operations is to connect areas back to international financial services including foreign investment. This shows up as both direct aid (and the mechanisms necessary to spend it) and programs designed to attract new business.
In this context, the ability to offer extremely secure identification of persons, and a solid legal framework for genuinely trustworthy and enforceable digital signatures becomes a vital part of attracting new business. Imagine you are in the position of an international telecommunications company considering which of two nations to invest in. One operates a reasonable ISA program, and the other does not. Which is a more friendly environment for your business, all other factors being equal? Of course it is the one where you can actually meaningfully identify your customers and your staff in a way which makes them accountable and cuts your losses due to problems identifying who you are actually selling services to.
Now put this in the context of microfinance. Microcredit lending agencies typically charge around 30% interest, largely because of the costs of administering the loans. Some of that money goes into training staff, training loan recipients and so forth. A lot of it goes into identifying whether people are suitable candidates for a loan. One typical requirement is that loans are only given to small groups of women, who mutually guarantee each other's loans in sequential order. If the first loan defaults, the second is never given. These loans repay rate of over 99% in many areas.
Now add a reliable identity backbone. How much easier is it to run a microfinance operation now? What new classes of financial services become possible for the very poor when it is possible for them to identify themselves even if they are too poor to have a home address, a job or even much interaction with their government.
An identity solid enough to get credit is a developed-world luxury. Doing business in countries without reliable identity infrastructure, without meaningful Dun and Bradstreet coverage, has enormous risk and transactional overheads. Cutting these factors to an absolute minimum Ð in fact, to lower levels than are found in the developed world Ð paves the way for international trade in hereto inconceivable ways.
One classical Indian form of identity theft is to declare your relatives dead with a fake death certificate, and then inherit their lands. There are some ten thousand of these people, and they have their own union. Some of them have been "dead" for a decade or more because it is impossible to prove to the government that they are alive. Dead people cannot sue. An upgrade to the identity systems used by the state would not be a bad idea.
Financial Services in the Developing World
With a system like SIAB-ISA in place, the risk of identity fraud when somebody applies for a bank account or a credit card in a poor country is likely to be less than the equivalent risk in the developed world without the ISA. What we are talking about is leapfrogging identity infrastructure to pave the way for leapfrogged financial services.
One example of a leapfrogged financial services is the E-gold company. E-gold is a privately issued currency, with about $70 million dollars worth of gold reserves. It has been possible to transfer $100,000 from one account to another using a cell phone interface since around 1998. The system has been profitable and self-supporting for many years, and was started by a single individual with an Excel spread sheet. E-gold is, in many ways, an ideal currency for international trade because transactions are measured in transfers of allocations of the gold reserve directly: you are paying by transferring a fractional right to take gold from the reserve, exactly as national currencies were when operated on the gold standard. This means that there is very little political risk to storing one's wealth in e-gold: hyperinflation and other effects of government policy may destroy a nation-state economy, but seldom have significant effects on the gold price, except perhaps to raise it.
The final relevant factor is than E-gold supports payments down to around 1/3 of a cent, and transactions costs are extremely low making even $0.05 payments economically viable. Being able to move five cents internationally in an economically viable way is a breakthrough technology for the very poor.
E-gold is currently being severely challenged by the Federal Government over a variety of licensing issues and allegations of money laundering. A cursory examination of the cases seems to suggest that these charges stem from an unwillingness to issue the necessary licenses to let the free market provide currency services, rather than from actual malfeasance, and E-gold's record of cooperation with the authorities in tracking down illegal activity appears to be extremely strong. I hope that these issues will be resolved in a way which leaves a viable and successful company standing.
Imagine, however, the alternative path in which the US Govt. sponsored (or simply permitted) the development of an independent, stable international currency, coupled to the SIAB-ISA. It cannot be the dollar because of the exposure that users, particularly the very, very poor, would have to US Govt. policy.
This trade backbone - identity plus currency - can create transactions than normal national currencies cannot because they have such poor support for international transactions, and low-value electronic payments. An international currency, with strong ISA backup, opens the slums of the world to trade in a way which is currently unimaginable.
Build a leapfrogged trade backbone. The people of the world will do the rest.
Signing A Contract
I physically visit the office of the Professional Witness.
They verify my CheapID Identity Card.
I present them with the contract I wish to sign in digital form.
The Witness affixes my CheapID Identity Card to the contract in digital form.
The Witness records my assent to signing the contract perhaps by video recording the event, having me sign a paper copy and recording the signing event on a pressure sensitive tablet, or other mechanisms. This evidence is probably encrypted with the key of the court and archived.
I now present this signed contract, including the signed ID, to the counterparty of the contract.
In the event of a breach of contract, the counterparty presents the contract to the National Court System which, if the evidence supports it, decrypts my CheapID Identity Card and identifies me. If I contest the validity of the signature, the records showing my signing are decrypted and presented and an adjudication is made.
Voting: A Special Case
Only minor changes are required to have a secure voting system emerge from this infrastructure. The two necessary changes are that the Professional Witness has to verify that I am authorized to vote before allowing me to do so (or invalid votes must be screened out down the line) and my vote has to be concealed from the Professional Witness.
One approach to this might be to have a conventional voting booth and to hand out secret ballots. Alternatively various cryptographic schemes might be employed. Ron Rivest has been doing some extremely interesting work on voting recently, and is certainly the person to read to see some possible solutions to this challenge.
The internal systems of a Professional Witness are not simple. They include monitoring systems, control of their signing keys, repositories for secure data and a variety of other technical infrastructure, none of which ventures deep into unknown territory, but all of which is expensive to deploy as functional commercial systems.
Universal Secure Single Sign-On
Hybrid. Although operated by private companies and NGOs for the most part, in some instances this service might be provided by governments, or across international boundaries in much the same way email accounts are created. This is typical for internet-based systems, of course.
I believe we have less than 10 years of legal anonymous free speech on the Internet. People confuse the "Wild West" style properties of a new frontier with fundamental aspects of the digital space and, as court houses and law get built on the Internet, much of the current wildness is inevitably going away.
However, correctly leveraging PKI and the ISA creates the possibility of preserving the politically critical support of free speech with a reasonable expectation of anonymity, except when criminal acts are being performed.
The benefit in this case is the convenience of single sign on across all Internet (and perhaps other) electronic services.
How is this to be achieved? Consider the OpenID standard, a distributed (or, more correctly, federated) ID system which hangs off the Domain Name System namespace. An OpenID identity provider gives out URLs, each one of which has a username and a password. The URL is given out to third parties as the "identity" and back-channel communication occurs between the third party and the OpenID provider to enable log in.
OpenID has about 10 million operational accounts and is being integrated into projects like Wikipedia. It is likely to succeed widely. If not, something else like it is going to take its place, in all probability. The email address has the same basic properties (of hanging off the DNS namespace) and has been used as a default ID namespace up to this point, with much the same properties Ð for most web sites, if I can read the email associated with Account X, then I am that person.
Hanging off the DNS namespace is an interesting thing, because it basically makes personal identities part of the DNS hierarchy. Part of the freedom people feel on the Internet is that, on the Internet, you are a "citizen" of the DNS Government Ð DNS creates the political unit of your email account provider or, if you operate your own domain, yourself. In the event of an investigation, queries follow the DNS chain of command: first WHOIS to identify the domain owner, then an enquiry to the domain owner about the conduct or identity of a given user.
This usually results in either a real name, or an IP address, which is then mapped back to service providers, then billing records, then an actual hard physical identity. Internet users typically feel rather violated by having their online actions tracked back to their physical location because it is a cross-namespace violation, rather like having a foreign nation state come and enforce its laws on you. These illusions have built up through common custom and the largely privileged academic communication which was the initial environment of the internet. That separateness is largely collapsing as the Internet becomes a part of the "real world" and the new privileged spaces are massively multi-player online roleplaying games like Warcraft, Second Life and Everquest.
Authentication for these systems is extremely problematic. Computer security is very ineffective for most home users, and falsely authorized emails generated by viruses, for example, are a common problem. Online banking security is constantly under attack from criminals compromising home computer security over unaccountable emails. This situation cannot go on indefinitely.
The solution is simple: a special, privileged class of Single Sign On Identity Providers who require an ISA-style blind contract before they will provide you single sign-on services. An identity with these groups is indicated by a cryptographic signature from the vendor attesting that they have a CheapID contract on file and will reveal it under a specified set of conditions, usually a court order in their native jurisdiction.
Ideally, this move would be coupled with a definitive upgrade in authentication. Pseudo-random number generators, when used for security applications like as the common SecureID tag are subject to man in the middle attacks, so probably we are going to wind up with an additional PKI level, perhaps small USB-type tokens. In any case it would be nice to indicate the level of authentication in the account so that third parties could judge for themselves how much trust they want to put into a log in from a particular SSO provider.
Upon display of proof that a given account has engaged in an activity which requires an identity to be revealed (i.e. presentation of a court order) the sign on service returns the original ISA-style blind contract, with associated CheapID Identity Card to the court to decrypt.
With sufficiently secure SSO services, including perhaps specially created government-backed SSO accounts along the lines of the Estonian system, it should be possible to do secure electronic voting over a variety of devices including cell phones. Challenges pertaining specifically to this project will be the subject of another paper. In essence, this discussion is about extending the reach of the Professional Witness to transactions at a remote site like your home, using the media of a cell phone or other computing device as the intermediary. This is non-trivial and may involve windows of revocation in which coercion can be reported, for instance.
There are no difficult technical challenges specifically related to the ISA aspects of this system.
Let's get down to the nitty gritty of implementing a system like this.
The hardest individual project in an implementation is the International Phenotype Database. Even a prototype has to be able to accurately match incoming biometric data against a database we expect to be vast, and provide auditing at a level that makes people like you and me comfortable being in that database.
However, that is a problem which has an enormous number of really smart people working on it. We are minimizing the problem in two ways: firstly, by anticipating seeding the system with very good quality biometric data captured under controlled conditions, with an initial check for false positive matches and refinement of the dataset to reduce these. That's a big step up: being able to flag a person on enrollment as having fingerprints which partially match a bunch of other people helps later on. Secondly, we are not pounding the database every time somebody wants to get access to their bank account. By carrying a card with data on it, and matching face-to-data, we are minimizing the load on the centralized system. It cannot be slow, but it can be non-real-time.
Secondly we have the whole dynamics of the exchange of information between courts and leviathan and issuing stations and so on. For now, this can be done with web services and digital signatures. Perhaps eventually a different architecture is appropriate, but for now? HTTP and XML are sufficient for all of these transactions, as long as the protocols are carefully designed, and all traffic is encrypted at an application level. Audit trails, again, are a lot of the difficulty here.
Then we have the cell phones. 574 bytes is the largest 2D barcode I have been able to get a vendor to sign off on as a workable reality with current generation cell phones. It is not enough to do a general use ID card which is reliable enough for banking because of image compression issues.
However, because we have been discussing a deployment involving perhaps millions of people, we can discuss the issue with cell phone manufacturers. Adding the additional optical elements required to get a good quality close up of an ID card is not a major engineering obstacle, it is just a case of being an item with limited market demand. Likewise, the full color variant of Data Matrix boosts data densities for a given optical system by 3.
So I think that a special run of cell phones with better cameras is perfectly reasonable and, once there is an established application for those cameras beyond taking pretty pictures, the upgrade should become a standard feature relatively quickly if there is market demand. It may even be possible to have the Data Matrix standard extended to include an optional color implementation.
The hardest problem in the entire system is getting banks to allow account access using a CheapID card. Once that problem is solved the systems can be adopted. Until then, it is all theory.
Status of this Work
State In A Box is an ongoing project, and I will continue to release and improve documents related to the work on an ongoing basis.
If you are a commercial or government entity and would like me to present or consult on this work, please get in touch.
This paper is descended from a piece I wrote for the Department of Defence, OSD/NII. That paper was commissioned to be rather narrower in scope than this work, and the origins of this work in that piece should be taken, in no way, shape or form, as any kind of endorsement.