It is hardly controversial to say that in the last few weeks - in the wake of Edward Snowden’s revelations about the US Prism programme snooping on websites and social media - online anonymity, or the lack of it, has become big news, says bobsguide blogger Dave Birch. Indeed real issues ranging from online bullying to the interaction between political activism and financial services tracking mean that society needs to think long and hard about what it wants from the emerging technology infrastructure, and how anonymity should work - or whether it should exist at all - within that infrastructure. Cryptographic blinding might be the answer, but society needs to have a debate first.
People increasingly think that they want anonymity, but I’d like to suggest that’s because they don’t really understand it. The public say it is important they can pay for something in cash without it being tracked and traced by the government. They say it’s important they can vote in a secret ballot without their choices being observed by party activists (or spouses). They say they should be able to login to a website about trade unionism, or diseases, or pornography or anything else that they might not want other people to know about, without having to worry about being spied on by technology. I read the Daily Mail website, for instance, and I certainly don’t want anyone to know about that.
However, if people think about it, what they may actually want is for society to provide privacy rather than anonymity. It is important to remember that the two are not the same thing, and, online at least, technology may be able to help with the distinction.
Anonymity may mean that Transport for London (TfL), the UK capital’s transit authority, cannot track you when you use a contactless Oyster card to enter or exit the system. But it also means that when you drop that Oyster card down the drain, you cannot get the balance back, because nobody can show it was yours.
Actually the present Oyster contactless card system represents a very good way of balancing privacy and security. When you use your TfL Oyster card in London, UK, the record of the journey is kept for a few weeks and then it is anonymised for use in statistical analysis and calculations. If a crime is committed on the system then the police can go to TfL with a warrant and ask for a list of all of the people who had been through such and such a ticket barrier, at such and such a time. What they cannot do, legally or otherwise, is trawl back through the data. I would have thought that most people would find this reasonable.
Anonymity v Privacy
Anonymity only sounds good to people who don’t consider its implications - privacy is often a better option. Let’s take cash. Is it right that a corrupt politician can take cash bribes and hide them? Is it right that criminals can engage in kidnapping or tax evasion or money-laundering? Should people be able to engage in commercial transactions that can never be traced? At first glance it is very tempting to say yes, because the alternative - a Big Brother government in a big data world eradicating any element of individual privacy - sounds so horrible. But I don’t think I want to live in a world that allows anonymous transactions – and nor does the US government given their recent actions against Liberty Reserve. I think I want to live in a better world.
The answer is privacy. Anonymity is a clumsy hack that we have to use because we don’t yet have proper control over information. It does rather annoy me when people, politicians especially, frame this discussion in terms of finding the right balance between privacy and security. I don’t want a balance, I want both and I’m not sure if the politicians and regulators understand the technology well enough to realise that the capabilities of modern communications and cryptography make this possible.
Let’s take payments as an easy example, since the identity and tracking technology there is already well developed. My bank could let me choose any name I like to go on my debit card. I might decide on ‘Johnny Mnemonic’. I stroll down to Marks & Spencer’s and I buy myself a nice pair of trousers with my debit card. When it’s time to pay I put in my card and punch in my PIN. I take the trousers home but when I go to put them on I discover that they don’t fit. So I take them back to Marks & Spencer’s and I get a refund by presenting the same card. At no point during any of these transactions does Marks & Spencer’s need to know that I’m actually Dave Birch. They don’t know who I really am but - crucially - they know that Barclays does, and they rely on that.
It’s not as if I can do anything bad with that card and get away with it. If I do, the police can go to Barclays with a warrant and ask them who Johnny Mnemonic is and where he lives. Barclays will tell them that it’s me.
The point is that there are very few transactions that any of us do that require identification. By and large the digital world that we will be living in will be a world in which transactions are between my phone and someone else’s phone, not between me and someone else. What seems complicated for individuals - storing keys, issuing certificates, managing reputations - is trivial stuff for apps.
Modern smartphones are perfectly capable of dealing with digital signatures, trust chains, electronic identities and similar constructs. So you can turn up at my door claiming to be an employee of the electricity company, and I can use my phone to read your phone and have it tell me whether that’s true or not. I do not need to know who you are, but I do need to know what you are. And if you do something bad, the electricity company knows who you are - and can be made to say so.
Conclusions: Cryptographic Blinding
I call this ‘what you are’ approach ‘smash the glass’ privacy. You have privacy so long as you behave, but if you do something bad then the authorities can ‘smash the glass’ to sound an alarm. The technology to do this is not exotic: the core primitive is cryptographic blinding, which lets an issuer certify an attribute without being able to link the resulting credential back to the person it was issued to, and it has been well understood since the 1980s. Note that blinding on its own gives unlinkability, not recoverability: the ‘smash the glass’ step needs a separate escrow mechanism, a party that holds the link to the real identity and can be compelled to open it, and the two have to be designed together. The surrounding metasystem is still not fully there yet, but we may be getting there slowly with the National Strategy for Trusted Identities in Cyberspace (NSTIC) in the US and the similar IDA scheme in the UK.
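The two mechanisms this post leans on - the issuer-signed ‘what you are’ credential with an escrowed link to a real identity (the Johnny Mnemonic card and the electricity company employee above) and cryptographic blinding - are small enough to show in working code. The following is an added example, not code from the original post or from any of the organisations named in it. It uses textbook RSA over two fixed Mersenne primes purely so that it runs offline with no third-party library; the key, the names, the roles and the `warrant` flag that stands in for due process are all assumptions for illustration, and nothing here is fit for real use. The two parts are deliberately kept separate: the credential part shows the escrow that makes ‘smash the glass’ possible, while the blind-signature part shows that a blindly issued token cannot be linked back by the issuer at all.

```python
"""Added example (not from the original post): a toy of the two mechanisms
the post describes - an issuer-signed 'what you are' credential whose link
to a real identity is held in escrow (the Barclays / electricity-company
story), and a Chaum-style RSA blind signature so the issuer never sees
what it signs. Textbook RSA over fixed Mersenne primes: illustration only."""
import hashlib
import json
import secrets
from math import gcd

# Toy issuer keypair. Real deployments use random 2048-bit primes with padded
# RSA (or a modern blind-signature scheme); these Mersenne primes are an
# assumption chosen only so the example runs offline.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: only the issuer holds D


def h(msg: bytes) -> int:
    """Hash a message into the RSA group."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes) -> int:
    return pow(h(msg), D, N)            # issuer only (needs D)


def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(msg)     # anyone holding the public (N, E)


# Part 1: the credential carries a pseudonym and attributes, never a real name.
def _claim(cred_id: str, attrs: dict) -> bytes:
    return json.dumps({"id": cred_id, "attrs": attrs}, sort_keys=True).encode()


class Issuer:
    """Barclays or the electricity company: knows who is behind each credential."""

    def __init__(self):
        self._escrow = {}               # credential id -> real identity

    def issue(self, real_identity: str, attrs: dict) -> dict:
        cred_id = secrets.token_hex(8)  # the 'Johnny Mnemonic' pseudonym
        self._escrow[cred_id] = real_identity
        return {"id": cred_id, "attrs": attrs, "sig": sign(_claim(cred_id, attrs))}

    def smash_the_glass(self, cred_id: str, warrant: bool) -> str:
        """Re-identify a credential holder - only with due process (assumed flag)."""
        if not warrant:
            raise PermissionError("no warrant: identity stays sealed")
        return self._escrow[cred_id]


def relying_party_accepts(cred: dict, required_role: str) -> bool:
    """Marks & Spencer or the householder: checks the issuer's signature and the
    claimed attribute, and learns nothing about who the holder really is."""
    return (verify(_claim(cred["id"], cred["attrs"]), cred["sig"])
            and cred["attrs"].get("role") == required_role)


# Part 2: Chaum blind signature - the issuer signs without seeing the message,
# so it cannot later match the unblinded signature to the issuance.
def run_blind_protocol(msg: bytes) -> tuple:
    """Returns (signature on msg, the only value the issuer ever saw)."""
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:               # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    blinded = (h(msg) * pow(r, E, N)) % N      # user blinds
    blinded_sig = pow(blinded, D, N)           # issuer signs blindly
    sig = (blinded_sig * pow(r, -1, N)) % N    # user unblinds: equals h(msg)^D
    return sig, blinded


if __name__ == "__main__":
    bank = Issuer()
    card = bank.issue("Dave Birch", {"role": "customer", "issuer": "Barclays"})
    print("shop accepts card:", relying_party_accepts(card, "customer"))
    print("under warrant:", bank.smash_the_glass(card["id"], warrant=True))
    sig, seen = run_blind_protocol(b"one anonymous token")
    print("blind token verifies:", verify(b"one anonymous token", sig),
          "| issuer saw the token:", seen == h(b"one anonymous token"))
```

The relying party only ever needs the issuer’s public key and the claimed attribute; the escrow table lives with the issuer and is the ‘glass’. In the blind protocol the issuer’s record of what it signed (`blinded`) is unrelated to the signature later presented, which is exactly why a blind-signature credential needs an explicit escrow design if re-identification is ever to be possible.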
I imagine that, just as you have a few different payment cards in your wallet today, in the future you will have a few different identities. A work identity, a personal identity, a hobby identity, a self-certified ‘John Doe’ identity and so on will all be accessible. While I am walking down the street, my phone will be set to the John Doe default identity. When I walk into the shopping mall, the shopping mall will know that I am John Doe and that last time I came in I went to Starbucks, so if they want to send me a coupon for money off at Costa Coffee, that’s absolutely fine. I sit down for a coffee and I use my hobby identity to post a few comments on a newspaper article about contactless payments (my hobby). When I go to John Lewis, my John Lewis app will open up and use my personal identity, with my permission. I have an identity that is partitioned, with a simple remote control (my mobile phone).
This paradigm shift from transactions based on identity to transactions based on credentials represents a very straightforward way to handle privacy in a realistic way, and it applies to financial services, retail and any other aspect of our digital lives. Technology does not need us to choose between security and privacy; it can provide both.