This year's CACR Workshop on Privacy and Security Technologies confirmed a lot of ideas I had at the outset and provided insight on problem areas that I hadn't considered. It showed not only that the problems of privacy and identity are bigger than I'd thought, but that they are bigger than I could have possibly imagined. This isn't a bad thing, because part of the reason the problem is so big will also form part of the solution. We all place a lot of importance on the problems of privacy and identity, so both the problem and the solution require a lot of people in varying roles: technologists creating new tools, policy makers deciding the right (and wrong) ways to use these tools, and both governments and companies building them into a useful infrastructure.
What I've written here is a summary of the ideas and thoughts on the general topic that I've managed to capture. Most, if not all of these ideas are taken directly from the speakers and discussions that took place so I cannot take credit for them, though I will own up to any errors that have crept in. If you have any comments, I would very much like to hear them.
A few themes came up again and again during the conference. More than anything else, the situation of the average individual was highlighted, and with good reason. The "home user" is targeted most often by identity thieves and online attackers. They're also the most vulnerable to attack. The average person is being pushed more and more to use electronic means in their day-to-day lives. While these new tools have many advantages, including cost and convenience, the average person does not have the tools to protect themselves in this online world nor is the average person being educated on what they can do to protect themselves. This is akin to selling someone a car without an odometer, and expecting them to bring it in for oil changes every 5,000 km without telling them. Things will work quite well for a long time, but when the car eventually breaks down catastrophe will ensue.
"Educating the user" is often thrown out as a catch-all answer. As good as education can be, it's simply not good enough; better tools and a real infrastructure are needed. How can you tell when you need to do an oil change without an odometer? How can you tell that the site you're on is a phishing scam and not actually your bank? In both cases, you need an indicator of some kind.
Or, better yet, some kind of system that has the web site authenticate itself to the user before the transaction takes place. The "ritual of the transaction" was discussed only briefly, but it makes a lot of sense. People get used to a certain dance when they go to a bank to do a transaction. Whatever new system we put in place must recognize that a ritual is being created, and must respect the individual's expectation of that ritual. Context is a vital piece of this ritual. When you go to a bank and speak with a teller, the location, the building, the decorations, even the uniform of the teller indicate that you need to pull out your bank statements and not your library card to do business. This points out yet another vital piece of this puzzle, or rather pieces that really add to the complexity: we all have multiple identities. Sure, my Driver's License may say "Kareem Shehata," but I'm known pretty generally as:
All of that, and I'm pretty low-key. The point here is that identity is not just one thing. The best way to look at it is the other way around: personal information is identity. Identity is just one instance of a set of information, at the core of which is you, an individual, a person with many facets. When we enter into transactions, do business, and go about our day-to-day lives, this entity must be described by many simpler facts that can then become the identity entered into the records.
There are still some good things about the current techniques for identity, even as we lament their shortcomings. First, we must keep in mind the set of things that are currently allowed, even if there are grey areas. In other words, we must not criminalize what is currently accepted social behaviour (e.g. teenagers buying alcohol with someone else's ID) or we risk the cure being worse than the disease.
Second, we must make sure to keep the assignment of risk sensible. The system will eventually fail, so we must take the risks created into account. The liability for and obligation to mitigate risk must be kept squarely on the entity that created it in the first place. When things do fail, the obligation to make things right must be used to keep things in check. This is actually one of the biggest problems right now, as individuals, governments, and third parties (such as title insurance companies) are currently handling the fallout for many identity related problems.
One of the most depressing stories that came out of this, but the one that serves as the most alarming call to action, is that of the man accused of possessing child pornography. During their investigations of online child-porn peddling, the OPP found the credit card numbers of a list of individuals who had purchased copies. Having checked that the transactions were valid (i.e. someone did in fact pay for child porn and get it), they contacted the credit card company, got the full information on the people behind the credit card numbers, and then proceeded to lay charges.
During the trial of this particular case, the man lost his wife, kids, job, and just about anything that actually mattered to him. It took over a year, but he eventually proved his innocence and that someone else had fraudulently used his credit card information. Within days of the trial, he committed suicide.
Certainly, the end user should not have borne the weight of this extreme failure of the system. It can be argued for a long time who should have been at fault, whether the credit card company or the police, since both have legal precedent that they aren't to blame for this situation, but that's not the point. The point is that the risks present were not dealt with properly: they were shifted away from those who created them, producing this unacceptable result.
This also points out that the individuals, as hard as they might fight, have neither the tools nor the authority to rectify the situation. We must build these new tools and infrastructure to empower individuals to manage their own identity and personal information, while respecting their current capabilities. I'm looking forward to this challenge, and I'm very glad that I'm not alone. There were many other people at the conference who passionately want to see improvements, and together we can make this happen.