It’s All About Blame

I do not represent my employer in this post.

Eric Schmidt allegedly said

“The only way to manage this is true transparency and no anonymity. In a world of asynchronous threats, it is too dangerous for there not to be some way to identify you. We need a [verified] name service for people. Governments will demand it.”

I don’t care whether he actually said it, but it neatly illustrates my point. The trouble with allowing policy makers, CEOs and journalists to define technical solutions is that their ability to do so is constrained by their limited understanding of the available technologies. At Google (who I emphatically do not represent in this post), we have this idea that engineers should design the systems they work on. I approve of this idea, so, speaking as a practising engineer in the field of blame (also known as security), I contend that what Eric really should have allegedly said was that the only way to manage this is a true ability to blame. When something goes wrong, we should be able to track down the culprit. Governments will demand it.

Imagine if, the next time you got on a plane, instead of showing your passport, you handed over an envelope with a fancy seal on it, containing your ID, with windows showing just enough to get you on the plane (e.g. your ticket number and photo). The envelope could be opened on the order of a competent court, should it turn out you did something naughty whilst travelling, but otherwise you would remain unidentified. Would this not achieve the true aim that Eric allegedly thinks should be solved by universal identification? And is it not, when spread to everything, a better answer?

Of course, in the physical world this is actually quite hard to pull off, tamper-proof and -evident seals being what they are (i.e. crap), but in the electronic world we can actually do it. We have the crypto.
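Here is the sealed envelope sketched out in code, as an added example that is not part of the original post (comment 5 below describes the same reduction to key escrow). It assumes a hypothetical scheme of my own construction: every identity field gets a salted hash commitment (the seal), the full record is encrypted under a key handed to an escrow party standing in for the court, and only the window fields travel in the clear with their salts, so the airline can check the windows against the seal without being able to open it.

```python
import hashlib
import hmac
import json
import os

# Hypothetical sealed envelope (illustration, not a deployed scheme): salted
# hash commitments form the seal, the record is encrypted under an escrowed
# key, and only the window fields are disclosed together with their salts.

def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stream cipher for illustration)."""
    blocks = [hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def _commit(field: str, value: str, salt: bytes) -> str:
    return hashlib.sha256(salt + field.encode() + b"\x00" + value.encode()).hexdigest()

def _xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def seal_identity(identity: dict, windows: tuple) -> tuple:
    """Return (envelope, escrow_key); the key goes to the court, the envelope to the airline."""
    escrow_key = os.urandom(32)
    salts = {f: os.urandom(16) for f in identity}
    record = json.dumps({f: [v, salts[f].hex()] for f, v in identity.items()}).encode()
    sealed = _xor(hashlib.sha256(b"enc" + escrow_key).digest(), record)
    tag = hmac.new(hashlib.sha256(b"mac" + escrow_key).digest(), sealed, hashlib.sha256).hexdigest()
    return {
        "envelope_id": os.urandom(8).hex(),   # the number every party can quote
        "commitments": {f: _commit(f, v, salts[f]) for f, v in identity.items()},
        "windows": {f: [identity[f], salts[f].hex()] for f in windows},
        "sealed": sealed.hex(), "tag": tag,
    }, escrow_key

def verify_window(envelope: dict) -> bool:
    """Anyone can check the visible fields against the seal without opening it."""
    return all(_commit(f, v, bytes.fromhex(s)) == envelope["commitments"][f]
               for f, (v, s) in envelope["windows"].items())

def open_envelope(envelope: dict, escrow_key: bytes) -> dict:
    """Court order: the escrow key unseals the record, which is then re-checked against the seal."""
    sealed = bytes.fromhex(envelope["sealed"])
    expect = hmac.new(hashlib.sha256(b"mac" + escrow_key).digest(), sealed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, envelope["tag"]):
        raise ValueError("wrong escrow key or tampered envelope")
    record = json.loads(_xor(hashlib.sha256(b"enc" + escrow_key).digest(), sealed))
    if any(_commit(f, v, bytes.fromhex(s)) != envelope["commitments"][f] for f, (v, s) in record.items()):
        raise ValueError("opened contents do not match the seal")
    return {f: v for f, (v, _) in record.items()}
```

Undisclosed fields keep their own random salts, so the airline cannot brute-force the passport number from its commitment; whoever holds the escrow key is the real trust problem, which is exactly what the comments below argue about.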

  1. “Governments will demand it.”

    Governments never “demanded” that the internet, web, email, etc. exist (yes I know it was largely grant-funded). In fact, many/most governments “demand” that it not work as it does in one sense or another.

    The problem is that there’s no party which would be trusted to implement the “on the order of a competent court” part of it. Those types of systems have a long and very mixed history in the US. Any number of ways are found to bend the rules such that government entities are able to cast wide nets through the data, or the rules are simply ignored and the data is accessed unlawfully with no consequence whatsoever. If I recall correctly, the Aurora incident revealed the existence of a self-service portal which allowed free access to every Gmail user’s inbox (at least the to/from/subject lines).

    I think this is an interesting idea you’re proposing here Ben, but I don’t think the chances are great it will be implemented. It is to no one’s individual advantage to tag their own packets with their personal identity, however well-escrowed. Neither is it to a government’s advantage to set up a system which offers any significant degree of anonymity. The technology exists to provide strong anonymity and it’s easier to implement than an escrowed-identity system which no one would really trust anyway.

    Comment by Marsh Ray — 16 Aug 2010 @ 18:54

  2. I wasn’t intending to suggest that every packet should be tagged, just that contexts you might at first think required identification could, in fact, be implemented in a more privacy-respecting way. I was hoping to imply this by giving an example that exists in the real world today (i.e. international travel).

    As for competent courts, I agree it’s a problem, but in the example given it works quite well. In other words, if you restrict the domain of even potential full identification to those areas where concerns are strong enough to get people to agree about how to deal with them, then competence becomes more tractable.

    Comment by Ben — 16 Aug 2010 @ 19:01

  3. Thank you, Ben – it is immensely reassuring to hear the voice of reason (as ever) issuing forth (I’m not going to say “from the belly of the beast”, because that would be (a) gross and (b) a needlessly unfair caricature).

    In my most recent conference presentations, I have been inviting the audience to agree that we should not leave online privacy to the technocrats – especially the ones running large companies. I have every sympathy for you as a specialist whose views diverge from the ones coming out of the boss’ mouth… I was in a similar position (at Sun) when Scott McNealy made his “you have no privacy, get over it” quip.

    The ‘good’ news for both of us is that for every opinion Eric and/or Scott may express about privacy, Mr Zuckerberg usually has one egregious enough to steal the limelight back again… ;^)

    Comment by Robin Wilton — 16 Aug 2010 @ 19:51

  4. “And is it not, when spread to everything, a better answer?”

    Why is it a better answer? I don’t see, a priori, why maintaining anonymity (that can be removed by a competent court) is any better than universal identification.

    Comment by Andy — 16 Aug 2010 @ 19:59

  5. There are circumstances when giving up your whole identity is not reasonable. For example when you only need to prove your age or have to make it plausible that you have the name you claim. Therefore a principle of minimal disclosure should be adopted: only give as much information about yourself as absolutely necessary and only to a party that in turn can prove that they are who they claim.

    What you are suggesting reduces to a key escrow system. You encrypt the necessary parts of your identity and hand over the key to a trusted third party that only discloses the key if certain conditions are met. Your encrypted identity is marked by a unique number that is known by all parties. You then give your adversary the unique number and a small part of your identity, for example a name/alias and/or a photograph. If the prearranged conditions are met your true identity is disclosed, otherwise you keep your semi-anonymity.

    First, key escrow systems just don’t work; that has been proven beyond any doubt. Second, there are no trusted parties that are immune against, for example, government pressure. So I cannot see how such a system could work. On the other hand, if, and only if, the system is applied where you currently have to provide your whole identity, it might have some benefits. The very real problem is that when it starts to be applied for one activity it will be applied to more and more activities and can be used to, in all practical sense, forbid anonymity.

    Strong anonymity in an information and knowledge society is a cornerstone to uphold democracy. Freedom of speech, freedom to learn any information and protection of messengers cannot be upheld without strong anonymity in a digital world. Anonymity is certainly not possible without taking specific measures to make sure that you are in fact anonymous when both governments and private companies are routinely listening and saving all communications that they can get their hands on. Google is certainly not innocent in that regard… That means that anonymity and, for example, freedom of speech are not something that you have but something you do. The implications of this with regard to keeping democracy in a digital society are left as an exercise for the reader.

    Comment by Stefan — 17 Aug 2010 @ 0:54

  6. I suppose that rules out truly anonymous online payment systems then. I’ve long thought that the way forward for payments is to have only the payment provider know your identity, then you can anonymously pay for stuff. If there’s a problem that requires blame, the seller can then request identification from the payment provider and go through the appropriate protocol to get it, including perhaps permission from the buyer. I’m sure something like this will be the default for most online services, whether commenting on blogs or gaming, it’s just a matter of building it out. Of course, this won’t stop the government from trying to go fishing for that data, but such abuses are an inherent risk of storing your data with your identity some place.

    Comment by Ruben — 17 Aug 2010 @ 2:48

  8. I agree with Ben on this.

    Engineers need to figure out what are the ultimate motives/requirements of all the stakeholders and produce solutions that best serve everyone.

    Vendors really want to maximize profitability. It just so happens that profiling customers works best for them right now.

    Conspiracy theories aside, most governments really want to ensure national security, not so much keep tabs on their citizens. It’s just that right now they don’t have better tools at hand.

    They currently need to rely on aggregating my ‘digital footprints’ to build up my profile, or outright demand that I surrender such information. But they don’t really want my profile, they want what’s above. And yet I, as the source of all this information, should be in the best position to maintain and control my own profile anyway.

    Provide users with the ability to profile themselves, and control such data, and vendors and governments with the tools to achieve their ultimate goals without having direct/full access to the data, and it’s a win-win scenario. At the same time users will be able to reap the benefits of having full access to their own data (as in the Mine! project and other VRM-like implementations).

    Finally, I still really like the Identity Oracle idea, because it illustrates this concept of ‘minimal disclosure’ very well. Vendors achieve their goal without “knowing who the customer is”.

    Comment by Daniel — 17 Aug 2010 @ 17:31

  9. Andy:
    > I don’t see, a priori, why maintaining anonymity
    > (that can be removed by a competent court) is any
    > better than universal identification.

    Because people have the capacity to grow and change and this is an essential element of being human. We can (perhaps imperfectly) judge facts while incorporating concepts like character, personal growth, and other impossibly complex circumstances.

    Computers are near perfect recorders of sterile facts and it is currently much harder to destroy data than it is to collect, preserve, copy, and search it. Apparently, commerce thrives on the ability to pigeonhole and predict people’s future prospects, perhaps stereotyping them for life.

    But the ability of a person to transcend themselves, move beyond past mistakes, and hope for the future requires some other important human abilities: forgetting and forgiving.

    It’s also a critical component of being willing to break the mold, take risks, and generally be an interesting person rather than a sheep.

    At this unique point in history we could easily through inaction lose our souls to some mechanistic demon of our own creation. Thus condemning future generations to live out something between a lab-rat existence and a true Orwellian nightmare.

    Let’s not just stand idly by and watch concepts like ‘transcendence’ and ‘redemption’ be permanently removed from common thought.

    Comment by Marsh Ray — 18 Aug 2010 @ 23:35

  10. I was about to say ‘minimal disclosure’, but Stefan (B.?) beat me to it, and eloquently so.

    @Andy: Full identification as the default for all interactions/transactions is not a desirable situation, I think. For example, showing your passport or ID just to buy some groceries doesn’t make sense.

    Governments can demand all they want, but at some point a significant amount of that government’s subjects will come to the conclusion that they actually *do* ‘have something to hide’ (but by then, sadly, it’s usually too late to vote away that government, since democracy is already lost).

    (A degree of) anonymity is a crucial ingredient for a free society. Very much worth protecting.

    I do agree, in a way, with Eric Schmidt when he says that we are not ready for the technological revolution. We are certainly not acting like ‘ready’. Our perception of privacy and our behavior towards it (on the internet) is certainly not that of a ‘ready’ people. It seems we are still in the ‘look! I’m on the internet!’ phase. No one in his right mind would divulge what many do on Facebook to a print newspaper, just for others to see. Crazy.

    I have no idea where all this is headed. Let’s hope for the best.

    – rzr

    Comment by rzr — 21 Aug 2010 @ 12:01