Joi Ito's Web

Joi Ito's conversation with the living web.

Happy Birthday Cory!

Yesterday, I gave a talk to approximately 150 IT vendors who will be installing the national ID systems at the local government offices and will be the "privacy advisors" to the local governments.

Almost a year ago, I was handing out leaflets and protesting with a megaphone in Ginza to try to stop the national ID. Then the bill passed and I joined the oversight committee for the national ID to try to increase their awareness of security and privacy issues. Then I started working with the local governments who "opted out" of the national ID. Now that the system is in place full swing, I am working hard to increase the awareness of the people who will be installing and training the people who are in charge of one of the weakest links in the system, the point of entry into the database. At the same time, I am working on educating the ministry and the awareness in the public so that we can prevent "function drift", or the use of the national ID # beyond the scope of its original intent, which is to use it only for government services.

I am supportive of my colleagues who are still working on protesting the system and local governments resisting it, but I am focusing my attention on future systems that the government is planning to implement and to try to do what I can to improve the security and privacy of those systems that have already been deployed or will imminently be deployed.

There is a lot of talk about identity these days. You MUST remember that identities are like names. You are NOT your identity. Your identity points to you. Everyone has multiple identities. Roger Clarke describes this as the difference between entities and identities. You are an entity. Your name, your role in the company, your relationship with your child, they are different identities. Multiple identities aren't just about having more than one email address or chat room nym. A multitude of identities is an essential component in protecting privacy and interacting in an exceedingly digital world.

When the privacy guidelines of the OECD were created (over 20 years ago), we had mainframes and no Internet and most of the personal information was collected and kept by governments, banks and very large institutions in big central computers and data mining this data was expensive and clunky. The notion of "data protection" and "control" made sense back then. They no longer do. With ubiquitous computing, decentralized databases, information stored and disseminated everywhere, it is exceedingly important to know that 1) once information is created, it exists forever and cannot be "erased", 2) data mining will become cheaper and easier, 3) transborder data flows will become seamless, 4) profiling will become a common way for businesses and governments to efficiently focus their attention on people and groups that meet certain criteria.

What does this mean? The risk now is that you can be profiled and categorized in a variety of ways that can hurt your ability to travel, get a job, get insurance, get married, etc. for things that match a profile that increases risk to the establishment even if only in a statistical way. Interaction with radicals or reading of radical material could get you in this profile so the chilling effect on dissent will be real. It means that trying to "control information" once it is created is nearly impossible. The trick is to create as little information as possible and to make it as difficult to data mine as possible. If you need to prove you are old enough to drink, there should be an ID that does just that. The library doesn't need your national ID, just a membership card with a picture so they can authenticate you. If you're doing a cash/cash foreign exchange transaction, you should only need to prove that you have the cash or the underwriting of an institution with the cash to complete your end of the transaction. (Don't get me started on why I think money laundering laws are stupid. I'll do that in another post.)

My point is: we should have different ID's for our different roles. Each of these ID's will have a different bit of authentication and collateral attached to it.

If you deconstruct the different types of ID (got this from Eric Hughes) you get 4 basic types. Your physical ID (doctors know this best), your network ID (phone number or IP address), financial ID (your bank has this info), and your legal ID (government, school, i.e., are you married? A citizen? A graduate?) Different transactions require different attributes. If you're getting married, you probably care most about whether they are married to someone else. If you're doing a financial transaction, you are probably most concerned about whether they can cover their end of the transaction. If you are trying to identify a blogger, you probably care if they are the owner of the URL. You don't care if my real name is Joi Ito or where I live exactly. As a blog reader, you probably care if it is the same blogger that has posted all of the other blog entries on this blog.

That's why I have a problem with central ID systems. If someone gives me a certificate from Verisign that says, "I Verisign assert that this is Joe Shmoe from the Canary Islands and I Verisign do not guarantee or offer any liability coverage if he hurts you or even if it turns out that he's not REALLY Joe Shmoe." How much use is that? Even if he IS Joe Shmoe, I don't care where he lives if I can't do anything about it. I'd much rather see a link from a blog that I know saying, "this is Joe Shmoe and I vouch for him!" Or go to a party and have everyone say, "you should meet Joe Shmoe, I've known him for years and I think he's great." Or if I'm trying to have a financial transaction, have his bank provide my bank with a guarantee. You get the idea. The only people who need access to your "entity" are people who have the power to throw you in jail or need to collect on long term contracts and liabilities. For MOST transactions, your physical location is not relevant or useful.

The other important thing from a privacy perspective is that you don't want all this stuff getting linked together. Organized crime is already using personal information to blackmail people. One common "query" is, "find me all company directors who are in debt and have families." They buy these liabilities and "collect" using blackmail. Your "I'm a papa" ID and your "I've borrowed money" ID and your "I am a board member of Foo. Co." ID don't necessarily need to be linked. Life would go on without these links. Yes, it would slow down projects like TIA and yes central id's are convenient, but traditional investigative crime fighting has more tools than ever before without making it so easy that criminals can use it and political groups in government can abuse it.
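The linkage risk described above, as an added example that is not part of the original post: three constructed registries are joined first on a shared national ID and then on per-role identifiers. Deriving each role's identifier with HMAC from a secret held by the person is an assumption of this example (the post does not specify a construction), and every name, secret and record is constructed.

```python
import hashlib
import hmac

# Constructed sample population; secrets and ID numbers are made up.
PEOPLE = {
    "alice": {"national_id": "N-1001", "secret": b"alice-constructed-secret",
              "director": True, "in_debt": True, "has_family": True},
    "bob":   {"national_id": "N-1002", "secret": b"bob-constructed-secret",
              "director": True, "in_debt": False, "has_family": True},
    "carol": {"national_id": "N-1003", "secret": b"carol-constructed-secret",
              "director": False, "in_debt": True, "has_family": False},
}

def context_id(holder_secret: bytes, context: str) -> str:
    """Stable identifier for one role; unrelated across roles without the secret."""
    return hmac.new(holder_secret, context.encode(), hashlib.sha256).hexdigest()

def central_id(name: str, context: str) -> str:
    """Central scheme: every registry stores the same national ID."""
    return PEOPLE[name]["national_id"]

def per_role_id(name: str, context: str) -> str:
    """Per-role scheme: each registry sees a different identifier."""
    return context_id(PEOPLE[name]["secret"], context)

def build_registries(id_for):
    """Three independently held databases, keyed by whatever ID each one is given."""
    regs = {"company": set(), "lender": set(), "family": set()}
    for name, person in PEOPLE.items():
        if person["director"]:
            regs["company"].add(id_for(name, "company"))
        if person["in_debt"]:
            regs["lender"].add(id_for(name, "lender"))
        if person["has_family"]:
            regs["family"].add(id_for(name, "family"))
    return regs

def linked_profiles(regs):
    """Records that can be joined across all three registries by identifier alone."""
    return regs["company"] & regs["lender"] & regs["family"]

if __name__ == "__main__":
    print("central ID join :", linked_profiles(build_registries(central_id)))
    print("per-role ID join:", linked_profiles(build_registries(per_role_id)))
```

Each registry can still recognise its own returning member, because the per-role identifier is stable within that role; only the cross-registry join stops working.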

In Japan there is a left-wing newspaper called Akahata. The list of subscribers is tracked by the police and leaked to big company HR divisions. If you subscribed, you often can't get a job at a big company. If your parents subscribed, you can't become a public prosecutor. Now imagine that they do this by hand now. Imagine what would happen if they could instantly come up with "negative profile queries" and "filter." What you read today, write today, who you meet, have lunch with, post on your blog and later erase, where you wandered, who you rented your apartment to. They could ALL cause your children to be "filtered".

There is another issue. Identities are easy to forge. You can make the technology as robust as you want, but the chain is as weak as the weakest link. Biometrics on an ID card only prove that you're the one that the card was issued to. It doesn't prove that the issuer issued it to the right person. (Good article in The Register about this. Thanks Peter.) The point of data entry is still VERY weak in most systems. Over 10% of Canadian SS#'s are fake. These centralized ID systems to be used for "everything" increase the value of compromising the point of entry into the database. The better architecture is a variety of ID's suited and designed for specific types of transactions and interactions with a distributed network of authenticators and points of data entry.

If you need an id with biometrics and for financial transactions, a bank and a hospital should jointly issue ID's. This would be much more robust than some biometric ID issued at some government office.

Anyway, I rant and rave about this stuff in my "privacy experts" circles, but I realized that I hadn't ranted here recently. So as we think about FOAF, cameras pointing at my face, location moblogging, it is essential not to forget that WE need to be in control of what information we create and how this information is tagged, stored and authenticated. Peer-to-peer / end-to-end thinking is essential for privacy as well. Make client software that collects information from catalogs and locally recommends stuff to you, not central servers of user profiles. Empower the people, not the merchants and the governments.

Got the idea for the title of this item when acrobat told Anita that she wasn't Anita, but that was her name. ;-)

Pete made an iJoiTV pop-up window for me!

Thank you Pete!


Lots of Cheese and other goodies at the French Embassy Bastille Day Party this evening. I have no idea who invited me, and I was worried that I wouldn't know anyone. Luckily I knew a few people and got to chat with Idei-san. We talked about blogs. I asked him to be my guest blogger.

Happy Bastille Day!