IP: Re: Ellison's Identity Cards

[David Farber <dave () farber net>]

> From: "Jonathan S. Shapiro" <shap () eros-os org>
> To: <farber () cis upenn edu>
> Cc: "Allen Wagner" <a_wagner () uclink4 berkeley edu>
> Subject: Re: IP: Ellison's Identity Cards
> Date: Tue, 25 Sep 2001 10:41:15 -0400
> X-Mailer: Microsoft Outlook Express 5.50.4807.1700
>
> Dave:
>
> Allen Wagner copied me on the note he sent to you for IP. I think he has
> raised a valid question, and one that has been posed to me privately by
> several others following the original note. I would like to answer it if you
> feel it will benefit the discussion.
>
> >I'm struck by the comparison:  Ellison offers
> >a vision that challenges our technical ability;
> >Shapiro's rejection by raising some obvious
> >questions is twice endorsed.  So where is the
> >academy?  No alternative solution or other
> >positive perspective [to ID cards] is offered.
> >Do the academics' believe there is no feasible
> >technical solution?
>
> I believe that there is no feasible technical solution, because this isn't a
> technical problem.
>
> Few things in the security technology arena are absolute, but let's imagine,
> for a moment, that the technology existed to produce identity cards that
> were perfect. We don't know how to do that in the real world, but we can
> agree, I think that if they existed we would use them. The question to ask
> is: "Would that help?"
>
> The answer is no. The problem lies in the process by which the card is
> issued.
>
> Ellison proposes issuing a card to everybody. This means that there will be
> thousands of people out there with the authority to create such cards. As
> with any other sensitive activity involving large numbers of people, a few
> will regrettably turn out to be people who can be bribed or threatened.
>
> We know now, for example, that one of the people involved in the earlier WTC
> bombing took over an identity by killing a young student and his entire
> immediate family, and removing every photographic and written trace of the
> victim. Place yourself for a moment in the position of the card issuer. Do
> you imagine that a committed terrorist would hesitate to put a gun to your
> child's head, demand that you issue the card, and then kill both of you to
> keep you quiet? If you resist, do you suppose that the next card issuer will
> also resist? How long do you suppose it will take for your body to be
> discovered? Certainly hours, perhaps days. The terrorist only needs one or
> two hours.
>
> So now we have the following situation: the people at the airline security
> gate (or whoever) aren't information security experts, and they don't really
> understand any of this. They *think* they are relying on the cards when in
> fact they are relying on the integrity of the human process by which the
> cards are issued. Unfortunately, but there is a natural human tendancy to
> look at a card that says "secure ID" and believe that it is secure without
> considering the implications. If you are a security guard, and you check
> several hundred of these cards a day, how many times will you stop and ask
> someone "Did you threaten a card issuer to get this card?" When the response
> is: "Don't be silly, do I look like a smiling terrorist wannabe?", how will
> you know?
>
> The card, in short, provides no confidence at all **even if it is
> technically perfect.** It can only mislead the security guard into
> confidence in false security.
>
> And consider something else:
>
> We have seen a tendancy toward rising gun use in petty crimes. Criminals
> know that dead victims don't testify, and they have a pretty clear notion
> that it's very unlikely they will be caught. If you make the price of
> identity theft be murder or bribery, you may find that many criminals are
> willing to pay that price. Viewed from the criminal's eyes, it has the
> potential to be a perfect crime. There is absolutely nothing to link the
> card issuer to any particular criminal. If you are a law enforcement
> officer, all you really know is that you have a dead card issuer on your
> hands, and you don't find this out until it's too late to matter.
>
> > >Those who solve
> > >problems deserve recognition and if that is there motivation let's bless
> > >them with what they seek and not disparage their motive in our time of
> > >need.
>
> Be assured that if Ellison or anyone else actually comes up with a workable
> social system, I (and, I think, others) will be eager to acknowledge and
> reward it. Such a system has serious potential social dangers, but it also
> has very real potential value. This does not mean that we should look
> uncritically at proposals. When we see a skunk in the road, shall we call it
> a skunk, or pretend that it is a cute wriggling puppy? A skunk by any other
> name, I suspect, still smells like a skunk. This is never more true then
> when we were hoping desperately for the puppy.
>
> The thing is: Larry is a very smart guy. He knows everything I've just
> explained to you. So you have to ask: why does Larry want to give out free
> identity cards?
>
>     He gives them all free samples,
>     Because he knows full well.
>     That todays young smiling faces...
>     Will be tomorrow's clientele.
>
>         - The Old Dope Peddler, Tom Lehrer
>
>
> Jonathan S. Shapiro
> Assistant Professor, Department of Computer Science
> Johns Hopkins University Information Security Institute



For archives see: http://www.interesting-people.org/