The Seven Wonders of the World is an expression that is as old as I can remember but it turns out there are actually multiple lists. Recently a non-profit organization called New7Wonders decided the list needed an update and so they set about to seek nominations — almost 200 came in — and then the list was narrowed to the 11 most-voted by the start of 2006. About 100 million votes were cast "by the Internet and cell phone text messages" and the new list was announced shortly after the fourth of July (2007). As you can imagine, there is a lot of controversy surrounding the list.
The most interesting part to me is not the list per se but the process used to "elect" the winners. According to the Associated Press, "Organizers admit there was no foolproof way to prevent people from voting more than once for their favorite". A simple step would have been to not allow more than one vote from the same email address or cell phone. Of course many people have multiple phones and addresses but at least disallowing clear duplicates would be a step in the right direction. The only foolproof way to assure no duplicates would be to have some form of strong authentication. Authentication is the single most important gap in the integrity of the Internet (and mobile text messaging). If I borrow (or steal) your cell phone I can send a message as though I am you. If you put your login and password on a Post-It stuck to your desk and someone visiting your house "borrows" it, then they become you. The bottom line is "Who are you – really?".
There was a cartoon by Peter Steiner in the July 5, 1993 issue of The New Yorker showing a dog at a PC speaking to another dog watching from the floor. The caption was, “On the Internet nobody knows you’re a dog.” Very true, and in fact nobody really knows for sure just who you are when you are online. Nor do you know who is at the other end of an IM, text message, or eCommerce transaction. Technology is available to make things different by using "digital IDs". Unfortunately, there has been a prevailing attitude that digital IDs would mean that the “government” would issue an ID that would then enable them to spy on us; read our email, track what we do on the web, or invade our privacy in some way. I have a much more positive view — that digital IDs are not to be feared but in fact should be embraced. They represent the empowerment that can unleash the full potential of the Internet. They will allow us to establish that we are who we say we are and to validate that the web server we are doing business with is really who they say they are. Security, per se, is not the issue. Authentication is.
Today we use the login ID and password as a substitute for authentication. We all use them every day but the problems with them are non-trivial. First is the password sharing problem that enables someone else to be you. Assuming you keep your password to yourself, there is another set of problems. Web sites have different rules for login IDs and passwords. Some require that you use your email ID as your login, some require you to use your social security number, others allow you to pick anything you want as long as it is at least so many characters, or in other cases as long as it is no more than so many characters, or that it starts with a capital letter, or that it has at least two numbers in it, etc. For good reasons they all require that your ID be unique. Sorry, but jjones is already taken. The same thing is the case for the password. Some require at least so many characters, some require that a password must contain at least one numeric character, some require that it be all numeric, and others require that it contain no numeric characters. The variations are vast and the result is that you end up with a lot of different IDs and passwords. I have more than 200.
Digital IDs to the Rescue.
There are basically two common ways to deal with the problem of authentication and neither of them is a good solution. First is to devise an ID (and password) that conforms to nearly all web site rules but which is also unique. Maybe you design an ID or password something like K7jyt14s that seems to work just about everywhere and surely nobody else will already have it. On the surface your multipurpose universal ID or password seems to be a good idea until you realize that if one of your web merchants turns out to be a scofflaw or if their website gets hijacked or if someone somehow steals your ID and password he or she now has access to your bank account, brokerage account, and every other web site where you have registered! By making things simple for yourself you have compromised yourself with every web relationship you have.
The other potential solution, which many people use, is to create a small database of all your IDs and passwords. Where to put it? On a piece of paper? Where to put that? On the desk. Then it falls off of the desk and the dog eats it. You now have no IDs or passwords! Then you decide to get serious and buy some database software and create a PC database of your IDs and passwords. Hmmm, this is a really important database. Maybe you need an ID and password for your ID/password database? Hmmm. Maybe you need a backup and recovery scheme? You have now become a database manager!
In case you are not discouraged about IDs and passwords yet, there is one more peril. Whatever your ID and password are, when you send them they are often sent “in the clear”; i.e. not encrypted. Even sites that use encryption for all transactions often do not use encryption to receive your ID and password. This means that an unscrupulous person might be able to “sniff” your ID and password from the Internet. They wouldn’t even need to know who you are. They just know they have a way to gain access to many web sites as an impersonator of you. There has to be a better way. Fortunately there is.
In the near future most people will have a digital ID along with an accompanying biometric link such as a fingerprint, vascular scan, face print, voiceprint, iris or retina scan. The combination of digital ID and a biometric match will enable you to establish yourself as a completely unique person. At last you have the ability in the digital world to establish that you are who you say you are just as you can in the physical world! Step one is to get a digital ID from someone who knows for sure who you are and who is trusted by others as a reliable source for authenticating you. And who would this someone be? The Certificate Authority, or CA, is the place. The CA will ask you for information to validate that you are who you say you are. The degree of certainty they require will depend on your intended use. For routine things like email perhaps asking your mailing address and mother’s maiden name will be adequate. If you are going to use your digital ID to make millions of dollars worth of purchases for your employer then an employment verification process or even a personal appearance may be required, where you show multiple forms of identification and then the CA gives you a memory key or other form of digital ID.
Over time there will be many CAs. Governments will operate them as will banks, companies, and institutions of all kinds. In theory there could be one CA that authenticates everyone and you would have just one digital ID. In theory also you could have a “national” driver’s license in your wallet (actually, most countries outside of America do) or a “universal” credit card and that one card could be used for all purposes. In theory, but not in practice. Can you imagine that VISA or MasterCard or American Express will give up their logo on the card and be part of a generic ID? I don’t think so either. Not only do they not want to give up their marketing presence on the card, they also don’t want to take on the liability for providing a general purpose digital ID that you could potentially use to go to the hospital for a leg amputation. If the hospital happens to take the wrong leg off of the wrong person the credit card company will surely not want to be liable for having validated that you are who you say you are. Just like we have multiple physical IDs in our wallet we will have multiple digital IDs. The important thing is for a CA to be quite certain that you are who you say you are before they issue you a digital ID. This can happen in various ways.
For example, Equifax is a consumer credit reporting company that has information about 200+ million people. They know your name, your last few addresses, your phone number, and in many cases your mortgage balance! So when they ask you for certain information they can compare it to what is in their database and if there is a match the odds are very high that they can indeed be sure that you are who you say you are. With this assurance they could issue you a digital ID or provide the information to another third party who could then issue you the digital ID. Digital IDs are actually being issued already in many parts of the world. Singapore and Taiwan have established guidelines that provide for CAs. Europe has established a directive that will enable CAs across the continent. In fact the Ministry of Finance in Spain issues digital IDs that allow citizens to make their tax payments over the Internet. A Spanish citizen can log on to the site by entering their password into their browser. The digital ID is stored in the browser and does not have to be passed over the Internet in the clear. Once authenticated, the Spanish citizen can pay taxes or check the status of tax payments. Generally speaking, digital certificates are being used on many servers and can allow the user to be confident that the server is who it says it is, but the use of authentication for the users themselves is not very far along. In my opinion it is because of the legal industry slowing it down. Many of them still think in terms of 8 1/2 x 14 yellow lined tablets and many do not want to see digital IDs used until the issue has been to the Supreme Court.
Once you get a digital ID, where do you keep it and how does it work? There are two parts to your digital ID: a public part and a private part. The public part is something you want to make easily available to anyone. The private part of your ID is something you will keep very private and never share with anyone. Where will your digital ID be stored? There will be a lot of choices including your PC hard drive, your mobile phone, a smart card in your wallet, a memory card, an electronic ring on your finger, or a token you wear around your neck. Some people (not me) advocate implantable chips.
Does a digital ID mean we lose our privacy? No, quite to the contrary. By having a Digital ID you can establish not only who you are but what privacy preferences you want. If you choose to be anonymous you will be able to. There are five important attributes in a world of digital IDs.
First is authentication. Once you have a digital ID you will no longer have to send your login ID and password over the Internet. Your password goes no further than your smart card, token, or your PC. Instead you will use your password to enable an encrypted exchange of digital data between your PC (or phone or other information appliance) and the other party. The result of the exchange is that both parties will be able to confirm that the other party is indeed who they say they are. If you have also provided biometric data the person will know not only that it was your ID but that it was actually you who initiated the transaction and not someone who may have “borrowed” your login/password. Digital IDs are stored in a digital certificate (hence the origin of the certificate authority) and during the initial exchange of information you will see some of the data that is stored in the other party’s certificate. For example, you will see who issued the ID to them and you can use this information as an additional input to determine whether you want to trust the other party. Authentication is the beginning. If you want to be really sure you can examine the other party’s “fingerprint”. This is analogous to the small key number embossed on your house or car key. Your credit card statement, for example, may have the “fingerprint” printed on the statement so if you wanted to you could check it against what appeared on the web page to be 100% certain that the credit card company’s web site was indeed them.
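As an added example (not from the original post), this is how the certificate “fingerprint” described above is actually computed and checked: a SHA-256 hash of the certificate bytes, compared against the value printed on a statement. The bank name and the self-signed certificates are constructed stand-ins for what a real server would present.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint returns the SHA-256 fingerprint of a certificate in the
// colon-separated hex form a statement or browser dialog would print.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw) // hash over the DER-encoded certificate bytes
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// MatchesPinned compares the fingerprint of the certificate a server presented
// with the one printed on the statement, ignoring case and separators.
func MatchesPinned(cert *x509.Certificate, printed string) bool {
	norm := func(s string) string {
		return strings.ToUpper(strings.NewReplacer(":", "", " ", "").Replace(s))
	}
	a, b := norm(Fingerprint(cert)), norm(printed)
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// newSelfSigned builds a constructed self-signed certificate standing in for
// the one a bank's web server would send during the initial exchange.
func newSelfSigned(cn string) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	bank := newSelfSigned("www.example-bank.test") // hypothetical bank
	printed := Fingerprint(bank)                    // value the bank prints on your statement
	fmt.Println("statement says:     ", printed)
	fmt.Println("real server matches:", MatchesPinned(bank, printed))
	lookalike := newSelfSigned("www.example-bank.test") // same name, different key
	fmt.Println("look-alike matches: ", MatchesPinned(lookalike, printed))
}
```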
Authorization (who can do what)
Now that you have established that you are who you say you are (been authenticated), various service providers such as banks, merchants, and others can authorize you to do various things. This might include reading a subscription to a publication, banking, investing at an on-line brokerage firm, establishing an account with a merchant so you can buy things without having to register each time you purchase something, or voting in local or national elections. Authorization goes deeper however. Since you are authenticated, you can be authorized to authorize others! Let’s suppose your company has an intranet application that allows you to enroll annually for various medical and dental benefits. Suppose you wanted to allow your spouse to do this for you. How would that work? In today’s world, unfortunately, many people don’t think twice about giving their password to a friend, colleague, or relative. In tomorrow’s world that is not a good idea. A digital ID gives each of us great power and enables us to establish our privacy at the same time. Sharing our password with others dilutes that power. An alternative approach is simply to have a web application that allows a person to authorize someone else to do something on their behalf without giving up their own identity. You authenticate yourself and then you authorize your spouse to be able to enroll or change your medical and dental plan benefits. Then the health care provider or insurance company knows not just that a valid ID and password were used to enroll, but that in fact a second authenticated person using the application was authorized by an authenticated person. If you read the fine print at on-line banking sites you will find that you agree that as long as your ID and password were used to execute a transaction, they are not liable if it was not actually you.
If one of your children finds your ID and password and sells your portfolio (or doubles the size of it on margin) the on-line brokerage is not liable. It was you!
Confidentiality (only the intended recipient can read your messages)
The killer application on the Internet is arguably still email. Unfortunately, the trillions of emails sent each year, in addition to being 75% spam, are mostly sent “in the clear”. In other words they are not encrypted. Think about writing your most sensitive personal thoughts about someone on a plain postal card and dropping it in a postal box or the slot at the post office. You would have no idea who might be able to read it as it travels from postal box to post office to post office to mail room to intended recipient. That is how it is with all the emails you send! You really have no idea who can read them. When we all have Digital IDs there will be a better way. If you want to send Josef a very private message that nobody but Josef can read you will go to a Certificate Authority and get a copy of Josef’s public key. You will then use your email program or other encryption software such as PGP (Pretty Good Privacy) to encrypt your message to Josef. When Josef receives the scrambled message he decrypts it using his private key. Nobody has Josef’s private key but Josef, so you and Josef both know that nobody but Josef was able to read the message.
Integrity (you both know nothing got changed)
How does Josef know that the email really came from you and that it wasn’t altered in some manner on its way to him? A by-product of using the encryption keys is a function called “hashing”. A calculation is made based on all the characters in the message you create. This calculation is encrypted along with the message. After the decryption takes place, the calculation is compared to the one that was made at the time of the encryption. If they agree then your software will in effect tell both you and Josef that the message was not altered. Also, the message was “signed” by you using your private key. Josef gets your public key from the CA and decrypts your digital signature to confirm that it was actually you who “signed” it.
Non-repudiation (no one can deny a conversation or transaction)
Have you ever been told, “We did not receive any request from you to make that stock sale” or have you had to say, “I did not receive that confirmation notice”? If you receive an encrypted message from someone that is “signed” with their Digital ID (with their private key) and you are able to decrypt it with their public key then you know that the message must have been signed with their private key. Only they have their private key, so they must have signed it. They cannot deny it. This works in both directions, of course. Many major countries of the world have now passed legislation that makes digital signatures as good as signatures with ink. They will ultimately stand up in court. Soon we will realize that they are actually much better than ink.
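The confidentiality, integrity and non-repudiation properties of the three sections above, carried out in code as an added example (this is not the post’s own code or any particular product’s): the message to Josef is encrypted to his public key, and a hash of it is signed with the sender’s private key. The key pairs are constructed in place and stand in for CA-issued digital IDs; the stock order text is made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedMessage is what actually travels over the network: the ciphertext only
// Josef can open, plus the sender's signature over the hash of the plaintext.
type SealedMessage struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal encrypts msg to the recipient's public key (confidentiality) and signs
// the SHA-256 hash of the plaintext with the sender's private key
// (integrity and non-repudiation).
func Seal(sender *rsa.PrivateKey, recipientPub *rsa.PublicKey, msg []byte) (*SealedMessage, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SealedMessage{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the recipient's private key, recomputes the hash of what
// came out and checks the sender's signature over it. A nil error means: only
// this recipient could read it, nothing was changed, and only the holder of
// the private key matching senderPub could have signed it.
func Open(recipient *rsa.PrivateKey, senderPub *rsa.PublicKey, sm *SealedMessage) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, sm.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	digest := sha256.Sum256(pt)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sm.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check: %w", err)
	}
	return pt, nil
}

func main() {
	you, _ := rsa.GenerateKey(rand.Reader, 2048)   // constructed: your digital ID
	josef, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed: Josef's digital ID

	sm, _ := Seal(you, &josef.PublicKey, []byte("Sell 100 shares"))
	pt, err := Open(josef, &you.PublicKey, sm)
	fmt.Printf("Josef reads %q (err=%v)\n", pt, err)

	// The $500-to-$50,000 problem: a different order encrypted to Josef's public
	// key (which anyone can obtain) decrypts fine, but the hash no longer
	// matches your signature, so Josef's software rejects it.
	altered, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &josef.PublicKey, []byte("Sell 1000 shares"), nil)
	_, err = Open(josef, &you.PublicKey, &SealedMessage{Ciphertext: altered, Signature: sm.Signature})
	fmt.Println("altered in transit:", err)
}
```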
Digital signatures are not perfect. Bruce Schneier, founder and CTO of Counterpane Internet Security Inc., has pointed this out in great detail in various writings. The basic point Bruce makes is that computers and computer software are not yet perfect. In order to trust the digital signature, we implicitly trust the hardware and software that enabled us to use our digital ID to create the digital signature. In spite of the imperfections there is a preponderance of instances where digital signatures are adequate and in fact a clear advantage in efficiency and effectiveness versus current methods. Where the dollar value that depends on the signature is very high, strict security measures need to be taken in proportion.
Also we need to compare electronic methods for many financial transactions to the dominant method of today — the fax. Authentication? The bank looks at your driver’s license and puts a rubber stamp on the fax request form. The only difference is the time and convenience and the need to operate 9-5 M-F. Authorization? Yes, the bank can authorize you to make a transaction because once they received the authentication they could look up your account, see that you have adequate funds, and therefore authorize the funds transfer. Confidentiality? Sort of. If you call the bank and the person you are talking to is standing at a fax machine and you are standing at a fax machine and you say “Ok, here it comes” and they say “Ok, I see it coming” then arguably we could say it is a confidential transfer of information. In reality faxes tend to go from an outbox to an assistant who takes it to a fax machine where someone could be looking over their shoulder. And then the document is faxed to a number and received in a “fax room” to be read by anyone who happens to pick it up. And of course there is the hassle of finding a fax machine and the time delay. Hardly a mouse click. Integrity? Definitely not. This is the real flaw in the manual, paper-based process. When the fax was taken by you or someone else to the fax room you may have placed it on a table and made a quick run to the restroom or gotten distracted by a phone call. Meanwhile someone sees the wire transfer form and changes $500 to $50,000. Then the form gets faxed. What amount gets wired? $50,000. No integrity. Non-repudiation? You bet. The transaction will stand up in court. As far as the bank is concerned you requested the wire transfer of $50,000. You were authenticated, the transaction was authorized and the fax form was transmitted “confidentially”. If you contested the transfer you might actually lose in court. So what is missing?
Why can’t you have bank transfers on the web with a few mouse clicks or mobile phone clicks? Technology problem? No. Security problem? No. It is time for the leadership of institutions of all kinds to move forward to make digital IDs available to their constituencies so that Trust can be achieved.