Identity on the internet

January 2016

Tony Proctor looks at the idea of an ‘internet passport.’

When a wise man suggested the idea of an ‘internet passport’, it attracted a largely critical response. The main objectors focused on the viability of the suggestion; how would it be implemented and how could it be assured and secured? These are indeed obvious questions. But might the critics be missing a trick?

Let’s begin by considering the situation. If we are honest about it, currently anybody can commit any action (within their capability) on the internet. So the mitigations against the ensuing chaos are the detective and defensive measures deployed, enforcement action against offenders, security by obscurity and, to some extent, a simple dependence on the majority ‘doing the right thing.’ (Incidentally, this last assumption often accounts for poor software development practices, which create weaknesses in software and hence vulnerabilities.)

Factor into this the broken nature of what is still the primary authentication method (password use) and it becomes easy to understand why there might be a lack of confidence in cyber security more generally.

The original intent of a passport was to provide safe passage when visiting a foreign country. If, in a similar way, safe passage across the internet could be facilitated then this would surely achieve a desirable goal. It has to be accepted that some of the useful activities that we engage in can under certain circumstances present a risk to others.

Hence we are required to be identifiable in order to undertake such activity. A driving licence to use the roads and a national insurance number to undertake legitimate employment are just two examples.

Clearly, there are those who demand the right to anonymity and this is a subject of conjecture. It is no doubt reasonable to make the assertion that many of our daily activities are indeed transacted in anonymity. But in certain situations there is a requirement for our identity to be verified (one example is if we are stopped and questioned by a law enforcement agency).

Given that the internet has the potential to be used for significant harm, are attempts to provide a greater level of identity assurance really so objectionable? Perhaps there is a need to determine under what circumstances we should be assured or denied anonymity.

Even the most vehement advocates of privacy would surely agree that there are numerous situations in which it is preferable/essential to verify identity on the internet?

PKI

In principle, the technology to support the primary ‘internet passport’ processes already exists. For example, public key infrastructure (PKI) is an established approach for verification of servers and the clients who are connecting to them.

This was specifically developed with the aim of being able to not only identify what is being connected to but also to reliably identify the client connecting (clearly, an internet passport process would be further required to assure the identity of the user of that client).

However, PKI has not been widely implemented. The primary reason for this is the cost and time that such implementations require. There is no doubt that a public-wide PKI would be a massive undertaking.

So practice has instead focused on attempting to ensure the legitimacy of the systems that we are connecting to and coupled this with the use of verification services for selected services (where it is actually the financial status of a claimed identity that is most often being verified rather than the identity itself).

For the past five years, the U.S. government has been undertaking a major project aimed at assuring identity on the internet.

Having undertaken a number of pilot activities, the National Strategy for Trusted Identities in Cyberspace (NSTIC) is a voluntary scheme that has been developed around four guiding principles: privacy-enhancing, secure, interoperable and cost-effective.

The vision for this is expressed as ‘a user-centric identity ecosystem, an online environment where individuals and organisations are able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities and the digital identities of devices’ [1].

Internet passports in practice

How might the internet passport work? One of the difficulties is that we can only consider this in light of the current state and availability of technology. The means by which this could be implemented effectively may require innovation.

Alongside this exist a number of key practical considerations. For example, would this ‘electronic identity’ be issued on the register of a birth? Or might it be something that happens post age 16, or is it processed in a similar way to a passport? One of the main concerns with such a system would be security.

No doubt these fears would include a potential increase in identity fraud. But might not such an approach also help to reduce this type of problem? Whatever the methods used, reliable revocation and replacement would constitute an essential requirement.

Real world passports

The use of real-world passports presents an interesting comparator. They do not appear to deter crime in an obvious way. Moreover, supply of falsified documents is a criminal trade in itself. However, they probably reduce the amount of crime that might otherwise be committed (there are often issues associated with criminality where borders are open).

It is difficult to determine whether establishing an ‘internet hygiene’ through education and awareness would be more effective than increasing the legislative requirements (history suggests that some things will just not happen unless they are forced). I offer the suggestion that addressing the issues requires a combined approach.

The message here is that were there any easy method of assuring identity on the internet, it would have already been implemented. Whilst the physical world provides us with a precedent, the implementation of an internet passport might well present an insurmountable challenge considered in the light of currently available technology.

But when Eugene Kaspersky discusses the concept of internet passports [2], should we dismiss the idea out of hand and, if we do, what is the alternative? Perhaps we should not be too quick to criticise if we cannot think of anything better!

References
 


Comments (7)

  • 1
    Steve Boronski wrote on 13th Jan 2016

    Fascinating blog thanks.

    I'm sure there are those who will have strong views on both sides.

    We don't allow complete freedom anywhere if you use any technology at all. All cars must be registered and we are required to hold a license. So unless you walk everywhere you are not free. Public Transport? Unless tickets are purchased with cash you are not free either (you could argue that the ticket is your passport but it doesn't know who you are)

    So why do we allow anonymity on the internet? Are we ever really anonymous anyway? It is not hard to track most IP packets.

    Interesting though.


  • 2
    Kumara Badhuge wrote on 14th Jan 2016

    When the humanity is not able to find a solution for fundamental reason of all issues around us, i.e. "Absence of truthfulness and honesty", the humanity itself is forced to look for solutions such as Internet Passport.

    The acceptance of Internet Passport among all stakeholders will again depend on the trust among ourselves, that is again directly linked to truthfulness and honesty. So no solution will ever become an ultimate solution.

    In the absence of solution to the fundamental issue, "Internet Passport" will be a better option rather than living with no solution in order to save us from ever increasing cyber criminals, who are utterly dishonest.


  • 3
    Mikal Dunne wrote on 14th Jan 2016

    Over 10 years ago I helped run a web site which had a forum. The forum was abused a lot so we changed the policy and published the originator IP address. Nearly all the abuse went away overnight. Why IP addresses are not published as a matter of course on social media I don't know but it would reduce some of the more extreme behaviour based on past experience. Some sort of web identity may be necessary eventually but some organisations are now using dual key systems. So I log on and part of the process is a key sent to my mobile phone. There are many ways to reduce illegal/anti-social behaviour out there. The impetus is lacking.


  • 4
    Birch Thompson wrote on 15th Jan 2016

    Whilst I am generally in favour of having a means to assert identity, I'd like to pose a contrary view.

    With the two factors that "the Internet never forgets" and big-data analysis such a move would expose users to all sorts of risks and completely destroy any semblance of privacy.

    Once a precedent is set, do you honestly believe that retailers wouldn't start demanding to see the 'approved' identity details? or service providers?

    Given a potentially useful unique key for each user it would then become easier for anyone to link names to bank details to transactions to travel plans ....

    A real harvest for organised crime [knowing your spending patterns would allow more 'under the radar' fraud; knowing your whereabouts makes burglary easier]

    As for the plague that is advertising and marketing, having all of your transactions available would only make matters worse.

    I may be an anomaly in the narcissistic "broadcast all to the world" era that is social media but I'm not convinced that making it even easier for anyone, with whatever agenda to track you is a good idea. It allows those with specific agendas to identify traits and either exploit or victimise as they wish; the end result being an ever restrictive form of groupthink and social conformity.

    As I said at the outset I can see that there may be some advantages (though these are always couched in generalities rather than specifics) but there are certainly opportunities for exploitation leading to big disadvantages.

    Finally, to forestall the "if you've done nothing wrong you've nothing to hide/fear" arguments:
    1) If I've done nothing wrong, you don't need to monitor me
    2) In that case, please post your entire shopping history, bank details, home address, family movements and itineraries, tax details.... online for all to see -- after all you've nothing to hide --have you?


  • 5
    Matt Palmer wrote on 15th Jan 2016

    I think analogies with things like passports and driving licenses can be dangerous and misleading.

    You only show a passport when moving from one jurisdiction to another, and only show it to authorised personnel. I don't need to "show my papers" in normal life to do everything. I don't need one at all if I'm not travelling abroad. Would an internet password allow anyone to see who was doing what at all times?

    Driving licenses are only required when using a potentially dangerous vehicle. I don't need one to ride a bicycle on the roads.

    And even if we go down this road (sic!), is an identity even generally required? Couldn't there be an anonymous authorisation to conduct certain activities, which could be revoked if needed? That authorisation may ultimately be linked to a real world identity by some suitable provider, but there is no need for the world and his dog to know who I am when going about my daily business.


  • 6
    Kay Hughes wrote on 18th Jan 2016

    Matt Palmer is absolutely right. Passports are not needed for everything we do in life.
    I would go further and point out that passports alone are not sufficient to visit many countries: nation-specific visas are needed. This is because each nation or group of people has different ideas about who should or should not be trusted.
    A 'one-size-fits-all' identity 'document' does not work in the real world. It is even more inappropriate in the world of cyber-space, where we may connect with very diverse groups of people and wish to share different information with them depending on what we want from the relationship (health, business, pleasure etc.) and how much we trust them.
    Much could be done to improve the ways that we identify ourselves in cyber-space, including more widespread use of trusted third parties to broker new relationships... but that would be an article in its own right.


  • 7
    Mike Lee wrote on 27th Jan 2016

    A bit behind the times and quaintly out of touch. Whereas in the real world, personal digital certificates already serve the purpose where the applications demand it. What is needed is the political will of governments, international consensus, infrastructure and regulation. Good luck on that.

    Mike
