When a wise man suggested the idea of an ‘internet passport’, it attracted a largely critical response. The main objectors focused on the viability of the suggestion; how would it be implemented and how could it be assured and secured? These are indeed obvious questions. But might the critics be missing a trick?
Let’s begin by considering the situation. If we are honest about it, currently anybody can commit any action (within their capability) on the internet. So the mitigations against the ensuing chaos are the detective and defensive measures deployed, enforcement action against offenders, security by obscurity and to some extent a simple dependence on the majority ‘doing the right thing.’ (Incidentally, this last assumption often accounts for poor software development practices which create weaknesses in software and hence vulnerabilities.)
Factor into this the broken nature of what is still the primary authentication method (password use) and it becomes easy to understand why there might be a lack of confidence in cyber security more generally.
The original intent of a passport was to provide safe passage when visiting a foreign country. If, in a similar way, safe passage across the internet could be facilitated then this would surely achieve a desirable goal. It has to be accepted that some of the useful activities that we engage in can under certain circumstances present a risk to others.
Hence we are required to be identifiable in order to undertake such activity. A driving licence to use the roads and a national insurance number to undertake legitimate employment are just two examples.
Clearly, there are those who demand the right to anonymity and this is a subject of conjecture. It is no doubt reasonable to make the assertion that many of our daily activities are indeed transacted in anonymity. But in certain situations there is a requirement for our identity to be verified (one example is if we are stopped and questioned by a law enforcement agency).
Given that the internet has the potential to be used for significant harm, are the objections to attempts to provide a greater level of identity assurance so unreasonable? Perhaps there is a need to determine under what circumstances we should be assured or denied anonymity.
Even the most vehement advocates of privacy would surely agree that there are numerous situations in which it is preferable/essential to verify identity on the internet?
In principle, the technology to support the primary ‘internet passport’ processes already exists. For example, public key infrastructure (PKI) is an established approach for verification of servers and the clients who are connecting to them.
This was specifically developed with the aim of being able to not only identify what is being connected to but also to reliably identify the client connecting (clearly, an internet passport process would be further required to assure the identity of the user of that client).
However, PKI has not been widely implemented. The primary reason for this is the cost and time that such implementations require. There is no doubt that a public-wide PKI would be a massive undertaking.
So practice has instead focused on attempting to ensure the legitimacy of the systems that we are connecting to and coupled this with the use of verification services for selected services (where it is actually the financial status of a claimed identity that is most often being verified rather than the identity itself).
For the past five years, the U.S. government has been undertaking a major project aimed at assuring identity on the internet.
The National Strategy for Trusted Identities in Cyberspace (NSTIC), which has undertaken a number of pilot activities, is a voluntary scheme that has been developed around four guiding principles: privacy-enhancing, secure, interoperable and cost-effective.
The realisation of this vision is expressed as ‘a user-centric identity ecosystem, an online environment where individuals and organisations are able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities and the digital identities of devices’.
Internet passports in practice
How might the internet passport work? One of the difficulties is that we can only consider this in light of the current state and availability of technology. The means by which this could be implemented effectively may require innovation.
Alongside this exist a number of key practical considerations. For example, would this ‘electronic identity’ be issued on the registration of a birth? Or might it be something that happens after age 16, or is it processed in a similar way to a passport? One of the main concerns with such a system would be security.
No doubt these fears would include a potential increase in identity fraud. But might not such an approach also help to reduce this type of problem? Whatever the methods used, reliable revocation and replacement would constitute an essential requirement.
Real world passports
The use of real-world passports presents an interesting comparator. They do not appear to deter crime in an obvious way. Moreover, supply of falsified documents is a criminal trade in itself. However, they probably reduce the amount of crime that might otherwise be committed (there are often issues associated with criminality where borders are open).
It is difficult to determine whether establishing an ‘internet hygiene’ through education and awareness would be more effective than increasing the legislative requirements (history suggests that some things will just not happen unless they are forced). I offer the suggestion that addressing the issues requires a combined approach.
The message here is that were there an easy method of assuring identity on the internet, it would have already been implemented. Whilst the physical world provides us with a precedent, the implementation of an internet passport might well present an insurmountable challenge when considered in the light of currently available technology.
But when Eugene Kaspersky discusses the concept of internet passports, should we dismiss the idea out of hand and, if we do, what is the alternative? Perhaps we should not be too quick to criticise if we cannot think of anything better!