{"id":197,"date":"2017-07-31T12:20:59","date_gmt":"2017-07-31T16:20:59","guid":{"rendered":"https:\/\/dwan.org\/?p=197"},"modified":"2019-10-25T15:15:02","modified_gmt":"2019-10-25T19:15:02","slug":"identity","status":"publish","type":"post","link":"https:\/\/dwan.org\/index.php\/2017\/07\/31\/identity\/","title":{"rendered":"Identity"},"content":{"rendered":"<p><a href=\"http:\/\/thehackernews.com\/2017\/07\/sweden-data-breach.html\">Another day, another data breach.<\/a><\/p>\n<p>The Swedish government has apparently exposed personal identifying data on nearly all of their citizens.  The dataset came from the ministry of transportation.  It included names, photographs, home addresses, birthdates, and other details about citizens \u2013 as well as maintenance data on both roads and military and government vehicles.  Perhaps most squirm-inducing, the dataset included active duty members of the special forces, fighter pilots, and people living under aliases as part of a witness protection program.<\/p>\n<p>The data has been exposed since at least 2015.  We\u2019re just finding out about it now.<\/p>\n<p>I have written in the past about <a href=\"https:\/\/dwan.org\/index.php\/2017\/06\/26\/a-cautionary-tale\/\">the perils of compiling this sort of dataset.<\/a> This particular ministry has a good excuse: They print identification cards. The fact that they emailed the information around in clear-text and handed management and storage off to third party processors with little or no diligence?  That\u2019s another story.<\/p>\n<p>It provides a decent opportunity to talk about identity and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Zero-knowledge_proof\">zero knowledge proofs.<\/a><\/p>\n<p>Identity is one of those concepts that appears simple from a distance, but that always seems to wriggle out of any rigorous definition.<\/p>\n<p>For today, let\u2019s say that identity is a set of properties associated with a person.  
We use these properties (or knowledge of them) to verify that someone is who they say they are.  We can deal with group identities and pseudonyms in another post.  Let\u2019s also agree to defer metaphysics and philosophy around any deeper meaning of the word \u201cidentity,\u201d at least for the moment.<\/p>\n<p>My name, birthdate, address, social security number, fingerprints, bank account numbers, current and past addresses, first pet, high school, mother\u2019s maiden name, and so on are all properties attached to and supporting \u201cmy\u201d identity.  This list includes examples commonly used by banks and websites.  When someone calls my bank on the phone and claims to be me, the bank might ask for any or all of the above.  As the answers provided by the caller match the ones in the bank\u2019s database, the bank gains confidence that the caller is actually me.<\/p>\n<p>Once a birthday, address, or other similar fact is widely known, it becomes substantially less useful in demonstrating identity. It also becomes substantially easier for people to fake an identity.<\/p>\n<p>This data breach brings a particular problem into stark relief: Our identity cards have all sorts of identifying information printed on them, and that information is available to anybody holding the card (or the database from which it came).<\/p>\n<p>The bartender doesn\u2019t need to know my birthday \u2013 they need to know that I am of legal age to buy alcohol.  They <em>certainly<\/em> don\u2019t need to know my address or organ donor status.<\/p>\n<p>This is where zero knowledge proofs come in.  A zero knowledge proof is an answer to a question (\u201cis this person of legal drinking age?\u201d) that does not expose any unnecessary information (like date of birth or address) beyond that answer.<\/p>\n<p>In order to implement zero knowledge proofs we usually need a trusted third party who holds the private data and provides the answers.  
Instead of printing dates of birth on ID cards, we might print a simple barcode.  The bartender would scan the barcode with a phone or other mobile app, and receive a \u201cyes\u201d or a \u201cno\u201d answer immediately from the appropriate agency.  In some cases, the third party might send me a message letting me know that somebody scanned my ID card.  In some cases (like financial transactions), they might even wait for me to validate the request before sending the approval.<\/p>\n<p>If the third party is trustworthy, having them in the loop can radically increase our information security \u2013 both by reducing information leakage and by providing a trail of requests for information.  Imagine a driver\u2019s license that did not contain your private information, and could be invalidated as soon as you reported it lost.<\/p>\n<p>Blockchain technologies seem likely to provide a robust solution to the question of a trusted third party in a trust-free environment.  More on that in a later post.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Another day, another data breach. The Swedish government has apparently exposed personal identifying data on nearly all of their citizens. The dataset came from the ministry of transportation. 
It included names, photographs, home addresses, birthdates, and other details about citizens \u2013 as well as maintenance&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,13],"tags":[3,19,18],"class_list":["post-197","post","type-post","status-publish","format-standard","hentry","category-blockchain","category-infosec","tag-blockchain","tag-identity","tag-privacy"],"_links":{"self":[{"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/posts\/197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/comments?post=197"}],"version-history":[{"count":3,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/posts\/197\/revisions"}],"predecessor-version":[{"id":1160,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/posts\/197\/revisions\/1160"}],"wp:attachment":[{"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/media?parent=197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/categories?post=197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/tags?post=197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}