January/February 2013 (Vol. 11, No. 1) pp. 96
1540-7993/13/$31.00 © 2013 IEEE
Published by the IEEE Computer Society
Published by the IEEE Computer Society
Identity as Privacy
PDFs Require Adobe Acrobat
The class structure of the future is based not on money but on privacy.
A conservative is a socialist who worships order. A liberal is a socialist who worships safety. —Victor Milán
Living in the wilderness or living in a cardboard box under the bridge once got you a kind of privacy, but "in public" now means "privacy-free." You know all that, so is there anything new to say here in S&P? That depends on your definitions of security and privacy. Are the definitions in flux? They are.
No society, no people need rules against things that are impossible. We're making impossible things possible at an accelerating clip; ergo, things that have no rules against them get ruled out only after unhappiness has accrued—like "Bertie Bott's Every Flavour Beans" in Harry Potter, a new flavor every day guarantees tasting ear wax, dog snot, and ipecac.
Today, I observe a couple in flagrante delicto on a rooftop in circumstances where I can never know who they actually are. Do they have privacy? The answer is "no" if your definition of privacy is the absence of observability. The answer is "yes" if your definition of privacy is the absence of identifiability.
Technical progress in image acquisition guarantees observability now; technical progress in standoff biometrics guarantees identifiability real soon now. Venture capitalists regularly hear new ideas in standoff biometry, and Moore's law is its friend. What new flavor does standoff biometry bring to table? We will soon live in a society where identity is not an assertion ("Call me Dan") but rather an observable ("Sensors say that's Dan"). Your breath, the microwave emissions of your beating heart, the idiosyncratic anomalies of how you type, talk, and walk say who you are. Standoff biometrics are labor camp tattoos without the need for ink.
If privacy both as impossible-to-observe and impossible-to-identify is dead, then what might be an alternative? If you're an optimist or an apparatchik, your answer will tend toward rules of procedure administered by a government you trust or control. If you're a pessimist or a hacker/maker, your answer will tend toward the operational, and your definition of a state of privacy will be mine: the effective capacity to misrepresent yourself.
Misrepresentation means paying your therapist in cash under an assumed name, swapping affinity cards at random with like-minded folks, and keeping an inventory of misconfigured webservers to proxy through. It means putting a motor generator between you and the smart grid, hiding in plain sight when there's nowhere else to hide, and having not one digital identity that you cherish, burnish, and protect but as many as you can.
The call for "trusted identities in cyberspace" is case in point; if you can trust identity, then it can't be faked, and vice versa. Smartphone users not only carry a radio beacon but an accelerometer proving who they are by gait analysis and where they are in a fine-grained calculus. Gamers' haptic interfaces prove who they are. There are 3+ billion new photos online each month, spiderable by better, faster, cheaper facial recognition. Multibiometric systems complete the picture: your identity is a question only if you work to make it be.
Standoff biometry terminates the argument over whether security and privacy are a zero-sum game—the sum is nowhere near that good, and it's the surveilled who are capitalizing the system and providing much of its labor. Shoshana Zuboff said "[W]e anticipate surveillance and we conform, and we do that with awareness. ... Once anticipatory conformity becomes second nature, it becomes progressively easier for people to adapt to new impositions on their privacy, their freedoms. The habit has been set."
Will Americans' ability to improvise, adapt, and overcome cement anticipatory compliance in place, or sweep away the voyeurism of those who worship safety and/or order?
Daniel E. Geer Jr. is CISO for In-Q-Tel and past president of the Usenix Association. Contact him at firstname.lastname@example.org.