{"id":1152,"date":"2010-07-15T11:02:24","date_gmt":"2010-07-15T19:02:24","guid":{"rendered":"\/?p=1152"},"modified":"2010-07-15T11:20:42","modified_gmt":"2010-07-15T19:20:42","slug":"stephan-engberg-on-touch2id","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1152","title":{"rendered":"Stephan Engberg on Touch2ID"},"content":{"rendered":"<p><a href=\"http:\/\/www.obivision.com\/stephan.engberg\/cv.html\" class=\"broken_link\">Stephan Engberg<\/a> is a member of the Strategic Advisory Board of the EU ICT Security &amp; Dependability Taskforce and <a href=\"http:\/\/www.priway.com\/\">an innovator<\/a> in terms of reconciling the security requirements in both ambient and integrated digital networks.\u00a0I thought readers would benefit from\u00a0comments he circulated in response to my posting on Touch2Id.<\/p>\n<p style=\"padding-left: 30px;\">Kim Cameron&#39;s <a href=\"\/?p=1142\">comments on Touch2Id<\/a> &#8211; and especially the way PI is used &#8211; make me want to see more discussion about the definition of privacy and the approaches that can be taken in creating such a definition.<\/p>\n<p style=\"padding-left: 30px;\">To me Touch2Id is a disaster &#8211; teaching kids to offer their fingerprints to strangers is not compatible with my understanding of democracy or of what constitutes the basis of free society. The claim that data is &#8220;not collected&#8221; is absurd and represents outdated legal thinking.\u00a0 Biometric data gets collected even though it shouldn&#39;t and such collection is entirely unnecessary given the PET solutions to this problem that exist, e.g. chip-on-card.<\/p>\n<p style=\"padding-left: 30px;\">In my book, Touch2Id did not do the work to deserve a positive privacy appraisal.<\/p>\n<p style=\"padding-left: 30px;\">Touch2Id, in using blind signatures, is a much better solution than, for example, a PKI-based solution would be.\u00a0 But this does not change the fact that biometrics are getting collected where they shouldn&#39;t.<br \/>\nTo me Touch2Id therefore remains a strong invasion of Privacy &#8211; because it teaches kids to accept biometric interactions that are outside their control. Trusting a reader is not an option.<\/p>\n<p style=\"padding-left: 30px;\">My concern is not so much in discussing the specific solution as reaching some agreement on the use of words and what is acceptable in terms of use of words and definitions.<\/p>\n<p style=\"padding-left: 30px;\">We all understand that there are different approaches possible given different levels of pragmatism and focus. In reality we have our different approaches because of a number of variables:\u00a0 the country we live in, our experiences and especially our core competencies and fields of expertise.<\/p>\n<p style=\"padding-left: 30px;\">Many do good work from different angles &#8211; improving regulation, inventing technologies, debating, pointing out major threats etc. etc.<\/p>\n<p style=\"padding-left: 30px;\"><strong>No criticism &#8211; only appraisal<\/strong><\/p>\n<p style=\"padding-left: 30px;\">Some try to avoid compromises &#8211; often at great cost as it is hard to overcome many legacy and interest barriers.\u00a0 At the same time the stakes are rising rapidly:\u00a0 reports of spyware are increasingly universal. 
Further, some try to avoid compromises out of fear or on the principle that governments are &#8220;dangerous&#8221;.<\/p>\n<p style=\"padding-left: 30px;\">Some people think I am rather uncompromising and driven by idealist principles (or whatever\u00a0words people use to do character assassination of those who speak inconvenient truths).\u00a0 But those who know me are also surprised &#8211; and to some extent find it hard to believe &#8211; that this is due largely to considerations of economics and security rather than privacy and principle.<\/p>\n<p style=\"padding-left: 30px;\">Consider the example of Touch2Id.\u00a0 The fact that it is NON-INTEROPERABLE is even worse than the fact that biometrics are being collected, since because of this, you simply cannot create a PET solution using the technology interfaces!\u00a0 It is not open, but closed to innovations and security upgrades. There is only external verification of biometrics or nothing &#8211; and as such no PET model can be applied.\u00a0 My criticism of Touch2Id is fully in line with <a href=\"http:\/\/www.securitytaskforce.eu\/dmdocuments\/securist_ab_recommendations_issue_v3_0.pdf\" class=\"broken_link\">the work on security research roadmapping<\/a> prior to the EU&#39;s large FP7 research programme (see pg. 
14 on private biometrics and biometric encryption \u2013 both chip-on-card).<\/p>\n<p style=\"padding-left: 30px;\">Some might remember the discussion at the 2003 EU PET Workshop in Brussels where there were strong objections to the &#8220;inflation of terms&#8221;.\u00a0 In particular, there was much agreement that the term Privacy Enhancing Technology should only be applied to non-compromising solutions.\u00a0 Even within the category of &#8220;non-compromising&#8221; there are differences.\u00a0 For example, do we require absolute anonymity or can PETs be created through specific built-in countermeasures such as anti-counterfeiting through self-incrimination in Digital Cash or some sort of tightly controlled Escrow (Conditional Identification) in cases such as that of non-payment in an otherwise pseudonymous contract (see <a href=\"http:\/\/ec.europa.eu\/justice_home\/fsj\/privacy\/docs\/lawreport\/pet\/200304-pet-outcome_en.pdf\" class=\"broken_link\">here<\/a>).<\/p>\n<p style=\"padding-left: 30px;\">I tried to raise the same issue last year <a href=\"http:\/\/ec.europa.eu\/justice_home\/news\/events\/workshop_pets_2009\/presentations\/ENGBERG_Stephan.pdf\" class=\"broken_link\">in Brussels<\/a>.<\/p>\n<p style=\"padding-left: 30px;\">The main point here is that we need a vocabulary that does not allow for inflation \u2013 a vocabulary that is not infected by someone&#39;s interest in claiming &#8220;trust&#8221; or overselling an issue.\u00a0<\/p>\n<p style=\"padding-left: 30px;\">And we first and foremost need to stop &#8211; or at least address &#8211; the tendency of the bad guys to steal the terms for marketing or propaganda purposes.\u00a0 Around National Id and Identity Cards this theft has been a constant &#8211; for example, the term &#8220;User-centric Identity&#8221; has been turned upside down and today, in many contexts, means &#8220;servers focusing on profiling and managing your identity.&#8221;<\/p>\n<p style=\"padding-left: 30px;\">The latest 
examples of this are the exclusive and centralist European eID model and the IdP-centric identity models recently proposed by the US, which are neither technologically interoperable, security-adding nor privacy-enhancing. These models represent the latest in democratic and free-market failure.<\/p>\n<p style=\"padding-left: 30px;\">My point is not so much to define policy, but rather to respect the fact that different policies at different levels cannot happen unless we have a clear vocabulary that avoids inflation of terms.<\/p>\n<p style=\"padding-left: 30px;\">Strong PETs must be applied to ensure principles such as net neutrality, demand-side controls and semantic interoperability.\u00a0 If they aren&#39;t, I am personally convinced that within 20 or 30 years we will no longer have anything resembling democracy &#8211; and economic crises will worsen due to Command &amp; Control inefficiencies and anti-innovation initiatives.<\/p>\n<p style=\"padding-left: 30px;\">In my view, democracy as a construct is failing due to the rapid deterioration of fundamental rights and requirements of citizen-centric structures.\u00a0 I see no alternative to trying to get it back on track through strong empowerment of citizens &#8211; however non-informed one might think the &#8220;masses&#8221; are &#8211; which depends on propagating the notion that you CAN be in control or &#8220;Empowered&#8221; in the many possible meanings of the term.<\/p>\n<p>When I\u00a0began to think about Touch2Id\u00a0it did of course occur to me that it would be possible for operators of the system to secretly\u00a0retain a copy of the fingerprints and the information gleaned from the proof-of-age identity documents &#8211; in other words, to use the system in a deceptive way.\u00a0\u00a0I saw this as being something that could be mitigated by\u00a0introducing the requirement for auditing of the system by independent parties who act in the\u00a0privacy interests of citizens.<\/p>\n<p>It also occurred 
to\u00a0me that\u00a0it would be better, other things being equal, to use an on-card fingerprint sensor.\u00a0 But\u00a0is this a practical <strong>requirement<\/strong>\u00a0given that <em>it\u00a0would still be possible to use the system in a deceptive way?<\/em>\u00a0 Let me explain.<\/p>\n<p>Each card could, unbeknownst to anyone, be imprinted with an identifier and\u00a0the identity documents could be surreptitiously captured and recorded.\u00a0\u00a0Further, a\u00a0card with the capability of doing fingerprint recognition could\u00a0easily contain a wireless transmitter.\u00a0 How\u00a0would\u00a0anyone\u00a0be certain\u00a0a card\u00a0wasn&#39;t capable of surreptitiously transmitting the fingerprint it senses or the identifier imprinted on it through\u00a0a passive\u00a0wireless\u00a0connection?\u00a0<\/p>\n<p><em>Only through audit of\u00a0every technical component and all the human\u00a0processes associated with them.<\/em><\/p>\n<p>So we need to ask, what are the respective roles of\u00a0auditability and technology in providing privacy enhancing solutions?<\/p>\n<p>Does it make sense to kill schemes like Touch2ID even though they are, as Stephan says, better than other alternatives?\u00a0\u00a0 Or is it better to put the proper auditing processes in place, show that the technology benefits its users, and continue to evolve the technology based on these successes?<\/p>\n<p>None of this is to dismiss the importance of Stephan&#39;s arguments &#8211; the discussion he calls for is absolutely required and I certainly welcome it.\u00a0<\/p>\n<p>I&#39;m sure he and\u00a0I agree\u00a0we need systematic threat analysis combined with analysis of the possible mitigations, and we need\u00a0to evolve a process for evaluating these things which is\u00a0rigorous and\u00a0can withstand\u00a0deep scrutiny.\u00a0<\/p>\n<p>I am also struck by Stephan&#39;s explanation of the relationship between interoperability and the ability to upgrade and uplevel privacy through 
PETs,\u00a0as well as\u00a0the interesting references he provides.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stephan calls for more discussion about the definition of privacy and the approaches that can be taken in creating such a definition<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[48,6,76,11,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1152"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1152"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1152\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1152"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}