Tage Stabell-Kulø • University of Tromsø, Norway

When I was a student, the field of computer science was presented as purely technical. The marvels of category theory and the duality of memory and communication in implementing a multiprocessor operating system was just what I wanted.

Then came security.

It all started with the theory and practice of authentication in distributed systems. One thing led to another, and before I knew it, I was worried. The thing is, what you see when you view the world from the authentication perspective is quite worrisome, because the line between authentication and identification is being blurred. Let me explain.

Authentication without identification

I have numerous customer cards. I don’t use them to identify myself as a private person but rather to build and maintain a profile. I earn (too many) frequent-flyer miles, I get a (very small) discount when I shop for groceries, and so on. Companies add a financial advantage to the convenience, and I choose to take advantage of it. But if I drop by my local shop to buy contraceptives, I refrain from using my customer card, because then I don’t want to be recognized. At my favorite online bookstore (and too many other places), I have an account that I log into with a user name. These user names, which are password protected, serve the same purpose: to update my profile and load my preferences. The common denominator is that I’m a customer, and the relationship is cordial but very formal: It’s strictly related to business. Because it’s a professional relationship and not a private one, I’m authenticated but not identified. I’ve told my bookstore that I reside in my office at the university (which by some definitions is a sad fact) and I want my purchases sent there. They let me use any address I want precisely because the relationship isn’t private.

But things are changing. Every week I spend (too much) money on the National Lottery (Norsk Tipping), and I have a customer card there as well. The other day, I received a letter from them that said I could get the new “smart” customer card. By means of the new card, they’re offering me new and improved services, and it looks good. But the letter also said that, for my security, I needed to bring some proof of identity to pick it up. For my security? That sounds odd. Some research revealed that the National Lottery is diversifying its business and selling identification services to others. If I go and fetch my new card, they will claim to know my identity. Knowing someone’s identity is an asset that they can sell.

The National Lottery is changing the rules of the game by turning the professional relationship into a private one. They do so by adding my identity to my user profile. The implications of this for my privacy are not at all obvious. In particular: What if, in the future, I want to disavow my earlier (bad) habits? Can I escape my past when it’s linked to my identity?

In addition to my customer cards, I have two credit cards. I use one exclusively when I travel, wine and dine in (too expensive) restaurants, rent (too large) cars, and so on. I use the other only in the little town where I work to pay for such low-cost activities as a train ride. This division is intentional. Both issuers include advertisements when they send me their (surprisingly large) bills. One of them informs me that now is the ideal time to play golf in Dubai or rent a suite in Shanghai. But the other tells me that now, before the busy season, accommodation is affordable in a remote mountain village named Geilo (you’re excused if you haven’t heard of Geilo). Obviously, they believe I’m two different people. In fact, my name is incorrectly spelled on one of the cards, so maybe I am two people.

In any case, I’ve never taken steps to correct this small error. Why should I? It doesn’t cause any problems, and I enjoy confusing customer profile processing. This brings me to the issue’s core: the difference between authentication and identification—or, more to the point, the blurring of the difference between authentication and identification.

Blurring the line

The problem is that our privacy is under great pressure, and privacy is related to identification (not authentication). Here are some examples.

• The road to hell is paved with good intentions. In Norway, where I work, a great danger exists that the authorities will establish a national registry that will contain all information about everyone’s medical history. Not only will it contain the information itself, it will do so in such a way that individuals are identifiable. The argument goes that if researchers in the future find out that you’re at risk for disease, you will want them to contact you. There are no signs of an opt-out scheme. Why would there be? After all, it will be automagically assured that only medical researchers of utmost integrity will be allowed to access your data. However, the staff managing a recent medical study focusing on sexual activity made an error revealing 220 female study participants’ identities—the kind of error we’re assured will never, ever happen.
• According to a press release (pdf) from 23 September 2003, the Scandinavian Airlines System has tried biometry. According to media reports, the scheme worked very well and SAS is contemplating applying it throughout Scandinavia. This will make available to them information not only about their customers, but also about their customers’ bodies. If even an airline knows inescapable facts about your body, how can life ever be the same? This also makes witness protection schemes a joke. They promise not to keep any identifiable information and that they’re as concerned with their customers’ privacy as their customers are. I can promise that the latter, at least, is false.
• Many dream of digital signatures and public-key infrastructure (PKI). However, if some identification authority issues the public key, using it becomes incompatible with separating authentication from identification. This is particularly worrisome in the cases where instead of creating your own “private” key, one is issued to you, as seems to always be the case. In Norway, the agreement you have to sign to obtain access to online banking services states that you have the right to revoke your identity certificate (if you lose your PIN, for example). The bank also has the right to revoke your identity. You do not have the right to refuse to be revoked. Carl Ellison and Bruce Schneier discuss public keys at length.
• One often-heard approach to fighting email spam is to require digital signatures on emails. Add to this a PKI where keys are issued to you, and the distinction between authentication and identification blurs again. I find some comfort in the fact that the emails I sent as a student are clearly marked as originating from a student and that only considerable digging in old password files will reveal that the user name belonged to me. I have a range of email addresses, and I appreciate the inherent difficulty in bridging the gap between them and me. In fact, I believe I would be willing to give up on email if I had to identify myself before sending one.

Lately I’ve scanned quite a few books searching for one to use in a beginners’ course on computer security. It’s hard to find one that both covers the technical material my students must master and makes them aware of how powerful this technology can be in the wrong hands. Part of the problem is that the books I find that cover this material more often than not refer to foreign and vague legal constructs that were amended to some other legal construct. Oh well, I guess this is what we from small nations must learn to live with. In any case, it’s a real challenge to find ways to approach this important field without making students believe that pure technical solutions exist.

Tage Stabell-Kulø is an associate professor at the University of Tromsø, Norway. Contact him at task@ifi.uit.no.

Related Links

• DS Online's Security Community
• "Identity Theft Solutions Disagree on Problem"
• "Network Security Basics"
• "Valuating Privacy"
• "Exploring Privacy Issues in Web Services Discovery Agencies"