Consult Hyperion

You don’t have to be psychic, but it helps

By Consult Hyperion posted 31/07/2012 at 11:29. Write a comment

[Dave Birch] When I said that I was genuinely surprised to find my talk on digital identity featured on TED, I meant it. I've really enjoyed the conversations that it has sparked with colleagues and clients alike, particularly around the issues of anonymity and pseudonymity. I think that some people find these issues a little esoteric when first raised, because we're not accustomed to think about identity as a spectrum. We're used to the idea that you have an identity and that's that. But as the real world continually shows, the more sophisticated view of identity gives us a better framework for dealing with problems and that suggests, to me at least, that digital identity is the way forward.

The Times points out that Inspector Winter, the anonymous police blogger and Twitterer who made such a name for himself with his "front line" accounts of the London riots in the summer that he got commissioned by this newspaper for a first-person piece, is in fact not a policeman at all. He is a man called Ellis Ward, a 29-year-old fantasist and fraudster who is in jail for credit-card fraud and is under investigation for impersonating a police officer.

[From The Times continues its tradition of revealing the identity of police bloggers – Telegraph Blogs]

Here is a perfect example of how cryptography can help. The newspaper needed proof that a blogger was a policeman, but should not be able to identify that policeman or collude with (potentially corrupt) third-parties to uncover the policeman's identity. (The policeman will not blog if his identity can be uncovered but society as a whole is better off if he does.) How does psychic identity achieve this? It's through a technique called "blinding". This is not even remotely new or innovative: It's twenty years since the cryptographer David Chaum published his seminal article in Scientific American on "Achieving Electronic Privacy" (August 1992, p.96-101) in which he said...

I have developed an extension of digital signatures, called blind signatures, that can restore privacy.

[From Achieving Electronic Privacy]

The idea is this: Alice is a policewoman. She generates a random number: let's call it her WHISTLEBLOWER key. She multiplies this by a number known only to her, the blinding factor, to form the blinded product. She signs the blinded product with her Police Federation key and sends it to them. They know she is a policewoman from the signature.

They extract the blinded product to make a new certificate containing the blinded product and sign it with their key to create an IS_A_POLICEOFFICER certificate which they send back to Alice. Alice divides out the blinding factor so that she now has an IS_A_POLICEOFFICER certificate that contains her WHISTLEBLOWER key but cannot be traced back to her.

Now, let's say Alice has to prove to The Times that she is a police person. So she pops in to an internet cafe and creates a Hotmail account. She sends a message to The Times signed with the WHISTLEBLOWER key together with the IS_A_POLICEOFFICER certificate. The newspaper checks that the Police Federation's signature is valid. It is, so they know that owner of the WHISTLEBLOWER key is, indeed a police officer. But even if they send the certificate to the Police Federation, they do not know who Alice is.

Now when the newspaper wants to communicate with Alice they encrypt the message using her WHISTLEBLOWER key and send it to her Hotmail address. Since Alice has the private key that belongs to the public WHISTLEBLOWER key, she is the only person in the world who can read the message. The message can be published on The Times website or in a blog or anywhere else. It doesn't matter, because no-one else can decrypt the message. Under this kind of scheme, it would be very difficult to forge an e-mail because any newspaper you send it to would expect your to provide a certificate attesting some relevant attribute: that you are an MP or you are French or you have a Portugese fishing licence.

The forged email, sent in May, was subsequently “leaked” to the Independent newspaper, which exposed the message as a fake after attempting to trace the sender.

[From Tory MP caught up in Syrian propaganda row with fake 'colonialist' email - Telegraph]

This may seem complicated, but it isn't really and, what's more, it could easily be under the hood. You could image seeing a menu on your phone that says "create a new identity" and then being offered the choice of a personal identity, a persona (an identity used to create pseudonyms) or a "whistle blowing" identity as described above. Perhaps this might be a corner of the new digital economy that it makes sense for newspapers (and other news sources that want to be trusted) to invest in. After all, they have a direct interest in sorting real from fake sources as well as a tradition of protecting those sources. Why not issue blinded certificates to sources and have them mutually-recognised by news organisations that belong to some kind of international OIX-style group?

Digitally-signed e-mail has been around for years and virtually no-one uses it. But perhaps using cryptography to prove who you are is not as interesting as using it to prove what you are.

These are personal opinions and should not be misunderstood as representing the opinions of 
Consult Hyperion or any of its clients or suppliers

Comments

License

The English language version of this work is licensed under Creative Commons Attribution-ShareAlike 3.0 Unported License. If you wish to acquire the rights to make a foreign language translation of the work, please contact Consult Hyperion.

Please note that by replying in this Forum your comments become the property of Consult Hyperion and you assign all rights in your comment to us. Your comments may be edited for length and used online and in print but will always be attributed.

• Latest news
• In the News
• Opinion Articles
• Blog
• Twitter
• Case Studies
• Podcasts
• Chyppings
• Document Library
• Press Contacts
• Tomorrow's Transactions Forum

Meet us at:

Blog Categories

• People
  • Identification and Authentication
  • Social Media and Organisations
  • Political, Legal and Regulatory
• Networks
  • Finance and Banking
  • Retail and Transport
  • Public Sector and NGO
  • Telecoms and Media
• Money
  • History and Future
  • Payment Systems
  • Cash Replacement

Blog Archives

• May 2013
• April 2013
• March 2013
• February 2013
• January 2013
• December 2012
• November 2012
• October 2012
• September 2012
• August 2012
• July 2012
• June 2012
• May 2012
• April 2012
• March 2012
• February 2012
• January 2012
• December 2011
• November 2011
• October 2011
• September 2011
• August 2011
• July 2011
• June 2011
• May 2011
• April 2011
• March 2011
• February 2011
• January 2011
• December 2010

Subscribe to RSS