Report commissioned by:
Electronic Commerce Task Force
Industry Canada
Prepared by:
Angie Barrados, Researcher
Public Interest Advocacy Centre
1204 – 1 Nicholas Street
Ottawa, Ontario
K1N 7B7
barrados@web.net
www.piac.ca
April 2000
Table of Contents
INTRODUCTION
A. OVERVIEW OF DIGITAL AUTHENTICATION
B.SECURITY
B1. Securing Entire Systems
B2. Security Problems with Digital Signatures
B3. Use of Best Available Technology
B4. Social Systems
B5. Security: Conclusion
C. MANAGEMENT OF PERSONAL INFORMATION
C1. Centralization of Personal Information and Data Matching
C2. Certification Authorities
C3. Certificates and Names
C4. Management of Personal Information: Conclusion
D. INDIVIDUAL CONTROL OVER PERSONAL INFORMATION
D1. Choices and Ability to Evaluate Systems and Certification Authorities
D2. Key Rings
D3. De-linking Authentication from Identification
D4. Individual Control Over Personal Information: Conclusion
CONCLUSION
Digital Authentication and Consumers’ Privacy
INTRODUCTION
This paper identifies and discusses the main implications of digital authentication to consumers’ privacy based on two sessions of the Tenth Conference on Computers, Freedom and Privacy (CFP) held in Toronto from April 4-7, 2000: “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication” and “Everything You Need to Know to Argue About Cryptography”(1). The material from the conference is supplemented by selected secondary sources.
The paper provides a brief explanation of what authentication is, and provides definitions of some key terms relating to digital authentication. The main potential problems and issues for protecting consumers’ privacy in the context of systems that use digital authentication are then discussed under three headings: security, management of personal information and individual control of personal information. Experts’ main recommendations on protecting consumer privacy in these three areas are also noted.
A. OVERVIEW OF DIGITAL AUTHENTICATION
Generally, authentication means “the process of establishing confidence in an assertion”(2) and is the basis of being able to conduct transactions of many kinds. Authentication is often related to establishing the identity of someone entering into a transaction, such as when consumers show their driver’s license to have a cheque accepted. Methods of authentication can also be used establish someone’s authority, as in a diploma, or to establish someone’s privileges, as in a membership card. Also, statements can be authenticated as being endorsed by a specific person by means of a signature or a seal.
Authentication methods currently in use for electronic transactions such as magnetic strips on cards, credit card numbers, PINs and passwords share some major flaws. They are not very secure, since they can be stolen relatively easily, either through low-tech methods (looking over someone’s shoulder at an ATM) or higher-tech methods (breaking into someone’s computer). Also, they cannot be tightly bound to one person. Consider buying something over the Internet with a credit card for instance; the credit card number alone does not tell the vendor that you are who you say you are. Added to these problems is the fact that much electronic communication is occurring over relatively insecure media such as the Internet that can easily be eavesdropped on.
Public key cryptography potentially offers a secure way of authenticating digital transactions over the Internet, and thus a great deal of attention is being paid to the development of systems that use public key technology, and the infrastructure needed to support such systems. In particular, digital signatures that use public key cryptography have great potential to facilitate electronic transactions. Generally, “digital signature” means a scheme using public key cryptography that functions much like a physical signature to authenticate the origin and integrity of documents.
Public key cryptography is distinct from traditional cryptography, because traditional cryptography uses the same key to encrypt and decrypt messages, while public key cryptography uses two keys to convey one message: one key to encrypt a message and another key to decrypt the message(3). One key cannot be derived from the other, so that one key can be made public, while the other can be kept secret. The way that public key encryption works is explained by the following example of how it can be used to send a message securely:
Say that Alice wants to send Bob a message. We assume they both own a key pair and they both know each other’s public key. Alice encrypts the message using Bob’s public key, and sends it over an insecure channel. Bob decrypts the message using his private (secret) key.
In this case, Alice can send a message to Bob over an insecure channel knowing that only Bob can read the message. But it does not authenticate the message (ie. confirm that the message comes from Alice). In order to authenticate the message, Alice must use her private key as a digital signature to the message in the following way:
Alice computes the “hash” of the message using a “hash function”(4). She then encrypts the hash with her private key: this is the digital signature. She sends this signature to Bob along with the message.
When Bob receives the message, he computes the hash of the message. He then decrypts the signature with Alice’s public key, and compares the resulting hash to the hash of the message he computed. If they are the same, he can be sure that the message was sent by Alice, and was not tampered with.
In this example, Bob can only rely on the digital signature if he can be sure that Alice’s public key in fact belongs to Alice. Alice’s public key must be tied in some way to Alice herself. This can be done through a certification authority that checks Alice’s identification, and certifies that the “real” Alice owns the public key. The certification authority would issue a certificate that Alice could send with her signature to validate her public key. It would be important that the certification authority be trustworthy, so that a certificate signed by the authority could be relied upon.
The establishment of certification authorities is the main part of the infrastructure needed to support the use of digital signatures (known as “public key infrastructure” or PKI). By and large, PKI is still a conceptual notion and not a reality, but there is a great deal of interest in establishing certification authorities and standards for their operation. Creating PKI may seem like a primarily technical issue, but in fact, once PKI is in place, it could lead to the widespread use of digital signatures. This has quite important implications for consumers. Digital signatures will facilitate the further use of electronic communication and storage of personal information in many fields. The new systems that use digital signatures as authentication will introduce new ways of identifying people, change individuals’ responsibilities and liabilities, and provide new ways to centralize information.
B. SECURITY
Digital signatures have a great deal of potential to increase the security of electronic transmissions, but the reliance on digital signatures in itself would create new security concerns (discussed below). Also, digital signatures will probably facilitate the development of new electronic systems through which to carry out transactions, and these systems in turn will have to be secure.
The importance of system security to the individuals who use these systems was made clear by the hypothetical example that was discussed by the CFP panel. The hypothetical system used public key technology to control access to a database of emergency medical profiles, and was accessible to doctors and insurance companies with certain certificates. Individuals could access their own files using a smart card containing a biometric identifier. An Orwellian scenario was given of an individual finding that her file had been altered without her knowledge. Her private key (the smart card) had in no obvious way been violated, so she had no way of proving that she did not make the changes to her file. If the culprit was not found, she could be held liable for the misuse of her card, and expenses to her insurance company.
B1. Securing Entire Systems
Computer security experts find that people are dazzled by public key cryptography, and that they tend to assume that it can be used to completely secure systems(5). However, most ordinary operating systems are vulnerable to attack by hackers. In many cases using digital signature technology will be “like putting a vault-door on a cardboard box”. For instance, a security expert on the CFP panel explained that in sending a digital signature over the Internet, a user’s browser may have access to the user’s private key. In this case, the digital signature itself may be hard to attack, but it would not be hard to attack the user’s browser and find the private key.
The layperson may assume that one cryptography function is all it takes to secure a computer system, but in actual fact, most security problems require many functions in different parts of the system (a cryptographic protocol)(6). Designing good cryptographic protocols is “amazingly hard”, and applying them to software is even harder, according to cryptographers. However, many systems designers consider security at the last minute, and do not realize how hard it is to apply cryptography to security problems. In many cases, the use of cryptography may give a false sense of security.
In setting up systems using public key cryptography, it is important that the limitations of the technology be clearly understood by both system administrators and users(7). It can never be assumed that systems are completely secure.
B2. Security Problems with Digital Signatures
A digital signature can be less secure in some ways than a physical signature in authenticating a transaction. As discussed above, a digital signature relies on the use of a private key; the private key is actually a string of digits that would most likely be stored on a card accessible with a PIN. Proponents of digital signatures tend to assume that the private key and certificate is controlled by the certified keyholders, but if the private key is kept on a card, there is clearly a danger that the card and PIN could be copied or stolen. Critics feel that the problem with relying on digital signatures is that it would be as easy to steal a signature as it is to steal a credit card(8).
In the case of a forgery of a physical signature, an individual can try to prove that he was not the person who physically signed a document through a number of methods. He can show that the forged signature does not match his real signature, he can call on people who witnessed the signing of a document, and he can try to prove that he was in a different location at the time the document was signed. A digital signature cannot be related to a person in the same way, unless there is a video camera recording who is at the computer monitor conducting a particular transaction.
To tie private keys more strongly to individuals, private keys could be based on biometrics (such as fingerprints, or iris scans). If biometric data was downloaded to a card for use, there would be the same danger of the card being copied or stolen. However, if the public key was an actual scan of one’s fingerprint, for instance, it would be harder to forge, although some computer security experts feel that even biometrics are not secure(9).
An investigation of a fraudulent use of a digital signature would depend on the audit trail of the suspicious transaction. It is, therefore, important that systems be designed to keep such audit trails(10).
B3. Use of the Best Available Technology
Designing secure systems is expensive, and the companies that build these systems may not always have the incentive to use the best available technology(11). The extent to which this incentive is present will be determined by the assignment of liability in the case of a security breach. Contracts between individuals and service providers will likely specify who is liable for misuse of the individual’s private key. If providers bear liability for misuse of the private key, they will have a strong incentive to use the best available technology. This assignment of liability would be analogous to the liability banks have for misuse of ATM cards. Banks bear the liability for misuse of ATM cards provided customers take reasonable security precautions, so they use good security methods such as video cameras at ATM machines.
In future, individuals may be able to choose among different service providers that have varying levels of system security. It will probably hard for individuals to be able to understand and evaluate security issues, since these issues are complex, even for experts. Also, individuals may not understand the potential risks that security breaches pose for them. Therefore, consumer protection laws should clearly place responsibility for security on service providers.
B4. Social Systems
Even if technology can provide good security for a computer system, there may be serious security problems if the people using the system are not security conscious. The CFP panel on authentication discussed the difficulty of ensuring security of medical files in a hospital or clinic setting. Typically, security is based on a “firewall” concept, that allows the insiders (say hospital staff) to have access to all files(12). This means that a great many people have access to the files, which increases the possibility of abuse. Also, there are typically many low-tech ways of accessing personal information (such as reading files left in easily accessible places). Introducing an electronic system based on public key cryptography will not solve these problems and may indeed introduce greater potential for abuse because of increased centralization of personal information.
To provide data security, attention needs to be paid to the social system that uses the computer system, as well as the computer system itself. The panelists agreed that changing these social systems to ensure data security can be just as hard as designing technological solutions to security problems.
B5. Security: Conclusion
The application of public key cryptography is not enough to solve all security problems. In fact, the new systems that will be facilitated by public key cryptography create a whole set of complex security concerns that must be addressed to ensure the protection of personal information.
C. MANAGEMENT OF PERSONAL INFORMATION
Digital signatures could lead to the development of much larger, more complex electronic systems than have previously been used. These systems may raise significant concerns about how individuals’ private information is collected and exchanged by private entities.
C1. Centralization of Personal Information and Data Matching
The systems that will be facilitated by the use of digital signatures will likely increase the centralization of personal information. For instance, it will soon be possible for all of an individual’s medical information to be stored and updated in one electronic file. This may be advantageous to doctors and patients in many ways, but it also means that patients would have less control over their medical information. A patient would no longer be able to withhold parts of her medical history from a new doctor. Also, unauthorized access to the file would disclose the entire medical history and potentially create far more problems for an individual than disclosure of a partial file.
A major privacy concern will arise if one digital signature is used for multiple purposes. In this situation, the public key would become a de facto universal identifier, and allow for matching of diverse databases. This means that comprehensive files on individuals could be compiled by authorities with access to many different databases, or by hackers. Also, all of an individual’s electronic transactions could be recorded, and traced back to the individual.
C2. Certification Authorities
Certification authorities will likely play an important role in PKI; they will issue digital certificates to individuals to certify that an individual is the rightful holder of a public key. Through the process of issuing certificates, a certification authority would keep records about individuals identification, registries of public keys and certificates, as well as certificate revocation lists(13). The revocation lists in particular raise concerns because anyone relying on digital signatures would have to check the revocation list each time they accept a signature. In the process of checking the revocation list, a data trail would be created that would show every inquiry about a particular certificate. Therefore, everyone with whom an individual transacts could potentially be recorded by the certification authority.
Certification authorities could have a great deal of power over individuals by virtue of their function in issuing/withholding certificates, and revoking certificates. This power will be greater to the extent that the following factors are true:
- individuals need to obtain a certificate in order to engage in important or essential transactions;
- individuals do not have a choice as to which certificate authority they deal with, or all certification authorities offer the same service;
- eligibility requirements are not regulated;
- identification requirements and application criteria are not publicly disclosed.
Privacy advocates are concerned about the creation of authorities that could potentially exercise a great deal of power over individuals, and would hold significant amounts of information about them.
C3. Certificates and Names
Identification requirements to establish an individual’s eligibility for a certificate will have to be established. Privacy advocates are concerned that these requirements may be too onerous, and thus privacy invading. This problem will be more pronounced with certificates that actually establish identity, compared to certificates that establish some type of eligibility without identifying the individual.
Another privacy concern involves the personal information that the certificates would potentially display. The subject’s name and public key may not be enough information, because names are not always enough to unambiguously identify someone; other information such as an e-mail address or a driver’s license number may be required. A subject’s privacy could be compromised by having to disclose personal information in a certificate every time she uses a her digital signature.
The identification and eligibility requirements used by certificate authorities will have very important privacy implications. Many companies have an interest in securely identifying their customers. In the context of digital signatures they may see an opportunity to improve identification by pushing for more onerous identification requirements for certificates than the identification that is currently used to verify physical signatures. Any such push towards identifying individuals more comprehensively needs to be counterbalanced by privacy considerations.
C4. Management of Personal Information: Conclusion
To protect individuals’ privacy, personal information held by certification authorities and systems managers would need to be protected from misuse, and any authorized use of the information would have to be carefully evaluated to ensure that it is not privacy invasive. These privacy protections rely on good data management practices which could be promoted by sound rules and oversight. However, it will be impossible to completely avoid misuse of information or security breaches. It is important therefore, that PKI build in privacy protections apart from private-sector information management practices.
D. INDIVIDUAL CONTROL OVER PERSONAL INFORMATION
As digital signatures allow systems to be built that increase the centralization of information, it will become more and more important to ensure that individuals do not lose all control over their personal information, and thus any ability to protect their privacy. There are three main ways that individual control over personal information can be maintained in a digital environment: allowing people to choose privacy-enhancing services, allowing for the use of a “key ring” rather than one multipurpose key, and the de-linking of authentication and identification in many situations.
D1. Choices and Ability to Evaluate Systems and Certification Authorities
In the future, individuals may or may not have a choice about whether to acquire a digital signature, and which certification authority to use to validate it. It is important that individuals be able to choose options that maximize their privacy. As PKI is developed, it is important that individuals not be forced by mandated use of certain systems to acquire digital signatures. People should be free to acquire digital signatures when they are confident that their privacy is adequately protected.
If individuals are given choices about which systems and certification authorities to use, they must be able to evaluate the security and information management practices of a particular service. This will require the disclosure of key information about services, and some sort of independent evaluation of them, made available to consumers in understandable language.
D2. Key Rings
As mentioned above, there is a major concern with the public key becoming a de facto universal identifier. A public key would not become a universal identifier if an individual owned different key pairs (public and private keys) for different transactions, so that, for instance, an individual’s public key for accessing her bank account would be different from that used for accessing her medical records. Ari Schwartz of the Center for Democracy and Technology suggests that individuals should possess a “key ring” of different keys. This would be preferable to a single key, according to Schwartz because:
Given the choice between a ring with multiple keys or a single key to open all doors, most consumers would stick with the key ring – despite the initial appeal of the single key. The single key could be easily lost or misused and its functions couldn’t be isolated; … by giving someone the key to your car you would in effect be giving them the key to your life(14).
There are a number of factors that suggest that single keys may indeed become the norm. As mentioned above, powerful companies would like to have their customers identified conclusively, and will probably try to set up PKI so that one key will be the norm. Also, having multiple keys could mean additional expenses for individuals and the responsibility of managing multiple cards with multiple PINs. Nonetheless, the key ring concept should be promoted, as it could be the single most important way of maintaining individuals’ control over their personal information.
D3. De-linking Authentication from Identification
The potential for systems managers and certification authorities to invade individual privacy would be greatly reduced in cases where digital signatures did not function as identifiers. It is important to remember that authentication also applies to credentials, eligibility and reputation in ways analogous to diplomas or membership cards. There are many potential applications for digital signatures in which identification is not disclosed, and “blinded” digital signatures in which identification is hidden. To protect individual privacy, individuals should only be identified in digital transactions when it is necessary to do so(15).
D4. Individual Control Over Personal Information: Conclusion
In envisioning PKI, it is important not to assume that individuals will use one type of identifying digital signature for all of their transactions. The extent to which individuals can use different keys for different purposes, and choose whether or nor to identify themselves with a key, will determine how much control individuals will retain over their personal information. Also, the extent to which individuals can choose different types of certificates will determine how much individuals will be able to opt for privacy-enhancing options.
CONCLUSION
This overview of the privacy issues surrounding the development of digital authentication indicates three overall recommendations to maintain and protect individual privacy:
1) The limitations of public key cryptography in securing systems must be taken into account. Ensuring that information is secure throughout a system is a complex task that requires a number of methods, including providing incentives through assigning liability for misuse of information, and changing social systems. Systems must be auditable so that suspicions transactions can be investigated.
2) In the future, certification authorities and other service providers could possess a great deal of personal information. To protect individual privacy, information held by private entities would need to be protected from misuse, and any authorized use of the information would have to be carefully evaluated to ensure that it is not privacy invasive. These good information management practices should be promoted by sound rules and oversight, but this will not be enough to ensure individual privacy; PKI should also be designed so that individuals retain control over their personal information.
3) PKI should give individuals the choice to opt for privacy enhancing services. People should have the option to own multiple keys, and to use keys that do not identify them. As PKI is developed, people should not be forced to acquire digital signatures, but should rather be allowed to acquire them when they have confidence that there are adequate consumer safeguards in place.
As PKI is being developed, there will be a need for much more investigation of how these general recommendations can be implemented in practice.
1. Appendix A gives a description of the sessions and who contributed to them.
2. Roger Clarke, Personal Notes on Computers, Freedom & Privacy 2000
Toronto, 5-7 April 2000 at http://www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP2K.html accessed on April 18, 2000
3. The following discussion on public key cryptography relies upon Brian A. LaMacchia of Microsoft “Everything You Need to Know to Argue About Cryptography” Cryptograph Tutorial, CFP 2000, April 4, 2000.
4. A hash function reduces a message to a fixed size, and is a “one-way” invertable function. This means that knowing the hash function and the hash of the message does not allow someone to be able compute what the initial message was. Therefore, Alice can choose a well-known hash function; it does not need to be kept secret.
5. This paragraph is based on remarks by Carl Ellison of Intel at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”.
6. This paragraph is based on Brian A. LaMacchia “Everything You Need to Know to Argue About Cryptography” Cryptograph Tutorial, CFP 2000, April 4, 2000.
7. This point was made by Phil Hester of IBM at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”
8. This point was made by Margot Freeman Saunders of the National Consumer Law Centre at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”
9. This was suggested by Carl Ellison at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”. Roger Clarke reports that fingerprints are very easily forged, and that most biometrics will probably be “forged with ease” in Privacy Requirements of Public Key Infrastructure at www.anu.edu.au/people/Roger.Clarke/DV/PKI2000.html accessed on 18/4/2000.
10. This point was made by Phil Hester at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”
11. This paragraph is based on comments by Margot Freeman Saunders of the National Consumer Law Centre at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”.
12. This point was made by Carl Ellison at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”
13. Certificate revocation lists would list certificates that have been revoked because they have been compromised, or have expired.
14. Ari Schwartz, “Smart Cards at the Crossroads: Authenticator or Privacy Invader?” Center for Democracy and Technology at www.cdt.org/gigsig/idandsmartcards.shtml accessed on 12/4/2000.
15. Roger Clarke, Personal Notes on Computers, Freedom & Privacy 2000.