
Abstract

State In A Box presents a coherent vision of overhauling the fundamental assumptions made about
nation state infrastructure to enable breakthroughs in Security, Stability, Transition and Reconstruction
(SSTR) functions in states in crisis. The Identity Services Architecture presented enables low cost, high
security financial transaction infrastructure to be rolled out using 2D bar codes, public key
cryptography, camera phones and biometrics in a novel configuration which both protects civil liberties
and provides strong identity information for legal processes.
Furthermore, an approach to international control of a single international biometric database is
presented, based on the chaordic work of Dee Hock, the architect of VISA. The assessment at the heart
of this paper is that the benefits of a correctly-designed rights-respecting cross-jurisdictional chaordic
governance structure cannot be forgone if we are to see a realistic implementation of biometrics as an
enabling technology for development.
We anticipate the cost of issuing an ID using this technology to be less than $1 per head.
This paper covers a lot of theoretical ground. For a quick overview of the ID proposal and links to the
demonstration code, see the CheapID Homepage.

You may find the original Word document of this page easier to read. The getting started guide (pdf),
which has some diagrams that provide a good starting point, is essential reading.

There is also a 35 minute video which explains some of the basic technical ideas behind CheapID,
although its scope is far more limited than this paper.

The Civil Liberties Perspective


Another way to understand this paper is to look at how the system described in it would be used by
ordinary people doing everyday things. People like you and me.

This paper shows how we can manage large scale biometrics databases and increase the amount of
privacy we have from government snooping while still having a secure society.

The basic crux of this paper is that you can separate the biometrics database, which simply identifies
your physical body, and isn't necessarily any more intrusive than Flickr or any other online photo
sharing site, and the reputation database, which stores things like your credit rating, any criminal
record, and the suspicions of various government agencies about your intentions.

So when you do something like rent a car, you give them a token which has your face on it. They match
your face to the token, and say "ok, this token is valid." But the token doesn't have your name, or your
SSN, or anything else on it: it's totally sterile. But if you steal the car, they take the token to court, as
well as the proof you gave it to them, and the court uses the token to get your name, SSN and other
details.

If all that FBI or other government biometrics database stored was tokens, and it required a court order
to go from a match in the biometrics database to a name and street address, I think we'd have a fair
balance between civil liberties and security. A database of pictures of faces or fingerprints is not the
intrusive part: it's the connecting of your face or your fingerprint to your background that is the
intrusion, and we can separate the two databases and require a court order (and a crypto key) to
reconnect them.

Cheap DNA scanners are coming. We have to fix how we handle biometric data as a society before
they arrive.

Introduction
The Security/Stability/Transition/Reconstruction (SSTR) arena offers an opportunity to re-examine the
fundamental "business processes" of the State.
State In A Box (SIAB) is a set of interwoven concepts which relate to the idea of rebuilding the State
from the ground up, from scratch, on modern technological infrastructure.
Much of our thinking about the State derives from historical accidents like monarchy, gold and paper
ballots. The structures of our democracy rest on foundations built when travel was slow and before the
invention of public key cryptography. Taxation rests on a framework which predates credit cards and
electronic bank records. Security rests on organizational structures which are still recognizable from
Rome or Babylonia.
In the commercial sector, areas which have these kinds of deeply embedded but no longer valid
assumptions go through periodic restructuring. These processes of "creative destruction" re-optimize
the business processes, frequently by moving the divisions between one business and another through
processes like integration and disaggregation.
In government, short of the collapse of nation states, the pace of innovation is much, much slower.
It is my contention that this fact obscures one or possibly two orders of magnitude in cost and capital
savings in providing State services to citizens. The price paid for stability, in this instance, is
inefficiency.
However, in countries that do not even have stability, this inefficiency can scarcely be afforded. By
thinking about redesigning the structure of the State around modern technology, we may be able to
design a robust new technological infrastructure to run a State upon.
This effort is called State In A Box because the likely form factor of a deployable solution is actually
about 20 trucks, and State in About Twenty Trucks is somewhat unwieldy.
The Hacker Lowdown

In straight, one-hacker-to-another terms, here's what we've got.


Take a piece of paper. Print a digitally signed 2D bar code on the piece of paper. The bar code contains
a picture of the person, and an encrypted block of data which identifies that person to a court. To check
an ID, you take a picture of the bar code, and it displays an image of the person on the ID card.
A person carries a handful of these documents, each one bitwise-unique. They are used a bit like
business cards, but for transactions that need hard identity information, like car loans. You leave the ID
card behind you with each transaction - but all anybody can read is the image - and they saw that when
you walked in the door so no additional information is being revealed.
If there's a problem the document gets decrypted by a court, revealing who you are. If there's no
problem, it's like a cheque that is never cashed: the information about your identity sits there, inert and
unseen. This document is called a CheapID Identity Card. It's just a piece of paper; the brains are in the
crypto scheme.
To make this work you need to split a person's biometric and identity data apart. Nobody has ever done
that as far as I know, so this is a novel idea. We don't just split them between two government bodies,
but we split them so that the biometric data goes to the international level, and the identity data stays
where it is right now, with governments. To manage these interfaces we need standards bodies rather
like those that manage the internet.
We rely on a separation of powers to put the specter of unrestrained use of biometric data away,
permanently, if we can manage it. Good enough to get you started? This is long...
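The card flow described above (and in The Civil Liberties Perspective section) as an added example: a verifier can check the issuer's signature and see only the photo, while the identity block is sealed to the court's key and opened only there. This is illustrative code written for this page, not the CheapID demonstration code; the token layout, the use of Ed25519 for the issuer signature, RSA-OAEP for sealing to the court, and the `cheapid-demo` label are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// IdentityRecord is what the issuing state holds about a person. On the card
// it appears only inside the sealed block, which the court's key alone opens.
type IdentityRecord struct {
	Name       string `json:"name"`
	NationalID string `json:"national_id"`
}

// Token is the payload of one CheapID card (assumed layout, not the project's
// format): the nonce makes every card bitwise-unique, the photo is readable by
// anyone, the sealed block only by the court, and the signature binds them.
type Token struct {
	Nonce, Photo, Sealed, Sig []byte
}

// GenerateKeys makes the two key pairs the scheme needs: the issuing state's
// Ed25519 signing key and the court's RSA decryption key.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, *rsa.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	court, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	return pub, priv, court, nil
}

var oaepLabel = []byte("cheapid-demo") // assumed domain-separation label

// signedBytes hashes the length-prefixed fields, so no field boundary can be
// shifted without invalidating the signature.
func signedBytes(t *Token) []byte {
	h := sha256.New()
	for _, part := range [][]byte{t.Nonce, t.Photo, t.Sealed} {
		binary.Write(h, binary.BigEndian, uint32(len(part)))
		h.Write(part)
	}
	return h.Sum(nil)
}

// IssueToken makes one card: the identity record is encrypted to the court
// (RSA-OAEP; a fielded system would use hybrid encryption for larger records),
// then the issuer signs nonce, photo and sealed block together.
func IssueToken(issuerPriv ed25519.PrivateKey, courtPub *rsa.PublicKey, photo []byte, id IdentityRecord) (*Token, error) {
	plain, err := json.Marshal(id)
	if err != nil {
		return nil, err
	}
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, courtPub, plain, oaepLabel)
	if err != nil {
		return nil, err
	}
	t := &Token{Nonce: make([]byte, 16), Photo: photo, Sealed: sealed}
	if _, err := rand.Read(t.Nonce); err != nil {
		return nil, err
	}
	t.Sig = ed25519.Sign(issuerPriv, signedBytes(t))
	return t, nil
}

// VerifyPhoto is what the clerk's camera phone does: check the issuer's
// signature and return the photo to compare with the person present. It cannot
// read the sealed block, so nothing beyond the face is revealed.
func VerifyPhoto(issuerPub ed25519.PublicKey, t *Token) ([]byte, bool) {
	if !ed25519.Verify(issuerPub, signedBytes(t), t.Sig) {
		return nil, false
	}
	return t.Photo, true
}

// CourtOpen is the step that needs a court order and the court's private key:
// it reconnects a sterile token to the identity record behind it.
func CourtOpen(courtPriv *rsa.PrivateKey, issuerPub ed25519.PublicKey, t *Token) (*IdentityRecord, error) {
	if _, ok := VerifyPhoto(issuerPub, t); !ok {
		return nil, errors.New("issuer signature invalid")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, courtPriv, t.Sealed, oaepLabel)
	if err != nil {
		return nil, err
	}
	var id IdentityRecord
	if err := json.Unmarshal(plain, &id); err != nil {
		return nil, err
	}
	return &id, nil
}
```

Printing the token as a 2D bar code is left out; the point shown is that two cards issued to the same person differ in every byte, and that neither the verifier nor a holder of a different court key can open the sealed block.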

State in a Box and the Spectrum of Infrastructure


The Spectrum of Infrastructure (SOFI) reflects a different way of thinking about infrastructure systems
on both a nation state and local level.
Take electricity demand. You want light. In a conventional infrastructure setting, you buy a bulb, you
plug it into a standard fitting (even this standardization is an important utility function) and standard
electricity comes down the wire and gives you services.
On the other end of the wire is a trillion dollars and more of power plants, fuel supply chains, national
grid finance, building and maintenance and other essential systems working together to get you 110V at
60Hz AC.
Now consider another example: a tiny LED reading light that is powered by turning a handle for a few
minutes every three hours.
The problem solved is similar or the same: reading at night.
The SOFI is a way of understanding the architectures of service provision. On one axis there are the
essential and non-essential services we need, like water to drink and temperature control. On the other
axis, there are different styles and scales of infrastructure.
In a SSTR / HADR (Humanitarian Assistance and Disaster Relief) context, it may prove difficult or
impossible to rebuild service provision architectures towards the left hand (large, complex) side of the
SOFI. However, the systems on the right (small, simple) side of the SOFI may prove to be durable even
in a war because of their self-contained modularity.
The definitive resource for understanding the different scales and styles of infrastructure is Small is
Profitable from the Rocky Mountain Institute (http://smallisprofitable.org.) This book focusses on
electrical infrastructure but many of the same arguments apply to service architectures of all types.
State In A Box extends conventional thinking about infrastructure into an SSTR context. Much of
RMI's work on distributed infrastructure and infrastructure resilience applies directly to SSTR, of
course, but the RMI model applies mostly to energy and other "traditional infrastructure" service
provision models. SIAB considers financial services and a variety of services traditionally provided by
government as "infrastructure" largely to group them together with the other large complex systems
that must be repaired or have substitutes deployed in an SSTR context to successfully restore essential
services to a nation.
However, the further we extend into subtle services like "voting" the more we begin to push the
boundaries of the conventional use of the word "infrastructure." Can we really put a power station and
a ballot box on the same "to do" list? From the perspective of a citizen they may be equally important,
but we do not typically think of grouping the provision of those services together.
However, State In A Box does just that because there are synergies between unexpected areas of the
service architectures in SIAB that provide for accelerated roll out of normality in an SSTR context.
This paper only covers the Identity Services Architecture concepts in any real depth, but we will
examine the minimal household infrastructure package associated with the Hexayurt Project (one of
our HADR offerings) to give a concrete example of the Spectrum of Infrastructure concept in action.

The Hexayurt Project and Whole Systems Thinking


In 2003 I redesigned refugee housing and infrastructure systems using a process very similar to the one
which I am now applying to the fundamental structures of the State. The product of this process is the
Hexayurt Shelter System.
Infrastructure often defines what is and is not possible or economically effective. Modern decentralized
infrastructure such as solar panels can provide limited services without the rigidity, vulnerability and costs
associated with heavier weight centralized service architectures like power plants and gas terminals.
The Hexayurt itself is a cheap, lightweight shelter which is remarkable only because it is held together
with tape and is easy to field fabricate. There are a number of similar shelter systems in development
which are broadly speaking as functional.
The Infrastructure Package which goes with the Hexayurt, however, is unique and valuable. A
conventional home has six kinds of pipes and wires running into it to carry services: electrical lines, gas
lines, clean water in, waste water out, communications links over copper wire or fiber optics, and storm
drains. To this list can be added roads and wireless data services.
The Hexayurt Shelter System provides options for providing all of these basic services on a house by
house basis. For example, rather than providing a centralized gas plant and then running gas mains to
every $200 shelter, we use a wood gasification stove. This stove is an efficient design that burns wood,
dung, coal and many other fuels roughly 10 times more efficiently than an open fire, without producing
much smoke because the combustion is so complete. One stove per household effectively substitutes
for the centralized gas infrastructure and international gas transport system, as far as cooking and
heating needs go.
Similar approaches provide electrical light and power for small appliances, clean drinking water,
working toilets and perhaps even communications.
The bundle, in mass production quantities, including the house is likely to cost less than $500 per
household and may cost as little as $150 per household using local labor and vast economies of scale.
In an HADR scenario, the hexayurt-style settlements have some unique properties. Firstly, the quality
of life is likely to be much higher because all basic amenities are provided. Secondly, because these
amenities are provided at an individual household level rather than from large centralized resources like
a central power generator, and the homes themselves are designed to be easily transported, a large
settlement can be resettled, family by family, back to their original villages when stable conditions are
restored.
This new capability may help ease relationships between refugees and host nations by ensuring that
hosts are not stuck with large fixed settlements for years or decades after peace is restored because the
refugees have become dependent on the centralized infrastructure provided to them by HADR services.
Much of the redefinition of shelter and services which led to the design of the Hexayurt Shelter
System was done by the Rocky Mountain Institute, particularly at the Sustainable Settlements
Charrette.
Integrating various disparate aspects of a system to provide breakthrough performance or new
capabilities, like transportable infrastructure, is a design approach called whole systems thinking.
SIAB is an attempt to apply whole systems thinking to the nation state, in the hope of providing an
accelerated path to restoring nation state services during and after a crisis.

The Leapfrogged State


Leapfrogging is a term used in sustainable development circles to refer to phenomena like Chinese or
Indian villages getting their first telephone services in the form of cell phones instead of land lines.
Rather than going through the slow evolution of telephone services, from telegraph to manually-
switched copper and up through analog, digital and 3G services, these new generations of telephone
users simply get the modern systems without the precursors.
Leapfrogging is often efficient for sustainable development because the enormous capital costs of
developing these advanced technologies are disproportionately paid for by the competition to provide
new generations of services to the highly paying customers of the developed world. The benefits of
innovation are global, but the costs are mainly borne in the developed world.
A side effect of this phenomenon is that late adopters frequently wind up with much better services than
early adopters. In television, the European PAL standard reproduced color considerably better than the
earlier NTSC standard adopted in America. In broadband internet, the US customer has speeds around
5% of the average speeds found in countries like South Korea that came to the game late and invested
heavily.
The one area where leapfrogging encounters serious issues is traditional infrastructure like water
supply and electrical power provision. This is because little developed world money currently goes into
refining our solutions to these problems because the existing service provision architectures are
perfectly functional, albeit deeply influenced by the Victorian model of infrastructure. In the Victorian
model, large factories produce services, and pipes and wires carry the services to homes and
businesses. This is the model we use for drinking water, sewage, gas and electricity supply in the
developed world. Because solar panels or composting toilets did not exist, the Victorian model relies on
complex centralized facilities to provide the services which we can now provide at or close to point of
use.

Backporting to the Developed World


Backporting is a term used in software, and it has been re-applied to "reverse leapfrogging," where
leapfrogged technologies are re-imported from the late adopting nations back to the early adopters.
The hope of the State In A Box project is to produce a template for a new approach to statebuilding
based on leapfrogging and whole systems thinking. Together, these approaches may reveal a way to run
a functional State with new and unusual properties, including an unexpectedly high degree of stability
and resilience, for pennies on the dollar compared to traditional approaches.
SSTR provides a rare opportunity to re-examine the foundational concepts on which the state is built,
and re-examination of these fundamental processes reveals the same things seen when one re-examines
the electrical services provision architectures we use in the developed world: they are inefficient because
they are stepwise refinements of architectures that were created when science and technology were
dramatically less capable.
A fresh start allows us to design a new architecture based on full application of modern understandings
and capabilities. The leapfrogged state may be as different from conventional state architectures as the
jet plane was from horseless carriages.
It is my sincere hope that if the State In A Box model turns out to be useful, any aspects of it which are
suitable for backporting can be brought into service in the developed world.

Identity Services Architecture


Identity services architectures are commonly discussed in the context of providing single sign on (SSO)
services on the internet, and other identity management services. In the context of the State, there is
usually a duplication (or worse) of effort between private identity credentialing services and the State's
own systems.
State services like taxation, criminal justice and voting revolve around the idea of a person being
clearly identified. Indeed, the very boundary of the State is partially defined by a list of persons who
are members of that State.
Identity fraud at the State level is most typically committed by illegal immigrants and criminals who use
multiple State-issued identities to evade the controls at the borders of a State that are meant to prevent
unauthorized entry.
Identity theft indicates that our old approaches to providing identity backbone services are encountering
problems and are probably due for an upgrade. RealID, a proposed US Govt. standard for identity cards,
is one model for that upgrade.
In voter fraud, inaccuracies in the match between who is meant to be able to vote, and who actually
votes, can contribute to the perception of corruption and resultant loss of faith in an electoral process
- a major issue in fledgling democracies.
At a fundamental level all these services hang off an identity backbone - a centralized facility which
allows the State to identify internally to which one of its citizens a specific fact or credential pertains. In
the USA, this is the Social Security Number plus the associated authentication services infrastructure,
like driver's testing and licensing facilities.
The SIAB Identity Services Architecture is designed to be an expedient way of rebuilding this identity
backbone and enabling a troubled state to regain the ability to provide its citizens with identity services
in all their forms. By extending the scope of the traditional state identity services architecture, we hope
also to offer some additional leverage against international terrorism and civil unrest, and to foment
economic growth by providing identity credentials that are reliable enough to give confidence to financial
institutions.

Locality, Scope and Architecture


Business process re-engineering and software architecture often make a big deal out of locating
systems, processes and services at the right level in an architecture. A software architecture that locates
a critical process at the wrong architectural level can wind up with serious performance or reliability
issues. A business process can wind up uneconomic or unworkable if processes and especially decision
making are carried out at the wrong level, either too slow at the top, or without authority at the bottom.
The SIAB design gains much of its leverage from moving various aspects of the system either up to
higher, transnational levels, or down to extremely local levels. SIAB often pushes municipal services
down to the household or the individual, and national services up to transnational levels where the
international community can stabilize them.
Because we operate in an increasingly globalized world, bodies like international standards committees
exert an increasingly large degree of international influence on the activities of individual nation states. At
a technical level, standards like the internet protocol are default realities for every government on the
earth, and they have no direct control of those standards. Access to the international services requires
conformity to international standards.
This has massive advantages for all parties. A close parallel is the VISA system, which was formed
after years of failure to get banks to agree on how to allow customers to make electronic payments
across bank boundaries. VISA relocated the problem from being a massively interconnected mass of
agreements between individual banks to creating a new body, in which all participants had some
influence, but which was immune to capture by any individual group. This new body set the standards,
operated the agreements and did the branding of what became VISA. This was in essence an
architectural solution. The problem which was insoluble at one architectural level, that of bank-to-bank
agreements, became profitably soluble when it became bank-to-VISA agreements.
Likewise, SIAB and particularly the Identity Services Architecture relies on locating problems at the
right architectural level to provide clean solutions. Some aspects of the problem are best handled by as-
yet-non-existent international bodies. Others are handled by commercial infrastructure, particularly
those parts of the system which exist to absorb risk.
The ISA, like the hexayurt, relies on a few small enabling technologies. In the case of the hexayurt, the
enabling technologies are industrial box closure tape and individual systems in the infrastructure pack,
most of which rely on small scientific insights and basic engineering. The performance of the whole
system greatly exceeds the sum of its individual parts because it fulfills all the basic requirements for
infrastructure, and therefore gives the solution new attributes - transportability and scalability.
If the Hexayurt Infrastructure Package did everything except one critical piece that required centralized
infrastructure, we would not get those new capabilities. Everything has to work together to get
breakthroughs in capability.
The ISA is a whole systems thinking solution to providing an identity backbone just as the Hexayurt is
a whole systems thinking solution to shelter and household infrastructure. State In A Box as a whole
requires a myriad of other components, each designed as a whole system, and also designed as a
component of a larger whole system, the State itself.
The ISA also draws inspiration from the structures of VISA and the Internet in terms of how
operational processes cross organizational and jurisdictional boundaries, and also various architectural
levels of the system to effect jurisdictional arbitrage. Processes which are impossible in one jurisdiction
are easy in another, and control of the system and division of power within it is carefully balanced
between architectural levels and stakeholders.
The design of systems like this is known as chaordics and is a field pioneered by Dee Hock, the
architect of VISA. ("The Birth of the Chaordic Age" gives more details.)

Fusing Technology, Politics and Law


One of the historical accidents which contributes to our current muddles over identity is the historical
separations between technology, politics and law. In prior ages technological progress happened at a
pace which broadly speaking matched the ability of governments and courts to keep up. Technology
was largely contained and managed by political and legal concerns. Law and policy acted as brakes on
change.
Now the situation is different. Technological progress is outstripping the ability of governments to
make accurate policy on all fronts, and the courts are repeatedly mishandling cases with a technological
component so badly that they look ridiculous. The entire arena of software patents is a quagmire caused
by using 200 and more year old conceptions of the role of law in an arena with entirely different
dynamics.
The future is a foreign country. If the social values which we respect are to live in that country there
needs to be an almost diplomatic process by which relationships with the ways of the future are
established in the present and emigration to the future done with as few losses as possible. This sounds
abstract but it has acute practical implications.
The market is inevitably bringing improvements to our current basic systems. Some improvements are
linear and others discontinuous. Computing power gets cheaper, disks get larger, and once in a while
radical new technologies like cheap video projectors come along. We assume that the slowest part of
the systems is the State's ability to use the available technologies effectively, and to plan and respond.
Technology marches forward, and the State plays catch-up, trying to effectively port concepts about
society forwards on to the new substrate, layer by layer.
This embrace of constant change, of constant progress in technological capability, against the
apparently relatively static background of natural laws and human nature is a radical new condition
against which all national governments must function. Being 5% faster than the Soviets was enough for
the USA to win the Cold War. It is not fast enough to maintain the integrity of American society as we
move ever faster into the future.
Development is usually thought of as being about how we export the present (cell phones) and the past
(plumbing). But SIAB is about exporting the future - a set of systems that our own bureaucratic
incapacity is likely to make impossible to adopt domestically may still turn out to be the best match
between available technologies and human welfare. SIAB is "exported leapfrogging." Perhaps we can
learn to learn better from smaller and less stable societies as they leapfrog their basic infrastructure, and
step firmly away from governmental protectionism of social constructs which are now untenable due to
technological change.
We have to face the probable reality that the most technologically advanced societies on the planet will
soon be the societies that came last to the table, spent their scarce capital on the most effective
technologies yet produced, and reap the benefits in increased leverage for their dollars of capital
invested. By strategic trail blazing through this new technological landscape, we can affect the course
that these societies will travel, simply by making our preferred options available more reliably, cheaply
and easily than other, less preferable options.
The developed countries of the world would rather that the Global Poor did not all drive cars as soon as
the option becomes available, for three reasons: fuel availability, environmental concerns, and land use
problems due to urban sprawl. Yet how much work do we do on making sure that the most advanced
engineering goes into making better bicycle designs for the developing world?
Our policy objectives and our technological development pipelines are currently at two different
architectural levels in government. Is that an accurate and effective model any more? We attempt to
police proliferation of some technologies, like cryptography, super computers and weapons
technologies.
On the other hand, do we attempt to consciously foster adoption of technologies which are supportive
to goals like reducing global environmental impact? We have restriction of what is bad, but no political
capital invested in active promotion of what is good, as far as technology goes. This is irrational in a
technological age.

Bridging Technological Activism, International Relations and Business Process Re-engineering to Create the Just Future


The technologies outlined in this paper are relatively simple combinations of existing off-the-shelf
systems, put together to create an Identity Services Architecture with radical new properties. It is a
whole system.
The individual system components are vastly more complex and sophisticated than, say, a wood
gasification stove. But these individual software or hardware systems are, to those skilled in the
relevant arts, off the shelf items or will be in the two or three years it is likely to take to begin serious
work on the global build out if the scheme is adopted.
You only get whole systems performance if every component is right. Omit the water purification
technology with the hexayurt, and refugees remain tied to their new clean wells and cannot return home
without losing access to clean drinking water.
Similarly, a single broken subsystem within the ISA will produce a working system, but it will not
achieve the breakthroughs in privacy and security that will allow the system to compete in the free
market, and thereby get the leverage required to effect a global transformation in how identity services
are provided by government.
In the hexayurt, all of the pieces of the whole system are at the same architectural level - they are all
bits and pieces of equipment which can be thrown in a truck and unpacked to form a whole. This is a
convenient and easy situation. Everybody involved in the design is basically an engineer.
The Identity Services Architecture is not like this. It is a whole system comprised of parts which are
radically unlike each other, as different as international agencies and strange little bits of software
which run on camera phones. A whole system with parts from different architectural levels is an
extremely hard case because it requires such a wide variety of different people to work together to
make the entirety function as intended. Compound this by the internationalism required to get the
global solution that is the payoff at the end of this process, and it is unlikely to be possible to
implement this system successfully in any kind of coordinated fashion.
This is not to say the system is unimplementable, however. It just means that the traditional approach to
development is unlikely to be effective.
How, then, to build the Identity Services Architecture?
VISA and the Internet are two global systems which function as whole systems, and are comprised of
diverse actors united through standards organizations, supported by private companies out of intelligent
self-interest. These commons are incredibly important because the value of the network increases
rapidly with the size of the network. This network effect enables multi-party, cross-level cooperation
because it is in the interests of all parties for the system to work and any steps against that goal are
suppressed by all other parties, and by the marketplace (i.e. collective free will) itself.
This likely means that only a commercial implementation of these systems has any realistic chance of
success. It is extremely notable that large international network-based service architectures like VISA
and the Internet are watched over by states, but not operated by them.
Because of the security aspects of the ISA, governments must be involved. Because of the financial
services aspects, private companies must be involved. Think of it as a system that complements and
extends the VISA payment architecture (and its rivals and descendants) and the Internet - a third leg
in the tripod of global interconnectedness technologies: communication, trade and identity are natural
partners.
The hope is that the SIAB-ISA can be incubated within the SSTR arena while the technological
substrate is built. Once the basic tools are available (and, as stated before, they are COTS technologies
for the most part,) it may be possible to begin to build the framework of alliances necessary to take this
simple and direct approach to solving the liberty / security / privacy equation and turn it into a global
solution to the dangerous mismatch between technology and policy in the arena of personal and
government identity management.
Technology is policy. Biometrics is far too dangerous a technology to be allowed to develop in directions
that thwart broader policy goals like civil rights and personal freedoms.

Enumerating the Stakeholders


Earlier presentations of this system marched directly on to the technology and tended to leave people
somewhat lost. I apologize for further preamble, but it is necessary to correctly contextualize the
relatively simple technological core.
Like VISA and the internet, the SIAB-ISA is relatively simple at a technological level. However, the
genius of VISA and the internet lies in the governance structures that allow disparate parties to work
together. The same technologies with a rigid hierarchical control structure would likely never have been
adopted. The governance framework is inseparable from the technology. These are whole systems.
The stakeholders who must be represented at the governance level of the ISA are:
Private Individuals
Transaction Coparties (those who sign contracts, like utilities)
Infrastructure Providers
Banks and other Conventional Financial Service Institutions
Microfinance Institutions
Global Powers
Small Nation States
International Policing Bodies
Non-Governmental Organizations
New Classes of Business which arise from the ISA
This diversity of stakeholders is not surprising because we are dealing with an infrastructure system.
Imagine how long the list of stakeholders is for the electrical supply system, for example.
An easier approach, then, is to divide the stakeholders into four architectural levels: international
bodies, governments, companies and individuals.

International Bodies
The ISA envisages two interlocking international bodies that collaborate with governments and other
international bodies to operate the highest level parts of the system. One of these entities is modeled on
the standards bodies of VISA and the Internet, and the other is akin to Interpol, or some of the nation-
state identity databases that include significant data on non-citizens.
The first body is the ISA Standards Board. It manages selections of basic technologies like which 2D
bar code standard, what image compression format, which digital signature algorithm and other basic
technology selection choices. This body is for technology.
The second international body is the International Phenotype Database. The International
Phenotype Database maintains an identity record for every single human being enrolled in the system,
and possibly eventually for every human being alive. The majority of the work in this paper goes into
ensuring that this Leviathan is blind and helpless without the active support of individual nation state
governments.
One critical detail is that the International Phenotype Database stores only biometric information: no
name, no reputation or criminal data or any other fact is stored in this database. It is made to check if a
person is in the system already, and if they are, to indicate an ID has already been issued. Other than
that, the database is essentially useless. It is like a sea of faces and fingerprints with no context or other
added value. Not even names are in the system.
The architectural firewall separating the biometric information in the International Phenotype
Database from the reputation and identity information stored by the National Government is a key
innovation. The National Court System is the only entity in the ISA which has the capability to
reunite biometric data with identity data to convict or exonerate a person.
Both of these entities are expected to deal politically mainly with Global Powers and other
international bodies like the UN.

Governments
To gain any credence at all, the ISA has to be endorsed and initially operated by at least one Global
Power. Given that we are discussing what is essentially commercial infrastructure with an identity
foundation, there are probably five or six possible implementors, including of course the USA, the
European Union, and some of the larger trading partnerships.
Global Powers do most of the talking about technical standards, and operate the International
Phenotype Database at a technical level. They pay most of the bills for that service and reap the most
tangible security benefits, much like the Internet and VISA are useful to everybody, but mainly
governed and paid for by G20.
Other Nation States can operate in one of two ways. Firstly, they can choose to allow their citizens to
get an ISA identity if they wish to. Secondly, they can merge their own identity infrastructure with the
ISA identity infrastructure, and rely on the International Phenotype Database to issue IDs from.
What kind of states would do this? Poor ones.
The issues here are similar to the issues of pegging currencies to one another, or the adoption of
international currencies like the Euro. Complex arguments are made for all points of view, and the
entanglements of sovereignty and convenience make for rich debate. There is no uniformity in these
issues across nation states, but rather a landscape of response to perceived opportunity and risk. A
critical feature is that the ISA comfortably functions with this degree of adoption diversity.
One of the critical features of the ISA scheme is that it accepts states with a sharp division of powers
between Courts and Governments and is therefore compatible with the American model, although it
does not require it.
The majority of the routine contact between the International Phenotype Database and the citizens of
a country is mediated by the National Court System.
National Governments make the agreements.
National Court Systems implement them, and in cases where there is no division between the two, the
system operates without disturbing those pre-existing equilibria.

Companies
There are four classes of company involvement in the ISA.
Technology Vendors implement international standards for private companies and governments.
Contract Co-parties rely on the identity backbone to reduce their contract risks when dealing with
individuals and companies.
Financial Services Institutions rely on the identity backbone to satisfy Know Your Customer and
other legal requirements while the privacy features of the ISA protect their customers from unwarranted
intrusion into their personal lives.
Professional Witnesses offer contract signing services, including (in some implementations) access to
a secure and reliable electronic voting infrastructure. An individual presents a contract to be signed, and
the Professional Witness essentially notarizes the assent to the contract and verifies the person
presenting against the individual's biometric ID. These companies absorb misidentification risk by
indemnifying Contract Co-parties from losses associated with the Professional Witness making a
mistake by mistaking one person as another in a contract signing situation. Note carefully that the
Professional Witness is verifying the Phenotype of the person signing the contract - their physical
body - but has no access to name or other information.
Consider the example of a car lease. Suppose you present a Professional Witness with a car lease you
want to sign and a copy of your ID. First the witness matches you to your ID to make sure it is you.
Then the witness records your assent to the contract, and signs the lease on your behalf, escrowing
identity credentials with the National Court System in the process.
Suppose that the lease is unpaid, and upon investigation it is discovered that it was not you who signed
the lease but an unknown identity fraudster who defeated the Professional Witness systems with the help
of a member of their staff. The Professional Witness is liable for all associated costs to you, to the car
lease company, and any additional injured parties because they made a professional error.
Professional Witnesses must bear the full burden of proof in all cases. It is up to them to prove that the
person they say signed a document actually signed it, and they are responsible for presenting
incontrovertible evidence to this effect. Professional Witnesses have a peculiar exposure to risk: they
are liable for the costs of a crime (identity theft) and are also witnesses to the fact a crime has been
committed. Only a strong judicial system can keep them honest. Otherwise, Professional Witnesses
will rapidly become corrupt, unreliable, and the systems will fail because of the misalignment of their
incentives and the whole system requirements. They will start to present shoddy evidence, and the
system will collapse.
In this scheme, the needs of the Professional Witnesses for reliable identification are the primary
drivers for biometric security standards because they are the ones with the primary exposure to
pervasive misidentification risk. By collecting all of the misidentification risk in the system in a single
location in the architecture, we create the financial incentives to hire engineers to keep the systems
secure.

Individuals
Individuals come into contact with the ISA in one of three contexts: voluntary, default and
compulsory use of the system.
Voluntary use is where the ISA services are offered perhaps as an aid to doing international business,
or in a context like getting a permit for entry to a foreign country. An oppressive system will not get
used as people would rather avoid the activity than submit to intrusive identification.
Default use has more implications. Perhaps one needs an ISA-type identity to get a passport, or the
ISA-type identity is your passport. Perhaps it is required for opening a bank account, or for driving.
Sufficiently motivated and desperate people can avoid the net but almost nobody will choose to do so.
An oppressive system could well be used even by people who hate it.
Compulsory use is quite simple. You have an ISA-type ID or you go to jail.
The only reason that I can write this paper is because I believe that the ISA scheme proposed is the
least bad of the available options for managing biometrics. I believe that, in the long run, security in the
21st century is going to critically revolve around actually knowing who people are and that, in fact, we
can no longer afford to have nameless, faceless people shuffling around the world as human traffickers
move them across borders, or as international terrorists move around the world as if the nation state did
not exist.
Hence the goal is to create a system which, even if it becomes compulsory in a few generations' time, is
not oppressive. We work not for today, but for our descendants in seven generations or more.
This is due prudence. Financial instruments like cheques have been in circulation far longer than that.
Concepts like interest on loans go back even further. Design decisions made casually by engineers
working on the internet protocol will likely affect all digital systems built from now until the end of
foreseeable human culture, if only through enshrining architectural distinctions embedded in the OSI
models through generation after generation of culture and language.
If this seems unrealistic, consider that the distinction between "organic" and "inorganic" chemistry is a
historical accident caused by the supposed impossibility of converting inanimate materials into any
compound found in organic life. That barrier was crossed nearly two centuries ago by the synthesis of
urea, but the divide created around it remains to this very day in university departments, language,
terminology, technology and culture among chemists.
We have to be sure that any system we are architecting with intentions of global effect is something
that the future can live with because success is always an option. But success is no proof of quality,
only of immediate fit and timing. We must strive for excellence, particularly in the political aspects of
this system: if the system is adopted, some of the abstractions it is built on may last hundreds of years.
In short, whatever model of the Rights of Individuals we choose to enshrine in these systems may
become the laws we, or our descendants, must live under.

The Exercise of Individual Rights through the ISA


Where do we find a template for thinking about the Rights of Individuals in the context of designing
biometric infrastructure?
Why, back to the Framers and the historical thinkers on Liberty, of course. It is necessary when
designing technologies with such massive political implications (if they succeed) to consider the
political levels explicitly at every major turning point to make sure that we have not designed a system
for freedom, and accidentally engineered one for compliance.
The watch word must be "would you be comfortable with your own children and grandchildren living
under a system of the kind we are working on?" If the answer is "no" the system must be improved or
abandoned, and certainly you cannot ethically support it.
I would suggest that the ISA must implement technological versions of three fundamental rights. They
are
The Right to Privacy - The system should protect an individual from being identified except by
legally appropriate powers. This right has to be extended using public key cryptography and other
techniques to counterbalance the extensions in surveillance possible through biometrics, databases and
network monitoring.
The Right to Identity - This is analogous to the various discussions of rights to a citizenship without
necessarily requiring a nation state implementation. For instance, perhaps an NGO could be authorized
to issue ISA identities in instances involving stateless individuals, giving them an identity without a
citizenship.
The Right to Anonymous Free Speech - A combination of the right to privacy and the right to free
speech. One of the natural consequences of the ISA is the capability to generate single sign on accounts
for use on the Internet. Additional architectural levels are required to protect people's right to speak
anonymously, while also preserving the recoverability of hard identity information when addressing
hard cases like child pornography and international terrorism. If we do not build in these protective
architectural levels from the start, states which opt for the compulsory approach to adoption will face
human rights issues from the start.
It's important to understand that these rights are not granted by the system, but recognized (in the grand
fashion) as being inherent within the individual. Although governments may choose to implement
systems compatible with the ISA standards and protocols in such a way that their citizens are deprived
of these rights, it would behoove free governments to be prepared to use considerable political leverage
to ensure that such an approach is at least penalized, and preferably outlawed.

Architectural Location of Rights


In the ISA system, rights are located in at least five locations. Firstly, they are present in the documents
which frame the system including this document. Secondly, they exist in the technological substrate of
the system, particularly how information about a person is scattered across architectural levels to
protect people from the system as a whole (hopefully.) Thirdly, the emphasis on the participation of the
court system ensures some protections in at least some nations. Fourthly the ability for third parties to
absorb risk and issue cryptographically secure identities allows people to veil the identity of another
person if they are willing to take responsibility for doing so. This is a key principle. Finally, the fact
that this system is being developed in an American context and from a theoretical base close to
fundamental American political theory increases the odds of conscientious implementation at every
level, guaranteeing a fifth level of protection. Getting biometric digital identity wrong ushers in some
extremely unpleasant possibilities, including global totalitarian control of people from morning to
evening through a mix of ubiquitous computation and radio frequency identification (RFID.)
For this reason alone this work exists: to bar the gateway to biometric totalitarianism by presenting a
better option in the public domain.

A Final Word on Rights


At a realpolitik level, getting a healthy and private global identity infrastructure in place is going to
require something approximating a miracle. Fighting non-state actors of various kinds is hard without
the ability to definitively identify and locate persons, but the risk of enabling and empowering
totalitarian regimes is so great that getting the necessary levels of international cooperation in the
places where it counts (the Gap) is nearly impossible. We need new approaches based on the most
advanced technology available, be it biometrics or our fundamental politics.

System Design
In a whole systems thinking context, the performance of the system as a whole is ensured by designing
not just the components of the systems, but by carefully working to understand their interactions. In
this sense, object oriented programming and database architecture are close relatives of whole systems
thinking.
Fortunately the individual components of the SIAB-ISA are relatively simple to describe, although
some subsystems contain considerable technological complexity.
The deliverable is an Identity Services Architecture which supports an identity standard called
CheapID. CheapID is designed to be the cheapest and most robust possible personal identity card.
We will briefly examine three core technologies, then move on to detail the system as a whole, working
towards the CheapID towards the end of the paper.

Biometrics
Briefly, we assume four or five levels of biometric identification of a human being, ranging from a
simple picture like a passport photograph through to a complete set of biometrics perhaps even
including a DNA sample.
The basic CheapID Identity Card envisaged later on contains a digitally signed picture of the person.
Optional higher security credentials would include increasingly large amounts of identifying biometric
information, often encrypted so that it could only be read by authorized parties.
I believe it is important that system enrollment uses a full set of biometrics, in some implementations
even including DNA, because the consequences of having a single individual with two or more
globally recognized ISA identities are extremely serious. The strong protections we generate for
privacy and free speech rest on our ability to absolutely pin down individuals who abuse these
protections by, for instance, committing acts of terrorism. A person with two identities can do
something horrible under one identity, then slip away under another. The system must be robust enough
to compete in the policy marketplace and displace other candidate systems with less protection for
human rights.

2D Bar Codes with Digital Signatures


2D bar codes can store digital information in surprisingly large quantities, up to around 3Mb on an 8.5"
x 11" or A4 sheet of paper. Writing such bar codes is simple and economical: laser or ink-jet printers,
label printers and card printers are all reasonably cheap.
Reading back data from these bar codes can be done in one of three ways. The simplest, cheapest and
slowest is the flatbed scanner as found in any office. Cheap models are well under $50. Resolution is
excellent (well above 300 DPI) and bar codes read this way could likely be at close to full theoretical
data density. Of course this currently requires a computer to be present at the station.
Next there are commercial 2D barcode readers. Most of these systems are designed for relatively small
data sets - a few hundred to a few thousand bytes at most. Many of these systems are designed for
extremely high speed operation which leads to a different set of design criteria than are ideal for high data
density. However, there are many vendors and a good deal of variety in available commercial readers.
Finally there is the humble camera phone or computer-connected camera. This is the likely workhorse
of common CheapID transactions. The best of the current generations of camera phones are capable of
capturing enough data from their cameras, and have sufficient processing power to get just under 600
bytes back from a single image using standard black and white bar codes. Non-standard color systems
may triple that data density.
The limitations are largely optical. Many camera phones do not have a "macro" capability for the
necessary detailed close ups of the ID card, or have a focal length of around one meter. As a result an
identity document, even on Letter sized paper, fills only a small part of their field of view and so very
few pixels are translated into data. However, given a camera phone that has a good close up camera
mode it may be possible to extract significantly more information from CheapID Identity Cards.
One of the critical distinctions between CheapID and simpler approaches to identity is that in CheapID,
the identity card contains a variety of fields, each of which may be signed and optionally encrypted by
a different party, all within the broad standard of the ISA. The complexity of the international
agreements and so on is reflected all the way down into the identity documents and the legal process
that produces them.
Dependence on network infrastructure and centralized identity databases is greatly reduced because
certifications of facts like "of drinking age" or "has driving license" are stored encrypted on the card
rather than pulled in over the network.
The technology naturally supports this outcome, unlike approaches like RFID-based identity
documents that more or less require constant central database access to turn the ID number on the
RFID tag into meaningful information about the person in front of you.
In the long run, it may be that the 2D barcode aspect of the CheapID system is temporary. Better local
data exchange mechanisms are certainly being worked on, although perhaps not less expensive ones.
However, the conceptual and legal framework embedded in each card may turn out to endure
through many successive implementations.

Court Escrow
The Identity Services Architecture revolves around Court-like entities that manage private keys for
encrypting and decrypting identity information under legal (or other) authority.
Security in the system comes from the completeness of the records in the International Phenotype
Database. Privacy comes from the architectural separation of that biometric data and the identity and
reputation data held by nation states. Although a court cannot request the release of biometric identity
records for its own use, it can submit biometric evidence to the International Phenotype Database
and request a search. Such a search can pair evidence with an identity record, but the court cannot
simply pull records from the International Phenotype Database. It can search and get identity
information back in results, but not request biometric information directly.
Only the court can take an encrypted CheapID Identity Card, and recover fields like the individual's
name or their government-issued identity number, if one exists. These fields are private even from
police in most cases. This allows these cards to be used for many purposes that a less private identity
card could not be used for. The common practice of matching a face to an identity card, but not being
able to recover any additional information about the individual without a court order, is the key novel
transaction in our system.
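The two ideas just described, a card made of separately signed and optionally encrypted fields, and the court-escrow transaction in which a reader can match a face to a signed card but only the court can recover the name, are sketched below as an added example in Go. This is not the CheapID demonstration code: per-field Ed25519 signatures and RSA-OAEP escrow to the court's key are this example's choices, not selections made by the ISA Standards Board, and the field labels, the holder's name and the "of drinking age" value are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Field is one entry on a CheapID-style card. Each field carries its own issuer
// signature, so a court, a registrar or a licensing body can each vouch for one fact.
type Field struct {
	Name      string
	Escrowed  bool   // true: Value is ciphertext that only the court's escrow key opens
	Value     []byte
	Signature []byte // ed25519 signature over canonical(field)
}

type Card map[string]Field // the fields that would be printed into the 2D bar code

// canonical is the byte string that is signed: netstring-style length-prefixed
// name, the escrow flag, then the raw value, so fields cannot be confused.
func canonical(f *Field) []byte {
	head := fmt.Sprintf("%d:%s|%t|", len(f.Name), f.Name, f.Escrowed)
	return append([]byte(head), f.Value...)
}

// SignedField is a clear-text fact (for example the photo hash) any reader may check.
func SignedField(name string, value []byte, key ed25519.PrivateKey) Field {
	f := Field{Name: name, Value: value}
	f.Signature = ed25519.Sign(key, canonical(&f))
	return f
}

// EscrowedField seals a private fact (name, national ID number) with the court's
// RSA-OAEP public key before signing, so only the court can read it back.
func EscrowedField(name string, plain []byte, key ed25519.PrivateKey, court *rsa.PublicKey) (Field, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, court, plain, []byte(name))
	if err != nil {
		return Field{}, err
	}
	f := Field{Name: name, Escrowed: true, Value: ct}
	f.Signature = ed25519.Sign(key, canonical(&f))
	return f, nil
}

// Verify is the camera-phone step: anyone can check a field against the issuer
// key they expect, and an escrowed field yields nothing but ciphertext.
func (c Card) Verify(name string, issuer ed25519.PublicKey) (*Field, error) {
	f, ok := c[name]
	if !ok || !ed25519.Verify(issuer, canonical(&f), f.Signature) {
		return nil, errors.New("missing or badly signed field: " + name)
	}
	return &f, nil
}

// Open is the court-only step: verify, then decrypt with the escrow key (a clear-text field fails OAEP).
func (c Card) Open(name string, issuer ed25519.PublicKey, court *rsa.PrivateKey) ([]byte, error) {
	f, err := c.Verify(name, issuer)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, court, f.Value, []byte(name))
}

type Demo struct {
	Card     Card
	CourtPub ed25519.PublicKey // published by the National Court System
	RegPub   ed25519.PublicKey // published by a separate civil registrar
	Escrow   *rsa.PrivateKey   // decryption key held only by the court
	Photo    []byte            // hash a reader recomputes from the printed photo
}

// BuildDemo issues a card from constructed sample data: the court signs the photo
// hash and escrows the name; a different party signs the drinking-age certification.
func BuildDemo() *Demo {
	courtPub, courtSign, _ := ed25519.GenerateKey(rand.Reader) // fails only on a broken RNG
	regPub, regSign, _ := ed25519.GenerateKey(rand.Reader)
	escrow, _ := rsa.GenerateKey(rand.Reader, 2048)
	photo := sha256.Sum256([]byte("constructed stand-in for the card photo bytes"))
	nameField, err := EscrowedField("name", []byte("Jane Doe (constructed)"), courtSign, &escrow.PublicKey)
	if err != nil {
		panic(err)
	}
	card := Card{
		"photo_sha256":    SignedField("photo_sha256", photo[:], courtSign),
		"name":            nameField,
		"of_drinking_age": SignedField("of_drinking_age", []byte("yes"), regSign),
	}
	return &Demo{Card: card, CourtPub: courtPub, RegPub: regPub, Escrow: escrow, Photo: photo[:]}
}

func main() {
	d := BuildDemo()
	name, err := d.Card.Open("name", d.CourtPub, d.Escrow)
	fmt.Println("court recovers:", string(name), err)
}
```

A reader holding only the published signing keys can confirm the photo hash and the registrar's certification, and can see that a name field exists and is genuinely signed, but learns nothing about its contents without the court's escrow key.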

A Brief Recap
Before we wade into the guts of the system design in detail, let us briefly recap.
The goal is to produce an Identity Services Architecture which provides a nation state level identity
backbone that has some interesting new properties, and that is broadly speaking affordable. One of
these properties is being able to uniquely identify individuals.
The goal beyond that goal is to re-implement the fundamental processes of the nation state on a modern
technological base, with the objective of reducing the overhead of running a state by 90% and steering
the way that other states adopt information technology in their own operations by providing a worked
example in an SSTR context. We propose that by doing so we can cut "canyons" through the cost
landscape in the areas where useful and rights-protecting technologies lie by paying the costs of R&D
and early adoption, and thereby steer other nations away from implementing biometric totalitarianism,
which we regard as an ever-present threat.
Because we are consciously attempting to re-engineer the processes of the nation state, the political
considerations are not secondary to the system but integral to it at every level.
Biometrics are not morally neutral technology.
Correctly applied cryptography can counterbalance most of the negative effects of biometrics while
preserving their most useful properties.
At the heart of this system is a cryptographic schema for implementing an international, cross-
jurisdictional legal process for managing personal information securely, with appropriate levels of
individual protection, while recognizing that many states afford their populations less freedoms (or
freedoms of a different type) than the American system. We must honor local diversity in order to
create an internationally interoperable system.
Finally, there is one technological gimmick which sits at the heart of the system: printing everything
needed to identify a person on a digitally signed 2D barcode and reading it back with a camera phone.
That's a technology with a relatively short life-span. There are twenty years at most before it is replaced
with something better.
The durable component of the system is the scheme for managing personal information, not the "hack"
for getting it to be cheap in the here-and-now.
This gets pretty involved, so try to put yourself in the political position of each entity in the process.
My assertion is that the system works well for every constituent entity in the system and therefore is
viable, once established. I may be wrong, but this is the reason I believe that this system is workable
while most other proposed schemes are not. A system without losers can usually out-compete a system
with winners and losers.

The International Phenotype Database


The International Phenotype Database is the only entity in the ISA that has access to biometric
information in bulk. No other entity - not national court systems, not governments, not private
companies, not individuals - is empowered by the ISA scheme to hold personal biometric
information. This entity is a singular planetary repository for biometric data. As such it is about the
most dangerous entity on the planet from a civil liberties perspective, and is expected to be under
constant political pressure from totalitarian forces.
Remember that the keystone of the ISA is that this database does not contain names, biographical
or reputation data about persons. The only tie between the biometric data in the phenotype database
and the biography of the individual in question is an encrypted unique identifier operated by the
National Court System of that individual. And even that court does not have the right to retrieve
individual biometric records, only to search the database to bind pre-existing biometric information
relevant to an investigation to an individual. If this rule is broken, the system collapses into
totalitarianism very easily.
To understand this risk, examine minor areas where we see just how much power lobbying groups can
have over international policy. Consider the so-called "copyright lobby" and how their desire to
maintain the current status quo on intellectual property works its way into international treaties under
the auspices of groups like the World Trade Organization. The copyright lobby is fighting for the past
and is willing to sacrifice the future to get there, and they are succeeding in several key areas, although
the measures being taken are perhaps becoming increasingly repressive in the manner of entities falling
out of history. Digital Rights Management technology threatened to restrict the freedom of speech of
digital technology users in the name of protecting business models that were designed around the same
time as the printing press. How much more serious is the threat from the combined might of the national
security groups of many nations?
The threat to the integrity of the International Phenotype Database is pressure from abusive
governments, corrupt secret services, international mafias and every other power-grabbing totalitarian
agenda on the face of the earth. Everybody who wants control, everybody who wants to fight the
future, everybody who is (rightly) scared of biometric technology in the hands of totalitarian regimes
collects in one place and fights for control, some pulling for commercial interests, looser privacy
standards, the others fighting for individual rights. This is the obstacle to creating the International
Phenotype Database.
To solve this problem we must rely on the formation of a trans-ideological consensus on identity
management. When the engineering and policy are sufficiently advanced, it is possible for all sides to
agree that the proposed solution is right. In such cases the proposed solution is hardly ever understood
as having been a negotiable policy decision, but is more usually simply seen as being "how the world
works."
Good examples of this are: paper currency, numerical telephone numbers, energy efficiency.
Nothing which is not extremely flexible and sophisticated will get past this gauntlet of public opinion
and private fear: it is the primary roadblock to overhauling the global identity services systems, and
applies to all candidate systems. Maybe SIAB-ISA is good enough. Probably not, though. It may have
insufficient assurances of privacy.
Without a mandate from a group of rights-respecting military powers with the capability to defend the
International Phenotype Database from corruption and coercion the scheme is simply inoperable.
Institutions with little respect for fundamental human rights cannot operate a system like this, and
precious few of the governments of the world take human rights seriously at the level required to make
this scheme operable. But there is one very large encouragement for such a combined effort to institute
the system described.
To get the greater security which a global biometric database gives, you must give the greater
liberty which comes from that database being well managed by institutions that the global
population can trust with their very lives, and those of their children for untold future
generations.
With sufficiently refined engineering, Security and Liberty are not enemies. By recognizing the
individual right to privacy, a deal can be struck between governments and their respective people that
will result in a way to adopt biometric technology in a beneficial way. One way of thinking about this is
to say that Security + Privacy = Liberty.
The repository of that rights-based idealism is the International Phenotype Database.

Jurisdiction
The International Phenotype Database is an international body that exists initially by fiat. In order
for the system to be trusted it is operated by an international technical coalition including a reasonable
number of representatives from nations who do not trust or like each other. The balance of power at the
heart of the system is that each nation state group cooperating to manage the system is doing so
partially to protect its own citizens from unwarranted surveillance and monitoring from the security
forces of the other groups present. Because any country can run searches against the database on an
equal footing, there is a strong incentive for every country to restrict the database to its due bounds,
simply to protect the privacy of their own citizens.
To attain this kind of balance of powers, the system must be simple, transparent and auditable, and
groups like Amnesty International should be able to review or even help operate the system.
The parallel with VISA is that banks are competitors who had to learn to cooperate to get an
international payment system working. The mutual tension around protecting the biometric privacy of
your citizens from The Bad Guys Over There (i.e. national rivals) applies to all sides equally, and
maintains the integrity of the system.
There is no parallel with the Internet because the Internet has no fundamental competitions at its heart.
Peering issues between backbone providers are the closest analogs, and are a poor fit.
The treaties under which the International Phenotype Database is created must explicitly recognize
the rule of law in the nations who are working with the system. The International Phenotype Database
can be seen as an organization convened by the court systems of various nation states working together.

Purpose
The International Phenotype Database has one basic purpose: when shown a set of biometric
information it can search through the biometric data of every human enrolled, and possibly every
human on the planet in later years, and return a set of matching records.
However, these "matching records" consist of only two fields: a National Government identifier ("is
an American") and a block of data encrypted by that government and given to the
International Phenotype Database when this person was enrolled in the system.
The International Phenotype Database is blind. It can see the "body", a person's biometrics, but not
their identity, not their reputation, nothing except a citizenship and a block of data it cannot read.
Because of other features in the ISA, it is likely that this search will be initiated once per
lifetime for the average individual, on enrollment, and never again, although searches related to
criminal cases may be common. A search can only be initiated upon request of a National Court
System. Police forces, for example, have no direct access to the system and neither do governments.
Furthermore there is no use case which results in the return of biometric data to a National
Government from the International Phenotype Database. It is a "roach motel" for biometric data as
far as governments are concerned, as it must be.
An individual can request that the International Phenotype Database releases their biometric records
to them.

Common Operations
Biometric Enrollment Process
This is the process that stores the individual's data.
1. An individual presents at a CheapID Issuing Station and requests an ID be issued.
2. The International Phenotype Database receives a request to add a new person to the database.
3. If the request is from an authorized Issuing Station then a set of biometric information is sent
to the International Phenotype Database to process.
4. The data is compared to all of the biometric records in the International Phenotype Database. If
there are matches on the personal data sent in, one of three things happens.
1. A request for additional information is returned, and more biometric information is sent
in until there are no more matches. Typically this would consist of a DNA sample being
processed to disambiguate similar fingerprints.

2. A list of possible matches is generated, and a complex legal process of ruling out each
possible match without undue invasions of privacy is begun; this is a serious process
and to be avoided where possible. The case of identical twins with closely matched
fingerprints would be about the only case where I can imagine this being necessary, but
biology always surprises us.

3. A pre-existing identity record is discovered for the person who is currently being
enrolled, and a report is returned that will allow them to get their original ID reissued.
Further investigation may also be required.
5. Once it is settled that this person is to be enrolled with the set of biometrics submitted, the
International Phenotype Database encrypts an identifier for this individual using the
International Phenotype Database's public key, then re-encrypts this identifier using the
public key of the relevant National Court System and returns this document, the Statement of
Biometric Enrollment, to the Issuing Station to be presented to the enrollee. This is not yet an
identity document, it is simply a statement of fact: this individual's data has been stored. Note
that it contains no personal information whatsoever.
It is my firm conviction that the International Phenotype Database is going to be more-or-less
inoperable without using DNA fingerprinting for everybody. However, I am not an expert in
biometrics, and it may be that an adequate level of uniqueness can be obtained from, say, 10
fingerprints plus both irises. But if DNA is not commonly stored a wide range of questions cannot be
answered using the SIAB-ISA and inevitably parallel, less secure, less useful systems will spring up to
handle DNA-based identity issue, resulting in a fragmentation of biometric security applications, a
reduced global value, and competition.
One system should exist, and it should be extremely heavily oriented towards individual liberty.
Therefore, to maintain the unitary nature of the system, it must deal with DNA either now, or as the
technology for handling DNA biometrics improves in future.
Note that we are not assuming a single standardization for biometric records. There are too many
instances where a person's morphology grossly changes (accidents, particularly burns) and new oddities
of human genetic makeup are constantly discovered, including chimeras, who are single individuals
with two sets of DNA, related to each other as if one part of their body was the sibling of another. We
cannot assume standardization. Rather we need the records in the SIAB-ISA to allow a Professional
Witness or other individual to securely verify that the person in front of them is the person on the ID
card presented.
DNA is the most unique and standard biometric data currently known, and logical pressure towards
using DNA to identify people is likely to be inexorable as genetic technology improves and brings the
cost of analysis down. Better to design a system to be secure enough to handle DNA properly from the
very start.

Legal Enrollment Process


This process binds the bare biometric data in the International Phenotype Database to an individual's
national identity number, and is the next step before a CheapID Identity Card can be issued.
1. An individual takes their Statement of Biometric Enrollment to their National Court System
and presents it, with appropriate identity credentials proving who they are (in the nation state
records) to the Court's satisfaction.
2. The Court then prepares an Identity Packet which is a unique identifier for this individual at a
National Government level, similar to a Social Security Number as it is commonly used. This
Identity Packet is encrypted using whatever cyphers are deemed appropriate by the National
Government and then re-encrypted with the Court's public key.
3. This document, plus the Statement of Biometric Enrollment is submitted to the International
Phenotype Database. The International Phenotype Database then adds this Identity Packet to
the information it is storing about this individual. This completes the enrollment process but no
ID has yet been issued.
Note the open question of how the Statement of Biometric Enrollment is tied to the individual, given
that it has no biometric data visible. Ideally this entire process is done in a secure facility where there is
no doubt about who is who during the issue process: the person remains in front of the issuing
personnel for the entire process. However, a more liberal setting is possible if the Statement of
Biometric Enrollment is somehow tightly tied to the individual during the issue process, perhaps by
placing temporary biometric information on it.
The primary operation of the International Phenotype Database is to run searches, and when it finds
a match, to take the stored Identity Packet that it acquired in this transaction, salt it (adding noise to
the encrypted block to prevent message matching), re-encrypt it with the National Court key, and send
it back to the National Court System of the individual located in the database along with whatever
additional information pertains to the identity request, such as the contact information for the National
Court System making the search request.
The National Court System of the citizen involved is then responsible for liaisons with the court
making the request. This will be covered in more detail below, but note that the access of the
International Phenotype Database to information about the person is extremely limited: it knows
nothing about them other than the shape of their eyeballs or fingers.
Likewise, has the National Court System seen any biometric information? No, nothing has been
divulged to any court, other than the primary evidence used to run the search.
So if, and it is an if, the Issuing Stations do not improperly retain a person's biometric data then a very
private system has been created. No single party has the ability to tie a person to their biometric
profile, or retrieve their biometric profile from their name or other personal information like their
Social Security Number.
Can the same be said of any other proposed scheme?

Identity Issue Process


Finally we issue the actual CheapID Identity Card to the person who made the initial request.
1. An individual asks the National Court to issue them a CheapID Identity Card.
Note the praxis here: the court or government does not issue an ID, an individual requests
one. This is the Voluntary or Default enrollment model. In the Compulsory model, the agency
is reversed, and the court or government initiates.
2. The court submits the Certificate of Biometric Enrollment to the International Phenotype
Database, stating that the individual wants an ID issued. Again, note the flow: the National
Court System is attesting that the individual in question wants something done.
3. The International Phenotype Database keeps a copy of this digitally signed request from the
court, and takes the biometric information which the court has requested, encrypts it with the key
provided with the request, and returns it to the court.
This is a subtle and important point. In the simplest implementation of this system, the National
Court System uses its own key for this request, and therefore is in a position to illicitly copy
the biometric information passing through its hands during this process. A more sophisticated
cryptographic protocol removes that temptation, but at the cost of a much more involved
process that may be vulnerable to cryptographic developments which break the RSA
cryptosystem, as quantum computing is likely to.
4. The National Court System then takes this information, decrypts it, and matches it to the
individual making the request. If there is a mismatch, we have malfeasance.
There is also the possibility of collusion between the International Phenotype Database and this
individual, to return false information. How do we get around this? Remember that the
biometric information is initially collected by an Issuing Station which signs the data which is
initially passed to the International Phenotype Database. These signatures are passed
transparently through to the court to verify. This adds one additional party to the list of those
who have to collude to commit identity fraud.
However, this set of exchanges needs extremely tight cryptographic analysis to get the precise
set of transactions refined to an optimal balance between security and privacy. I believe that a
system reliant only on digital signatures (as this outline does) is actually suboptimal and, in fact,
if the exchanges are reworked using a cryptographic blinding approach (Chaum's approach,
perhaps?) something significantly better emerges. This remains a task for the future. It is
discussed in more detail in a subsequent section of this paper.
5. If all is well, and the individual matches the data returned from the International Phenotype
Database the court proceeds to take a subset of the biometric information returned from the
International Phenotype Database and create a set of CheapID Identity Cards.
Each card contains the following information:
1. Biometrics on the individual who owns the card. For typical purposes, this is simply a
high quality facial image like those found on passports and perhaps one fingerprint.
2. The fingerprint may be encrypted with a key, perhaps the court key or a special security
forces / police key. The fingerprint and other data may also be stored in a non-
recoverable form that allows matching against a presented finger, but not retrieval of the
fingerprint. Secure "biometric hash" algorithms do exist and are an area of ongoing
research. (Nalini Ratha of IBM is one researcher in this area.)
3. A court-key-encrypted unique identifier for the individual.
Note that all data on the card is stored in a 2D bar code. The card itself looks like a mass of
black and white squares. Also every field on the card is salted, so bitwise comparison between
cards is impossible. Also note there is no name or other identifier on the card, other than the
salted unique identifier placed there by the court. Some variations of the card may also allow
areas of the card to be removed (tear off areas) to remove some information before the card is
used. We will cover the exact construction of the card later on.
6. Something like a hundred of these cards are prepared and printed. Think of them as secure
business cards. There should be no picture on the card, although there may be some additional
elements to help people tell one person's cards from another (a recognizable logo or personal
mark, perhaps, but nothing that can be used as an identifier for the person.)
This is because people are lazy. If you print a picture of the person on the card, people will
inspect the image rather than showing the card to a machine which can verify the digital
signatures.
7. The court now deletes all of the biometric information that passed through its hands, leaving
what is on your ID cards as the only biometric information existing outside of the International
Phenotype Database.
Without this step, we have an Orwellian 1984 database scenario. There are a variety of
work-arounds which all greatly complicate the card issue process by splitting the process across yet
more actors, or using more sophisticated cryptography.
But if you cannot trust the National Court System to do its job effectively in protecting
individual liberties, then the fact it has access to biometric data is a minor issue compared to the
existing issues in the nation state. A technical work-around for an untrustworthy court is a
classic example of solving a problem at the wrong architectural level. We should, of course, be
belt and braces about this: secure protocols, and trustworthy courts.
Now this is an awful song and dance for a process that, in a biometric totalitarianism, can be reduced to
a few simple steps: take their DNA and digitally sign it. Take a picture, digitally sign that. Stick it on
one single card and shoot people if they lose their card.
All of this vouching by the National Court System and shuffling around encrypted bits so people
cannot peek is what separates this instantiation of biometrics from a totalitarian one. Human rights and
especially democracy involves an enormous amount of paper shuffling with ideas about privacy and
rights wired into every step, and that is what ensures that the will of the people is at least notionally
expressed through their government, and that they have at least basic safety and security.
So let's zoom back for a moment and consider this again. What is actually being done?
Biometrics are collected. They're sent to a repository. They are then used to make an ID card.
The song and dance with the courts and diffusing the process across both jurisdictional and
architectural levels is where the civil liberties are put into the process. That song and dance with the
courts and jurisdictions is your rights and mine in this model system.
Most rights-respecting processes involve a lot of legal song and dance. Part of the reason we are having
such a lot of trouble with privacy and identity theft right now is that the Social Security Number has
become a de facto unique identifier that a person has no control over and furthermore that identifier has
no cryptographic features to restore a measure of privacy. There is a profound absence of legal song
and dance around use of the Social Security Numbers. As a result this current generation of American
identity infrastructure is a personal liability in the financial domain through identity theft, and a liability
to American democracy through various kinds of attempts to pervert democracy by attacking the
identity infrastructure and having both additional votes cast, and votes denied, based on false identity
information anchored by the insecure Social Security Number infrastructure.
I do not believe, at this point, that a simpler system than the one I am outlining here can work without
tipping the balance towards totalitarian use of biometrics. It has many stages as an internet-age
implementation of the principle "checks and balances."

A Note On Practical Implementations


In an SSTR context this entire ID issue process is expected to be compressed down to a processing
center. Individuals come in at one end, have their biometrics taken, run against the big database in real
time, and then have their CheapID Identity Cards printed on the spot. The legal formalities are
exactly that: they are the superstructure on which the system is built. They do not get carried out by a
formal court setting, but are discharged with paperwork performed under the notional auspices of the
National Court System. In day-to-day SSTR operations, the majority of these legal processes may in
fact be carried out as function calls between computer systems.
As normality is restored and the SSTR phase closes, the National Court System explicitly takes over
the entire process and, as problems occur, every step in the process has a valid legal foundation and
issues can be resolved through the normalized rule of law which is one of the crucial goal states of
SSTR.
If biometrics are used in a field expedient fashion without secure legal foundation at every step, the
odds of them being normalized into a legal framework at the end of the transition period are extremely
low. Either they will continue to be used in a rights-stripping fashion by the new government, creating
the temptation of easy totalitarian rule, or the biometrics system will fall out of use because it
represents an illegal or even unconstitutional intrusion into people's lives. Biometrics technology must
be given legal footing in order to become a valid part of the SSTR process.

Criminal Investigations
1. A National Court System submits a request to the International Phenotype Database to
identify a person based on a fragment of biometric information, like a fingerprint or a DNA
sample.
2. The International Phenotype Database performs the search (perhaps charging the relevant
National Court System for the computer time) and generates a set of results.
3. Those results that are citizens of the nation state of the requesting court are returned to the
National Court System. All that is returned is the Identity Packets of those involved, not
additional biometric matching information.
4. Upon request, the International Phenotype Database will contact the National Court System
of the country of each person found to match the sample and inform them of the biometric
match, and of the request from the National Court System that initiated the search that contact
is made about this case. The expectation is that the person's National Court System will
cooperate with the National Court System that initiated the search within the framework of
any agreements between the two countries.
One nice thing about this system is that it makes it very easy to define one kind of state sponsored
terrorism. When biometric information about a terrorist is submitted to the International Phenotype
Database and they match it to a nation state, if that National Court System simply never returns any
further data, you have clear evidence of state sponsored terrorism by virtue of identity protection.
Note that in the best form of this system, the International Phenotype Database never returns any
information on matches outside of the jurisdiction of the National Court System that raises the query:
it does not reveal the nationality or even the existence of any additional matches. The relevant courts
are contacted, but nothing is relayed back to the originator of the query.
This is likely untenable in the real world, but is how the system might operate in an idealized form.
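The two database operations described above (the Biometric Enrollment Process with the three outcomes of its step 4, and the Criminal Investigations search that discloses only in-jurisdiction matches), as an added Python model that is not CheapID's own code. It assumes that a biometric template is a set of feature tokens compared by Jaccard similarity against a constructed 0.8 threshold, that an opaque byte string stands in for the court-encrypted Identity Packet and a random token for the encrypted enrollment identifier, and it leaves out the re-salting and re-encryption of returned packets; the demo exercises the "need more data" and "already enrolled" outcomes and the search.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

Template = FrozenSet[str]   # a biometric template modelled as a set of feature tokens
MATCH_THRESHOLD = 0.8       # constructed Jaccard cut-off standing in for a real matcher


@dataclass
class Record:
    enrollment_id: str                        # stand-in for the IPD-encrypted identifier
    nationality: str                          # the only clear-text attribute the IPD holds
    biometrics: Dict[str, Template]           # modality -> template, e.g. "finger", "dna"
    identity_packet: Optional[bytes] = None   # court-encrypted blob, opaque to the IPD


def similarity(a: Template, b: Template) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


class PhenotypeDatabase:
    def __init__(self, authorized_stations: FrozenSet[str]):
        self._records: List[Record] = []
        self._stations = authorized_stations

    def _matches(self, sample: Dict[str, Template]) -> List[Record]:
        """Records matching on every modality that they and the sample both carry."""
        found = []
        for rec in self._records:
            shared = sample.keys() & rec.biometrics.keys()
            if shared and all(similarity(sample[m], rec.biometrics[m]) >= MATCH_THRESHOLD
                              for m in shared):
                found.append(rec)
        return found

    def enroll(self, station: str, nationality: str, sample: Dict[str, Template]) -> dict:
        """Biometric Enrollment steps 3-5, including the three outcomes of step 4."""
        if station not in self._stations:
            return {"status": "rejected", "reason": "unauthorized issuing station"}
        matches = self._matches(sample)
        if not matches:
            rec = Record(secrets.token_hex(16), nationality, dict(sample))
            self._records.append(rec)
            return {"status": "enrolled", "statement_of_enrollment": rec.enrollment_id}
        # 4.1: a matching record holds a modality (typically DNA) the station has not
        # sent yet, so ask for it before deciding anything.
        missing = sorted({m for r in matches for m in r.biometrics} - sample.keys())
        if missing:
            return {"status": "need_more", "modalities": missing}
        if len(matches) == 1:   # 4.3: already enrolled; hand back the original statement
            return {"status": "already_enrolled",
                    "statement_of_enrollment": matches[0].enrollment_id}
        return {"status": "ambiguous", "candidates": len(matches)}   # 4.2: legal process

    def attach_identity_packet(self, enrollment_id: str, packet: bytes) -> bool:
        """Legal Enrollment step 3: store the court's packet without reading it."""
        for rec in self._records:
            if rec.enrollment_id == enrollment_id:
                rec.identity_packet = packet
                return True
        return False

    def search(self, requesting_nation: str, sample: Dict[str, Template]) -> dict:
        """Criminal Investigations steps 1-4: the requester receives only packets of its
        own citizens; foreign matches are reported to their own court together with the
        requester's contact, and nothing about them goes back to the requester."""
        own, notifications = [], []
        for rec in self._matches(sample):
            if rec.nationality == requesting_nation:
                own.append(rec.identity_packet)
            else:
                notifications.append({"court": rec.nationality,
                                      "from_court": requesting_nation,
                                      "packet": rec.identity_packet})
        return {"to_requester": own, "notifications": notifications}


# Constructed templates: ALICE and TWIN share 9 of 10 finger tokens (Jaccard 9/11).
ALICE_FINGER = frozenset(f"f{i}" for i in range(10))
TWIN_FINGER = frozenset(f"f{i}" for i in range(9)) | {"f99"}
ALICE_DNA = frozenset(f"d{i}" for i in range(20))
TWIN_DNA = frozenset(f"t{i}" for i in range(20))
BOB_FINGER = frozenset(f"b{i}" for i in range(10))


def demo() -> dict:
    """Walk the enrollment outcomes and a jurisdiction-limited search."""
    db = PhenotypeDatabase(frozenset({"station-1"}))
    out = {}
    out["rejected"] = db.enroll("station-9", "US", {"finger": ALICE_FINGER})
    out["alice"] = db.enroll("station-1", "US", {"finger": ALICE_FINGER, "dna": ALICE_DNA})
    out["twin_finger_only"] = db.enroll("station-1", "US", {"finger": TWIN_FINGER})
    out["twin"] = db.enroll("station-1", "US", {"finger": TWIN_FINGER, "dna": TWIN_DNA})
    out["alice_again"] = db.enroll("station-1", "US", {"finger": ALICE_FINGER, "dna": ALICE_DNA})
    out["bob"] = db.enroll("station-1", "FR", {"finger": BOB_FINGER})
    db.attach_identity_packet(out["alice"]["statement_of_enrollment"], b"<US court packet>")
    db.attach_identity_packet(out["bob"]["statement_of_enrollment"], b"<FR court packet>")
    out["us_searches_alice"] = db.search("US", {"finger": ALICE_FINGER, "dna": ALICE_DNA})
    out["us_searches_bob"] = db.search("US", {"finger": BOB_FINGER})
    out["fr_searches_bob"] = db.search("FR", {"finger": BOB_FINGER})
    return out
```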

Technical Challenges
There are three classes of technical challenges at the International Phenotype Database level.
1. Searching six billion biometric records including issues like false positives and simply handling
that much data.
2. Securing the system, including audit trails, physical security, and prevention of an attack on this
critical facility resulting in a global failure of the capability to search biometric records or
generate new identities, although existing CheapID Identity Cards would continue to work.
3. Building out the technical infrastructure for the exchange of information and management of
cryptographic keys within each National Court System.
Obviously in an SSTR context, SIAB-ISA is about equipping some number of facilities in the host
nation with the necessary technology and keeping it running for them as well as rolling out the
associated financial services and contract validation services outlined later on in this paper.
All of these services can be provided with technologies that are either common items or near-market
refinements of existing systems. Based on my current exposure to the technology even the large scale
biometrics matching appears possible given a few years for hardware to get faster and algorithms to
grow more sophisticated.
A lot of what makes this possible is that searches against this database are infrequent: once per lifetime
upon enrollment, plus criminal investigations.
However, one trade being made is full database searching without narrowing the dataset based on
factors like proximity. We are not permitting operations like "search for records in the London area"
because the International Phenotype Database is not allowed to know who lives in London. The
narrowing is done after the biometrics matching step, and it is done by the local courts, not the
biometrics database. This is extremely inefficient, but bigger computers are coming.

The National Court System


Jurisdiction
By definition, one nation state, plus any areas that state is providing legal services for.

Purpose
In this context, the National Court System provides controlled legal access to the International
Phenotype Database, and the various Issuing Stations and other parts of the ISA.

Common Operations
All common operations with a technical component are covered under the International Phenotype
Database above. They are documented as a set of interactions between the International Phenotype
Database and the court because the court has little or no direct access to biometric data except through
that intermediary.

Technical Challenges
Deploying PKI in a court context and associated procedural changes are major issues, as is building
judicial understanding of how the system affects their role. There are additional challenges in building
a framework within existing legal systems to identify what is and is not rational and appropriate when
dealing with biometrics in general. These challenges are not unique to the SIAB-ISA, however.
One plausible approach is that each National Court System has a single national decryption center
that manages the court's private keys, and then additional PKI to manage transfers of data to and from
that center, and authorization and authentication. This is a major project, but considerably more
tractable than the obvious alternatives.
Issuing Stations
Jurisdiction
Authorized by the National Court System, may be operated by an arm of the court, an NGO, or third
parties like hospitals and Professional Witnesses.

Purpose
The issuing station exists to take a person's biometric information and relay it securely to the
International Phenotype Database. It takes legal responsibility for the honesty and integrity of this
task, and staff should be clearly identified and criminally liable, with a solid audit trail.

Common Operations
As documented under International Phenotype Database.
It's worth noting that the security and reliability of the issuing stations is key to the security and
reliability of the entire system.
Suppose, for example, the station collects bogus data and transmits it to the International Phenotype
Database? This gets caught by the Court, when the Court compares the data coming back from the
International Phenotype Database to the person presenting the request. But what if there is collusion
between an Issuing Station and the National Court System, to create a bogus identity by sending fake
biometric data? This still gets caught when the CheapID Identity Card is presented for use, of course,
but it is clearly possible for multi-party collusion to create fake people even if it is very hard to pass
them off against challenges. However, the system is many, many times harder to spoof than current
systems, where fake people can be created by a single government ad infinitum.
In common use, institutions like hospitals might act as Issuing Stations. The basic mechanics of taking
the necessary biometric data, possibly including DNA samples, fit nicely in a medical setting and
could, in an SSTR context, be associated with primary health screening and vaccinations for example.

Technical Challenges
The challenges depend entirely on the level of biometric sophistication required. A basic Issuing
Station is a digital camera and a net connection to a web site which provides an interface to the
International Phenotype Database.
The CheapID Identity Card
Jurisdiction
It is important to understand that the CheapID Identity Card reflects the international agreements
which form the ISA in its internal structure.
At an abstract level, the CheapID Identity Card has three statements on it, digitally signed by their
respective parties. The first is from the Issuing Station, attesting that this is a picture they took and is
an accurate likeness of an unnamed person (and the same for any other biometrics present.)
The second is from the International Phenotype Database stating that it has an Identity Packet from
a National Court System referring to the unique individual presented on this card. This implies that
the individual has been enrolled and that any ambiguity about their biometrics has been resolved.
Finally, there is a statement from the National Court System that it is willing to decrypt the unique
identifier present on this card (the identifier is unique to the card) to reveal this person's real identity
based on whatever legal criteria that National Court System requires.
The combination of these three statements gives a solid link to this person's identity, protected by the
Court's unwillingness to decrypt the identifiers on the card for frivolous or illegitimate purposes.
However, in practice, there are issues with presenting all of this information on the card. Firstly, one
may simply run short of bytes in the cameraphone implementation. Secondly, the digital signatures on
the image from the Issuing Station and the International Phenotype Database create a de facto
unique identifier which is unique to the individual, not to a given instance of their identity card. In
naive implementations, the signature on the photograph becomes usable as a sort of substitute Social
Security Number. Again, blind signatures may make it possible to carry these signatures from end to
end without them becoming illicit unique identifiers in their own right, but is that reasonable? The
algorithms allowing a blind signature (that is, for a party to sign a document it does not read, simply
proving it was presented at a given time and not altered) are not trivial and begin to lift the system out
of the domain in which simple reference implementations are possible.
Finally, those algorithms are dependent to an unknown degree on the particular features of the RSA
cryptosystem. In the upcoming post-RSA era (RSA is vulnerable to quantum computing) it will
become necessary to shift algorithms. Digital signatures will almost certainly continue to exist, but the
precise commutative properties of prime factorization may not be replicated in the new systems, killing
entire classes of useful algorithms.
Therefore, practically speaking, in a simplified implementation, the card bears only one digital
signature: that of the court, attesting that the original signatures were correct. Audit trails may be kept
at the court, perhaps involving re-encrypting some of the data in the audit trail with a public key
belonging to an auditing agency, the International Phenotype Database, or the Issuing Station to
prevent the Court's audit trail becoming an unhelpful store of biometric data.
The Court can be challenged to produce the Statement of Biometric Enrollment for a CheapID
Identity Card that it has issued if there are doubts about the legitimacy of the Court.
Alternatively, we simply bite the bullet, carry all three signatures through the entire system, and salt the
data from end to end. This approach may require hauling thousands of times more data across the
system. The Issuing Station would pass 1000 encrypted packets to the International Phenotype
Database which would then sign each one, and so on down the chain to the CheapID Identity Card
itself. This is an appallingly inefficient brute force solution but technical history has shown us that
brute force often produces correctness in software systems, which is a factor to consider.
In any case, it is certain that the CheapID Identity Card cannot carry any bitwise identical fields
which would allow one card to be matched to another. There are a variety of plausible approaches, as
outlined above, and the task of the system implementors is to pick a solution that works in practice.
A good enough system can be created by trusting the signature of the Court if you can challenge it and
require them to produce the signatures of the International Phenotype Database and Issuing Station.
This is a good enough solution to know the scheme is viable, although it can be improved.
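The blind-signature and salting ideas above, as an added Python example that is not part of the paper or the CheapID code: a Chaum-style RSA blind signature lets the International Phenotype Database sign a card field it cannot read, and a per-card salt makes two cards for one person share no bitwise identical field. It assumes textbook RSA with two well-known but far too small Mersenne primes so it runs offline, a SHA-256 digest reduced mod N in place of proper padding, and `naive_sign` as a model of the unsalted, directly signed photograph that the text warns becomes a substitute Social Security Number.

```python
import hashlib
import math
import secrets

# Toy RSA key pair for the International Phenotype Database (IPD). The primes are two
# well-known Mersenne primes chosen only so the example runs offline; real keys are
# thousands of bits, so the digest below would be padded rather than reduced mod N.
P = 2147483647
Q = 2305843009213693951
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def field_digest(image: bytes, salt: bytes) -> int:
    """Digest of a card's biometric payload together with its per-card salt."""
    return int.from_bytes(hashlib.sha256(salt + image).digest(), "big") % N


def blind(m: int):
    """Court side: hide m behind a random factor r before sending it to the IPD."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def ipd_sign_blinded(blinded: int) -> int:
    """IPD side: it signs what it is shown and learns nothing about m."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Court side: strip r to obtain an ordinary RSA signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(m: int, sig: int) -> bool:
    """Anyone holding the IPD public key (N, E) can check the signature."""
    return pow(sig, E, N) == m


def issue_card(image: bytes) -> dict:
    """One salted, blind-signed card field; each call uses fresh salt and fresh r."""
    salt = secrets.token_bytes(16)
    m = field_digest(image, salt)
    blinded, r = blind(m)
    sig = unblind(ipd_sign_blinded(blinded), r)
    return {"salt": salt, "ipd_view": blinded, "signature": sig}


def verify_card(image: bytes, card: dict) -> bool:
    """Verifier side: recompute the salted digest and check the IPD signature."""
    return verify(field_digest(image, card["salt"]), card["signature"])


def naive_sign(image: bytes) -> int:
    """The unsalted approach: the same image always yields the same signature."""
    return pow(field_digest(image, b""), D, N)


if __name__ == "__main__":
    img = b"constructed facial image bytes"
    a, b = issue_card(img), issue_card(img)
    print("both cards verify:", verify_card(img, a) and verify_card(img, b))
    print("cards linkable by signature:", a["signature"] == b["signature"])
    print("IPD saw the same value twice:", a["ipd_view"] == b["ipd_view"])
    print("naive signatures linkable:", naive_sign(img) == naive_sign(img))
```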

Purpose
Let us review the physical appearance of the CheapID Identity Card once again. It is a sheet of paper
or a plastic card covered in a mass of 2D barcode data and bearing few or no other identifiers. Each
individual has dozens or hundreds of cards, each one bearing their likeness in the form of a digital
image encoded in the barcode and signed as discussed above. There is no visible picture, so that people
must show the card to a device which can check digital signatures in order to see the face encoded on
it. No two cards corresponding to a particular individual share any bitwise identical fields.
Why?
The goal is to create a system in which the lives of those who do not break the law are almost entirely
private. This means that the ISA has to be able to support some novel operations. The most important is
being able to have absolute assurance that a person has committed an act, but no awareness of who
they are unless the act turns out to be illegal. This single property is the key to commercial use of the
ISA in the context of State In A Box. Because this property did not exist in prior technological
substrates, outside of the use of proxies in some kinds of transactions, neither legal nor financial
infrastructure has taken advantage of the fact that our technological substrate can now support it.
This is leapfrogging. In an SSTR context, it becomes possible to rapidly build the new generation
infrastructure for CheapID Identity Cards and the necessary legal supports in the National Court
System. It seems like a stretch, but the technology is getting easier all the time, and the security
requirements for a solid biometric database are unarguable, as are the problems of leaving that database
behind when one leaves, or deleting it. By placing the dangerous database in a protected environment
like the one the ISA provides through the international framework, the worst abuses can be headed off
at the pass, while keeping the system available.
The bonus is a new kind of commercial transaction: Blind Contracts. We will discuss blind contracts
in some detail later in the paper, but the core of the concept is that, if the contract is not broken, one or
both parties can remain anonymous. If it is broken, the anonymity is compromised, and the legal
process can unfold.
A contract that is assented to by a person with a CheapID Identity Card is a blind contract. One of
their ID cards stays with the contract, digitally signed in all probability, and acts as a token of their
identity. However, until such time as the National Court System becomes involved and chooses to
decrypt the ID card, there is no way to identify the signatory. The contract holder has absolute
assurance that somebody knows who signed the contract, but no information about that person unless
something illegal or dishonest happens.
Isn't that how the world would work if we had a just and efficient society? Nobody really
wants their grocery store colluding with their mortgage broker and their health insurer to pitch them
additional services. In reality, almost all of us like our business to be conveniently private, but we are let
down by shoddy and outdated identity infrastructure that predates database-driven monitoring.
However, an entirely private world as I am describing does not work for all political systems, and
certainly does not work for all security situations. The goal here is, as always, more privacy for the law
abiding citizen, and more ability to identify threats and illegal activity and halt them.
Because of a small feature, the Certificate Revocation List Check, which we will discuss below,
in some implementations it is possible, if national security requires it, to trace every instance where an
individual has used their CheapID Identity Card. In other implementations, this is not possible. This
is an architectural decision which is left with the National Court System.

Common Operations
Identity Check
This is how the cards are used for routine identity transactions.
1. A person presents their CheapID Identity Card to an identity check of some kind.
2. The person making the check takes a photograph of the card with a cameraphone, or otherwise
gets a copy of it into a computer.
3. The digital signature on the card is checked against a key pre-loaded on to the device, much as
the root certificates used to validate HTTPS (X.509) certificates are pre-loaded into web browsers.
4. The image of the person who should be associated with the card is displayed on the device.
5. The person making the check compares the image on the screen to the person in front of them.
If the two match, then the card has been successfully connected to the individual.
6. If there is any need for this individual to be re-identified later, the CheapID card is kept by the
person making the check, with any additional notes required by the situation.
7. In future instances, the person is checked against the card stored on file, but because of the "no
bitwise identical fields" rule, two entities with cards on file cannot match them without doing
full biometric comparisons on their face databases. Of course, they could (if it was legal) run
that check from surveillance camera footage, so we have presented no new tools to those who
wish to do monitoring.
Note that we assume that CheapID Identity Card checks on photographs will typically be done by a
human being rather than an automated system. This is a response to the likely deployment of these
systems in the developing world, where human labor is relatively cheap and machinery has a hard time
in the physical environment.
If the card carried another biometric, like fingerprints or a machine-matchable facial template, perhaps
an automated system would be more appropriate. But for the simple low-tech version, a human comparison is plenty.
Also note that there is no database access in this case. In higher security use cases, there is probably a
Certificate Revocation List check.

Authorization Check
When a person returns to claim use of resources they previously signed up for, the card on file is used
exactly as any other card is.
1. Check Identity as in the previous case, but referring to an ID card kept on file, rather than a new
card.
We assume that the common practice will be "one card per contract" or "one card per transaction." No
two vendors should ever see the same CheapID Identity Card. This also applies to routine police
checks in the event of things like traffic stops. See the following section for an explanation of how this
works.

Bandit Check
One way of seeing a CheapID Identity Card is as a digital certificate. Certificates, however, typically
must be checked against a Certificate Revocation List to be meaningfully secure. Without such a
check, there is no way to know if the facts attested to in the certification are still true because the
certificate's whole virtue is that it does not and cannot be changed!
One option is to use a field which is unique to each card, say the digital signature of the Court, and
submit it to a URL to see if the CheapID card is on a wanted list. If the court returns an "all is well"
there is no problem, and other situations would be reflected appropriately.
There are a number of technical approaches one can take to this check which result in different civil
liberties landscapes. In a repressive, totalitarian environment, the CRL check could be run through
databases which would take the unique identifier, turn it back into a name, and run that name against all
the relevant databases.
In a less restrictive environment, the Court could generate a list of unique identifiers which need to be
held, and upload that list without further identity information, roughly corresponding to a list of people
with outstanding arrest warrants. In this instance, unless you are wanted, the Certificate Revocation
List simply has no record on you.
In between, there is a "sweet spot" which seems to me to blend excellent security with relatively good
privacy. In this instance, all CRL checks are logged in an enormous database, and a list like the arrest
warrant list is maintained. However, in the event of a serious security concern, or an investigation into
a person's life in which their privacy is deemed moot, the Court generates a list of unique identifiers
pertaining to this individual (in essence, by replicating the process it did when generating the ID cards)
and all those transactions are pulled out of the database.
The parties who ran the CRL checks can now be contacted to give a relatively complete picture of the
life of the person of interest. However, without the participation of the court, there is very little that can
be done with the main database, even if it is obtained by questionable means (like systematic
interception of CRL checks.)
If this seems totalitarian, you must ask yourself a simple question: do you think the real systems which
are likely in use by security forces are more or less private than the system I am describing here?
My guess, from what I read in the newspapers, is that we are already significantly past this level of
monitoring, and that the systems which do that monitoring were constructed with very little
fundamental analysis of their effects on society in the long run.
We have shown a system which has both better privacy and better security. The challenge is to deploy
it.
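
As an added worked example (not the paper's code, nor the CheapID demonstration code), the Go
program below implements the Identity Check steps and the "sweet spot" Bandit Check together, since
both need the same card issuance. Everything about the layout is an assumption: a card is (salt,
masked image, Court signature); the Court signs with Ed25519, derives each salt by HMAC-SHA256
from a per-person secret it alone keeps, and masks the image with AES-CTR keyed from the salt so
that no field repeats across a person's cards; the CRL check submits only a prefix of the Court's
signature. The Court key, the person's secret, the face bytes and the CRL log entries are all
constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Card is the barcode payload. The layout is an assumption of this example, not the paper's.
type Card struct {
	Salt  []byte // per-card value, never reused ("no bitwise identical fields")
	Image []byte // facial image, masked under a key derived from Salt
	Sig   []byte // the Court's Ed25519 signature over Salt || Image
}

// imageMask is AES-CTR keyed from the salt. It hides nothing from whoever holds the card (the
// salt is on it); it only makes the image bytes differ on every card so holders cannot link them.
func imageMask(salt, data []byte) []byte {
	k := sha256.Sum256(append([]byte("cheapid-image-key:"), salt...))
	block, _ := aes.NewCipher(k[:16])
	out := make([]byte, len(data))
	cipher.NewCTR(block, k[16:]).XORKeyStream(out, data)
	return out
}
// signedBytes is the exact string the Court signs: Salt || masked image.
func signedBytes(salt, image []byte) []byte { return append(append([]byte{}, salt...), image...) }

// issueCards produces n individually salted and signed cards for one enrolled person. Salts are
// HMAC-derived from a per-person secret only the Court keeps, and Ed25519 signing is
// deterministic, so the Court can later regenerate every card it issued without storing them.
func issueCards(courtPriv ed25519.PrivateKey, personSecret, image []byte, n int) []Card {
	cards := make([]Card, n)
	for i := range cards {
		m := hmac.New(sha256.New, personSecret)
		binary.Write(m, binary.BigEndian, uint32(i))
		salt := m.Sum(nil)
		masked := imageMask(salt, image)
		cards[i] = Card{Salt: salt, Image: masked, Sig: ed25519.Sign(courtPriv, signedBytes(salt, masked))}
	}
	return cards
}

// verifyCard is steps 3 and 4 of the Identity Check: verify against the pre-loaded Court key,
// and only if the signature holds unmask the face for the human comparison.
func verifyCard(courtPub ed25519.PublicKey, c Card) ([]byte, bool) {
	if !ed25519.Verify(courtPub, signedBytes(c.Salt, c.Image), c.Sig) {
		return nil, false
	}
	return imageMask(c.Salt, c.Image), true
}

// sharesField is true if two cards share any field byte for byte, the linkability the rule forbids.
func sharesField(a, b Card) bool {
	return string(a.Salt) == string(b.Salt) || string(a.Image) == string(b.Image) || string(a.Sig) == string(b.Sig)
}
// cardID is the unique per-card value sent in a CRL check: a prefix of the Court's signature.
func cardID(c Card) string { return fmt.Sprintf("%x", c.Sig[:8]) }

// CRL is the "sweet spot": a set of held IDs (the arrest-warrant list) plus a log of every
// check, keyed only by card ID. Nothing in it names a person.
type CRL struct {
	Held map[string]bool
	Log  []CheckRecord
}
type CheckRecord struct{ CardID, Checker string }

// Check is what the party inspecting a card runs; "hold" means the card is wanted.
func (r *CRL) Check(id, checker string) string {
	r.Log = append(r.Log, CheckRecord{id, checker})
	if r.Held[id] {
		return "hold"
	}
	return "ok"
}

// traceByCourt is the step reserved for the Court: from its own key and the enrollment record
// (person secret, image) it regenerates the person's card IDs and pulls the matching checks.
func traceByCourt(r *CRL, courtPriv ed25519.PrivateKey, personSecret, image []byte, n int) (hits []CheckRecord) {
	ids := map[string]bool{}
	for _, c := range issueCards(courtPriv, personSecret, image, n) {
		ids[cardID(c)] = true
	}
	for _, rec := range r.Log {
		if ids[rec.CardID] {
			hits = append(hits, rec)
		}
	}
	return hits
}

func main() {
	courtPub, courtPriv, _ := ed25519.GenerateKey(nil)
	secret, face := []byte("secret only the Court keeps (constructed)"), []byte("facial image bytes (constructed stand-in)")
	cards := issueCards(courtPriv, secret, face, 3)
	img, ok := verifyCard(courtPub, cards[0])
	fmt.Println("verifies:", ok, "face recovered:", string(img) == string(face), "linkable:", sharesField(cards[0], cards[1]))
	crl := &CRL{Held: map[string]bool{cardID(cards[1]): true}} // the Court has put a hold on this card
	fmt.Println("grocer:", crl.Check(cardID(cards[0]), "grocer"), "bank:", crl.Check(cardID(cards[1]), "bank"))
	fmt.Println("court trace:", traceByCourt(crl, courtPriv, secret, face, 3))
}
```

Two points the prose leaves implicit show up in the code. The mask gives no confidentiality, since
the salt sits on the card beside the image; it exists only so that sharesField is false for every
pair of a person's cards. And traceByCourt works only because issuance is deterministic: the Court
needs its signing key, the per-person secret and the enrollment image to regenerate the card IDs, so
whoever captures the CRL log without those inputs holds a list of opaque identifiers and nothing
more, and destroying the enrollment record also destroys the Court's ability to trace.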

Technical Challenges
The CheapID card itself is perfectly feasible with existing technology. Packing it down into something
which can be made to work with the existing generation of cell phones is going to be a work of art,
however, and may involve extremely sophisticated facial image compression and tiny digital signatures
to work properly. Alternatively, the non-standard color implementation of the Data Matrix 2D bar code
standard triples the data density in the bar codes, and puts us in the clear as far as data on the card is
concerned, at the cost of breaking compatibility with off-the-shelf Data Matrix reader hardware.
These are questions for the implementors.
Statebuilding with the Identity Services Architecture
Let us recap. We have a scheme for taking relatively straightforward biometrics and implementing
them in a way which relies much less on routine access to large databases, leaves plenty of room for
different nation states to operate in their own way, and yet is still internationally interoperable.
However, there is little incentive for anybody to get a CheapID Identity Card because, at this point,
we are still operating in the domain of international agencies and national governments. This is the
domain of the "stick." Nobody wants to change anything just because it is convenient for such groups,
which leaves them forced to compel change. This is not the best way to encourage technological (or
policy) progress.
To find out why people will use these CheapID Identity Cards, we have to move into the commercial
domain: the business and individual benefits of the system. This is where we find the "carrot" - the
ways that an upgraded identity infrastructure will make people's lives better, and where there is money
to be made!
We are going to cover a lot of ground quickly: appropriate technology banking infrastructure,
microfinance, a new approach to implementing democracy, and four or five other relatively radical
products of having a genuinely modern identity backbone. You may find much to object to in any
specific case, and an adequate defense of this picture would require one or perhaps two books. From
here on in, the cases are argued much less robustly.
The core transaction is that a person leaves one of their CheapID Identity Cards behind them, and the
card cannot be bound to their identity without a National Court System decrypting it. This transaction
is novel, and largely what we are doing is examining a few of the new possibilities that it opens up.
One way of thinking about it is that currently identity information is like gold. It's a hard, transferrable,
fungible resource. Many small pieces of identity information can be combined for a more complete
picture about you, or a single profile can be split into demographic information or other categories.
SIAB-ISA is a "virtualization" of identity. Rather than simply handing over the identity-gold, now
we're handing over a document which says "The National Court System Promises to Pay the Bearer
My Identity if I Break This Contract."
This is, and I hope you will excuse me one pun, an "Identity Cheque." It is an unbreakable future
promise of identity, perhaps more like a banker's draft than a cheque. By introducing new "identity
instruments" we expand the range of possible transactions, in the same way that new financial
instruments like cheques enabled many new classes of financial transactions.
What is interesting about this is that it also nicely parallels a great deal of work on capability-based
financial instruments, and I'm greatly indebted to Alan Karp for teaching me a lot about capabilities in
our discussions of this paper and other work. I have not refactored SIAB-ISA around the "capabilities
and authorizations" model that is so central to Alan's work, but I believe that doing so reveals another
system, one in which identity information goes from being a "cheque" drawn on a central banker to
"cash" - autonomous authorizations generated at the edge of the network, near where they will be used.
This work will have to wait for another year.

Contract Signing Infrastructure - the Professional Witness
Jurisdiction
Private company operating in the context of one or more nation states.

Purpose
Contract Signing is Currently a Broken Process
Contract signing, verifying the free assent of one entity to a proposal, is a fundamental necessity
for commerce. Whether it be banking, mobile phone contracts, even tax forms, this assent is a crucial
business process.
There are currently two basic approaches to this assent process both of which are broken because they
rely on having amateurs do the job of professionals. Note they are not necessarily broken for technical
reasons, but because we ask people who are not experts to do something they cannot do reliably or be
reasonably expected to absorb risk based on that performance.
The first area is signing papers. The method is simple: you take a piece of paper with an offer on it,
sign your name, and the counterparty responds as if it has your legal assent. The problem is that most
signatures are never inspected to see if they are forgeries, and if they are, the check is normally done by
a person with no professional training. "Does this look right to you?" is not really an adequate
inspection, and most signed documents do not even get this cursory check. The result is forgery is a
common attack on both individuals and companies.
Consider how much forgery would be reduced if every signature were inspected by a trained
professional before action was taken on it.
It is not necessarily the signature itself that is the problem, it is the context we deploy them in, and the
risk management and liability landscape we have created around this form of assurance.
The second area is digital signatures. Here the problem is computer security. Without a professional
staff to maintain the integrity of the machine being used to generate the digital signature, the signature
cannot be trusted. A claim can be made that the machine was compromised, and the nominal owner of the
private key can then repudiate the signature as not signaling their assent.
Would you trust a digital signature generated on a home computer on a document like a mortgage?
As a result of these limitations, we rely heavily on corroborating evidence when preparing a contract:
does the Social Security Number match? Do we know this person? Is it a reasonable looking request?
In practice, however, fraud prevention, detection, losses and investigation constitute a large tax on
businesses because these fraud reduction measures are deeply imperfect.
And this is in the relatively stable, relatively secure societies of the developed world. How much worse
are conditions in SSTR situations?
Improving contract signing means putting a professional in the loop to actually verify that something
has happened, and be sued for malpractice if something goes wrong. Note that we are not talking about
technology yet. Right now, we are talking about professionalization of contract signing and the risk
management implications. Having professional standards for contract signing (for verifying human
assent to a proposal) is independent of technology.
A notary public is one step in this direction, but an ordinary notary does not go far enough because of
the technological limitations of their context. Without the ability to generate extremely solid identity
credentials, a notary can only sign what they see. Furthermore, the actual process of stamping offers no
real security in the modern world, certainly not against major fraud attempts.
But the model is functional. Notaries exist because they add value, and an improved and generalized
"notary-like" function is not a heavily innovative proposal. Our implementation is a "leapfrogged
notary" called a Professional Witness.

Fixing Contract Signing
Let us assume a person walks into my office and says they want me to witness them signing a document.
This is a two step process. Firstly, I verify that the person matches the CheapID Identity Card they
present. Secondly, I watch them sign the document, and somehow assert this fact in a manner that
proves to third parties that I say I saw it. This process is, in fact, equivalent to me creating and signing a
document which says I saw the person in my office sign a document.
If I am trustworthy, this second document, a signed statement from a professional witness, might
actually constitute the real legally binding signature on the original contract, rather than the relatively
fragile ink-on-paper that is so prone to forgery.
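The two steps just described, as an added Go example (not code from the paper): the Witness's
signed statement binds the SHA-256 of the exact contract, of the CheapID card left with it and of
the sealed evidence, together with a timestamp, under the Witness's Ed25519 key, and a counterparty
checks it against a public registry of Witness keys. The Attestation layout, the registry, the
Witness ID and every input are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Attestation is the Witness's "second document": a signed statement that it checked a CheapID
// card and watched its holder assent to one specific contract. Layout is an assumption here.
type Attestation struct {
	WitnessID    string   // licensed Witness, resolvable in a public registry
	ContractHash [32]byte // SHA-256 of the exact contract bytes assented to
	CardHash     [32]byte // SHA-256 of the CheapID card left with the contract
	EvidenceHash [32]byte // SHA-256 of the sealed evidence (e.g. the video of the signing)
	SignedAt     int64    // Unix time of the point event
	Sig          []byte   // the Witness's Ed25519 signature over everything above
}

// message serialises the signed fields unambiguously (length-prefixed ID, fixed-size hashes).
func (a Attestation) message() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint16(len(a.WitnessID)))
	b.WriteString(a.WitnessID)
	b.Write(a.ContractHash[:])
	b.Write(a.CardHash[:])
	b.Write(a.EvidenceHash[:])
	binary.Write(&b, binary.BigEndian, a.SignedAt)
	return b.Bytes()
}

// witnessSign runs after both steps have happened in the office: the card has been verified
// against the person, and the Witness has watched and recorded the signing.
func witnessSign(id string, priv ed25519.PrivateKey, contract, card, evidence []byte, at time.Time) Attestation {
	a := Attestation{WitnessID: id, ContractHash: sha256.Sum256(contract), CardHash: sha256.Sum256(card),
		EvidenceHash: sha256.Sum256(evidence), SignedAt: at.Unix()}
	a.Sig = ed25519.Sign(priv, a.message())
	return a
}

// verifyAttestation is what the counterparty, or later a court, runs. registry maps Witness IDs
// to their published keys; contract and card are the copies the verifier actually holds, so a
// contract or card swapped after the fact is rejected.
func verifyAttestation(registry map[string]ed25519.PublicKey, a Attestation, contract, card []byte) error {
	pub, ok := registry[a.WitnessID]
	if !ok {
		return errors.New("unknown witness: the statement carries no liability")
	}
	if !ed25519.Verify(pub, a.message(), a.Sig) {
		return errors.New("witness signature does not verify")
	}
	if sha256.Sum256(contract) != a.ContractHash {
		return errors.New("contract is not the one witnessed")
	}
	if sha256.Sum256(card) != a.CardHash {
		return errors.New("card is not the one witnessed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	registry := map[string]ed25519.PublicKey{"witness-001": pub} // public registry (constructed)
	contract := []byte("Services contract text v1 (constructed)")
	card := []byte("bytes of the CheapID card left with the contract (constructed)")
	video := []byte("sealed recording of the signing (constructed)")
	a := witnessSign("witness-001", priv, contract, card, video, time.Now())
	fmt.Println("genuine:", verifyAttestation(registry, a, contract, card))
	edited := []byte(string(contract) + " plus a clause added later")
	fmt.Println("altered contract:", verifyAttestation(registry, a, edited, card))
}
```

Because the verifier hashes the contract and card copies it actually holds, a contract edited after
the visit, a card substituted for another, or a statement relabelled with a different Witness ID all
fail; the evidence hash lets the Witness later prove which recording it is relying on without the
counterparty holding any biometric data.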
This seems rather round-about, until we get back to the question of putting a liable professional with
insurance in the loop as a way of improving the quality of execution of a business process. What we are
doing here is creating a new business entity to reduce the risk of contract signing for both parties by
taking professional responsibility for the veracity of a signature on a contract. This role, the
Professional Witness, is a pivotal point in bringing a truly digital economy into existence. We
stagger along with credit card companies acting as the risk buffers for e-commerce transactions, but the
limits this imposes on the digital economy in terms of both overheads and maximum value of
transactions are crippling.
You think that digital technology is transforming commerce? Imagine if we actually had the capability
to make real payments electronically, to sign contracts remotely in a way which was inherently
trustworthy, and to operate without revealing our affairs to every service and infrastructure provider we
buy services from.
In truth, the transformation is barely begun.

What does a Professional Witness Do?
The role of the Professional Witness is to prove that something happened. The ability to prove that a
"point event" occurred in an extremely legally credible way begins to dismantle the need for the highly
invasive "preponderance of contextual evidence" approaches used to verify behaviors like using credit
cards or signing a contract applying for financial services. In short, if we can verify point events with
some degree of finality, we can largely stop using pervasive monitoring to assure transactional
integrity. This is an important point: one good observation can easily substitute for tens of thousands of
weak observations, like your previous credit card transactions.
What we hope to establish through the agency of the Professional Witness is a bombproof credential
showing what a person chooses in a legally binding fashion. In short, they are there to create a verified,
transmittable moment in time that can be used by appropriate third parties in a legal context. The
Professional Witness's job is to record evidence and attest to what they have seen.
In theory, this is what your signature on a document is: it records an instant in time when you choose to
constrain your future behavior to the terms of the document you sign. It is, in theory, a "transmittable
moment in time." Your signature on a document is not an object, but rather it is evidence of an event.
The Professional Witness is a high-tech generalization of this function.
However, because people are running around all over the world signing other people's names,
the "ink-on-paper signature" standard has almost entirely eroded, and now we are using profiling to
make up some of the gap. Introduce a better way of signaling assent, and you reduce the risk that
profiling is meant to reduce. What we are working towards here is a risk-free contract signing
environment, something which has never existed in history outside of robust personal trust networks,
a rarity in an SSTR environment. Note that we are only proving who the entity is and that they assented
to this contract - nothing about their ability or willingness is being measured, only that they are who
they say they are, and they cannot repudiate this signature.
This is actually a major step forwards, especially when coupled with the persistence of the
International Phenotype Database. The problem is that it is too much of a good thing if combined
with existing profiling approaches, likely resulting in a rigid and over-controlling business
environment. Pervasive profiling is not something that should ever be combined with biometrics,
because of the privacy and balance-of-power issues.
Obviously we start with contract signing, but we can expect that once the infrastructure is in place,
other ways will be found to use the services of the Professional Witness. One of these possibilities is
using this infrastructure to record votes. This is an example of how whole systems thinking saves
money. Suddenly we discover that two systems that used to be separate can be combined to provide
superior services at reduced costs. Of course, in this instance, the final stage of the action - which vote
was cast - is split from the fact that somebody voted to ensure we still have the all-important secret
ballot. But in principle, the action is very similar to contract signing.

Risk and Liability Factors
Part of the goal here is to aggregate enough risk that it becomes profitable to pay for the engineering to
reduce that risk as far as technically and economically possible. If you have an office which does
nothing from day to night but check CheapID Identity Cards and record assent to contracts, they will
see enough attempts at fraud to improve security technology and practices if the financial incentives
and risk management are right. Correctly aligning the incentives harnesses competitive pressure to
produce better services, where misaligned incentives will produce technological stagnation and
lackluster performance as we see in many wrongly-regulated, mis-incentivized industries.
My suggested model is that when a Professional Witness documents the signing of a contract, if the
signing turns out to be an identity fraud, where the company did not correctly take the biometrics, or
was party through collusion to falsifying a contract signing event, the Professional Witness is fully
financially responsible for all associated costs, including the original contract. For example, somebody
who looks a little like you goes in to a Professional Witness and signs a services contract in your
name. You object, the National Court System rules it is not you that signed the contract based on
insufficient evidence presented by the Professional Witness. The Professional Witness is now
responsible for the services contract that it signed on "your" behalf.
This scheme has two effects. Firstly, companies can feel confident that when they have a signed
contract in their hand, somebody is either going to pay, or be legally accountable. Because you have a
biometric identity backbone that you can trust, a contract is a contract. If the contract is signed by the
person it should be signed by, and the deal goes bad, you take their CheapID to court, recover a real
identity and begin proceedings. If the signature turns out to be fraudulent, you can recover your losses
from the Professional Witness and their insurers. You never have a contract with a ghost. This is
important in an SSTR context where accountability can be hard to come by.

Recording Events and the Burden of Proof
Just as "innocent until proven guilty" and "guilty until proven innocent" describe two very different
legal systems, correctly allocating the burden of proof is very important to the success of the
Professional Witness. In the event that a person repudiates a contract signing, the entire burden of
proof is on the Professional Witness to prove that the person assented to the contract.
This is an area where risk management and technical measures collide. For low risk contracts, perhaps
the Professional Witness is willing to use an automated system that, once in a while, gets fooled and
when you come back to check the log tapes, there's a person with a rubber mask and a fake finger
spoofing the machine. For sufficiently high value contracts, the process might involve taking new
biometric data and securely storing it, or encrypting it with the key of the court in a secure archive so
that in the event of a problem a solid case can be made, but in the mean time there is no repository of
biometric information being built up in the Professional Witness.
Of course, sleazy and unprofessional Professional Witnesses might fabricate evidence. One safeguard
against this is for individuals to register their own choice of Professional Witness in a public
fashion, automatically repudiating all contracts said to be signed by them which are not signed by that
witness. This process helps balance the commercial interests of Professional Witnesses, individuals,
and companies. Witness choice is a market decision.

A Brief Recap
The Professional Witness scheme creates the possibility of getting a signed contract with an extremely
low risk of misidentification of the party signing the contract. This reduced risk has the following five
effects:
1. In an SSTR context, it makes it easier to do business, particularly international business, in a
country where financial records may have been lost or destroyed.
2. In combination with CheapID Identity Cards we can now create reliable contracts with people
whose identity we do not have access to unless we can prove the contract was broken.
3. A "blind contract" infrastructure helps counterbalance the totalitarian effects of biometrics and
information technology. People have complete privacy as long as they obey the law.
4. Entire classes of fraud become effectively uneconomic because of the extreme complexity of
hacking the identity systems.
5. Transactional costs go down, possibly by as much as 1% or 2% of total economic volume
because of reduced risk.
Now we have a convincing driver for the widespread adoption of biometric technology: secure blind
contracts which make it cheaper and easier to do international business.
The Professional Witness makes its living by reducing the economic overheads of doing business by
as much as 1% of total transactional volume. All of the risk minimization measures that are made
obsolete by the Professional Witness cost money or generate additional barriers to successful
transactions and this is an extremely large market. What we are doing here is unbundling risk
management features into a highly efficient and effective stand-alone business - a disaggregation to
increase efficiency and offer new services.
For example, I think that a Professional Witness could charge $200 to sign a car lease, and that it
would be cheap compared to the current anti-fraud measures taken on such a transaction. For a
mortgage, the relevant transactional overheads could increase the fee ten fold. The Professional
Witness is a viable business entity, possibly even without government-backed identity infrastructure.
But with that infrastructure, I expect there to be no issues finding businesses willing to add these
services to their product range.
Economic Implications
One of the core goals of SSTR operations is to connect areas back to international financial services
including foreign investment. This shows up as both direct aid (and the mechanisms necessary to spend
it) and programs designed to attract new business.
In this context, the ability to offer extremely secure identification of persons, and a solid legal
framework for genuinely trustworthy and enforceable digital signatures becomes a vital part of
attracting new business. Imagine you are in the position of an international telecommunications
company considering which of two nations to invest in. One operates a reasonable ISA program, and
the other does not. Which is a more friendly environment for your business, all other factors being
equal? Of course it is the one where you can actually meaningfully identify your customers and your
staff in a way which makes them accountable and cuts your losses due to problems identifying who you
are actually selling services to.
Now put this in the context of microfinance. Microcredit lending agencies typically charge around 30%
interest, largely because of the costs of administering the loans. Some of that money goes into training
staff, training loan recipients and so forth. A lot of it goes into identifying whether people are suitable
candidates for a loan. One typical requirement is that loans are only given to small groups of women,
who mutually guarantee each other's loans in sequential order. If the first loan defaults, the second is
never given. These loans have repayment rates of over 99% in many areas.
Now add a reliable identity backbone. How much easier is it to run a microfinance operation now?
What new classes of financial services become possible for the very poor when it is possible for them
to identify themselves even if they are too poor to have a home address, a job or even much interaction
with their government.
An identity solid enough to get credit is a developed-world luxury. Doing business in countries without
reliable identity infrastructure, without meaningful Dun and Bradstreet coverage, has enormous risk
and transactional overheads. Cutting these factors to an absolute minimum, in fact to lower levels
than are found in the developed world, paves the way for international trade in hitherto inconceivable
ways.
One classical Indian form of identity theft is to declare your relatives dead with a fake death certificate,
and then inherit their lands. There are some ten thousand of these people, and they have their own
union. Some of them have been "dead" for a decade or more because it is impossible to prove to the
government that they are alive. Dead people cannot sue. An upgrade to the identity systems used by the
state would not be a bad idea.

Financial Services in the Developing World
With a system like SIAB-ISA in place, the risk of identity fraud when somebody applies for a bank
account or a credit card in a poor country is likely to be less than the equivalent risk in the developed
world without the ISA. What we are talking about is leapfrogging identity infrastructure to pave the
way for leapfrogged financial services.
One example of a leapfrogged financial service is the E-gold company. E-gold is a privately issued
currency, with about $70 million worth of gold reserves. It has been possible to transfer
$100,000 from one account to another using a cell phone interface since around 1998. The system has
been profitable and self-supporting for many years, and was started by a single individual with an
Excel spreadsheet. E-gold is, in many ways, an ideal currency for international trade because
transactions are measured in transfers of allocations of the gold reserve directly: you are paying by
transferring a fractional right to take gold from the reserve, exactly as national currencies were when
operated on the gold standard. This means that there is very little political risk to storing one's wealth in
e-gold: hyperinflation and other effects of government policy may destroy a nation-state economy, but
seldom have significant effects on the gold price, except perhaps to raise it.
The final relevant factor is that E-gold supports payments down to around 1/3 of a cent, and
transaction costs are extremely low, making even $0.05 payments economically viable. Being able to
move five cents internationally in an economically viable way is a breakthrough technology for the
very poor.
E-gold is currently being severely challenged by the Federal Government over a variety of licensing
issues and allegations of money laundering. A cursory examination of the cases seems to suggest that
these charges stem from an unwillingness to issue the necessary licenses to let the free market provide
currency services, rather than from actual malfeasance, and E-gold's record of cooperation with the
authorities in tracking down illegal activity appears to be extremely strong. I hope that these issues will
be resolved in a way which leaves a viable and successful company standing.
Imagine, however, the alternative path in which the US Govt. sponsored (or simply permitted) the
development of an independent, stable international currency, coupled to the SIAB-ISA. It cannot be
the dollar because of the exposure that users, particularly the very, very poor, would have to US Govt.
policy.
This trade backbone - identity plus currency - can create transactions that normal national currencies
cannot because they have such poor support for international transactions, and low-value electronic
payments. An international currency, with strong ISA backup, opens the slums of the world to trade in a
way which is currently unimaginable.
Build a leapfrogged trade backbone. The people of the world will do the rest.

Common Operations
Signing A Contract
1. I physically visit the office of the Professional Witness.
2. They verify my CheapID Identity Card.
3. I present them with the contract I wish to sign in digital form.
4. The Witness affixes my CheapID Identity Card to the contract in digital form.
5. The Witness records my assent to signing the contract perhaps by video recording the event,
having me sign a paper copy and recording the signing event on a pressure sensitive tablet, or
other mechanisms. This evidence is probably encrypted with the key of the court and archived.
6. I now present this signed contract, including the signed ID, to the counterparty of the contract.
7. In the event of a breach of contract, the counterparty presents the contract to the National
Court System which, if the evidence supports it, decrypts my CheapID Identity Card and
identifies me. If I contest the validity of the signature, the records showing my signing are
decrypted and presented and an adjudication is made.
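The contract-signing steps above, carried through in Go as an added illustration (not code from the paper or the CheapID project): the Witness encrypts the card to the court's key and signs contract plus ciphertext, the counterparty verifies the Witness's signature without learning who signed, and only the court can reveal the identity. The key algorithms (Ed25519 for the Witness, RSA-OAEP for the court), the bundle layout and the sample contract and card strings are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SignedContract is the bundle handed to the counterparty (step 6): the contract, the CheapID
// card encrypted to the court, and the Witness's signature binding the two together.
type SignedContract struct {
	Contract, EncryptedCard, WitnessSig []byte
}

// digest binds the contract text to the exact ciphertext attached to it, so neither can be swapped.
func digest(contract, encryptedCard []byte) []byte {
	h := sha256.New()
	h.Write(contract)
	h.Write(encryptedCard)
	return h.Sum(nil)
}

// WitnessSign: after verifying the card in person (step 2), the Witness encrypts it to the court's
// public key and signs contract+ciphertext (step 4). OAEP with SHA-256 under a 2048-bit key takes at
// most 190 bytes, so a full-size card would be wrapped under a symmetric key in a real deployment.
func WitnessSign(witnessKey ed25519.PrivateKey, courtPub *rsa.PublicKey, contract, card []byte) (*SignedContract, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, courtPub, card, nil)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(witnessKey, digest(contract, enc))
	return &SignedContract{Contract: contract, EncryptedCard: enc, WitnessSig: sig}, nil
}

// CounterpartyVerify checks the Witness's signature without learning who signed.
func CounterpartyVerify(witnessPub ed25519.PublicKey, sc *SignedContract) bool {
	return ed25519.Verify(witnessPub, digest(sc.Contract, sc.EncryptedCard), sc.WitnessSig)
}

// CourtReveal (step 7): re-check the signature so a tampered bundle is rejected, then decrypt
// with the court's private key, which is the only key that can recover the identity.
func CourtReveal(courtKey *rsa.PrivateKey, witnessPub ed25519.PublicKey, sc *SignedContract) ([]byte, error) {
	if !CounterpartyVerify(witnessPub, sc) {
		return nil, errors.New("witness signature invalid: bundle altered or not witnessed")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, courtKey, sc.EncryptedCard, nil)
}
```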

Voting: A Special Case


Only minor changes are required to have a secure voting system emerge from this infrastructure. The
two necessary changes are that the Professional Witness has to verify that I am authorized to vote
before allowing me to do so (or invalid votes must be screened out down the line) and my vote has to
be concealed from the Professional Witness.
One approach to this might be to have a conventional voting booth and to hand out secret ballots.
Alternatively various cryptographic schemes might be employed. Ron Rivest has been doing some
extremely interesting work on voting recently, and is certainly the person to read to see some possible
solutions to this challenge.

Technical Challenges
The internal systems of a Professional Witness are not simple. They include monitoring systems,
control of their signing keys, repositories for secure data and a variety of other technical infrastructure,
none of which ventures deep into unknown territory, but all of which is expensive to deploy as
functional commercial systems.

Universal Secure Single Sign-On


Jurisdiction
Hybrid. Although operated by private companies and NGOs for the most part, in some instances this
service might be provided by governments, or across international boundaries in much the same way
email accounts are created. This is typical for internet-based systems, of course.

Purpose
I believe we have less than 10 years of legal anonymous free speech on the Internet. People
confuse the "Wild West" style properties of a new frontier with fundamental aspects of the digital space
and, as court houses and law get built on the Internet, much of the current wildness is inevitably going
away.
However, correctly leveraging PKI and the ISA creates the possibility of preserving the politically
critical support of free speech with a reasonable expectation of anonymity, except when criminal acts
are being performed.
The benefit in this case is the convenience of single sign on across all Internet (and perhaps other)
electronic services.
How is this to be achieved? Consider the OpenID standard, a distributed (or, more correctly, federated)
ID system which hangs off the Domain Name System namespace. An OpenID identity provider gives
out URLs, each one of which has a username and a password. The URL is given out to third parties as
the "identity" and back-channel communication occurs between the third party and the OpenID
provider to enable log in.
OpenID has about 10 million operational accounts and is being integrated into projects like Wikipedia.
It is likely to succeed widely. If not, something else like it is going to take its place, in all probability.
The email address has the same basic properties (of hanging off the DNS namespace) and has been
used as a default ID namespace up to this point, with much the same properties - for most web sites,
if I can read the email associated with Account X, then I am that person.
Hanging off the DNS namespace is an interesting thing, because it basically makes personal identities
part of the DNS hierarchy. Part of the freedom people feel on the Internet is that, on the Internet, you
are a "citizen" of the DNS Government - DNS creates the political unit of your email account
provider or, if you operate your own domain, yourself. In the event of an investigation, queries follow
the DNS chain of command: first WHOIS to identify the domain owner, then an enquiry to the domain
owner about the conduct or identity of a given user.
This usually results in either a real name, or an IP address, which is then mapped back to service
providers, then billing records, then an actual hard physical identity. Internet users typically feel rather
violated by having their online actions tracked back to their physical location because it is a cross-
namespace violation, rather like having a foreign nation state come and enforce its laws on you. These
illusions have built up through common custom and the largely privileged academic communication
which was the initial environment of the internet. That separateness is largely collapsing as the Internet
becomes a part of the "real world" and the new privileged spaces are massively multi-player online
roleplaying games like Warcraft, Second Life and Everquest.
Authentication for these systems is extremely problematic. Computer security is very ineffective for
most home users, and falsely authorized emails generated by viruses, for example, are a common
problem. Online banking security is constantly under attack from criminals compromising home
computer security over unaccountable emails. This situation cannot go on indefinitely.
The solution is simple: a special, privileged class of Single Sign On Identity Providers who require
an ISA-style blind contract before they will provide you single sign-on services. An identity with these
groups is indicated by a cryptographic signature from the vendor attesting that they have a CheapID
contract on file and will reveal it under a specified set of conditions, usually a court order in their native
jurisdiction.
Ideally, this move would be coupled with a definitive upgrade in authentication. Pseudo-random
number generators, when used for security applications such as the common SecurID tag, are subject to
man-in-the-middle attacks, so probably we are going to wind up with an additional PKI level, perhaps
small USB-type tokens. In any case it would be nice to indicate the level of authentication in the
account so that third parties could judge for themselves how much trust they want to put into a log in
from a particular SSO provider.

Common Operations
Identity Recovery
Upon display of proof that a given account has engaged in an activity which requires an identity to be
revealed (i.e. presentation of a court order) the sign on service returns the original ISA-style blind
contract, with associated CheapID Identity Card to the court to decrypt.

Electronic Democracy
With sufficiently secure SSO services, including perhaps specially created government-backed SSO
accounts along the lines of the Estonian system, it should be possible to do secure electronic voting
over a variety of devices including cell phones. Challenges pertaining specifically to this project will be
the subject of another paper. In essence, this discussion is about extending the reach of the Professional
Witness to transactions at a remote site like your home, using the media of a cell phone or other
computing device as the intermediary. This is non-trivial and may involve windows of revocation in
which coercion can be reported, for instance.

Technical Challenges
There are no difficult technical challenges specifically related to the ISA aspects of this system.

Implementation
Let's get down to the nitty gritty of implementing a system like this.
The hardest individual project in an implementation is the International Phenotype Database. Even a
prototype has to be able to accurately match incoming biometric data against a database we expect to
be vast, and provide auditing at a level that makes people like you and me comfortable being in that
database.
However, that is a problem which has an enormous number of really smart people working on it. We
are minimizing the problem in two ways: firstly, by planning to seed the system with very good
quality biometric data captured under controlled conditions, with an initial check for false positive
matches and refinement of the dataset to reduce these. That's a big step up: being able to flag a person
on enrollment as having fingerprints which partially match a bunch of other people helps later on.
Secondly, we are not pounding the database every time somebody wants to get access to their bank
account. By carrying a card with data on it, and matching face-to-data, we are minimizing the load on
the centralized system. It cannot be slow, but it can be non-real-time.
Next there is the whole dynamic of the exchange of information between courts and leviathan
and issuing stations and so on. For now, this can be done with web services and digital signatures.
Perhaps eventually a different architecture is appropriate, but for now? HTTP and XML are sufficient
for all of these transactions, as long as the protocols are carefully designed, and all traffic is encrypted
at an application level. Audit trails, again, are a lot of the difficulty here.
Then we have the cell phones. 574 bytes is the largest 2D barcode I have been able to get a vendor to
sign off on as a workable reality with current generation cell phones. It is not enough to do a general
use ID card which is reliable enough for banking because of image compression issues.
However, because we have been discussing a deployment involving perhaps millions of people, we can
discuss the issue with cell phone manufacturers. Adding the additional optical elements required to get
a good quality close up of an ID card is not a major engineering obstacle, it is just a case of being an
item with limited market demand. Likewise, the full color variant of Data Matrix boosts data densities
for a given optical system by a factor of 3.
So I think that a special run of cell phones with better cameras is perfectly reasonable and, once there is
an established application for those cameras beyond taking pretty pictures, the upgrade should become
a standard feature relatively quickly if there is market demand. It may even be possible to have the
Data Matrix standard extended to include an optional color implementation.
The hardest problem in the entire system is getting banks to allow account access using a CheapID
card. Once that problem is solved the systems can be adopted. Until then, it is all theory.
