State In A Box presents a coherent vision of overhauling the fundamental assumptions made about
nation state infrastructure to enable breakthroughs in Security, Stability, Transition and Reconstruction
(SSTR) functions in states in crisis. The Identity Services Architecture presented enables low cost, high
security financial transaction infrastructure to be rolled out using 2D bar codes, public key
cryptography, camera phones and biometrics in a novel configuration which both protects civil liberties
and provides strong identity information for legal processes.
Furthermore, an approach to international control of a single international biometric database is
presented, based on the chaordic work of Dee Hock, the architect of VISA. The assessment at the heart
of this paper is that the benefits of a correctly-designed rights-respecting cross-jurisdictional chaordic
governance structure cannot be forgone if we are to see a realistic implementation of biometrics as an
enabling technology for development.
We anticipate the cost of issuing an ID using this technology to be less than $1 per head.
This paper covers a lot of theoretical ground. For a quick overview of the ID proposal and links to the
demonstration code, see the CheapID Homepage.
You may find the original word document of this page easier to read. The getting started guide (pdf),
which has some diagrams that provide a good starting point, is essential reading.
There is also a 35 minute video which explains some of the basic technical ideas behind CheapID,
although its scope is far more limited than this paper.
This paper shows how we can manage large scale biometrics databases and increase the amount of
privacy we have from government snooping while still having a secure society.
The basic crux of this paper is that you can separate the biometrics database, which simply identifies
your physical body, and isn't necessarily any more intrusive than Flickr or any other online photo
sharing site, and the reputation database, which stores things like your credit rating, any criminal
record, and the suspicions of various government agencies about your intentions.
So when you do something like rent a car, you give them a token which has your face on it. They match
your face to the token, and say "ok, this token is valid." But the token doesn't have your name, or your
SSN, or anything else on it: it's totally sterile. But if you steal the car, they take the token to court, as
well as the proof you gave it to them, and the court uses the token to get your name, SSN and other
details.
If all that FBI or other government biometrics database stored was tokens, and it required a court order
to go from a match in the biometrics database to a name and street address, I think we'd have a fair
balance between civil liberties and security. A database of pictures of faces or fingerprints is not the
intrusive part: it's the connecting of your face or your fingerprint to your background that is the
intrusion, and we can separate the two databases and require a court order (and a crypto key) to
reconnect them.
Cheap DNA scanners are coming. We have to fix how we handle biometric data as a society before
they arrive.
Introduction
The Security/Stability/Transition/Reconstruction (SSTR) arena offers an opportunity to re-examine the
fundamental "business processes" of the State.
State In A Box (SIAB) is a set of interwoven concepts which relate to the idea of rebuilding the State
from the ground up, from scratch, on modern technological infrastructure.
Much of our thinking about the State derives from historical accidents like monarchy, gold and paper
ballots. The structures of our democracy rest on foundations built when travel was slow and before the
invention of public key cryptography. Taxation rests on a framework which predates credit cards and
electronic bank records. Security rests on organizational structures which are still recognizable from
Rome or Babylonia.
In the commercial sector, areas which have these kinds of deeply embedded but no longer valid
assumptions go through periodic restructuring. These processes of "creative destruction" re-optimize
the business processes, frequently by moving the divisions between one business and another through
processes like integration and disaggregation.
In government, short of the collapse of nation states, the pace of innovation is much, much slower.
It is my contention that this fact obscures one or possibly two orders of magnitude of cost and capital
savings in providing State services to citizens. The price paid for stability, in this instance, is
inefficiency.
However, in countries that do not even have stability, this inefficiency can scarcely be afforded. By
thinking about redesigning the structure of the State around modern technology, we may be able to
design a robust new technological infrastructure to run a State upon.
This effort is called State In A Box because the likely form factor of a deployable solution is actually
about 20 trucks, and State in About Twenty Trucks is somewhat unwieldy.
The Hacker Lowdown
International Bodies
The ISA envisages two interlocking international bodies that collaborate with governments and other
international bodies to operate the highest level parts of the system. One of these entities is modeled on
the standards bodies of VISA and the Internet, and the other is akin to Interpol, or some of the nation-
state identity databases that include significant data on non-citizens.
The first body is the ISA Standards Board. It manages selections of basic technologies like which 2D
bar code standard, what image compression format, which digital signature algorithm and other basic
technology selection choices. This body is for technology.
The second international body is the International Phenotype Database. The International
Phenotype Database maintains an identity record for every single human being enrolled in the system,
and possibly eventually for every human being alive. The majority of the work in this paper goes into
ensuring that this Leviathan is blind and helpless without the active support of individual nation state
governments.
One critical detail is that the International Phenotype Database stores only biometric information: no
name, no reputation or criminal data or any other fact is stored in this database. It is made to check if a
person is in the system already, and if they are, to indicate an ID has already been issued. Other than
that, the database is essentially useless. It is like a sea of faces and fingerprints with no context to other
added value. Not even names are in the system.
The architectural firewall separating the biometric information in the International Phenotype
Database from the reputation and identity information stored by the National Government is a key
innovation. The National Court System is the only entity in the ISA which has the capability to
reunite biometric data with identity data to convict or exonerate a person.
Both of these entities are expected to deal politically mainly with Global Powers and other
international bodies like the UN.
Governments
To gain any credence at all, the ISA has to be endorsed and initially operated by at least one Global
Power. Given that we are discussing what is essentially commercial infrastructure with an identity
foundation, there are probably five or six possible implementors, including of course the USA, the
European Union, and some of the larger trading partnerships.
Global Powers do most of the talking about technical standards, and operate the International
Phenotype Database at a technical level. They pay most of the bills for that service and reap the most
tangible security benefits, much like the Internet and VISA are useful to everybody, but mainly
governed and paid for by the G20.
Other Nation States can operate in one of two ways. Firstly, they can choose to allow their citizens to
get an ISA identity if they wish to. Secondly, they can merge their own identity infrastructure with the
ISA identity infrastructure, and rely on the International Phenotype Database to issue IDs.
What kind of states would do this? Poor ones.
The issues here are similar to the issues of pegging currencies to one another, or the adoption of
international currencies like the Euro. Complex arguments are made for all points of view, and the
entanglements of sovereignty and convenience make for rich debate. There is no uniformity in these
issues across nation states, but rather a landscape of response to perceived opportunity and risk. A
critical feature is that the ISA comfortably functions with this degree of adoption diversity.
One of the critical features of the ISA scheme is that it accepts states with a sharp division of powers
between Courts and Governments and is therefore compatible with the American model, although it
does not require it.
The majority of the routine contact between the International Phenotype Database and the citizens of
a country is mediated by the National Court System.
National Governments make the agreements.
National Court Systems implement them, and in cases where there is no division between the two, the
system operates without disturbing those pre-existing equilibria.
Companies
There are four classes of company involvement in the ISA.
Technology Vendors implement international standards for private companies and governments.
Contract Co-parties rely on the identity backbone to reduce their contract risks when dealing with
individuals and companies.
Financial Services Institutions rely on the identity backbone to satisfy Know Your Customer and
other legal requirements while the privacy features of the ISA protect their customers from unwarranted
intrusion into their personal lives.
Professional Witnesses offer contract signing services, including (in some implementations) access to
a secure and reliable electronic voting infrastructure. An individual presents a contract to be signed, and
the Professional Witness essentially notarizes the assent to the contract and verifies the person
presenting against the individual's biometric ID. These companies absorb misidentification risk by
indemnifying Contract Co-parties from losses associated with the Professional Witness making a
mistake, such as taking one person for another in a contract signing situation. Note carefully that the
Professional Witness is verifying the Phenotype of the person signing the contract - their physical
body - but has no access to name or other information.
Consider the example of a car lease. A person presents a Professional Witness with a car lease they
want to sign and a copy of their ID. First the witness matches you to your ID to make sure it is you.
Then the witness records your assent to the contract, and signs the lease on your behalf, escrowing
identity credentials with the National Court System in the process.
Suppose that the lease is unpaid, and upon investigation it is discovered that it was not you who signed
the lease but an unknown identity fraudster who defeated the Professional Witness systems with the help
of a member of their staff. The Professional Witness is liable for all associated costs to you, to the car
lease company, and any additional injured parties because they made a professional error.
Professional Witnesses must bear the full burden of proof in all cases. It is up to them to prove that the
person they say signed a document actually signed it, and they are responsible for presenting
incontrovertible evidence to this effect. Professional Witnesses have a peculiar exposure to risk: they
are liable for the costs of a crime (identity theft) and are also witnesses to the fact a crime has been
committed. Only a strong judicial system can keep them honest. Otherwise, Professional Witnesses
will rapidly become corrupt, unreliable, and the systems will fail because of the misalignment of their
incentives and the whole system requirements. They will start to present shoddy evidence, and the
system will collapse.
In this scheme, the needs of the Professional Witnesses for reliable identification are the primary
drivers for biometric security standards because they are the ones with the primary exposure to
pervasive misidentification risk. By collecting all of the misidentification risk in the system in a single
location in the architecture, we create the financial incentives to hire engineers to keep the systems
secure.
Individuals
Individuals come into contact with the ISA in one of three contexts: voluntary, default and
compulsory use of the system.
Voluntary use is where the ISA services are offered perhaps as an aid to doing international business,
or in a context like getting a permit for entry to a foreign country. An oppressive system will not get
used as people would rather avoid the activity than submit to intrusive identification.
Default use has more implications. Perhaps one needs an ISA-type identity to get a passport, or the
ISA-type identity is your passport. Perhaps it is required for opening a bank account, or for driving.
Sufficiently motivated and desperate people can avoid the net but almost nobody will choose to do so.
An oppressive system could well be used even by people who hate it.
Compulsory use is quite simple. You have an ISA-type ID or you go to jail.
The only reason that I can write this paper is because I believe that the ISA scheme proposed is the
least bad of the available options for managing biometrics. I believe that, in the long run, security in the
21st century is going to critically revolve around actually knowing who people are and that, in fact, we
can no longer afford to have nameless, faceless people shuffling around the world as human traffickers
move them across borders, or as international terrorists move around the world as if the nation state did
not exist.
Hence the goal is to create a system which, even if it becomes compulsory in a few generations time, is
not oppressive. We work not for today, but for our descendants in seven generations or more.
This is due prudence. Financial instruments like cheques have been in circulation far longer than that.
Concepts like interest on loans go back even further. Design decisions made casually by engineers
working on the internet protocol will likely affect all digital systems built from now until the end of
foreseeable human culture, if only through enshrining architectural distinctions embedded in the OSI
models through generation after generation of culture and language.
If this seems unrealistic, consider that the distinction between "organic" and "inorganic" chemistry is a
historical accident caused by the supposed impossibility of converting inanimate materials into any
compound found in organic life. That barrier was crossed nearly two centuries ago by the synthesis of
urea, but the divide created around it remains to this very day in university departments, language,
terminology, technology and culture among chemists.
We have to be sure that any system we are architecting with intentions of global effect is something
that the future can live with because success is always an option. But success is no proof of quality,
only of immediate fit and timing. We must strive for excellence, particularly in the political aspects of
this system: if the system is adopted, some of the abstractions it is built on may last hundreds of years.
In short, whatever model of the Rights of Individuals we choose to enshrine in these systems may
become the laws we, or our descendants, must live under.
System Design
In a whole systems thinking context, the performance of the system as a whole is ensured by designing
not just the components of the systems, but by carefully working to understand their interactions. In
this sense, object oriented programming and database architecture are close relatives of whole systems
thinking.
Fortunately the individual components of the SIAB-ISA are relatively simple to describe, although
some subsystems contain considerable technological complexity.
The deliverable is an Identity Services Architecture which supports an identity standard called
CheapID. CheapID is designed to be the cheapest and most robust possible personal identity card.
We will briefly examine three core technologies, then move on to detail the system as a whole, working
towards the CheapID towards the end of the paper.
Biometrics
Briefly, we assume four or five levels of biometric identification of a human being, ranging from a
simple picture like a passport photograph through to a complete set of biometrics perhaps even
including a DNA sample.
The basic CheapID Identity Card envisaged later on contains a digitally signed picture of the person.
Optional higher security credentials would include increasingly large amounts of identifying biometric
information, often encrypted so that it could only be read by authorized parties.
I believe it is important that system enrollment uses a full set of biometrics, in some implementations
even including DNA, because the consequences of having a single individual with two or more
globally recognized ISA identities are extremely serious. The strong protections we generate for
privacy and free speech rest on our ability to absolutely pin down individuals who abuse these
protections by, for instance, committing acts of terrorism. A person with two identities can do
something horrible under one identity, then slip away under another. The system must be robust enough
to compete in the policy marketplace and displace other candidate systems with less protection for
human rights.
Court Escrow
The Identity Services Architecture revolves around Court-like entities that manage private keys for
encrypting and decrypting identity information under legal (or other) authority.
Security in the system comes from the completeness of the records in the International Phenotype
Database. Privacy comes from the architectural separation of that biometric data and the identity and
reputation data held by nation states. Although a court cannot request the release of biometric identity
records for its own use, it can submit biometric evidence to the International Phenotype Database
and request a search. Such a search can pair evidence with an identity record, but the court cannot
simply pull records from the International Phenotype Database. It can search and get identity
information back in results, but not request biometric information directly.
Only the court can take an encrypted CheapID Identity Card, and recover fields like the individual's
name or their government-issued identity number, if one exists. These fields are private even from
police in most cases. This allows these cards to be used for many purposes that a less private identity
card could not be used for. The common practice of matching a face to an identity card, but not being
able to recover any additional information about the individual without a court order, is the key novel
transaction in our system.
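The transaction described above, as an added Go example that is not the paper's own demonstration code: the issuer signs the card (nationality, biometric template, and a blob sealed to the National Court System's public key) with RSA-PSS; a verifier checks the signature and matches the template but cannot read the blob; only the court's private key recovers the name and government number. The Card and Identity types, the field names, the choice of RSA-OAEP and RSA-PSS, the exact-match template comparison and the sample values are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Card is the sterile credential printed into the barcode: a verifier sees the
// nationality, the signed biometric template and an opaque blob. The name and
// government number are inside the blob, readable only by the court.
type Card struct {
	Nationality string `json:"nat"`
	Template    []byte `json:"tpl"`  // constructed stand-in for the signed photo
	SealedID    []byte `json:"seal"` // identity fields, RSA-OAEP to the court's key
	Signature   []byte `json:"sig"`  // issuer's RSA-PSS over nat, tpl and seal
}

// Identity holds the fields that stay private even from the police.
type Identity struct {
	Name   string `json:"name"`
	GovtID string `json:"govt_id"`
}

func GenKey(bits int) *rsa.PrivateKey { // key generation; a failure is fatal in this toy
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

// signedBody is what the issuer signs: every field except the signature, so a
// swapped or altered blob invalidates the card.
func signedBody(c *Card) []byte {
	b, _ := json.Marshal(struct {
		Nat  string `json:"nat"`
		Tpl  []byte `json:"tpl"`
		Seal []byte `json:"seal"`
	}{c.Nationality, c.Template, c.SealedID})
	return b
}

// IssueCard is run by the issuing authority, which holds its own signing key
// and the court's public key but never the court's private key.
func IssueCard(issuer *rsa.PrivateKey, courtPub *rsa.PublicKey, nat string, template []byte, id Identity) (*Card, error) {
	plain, err := json.Marshal(id)
	if err != nil {
		return nil, err
	}
	seal, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, courtPub, plain, []byte("cheapid-court"))
	if err != nil {
		return nil, err
	}
	c := &Card{Nationality: nat, Template: template, SealedID: seal}
	digest := sha256.Sum256(signedBody(c))
	c.Signature, err = rsa.SignPSS(rand.Reader, issuer, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return c, nil
}

// VerifyCard is what a Professional Witness or a car-rental desk does: check
// the issuer's signature and match the person to the card. It never touches
// SealedID, because it cannot read it. Real biometric matching is fuzzy; this
// constructed example compares templates exactly.
func VerifyCard(issuerPub *rsa.PublicKey, c *Card, presented []byte) error {
	digest := sha256.Sum256(signedBody(c))
	if err := rsa.VerifyPSS(issuerPub, crypto.SHA256, digest[:], c.Signature, nil); err != nil {
		return errors.New("card signature invalid")
	}
	if !bytes.Equal(c.Template, presented) {
		return errors.New("biometric does not match the card")
	}
	return nil
}

// CourtUnseal is the one privileged operation: only the court's private key
// recovers the name and government number from a card submitted as evidence.
func CourtUnseal(courtPriv *rsa.PrivateKey, c *Card) (Identity, error) {
	var id Identity
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, courtPriv, c.SealedID, []byte("cheapid-court"))
	if err != nil {
		return id, err
	}
	err = json.Unmarshal(plain, &id)
	return id, err
}

func main() {
	issuer, court := GenKey(2048), GenKey(2048)
	tpl := sha256.Sum256([]byte("constructed face template: person A")) // constructed input
	card, _ := IssueCard(issuer, &court.PublicKey, "US", tpl[:], Identity{Name: "A. Person", GovtID: "placeholder-0001"})
	fmt.Println("verifier:", VerifyCard(&issuer.PublicKey, card, tpl[:]))
	id, _ := CourtUnseal(court, card)
	fmt.Println("court sees:", id)
}
```

Because the signature covers the sealed blob, a card whose blob has been swapped or edited fails at the verifier before anyone needs the court.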
A Brief Recap
Before we wade into the guts of the system design in detail, let us briefly recap.
The goal is to produce an Identity Services Architecture which provides a nation state level identity
backbone that has some interesting new properties, and that is broadly speaking affordable. One of
these properties is being able to uniquely identify individuals.
The goal beyond that goal is to re-implement the fundamental processes of the nation state on a modern
technological base, with the objective of reducing the overhead of running a state by 90% and steering
the way that other states adopt information technology in their own operations by providing a worked
example in an SSTR context. We propose that by doing so we can cut "canyons" through the cost
landscape in the areas where useful and rights-protecting technologies lie by paying the costs of R&D
and early adoption, and thereby steer other nations away from implementing biometric totalitarianism,
which we regard as an ever-present threat.
Because we are consciously attempting to re-engineer the processes of the nation state, the political
considerations are not secondary to the system but integral to it at every level.
Biometrics are not morally neutral technology.
Correctly applied cryptography can counterbalance most of the negative effects of biometrics while
preserving their most useful properties.
At the heart of this system is a cryptographic schema for implementing an international, cross-
jurisdictional legal process for managing personal information securely, with appropriate levels of
individual protection, while recognizing that many states afford their populations less freedoms (or
freedoms of a different type) than the American system. We must honor local diversity in order to
create an internationally interoperable system.
Finally, there is one technological gimmick which sits at the heart of the system: printing everything
needed to identify a person on a digitally signed 2D barcode and reading it back with a camera phone.
That's a technology with a relatively short life-span. There are twenty years at most before it is replaced
with something better.
The durable component of the system is the scheme for managing personal information, not the "hack"
for getting it to be cheap in the here-and-now.
This gets pretty involved, so try to put yourself in the political position of each entity in the process.
My assertion is that the system works well for every constituent entity in the system and therefore is
viable, once established. I may be wrong, but this is the reason I believe that this system is workable
while most other proposed schemes are not. A system without losers can usually out-compete a system
with winners and losers.
Jurisdiction
The International Phenotype Database is an international body that exists initially by fiat. In order
for the system to be trusted it is operated by an international technical coalition including a reasonable
number of representatives from nations who do not trust or like each other. The balance of power at the
heart of the system is that each nation state group cooperating to manage the system is doing so
partially to protect its own citizens from unwarranted surveillance and monitoring from the security
forces of the other groups present. Because any country can run searches against the database on an
equal footing, there is a strong incentive for every country to restrict the database to its due bounds,
simply to protect the privacy of their own citizens.
To attain this kind of balance of powers, the system must be simple, transparent and auditable, and
groups like Amnesty International should be able to review or even help operate the system.
The parallel with VISA is that banks are competitors who had to learn to cooperate to get an
international payment system working. The mutual tension around protecting the biometric privacy of
your citizens from The Bad Guys Over There (i.e. national rivals) applies to all sides equally, and
maintains the integrity of the system.
There is no parallel with the Internet because the Internet has no fundamental competitions at its heart.
Peering issues between backbone providers are the closest analogs, and are a poor fit.
The treaties under which the International Phenotype Database is created must explicitly recognize
the rule of law in the nations who are working with the system. The International Phenotype Database
can be seen as an organization convened by the court systems of various nation states working together.
Purpose
The International Phenotype Database has one basic purpose: when shown a set of biometric
information it can search through the biometric data of every human enrolled, and possibly every
human on the planet in later years, and return a set of matching records.
However, these "matching records" consist of only two fields: a National Government identifier ("is
an American") and a block of data encrypted by that government and given to the
International Phenotype Database when this person was enrolled in the system.
The International Phenotype Database is blind. It can see the "body" - a person's biometrics - but not
their identity, not their reputation, nothing except a citizenship and a block of data it cannot read.
Because of other features in the ISA, it is likely that this search will be performed once per
lifetime for the average individual - on enrollment, and never again, although searches related to
criminal cases may be common. A search can only be initiated upon request of a National Court
System. Police forces, for example, have no direct access to the system and neither do governments.
Furthermore there is no use case which results in the return of biometric data to a National
Government from the International Phenotype Database. It is a "roach motel" for biometric data as
far as governments are concerned, as it must be.
An individual can request that the International Phenotype Database release their biometric records
to them.
Common Operations
Biometric Enrollment Process
This is the process that stores the individual's data.
1. An individual presents at a CheapID Issuing Station and requests an ID be issued.
2. The International Phenotype Database receives a request to add a new person to the database.
3. If the request is from an authorized Issuing Station then a set of biometric information is sent
to the International Phenotype Database to process.
4. The data is compared to all of the biometric records in the International Phenotype Database. If
there are matches on the personal data sent in, one of three things happens.
1. A request for additional information is returned, and more biometric information is sent
in until there are no more matches. Typically this would consist of a DNA sample being
processed to disambiguate similar fingerprints.
2. A list of possible matches is generated, and a complex legal process of ruling out each
possible match without undue invasions of privacy is begun - this is a serious process
and to be avoided where possible. The case of identical twins with closely matched
fingerprints would be about the only case where I can imagine this being necessary, but
biology always surprises us.
3. A pre-existing identity record is discovered for the person who is currently being
enrolled, and a report is returned that will allow them to get their original ID reissued.
Further investigation may also be required.
5. Once it is settled that this person is to be enrolled with the set of biometrics submitted, the
International Phenotype Database encrypts an identifier for this individual using the
International Phenotype Database's public key, then re-encrypts this identifier using the
public key of the relevant National Court System and returns this document, the Statement of
Biometric Enrollment, to the Issuing Station to be presented to the enrollee. This is not yet an
identity document, it is simply a statement of fact: this individual's data has been stored. Note
that it contains no personal information whatsoever.
It is my firm conviction that the International Phenotype Database is going to be more-or-less
inoperable without using DNA fingerprinting for everybody. However, I am not an expert in
biometrics, and it may be that an adequate level of uniqueness can be obtained from, say, 10
fingerprints plus both irises. But if DNA is not commonly stored a wide range of questions cannot be
answered using the SIAB-ISA and inevitably parallel, less secure, less useful systems will spring up to
handle DNA-based identity issue, resulting in a fragmentation of biometric security applications, a
reduced global value, and competition.
One system should exist, and it should be extremely heavily oriented towards individual liberty.
Therefore, to maintain the unitary nature of the system, it must deal with DNA either now, or as the
technology for handling DNA biometrics improves in future.
Note that we are not assuming a single standardization for biometric records. There are too many
instances where a person's morphology grossly changes (accidents, particularly burns) and new oddities
of human genetic makeup are constantly discovered, including chimeras, who are single individuals
with two sets of DNA, related to each other as if one part of their body was the sibling of another. We
cannot assume standardization. Rather we need the records in the SIAB-ISA to allow a Professional
Witness or other individual to securely verify that the person in front of them is the person on the ID
card presented.
DNA is the most unique and standard biometric data currently known, and logical pressure towards
using DNA to identify people is likely to be inexorable as genetic technology improves and brings the
cost of analysis down. Better to design a system to be secure enough to handle DNA properly from the
very start.
Criminal Investigations
1. A National Court System submits a request to the International Phenotype Database to
identify a person based on a fragment of biometric information, like a finger print or a DNA
sample.
2. The International Phenotype Database performs the search (perhaps charging the relevant
National Court System for the computer time) and generates a set of results.
3. Those results that are citizens of the nation state of the requesting court are returned to the
National Court System. All that is returned is the Identity Packets of those involved, not
additional biometric matching information.
4. Upon request, the International Phenotype Database will contact the National Court System
of the country of each person found to match the sample and inform them of the biometric
match, and of the request from the National Court System that initiated the search that contact
is made about this case. The expectation is that the person's National Court System will
cooperate with the National Court System that initiated the search within the framework of
any agreements between the two countries.
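The enrollment steps 2 to 5 earlier in this section and the criminal investigation steps 1 to 4 above, as one added Go example that is not the paper's own demonstration code. Enroll refuses unauthorised stations and duplicate biometrics, then returns the Statement of Biometric Enrollment as a random identifier encrypted to the database's own key and encrypted again to the court's key, so the court can open the outer layer but still cannot read what is inside; Search returns only the Identity Packets of the requesting court's own nationals and never any biometric data. The type and function names, RSA-OAEP with the key sizes shown, the substring match standing in for real biometric matching, and the sample templates and packets are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record held by the International Phenotype Database (IPD): biometrics, a nationality
// label and a packet encrypted by the national government. No name; the IPD cannot read the packet.
type ipdRecord struct {
	Template    []byte // constructed biometric template (stand-in for prints or DNA)
	Nationality string // e.g. "US"
	Packet      []byte // Identity Packet, opaque to the IPD
}

// IdentityPacket is the only thing a court ever receives from a search.
type IdentityPacket struct {
	Nationality string
	Packet      []byte
}

type IPD struct {
	Key        *rsa.PrivateKey // the database's own key pair
	Authorised map[string]bool // Issuing Stations allowed to enrol people
	records    []ipdRecord
}

func GenKey(bits int) *rsa.PrivateKey { // key generation; a failure is fatal in this toy
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

// OAEPEncrypt and OAEPDecrypt wrap RSA-OAEP; the label keeps the two layers distinct.
func OAEPEncrypt(pub *rsa.PublicKey, msg, label []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, label)
}

func OAEPDecrypt(priv *rsa.PrivateKey, ct, label []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, label)
}

// Enroll follows enrollment steps 2 to 5: check the station, search for an existing
// record, store the biometrics, then return the Statement of Biometric Enrollment. The
// "more biometrics needed" and identical-twin branches are collapsed into one refusal here.
func (db *IPD) Enroll(station string, template []byte, nationality string, packet []byte, courtPub *rsa.PublicKey) ([]byte, error) {
	if !db.Authorised[station] {
		return nil, errors.New("request not from an authorised Issuing Station")
	}
	for _, r := range db.records {
		if bytes.Equal(r.Template, template) {
			return nil, errors.New("match found: reissue the original ID instead")
		}
	}
	db.records = append(db.records, ipdRecord{Template: template, Nationality: nationality, Packet: packet})
	id := make([]byte, 16) // random identifier: carries no personal information
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	inner, err := OAEPEncrypt(&db.Key.PublicKey, id, []byte("ipd")) // only the IPD can open this
	if err != nil {
		return nil, err
	}
	// Outer layer to the court. With SHA-256 OAEP a 3072-bit court key carries up to
	// 318 bytes, so the 256-byte ciphertext from a 2048-bit IPD key fits inside.
	return OAEPEncrypt(courtPub, inner, []byte("court"))
}

// Search follows criminal investigation steps 1 to 4. Only the packets of the requesting
// court's own nationals are returned and no biometric data leaves the IPD. Matches under
// other jurisdictions come back as courts for the IPD itself to contact, unseen by the requester.
func (db *IPD) Search(fragment []byte, requestingNation string) (own []IdentityPacket, notify []string) {
	if len(fragment) < 8 { // refuse fragments too short to identify anyone
		return nil, nil
	}
	for _, r := range db.records {
		if !bytes.Contains(r.Template, fragment) { // substring match stands in for biometric matching
			continue
		}
		if r.Nationality == requestingNation {
			own = append(own, IdentityPacket{r.Nationality, r.Packet})
		} else {
			notify = append(notify, r.Nationality)
		}
	}
	return own, notify
}

func main() {
	db := &IPD{Key: GenKey(2048), Authorised: map[string]bool{"station-1": true}}
	tpl := sha256.Sum256([]byte("constructed template: person A")) // constructed input
	stmt, err := db.Enroll("station-1", tpl[:], "US", []byte("opaque packet"), &GenKey(3072).PublicKey)
	fmt.Println("statement bytes:", len(stmt), "err:", err)
}
```

Opening the statement with the court key yields another ciphertext, not an identifier, which is the "roach motel" property: the court learns that an enrollment happened, and nothing else.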
One nice thing about this system is that it makes it very easy to define one kind of state sponsored
terrorism. When biometric information about a terrorist is submitted to the International Phenotype
Database and they match it to a nation state, if that National Court System simply never returns any
further data, you have clear evidence of state sponsored terrorism by virtue of identity protection.
Note that in the best form of this system, the International Phenotype Database never returns any
information on matches outside of the jurisdiction of the National Court System that raises the query:
it does not reveal the nationality or even the existence of any additional matches. The relevant courts
are contacted, but nothing is relayed back to the originator of the query.
This is likely untenable in the real world, but is how the system might operate in an idealized form.
Technical Challenges
There are three classes of technical challenges at the International Phenotype Database level.
1. Searching six billion biometric records including issues like false positives and simply handling
that much data.
2. Securing the system, including audit trails, physical security, and prevention of an attack on this
critical facility resulting in a global failure of the capability to search biometric records or
generate new identities, although existing CheapID Identity Cards would continue to work.
3. Building out the technical infrastructure for the exchange of information and management of
cryptographic keys within each National Court System.
Obviously in an SSTR context, SIAB-ISA is about equipping some number of facilities in the host
nation with the necessary technology and keeping it running for them as well as rolling out the
associated financial services and contract validation services outlined later on in this paper.
All of these services can be provided with technologies that are either common items or near-market
refinements of existing systems. Based on my current exposure to the technology even the large scale
biometrics matching appears possible given a few years for hardware to get faster and algorithms to
grow more sophisticated.
A lot of what makes this possible is that searches against this database are infrequent: once per lifetime
upon enrollment, plus criminal investigations.
However, one trade being made is full database searching without narrowing the dataset based on
factors like proximity. We are not permitting operations like "search for records in the London area"
because the International Phenotype Database is not allowed to know who lives in London. The
narrowing is done after the biometrics matching step, and it is done by the local courts, not the
biometrics database. This is extremely inefficient, but bigger computers are coming.
Purpose
In this context, the National Court System provides controlled legal access to the International
Phenotype Database, and the various Issuing Stations and other parts of the ISA.
Common Operations
All common operations with a technical component are covered under the International Phenotype
Database above. They are documented as a set of interactions between the International Phenotype
Database and the court because the court has little or no direct access to biometric data except through
that intermediary.
Technical Challenges
Deploying PKI in a court context and associated procedural changes are major issues, as is building
judicial understanding of how the system affects their role. There are additional challenges in building
a framework within existing legal systems to identify what is and is not rational and appropriate when
dealing with biometrics in general. These challenges are not unique to the SIAB-ISA, however.
One plausible approach is that each National Court System has a single national decryption center
that manages the court's private keys, and then additional PKI to manage transfers of data to and from
that center, and authorization and authentication. This is a major project, but considerably more
tractable than the obvious alternatives.
Issuing Stations
Jurisdiction
Authorized by the National Court System, may be operated by an arm of the court, an NGO, or third
parties like hospitals and Professional Witnesses.
Purpose
The issuing station exists to take a person's biometric information and relay it securely to the
International Phenotype Database. It takes legal responsibility for the honesty and integrity of this
task, and staff should be clearly identified and criminally liable, with a solid audit trail.
Common Operations
As documented under International Phenotype Database.
It's worth noting that the security and reliability of the issuing stations is key to the security and
reliability of the entire system.
Suppose, for example, the station collects bogus data and transmits it to the International Phenotype
Database? This gets caught by the Court, when the Court compares the data coming back from the
International Phenotype Database to the person presenting the request. But what if there is collusion
between an Issuing Station and the National Court System, to create a bogus identity by sending fake
biometric data? This still gets caught when the CheapID Identity Card is presented for use, of course,
but it is clearly possible for multi-party collusion to create fake people even if it is very hard to pass
them off against challenges. However, the system is many, many times harder to spoof than current
systems, where fake people can be created by a single government ad infinitum.
In common use, institutions like hospitals might act as Issuing Stations. The basic mechanics of taking
the necessary biometric data, possibly including DNA samples, fit nicely in a medical setting and
could, in an SSTR context, be associated with primary health screening and vaccinations for example.
Technical Challenges
The challenges depend entirely on the level of biometric sophistication required. A basic Issuing
Station is a digital camera, a net connection to a web site which provides an interface to the
International Phenotype Database and, if the station is to sign its own attestation as described under
the CheapID Identity Card below, a signing key kept under the station's control.
The CheapID Identity Card
Jurisdiction
It is important to understand that the CheapID Identity Card reflects the international agreements
which form the ISA in its internal structure.
At an abstract level, the CheapID Identity Card has three statements on it, digitally signed by their
respective parties. The first is from the Issuing Station, attesting that this is a picture they took and is
an accurate likeness of an unnamed person (and the same for any other biometrics present.)
The second is from the International Phenotype Database stating that it has an Identity Packet from
a National Court System referring to the unique individual presented on this card. This implies that
the individual has been enrolled and that any ambiguity about their biometrics has been resolved.
Finally, there is a statement from the National Court System that it is willing to decrypt the unique
identifier present on this card (the identifier is unique to the card) to reveal this person's real identity
based on whatever legal criteria that National Court System requires.
The combination of these three statements gives a solid link to this person's identity, protected by the
Court's unwillingness to decrypt the identifiers on the card for frivolous or illegitimate purposes.
However, in practice, there are issues with presenting all of this information on the card. Firstly, one
may simply run short of bytes in the cameraphone implementation. Secondly, the digital signatures on
the image from the Issuing Station and the International Phenotype Database create a de facto
unique identifier which is unique to the individual, not to a given instance of their identity card. In
naive implementations, the signature on the photograph becomes usable as a sort of substitute Social
Security Number. Again, blind signatures may make it possible to carry these signatures from end to
end without them becoming illicit unique identifiers in their own right, but is that reasonable? The
algorithms allowing a blind signature (that is, for a party to sign a document whose contents it cannot
see, such that the holder can later present an ordinary, verifiable signature on the unblinded document
without the signer being able to link the two) are not trivial and begin to lift the system out of the
domain in which simple reference implementations are possible.
Finally, those algorithms depend to an unknown degree on particular features of the RSA cryptosystem.
In the upcoming post-RSA era (RSA is broken by Shor's algorithm on a sufficiently large quantum
computer) it will become necessary to shift algorithms. Digital signatures will almost certainly continue
to exist, but the multiplicative (homomorphic) property of RSA on which Chaum-style blinding depends
may not be replicated in the new systems, killing entire classes of useful algorithms.
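As an added worked example (not code from this paper or from the CheapID project), the following Go program carries out the Chaum RSA blind signature that the two paragraphs above have in mind: the holder blinds a hash of the photograph, the Issuing Station signs the blinded value with plain RSA, and the holder unblinds it into an ordinary signature the station cannot link back to what it signed. The 2048-bit key, hashing the photo into the integers modulo N, and the names Blind, BlindSign, Unblind and Verify are all assumptions made for illustration; a deployment would use a standardised scheme such as RSABSSA (RFC 9474) rather than textbook RSA on math/big.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// hashToInt maps a message into the integers modulo N (full-domain-hash
// style; fine for a demonstration, not a production encoding).
func hashToInt(msg []byte, n *big.Int) *big.Int {
	h := sha256.Sum256(msg)
	return new(big.Int).Mod(new(big.Int).SetBytes(h[:]), n)
}

// Blind is the holder's step: choose a random r coprime to N and hand the
// signer m' = H(m) * r^e mod N, which reveals nothing about H(m).
func Blind(pub *rsa.PublicKey, msg []byte) (blinded, r *big.Int, err error) {
	e := big.NewInt(int64(pub.E))
	for {
		r, err = rand.Int(rand.Reader, pub.N)
		if err != nil {
			return nil, nil, err
		}
		if r.Sign() != 0 && new(big.Int).GCD(nil, nil, r, pub.N).Cmp(big.NewInt(1)) == 0 {
			break
		}
	}
	m := hashToInt(msg, pub.N)
	blinded = new(big.Int).Mod(new(big.Int).Mul(m, new(big.Int).Exp(r, e, pub.N)), pub.N)
	return blinded, r, nil
}

// BlindSign is the signer's step: textbook RSA on whatever it is handed.
func BlindSign(priv *rsa.PrivateKey, blinded *big.Int) *big.Int {
	return new(big.Int).Exp(blinded, priv.D, priv.N)
}

// Unblind removes r: (m')^d * r^-1 = H(m)^d * r^(ed) * r^-1 = H(m)^d mod N,
// which is exactly the RSA signature on H(m). This step is where the
// multiplicative property of RSA is used.
func Unblind(pub *rsa.PublicKey, blindedSig, r *big.Int) *big.Int {
	rInv := new(big.Int).ModInverse(r, pub.N)
	return new(big.Int).Mod(new(big.Int).Mul(blindedSig, rInv), pub.N)
}

// Verify is an ordinary RSA check: sig^e == H(m) mod N.
func Verify(pub *rsa.PublicKey, msg []byte, sig *big.Int) bool {
	e := big.NewInt(int64(pub.E))
	return new(big.Int).Exp(sig, e, pub.N).Cmp(hashToInt(msg, pub.N)) == 0
}

// Result summarises one run of the protocol.
type Result struct {
	Valid         bool // the unblinded signature verifies on the photo
	TamperedValid bool // whether it also verifies on a different photo (must be false)
	SignerSawHash bool // whether the value the signer signed equals H(photo) (must be false)
}

// RunBlindSignatureDemo generates an Issuing Station key (assumed 2048-bit)
// and runs the full exchange on the given photo bytes.
func RunBlindSignatureDemo(photo []byte) (Result, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	pub := &priv.PublicKey
	blinded, r, err := Blind(pub, photo)
	if err != nil {
		return Result{}, err
	}
	sig := Unblind(pub, BlindSign(priv, blinded), r)
	tampered := append(append([]byte{}, photo...), '!')
	return Result{
		Valid:         Verify(pub, photo, sig),
		TamperedValid: Verify(pub, tampered, sig),
		SignerSawHash: blinded.Cmp(hashToInt(photo, pub.N)) == 0,
	}, nil
}

func main() {
	// Constructed sample input standing in for the station's photograph.
	res, err := RunBlindSignatureDemo([]byte("constructed photo bytes"))
	fmt.Printf("%+v err=%v\n", res, err)
}
```

Note what blinding does and does not buy. The station cannot link its signing session to the signature later shown, but the unblinded signature is still a single fixed value for that photograph, so it would recur on every card unless each card is signed separately; that is the cost the "one thousand encrypted packets" approach in the text is paying.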
Therefore, practically speaking, in a simplified implementation, the card bears only one digital
signature: that of the court, attesting that the original signatures were correct. Audit trails may be kept
at the court, perhaps involving re-encrypting some of the data in the audit trail with a public key
belonging to an auditing agency, the International Phenotype Database, or the Issuing Station to
prevent the Court's audit trail becoming an unhelpful store of biometric data.
The Court can be challenged to produce the Statement of Biometric Enrollment for a CheapID
Identity Card that it has issued if there are doubts about the legitimacy of the Court.
Alternatively, we simply bite the bullet, carry all three signatures through the entire system, and salt the
data from end to end. This approach may require hauling thousands of times more data across the
system. The Issuing Station would pass 1000 encrypted packets to the International Phenotype
Database which would then sign each one, and so on down the chain to the CheapID Identity Card
itself. This is an appallingly inefficient brute force solution but technical history has shown us that
brute force often produces correctness in software systems, which is a factor to consider.
In any case, it is certain that the CheapID Identity Card cannot carry any bitwise identical fields
which would allow one card to be matched to another. There are a variety of plausible approaches, as
outlined above, and the task of the system implementors is to pick a solution that works in practice.
A good enough system can be created by trusting the signature of the Court if you can challenge it and
require them to produce the signatures of the International Phenotype Database and Issuing Station.
This is a good enough solution to know the scheme is viable, although it can be improved.
Purpose
Let us revise the physical appearance of the CheapID Identity Card once again. It is a sheet of paper
or a plastic card covered in a mass of 2D barcode data and bearing few or no other identifiers. Each
individual has dozens or hundreds of cards, each one bearing their likeness in the form of a digital
image encoded in the barcode and signed as discussed above. There is no visible picture, so that people
must show the card to a device which can check digital signatures in order to see the face encoded on
it. No two cards corresponding to a particular individual share any bitwise fields.
Why?
The goal is to create a system in which the lives of those who do not break the law are almost entirely
private. This means that the ISA has to be able to support some novel operations. The most important is
being able to have absolute assurance that a person had committed an act, but no awareness of who
they are unless the act turns out to be illegal. This single property is the key to commercial use of the
ISA in the context of State In A Box. Because this desirable property did not exist in prior technological
substrates, outside of the context of proxies in some kinds of transactions, neither legal nor financial
infrastructure has taken advantage of the fact that our technological substrate can now support this
property.
This is leapfrogging. In an SSTR context, it becomes possible to rapidly build the new generation
infrastructure for CheapID Identity Cards and the necessary legal supports in the National Court
System. It seems like a stretch, but the technology is getting easier all the time, and the security
requirements for a solid biometric database are unarguable, as are the problems of leaving that database
behind when one leaves, or deleting it. By placing the dangerous database in a protected environment
like the one the ISA provides through the international framework, the worst abuses can be headed off
at the pass, while keeping the system available.
The bonus is a new kind of commercial transaction: Blind Contracts. We will discuss blind contracts
in some detail later in the paper, but the core of the concept is that, if the contract is not broken, one or
both parties can remain anonymous. If it is broken, the anonymity is compromised, and the legal
process can unfold.
A contract that is assented to by a person with a CheapID Identity Card is a blind contract. One of
their ID cards stays with the contract, digitally signed in all probability, and acts as a token of their
identity. However, until such time as the National Court System becomes involved and chooses to
decrypt the ID card, there is no way to identify the signatory. The contract holder has absolute
assurance that somebody knows who signed the contract, but no information about that person unless
something illegal or dishonest happens.
Doesn't that seem right, as the world would work if we had a just and efficient society? Nobody really
wants their grocery store colluding with their mortgage broker and their health insurer to pitch them
additional services. In reality, we almost all like our business to be conveniently private, but we are let
down by shoddy and outdated pre-database-monitoring identity infrastructure.
However, an entirely private world as I am describing does not work for all political systems, and
certainly does not work for all security situations. The goal here is, as always, more privacy for the law
abiding citizen, and more ability to identify threats and illegal activity and halt them.
Because of a small feature, the Certificate Revocation List Check, which we will discuss below,
in some implementations it is possible if national security requires it, to trace every instance where an
individual has used their CheapID Identity Card. In other implementations, this is not possible. This
is an architectural decision which is left with the National Court System.
Common Operations
Identity Check
This is how the cards are used for routine identity transactions.
1. A person presents their CheapID Identity Card to an identity check of some kind.
2. The person making the check takes a photograph of their card with a cameraphone, or otherwise
gets a copy of it into a computer.
3. The digital signature on the card is checked against a key pre-loaded on to the device, much as
the root certificates used to validate HTTPS X.509 certificates are pre-loaded into web browsers.
4. The image of the person who should be associated with the card is displayed on the device.
5. The person making the check compares the image on the screen to the person in front of them.
If the two match, then the card has been successfully connected to the individual.
6. If there is any need for this individual to be re-identified later, the CheapID card is kept by the
person making the check, with any additional notes required by the situation.
7. In future instances, the person is checked against the card stored on file, but because of the "no
bitwise identical fields" rule, two entities with cards on file cannot match them without doing
full biometric comparisons on their face databases. Of course, they could (if it was legal) run
that check from surveillance camera footage, so we have presented no new tools to those who
wish to do monitoring.
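The following Go program is an added example, not code from this paper or from the CheapID project, of the simplified single-signature card described under Jurisdiction above and of steps 1 to 5 of the Identity Check just listed. It assumes an Ed25519 signing key for the Court (its public half is what the checking device pre-loads), an RSA-OAEP key for the Court's decryption of the per-card identifier, and a JSON encoding of the card; the type and function names are invented for illustration. The "no bitwise identical fields" rule is met because OAEP randomises the encrypted identifier and the Court signs each card afresh; the image field is prefixed with a per-card salt as a stand-in for the per-card re-encoding of the photograph that the text calls salting.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

const saltLen = 16

// Card is the simplified card: one signature, the Court's, and every field
// differs from card to card even for the same person.
type Card struct {
	Photo []byte `json:"photo"`  // per-card salt || image bytes (stand-in for per-card re-encoding)
	EncID []byte `json:"enc_id"` // person identifier under RSA-OAEP to the Court (randomised)
	Sig   []byte `json:"sig"`    // Court's Ed25519 signature over Photo and EncID
}

// Court holds the signing key whose public half is pre-loaded on checking
// devices, and the decryption key it alone uses to resolve a card to a person.
type Court struct {
	signPriv ed25519.PrivateKey
	SignPub  ed25519.PublicKey
	decKey   *rsa.PrivateKey
}

func NewCourt() (*Court, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dec, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Court{signPriv: priv, SignPub: pub, decKey: dec}, nil
}

// toBeSigned is the byte string the Court signs: the card with Sig blanked.
// json.Marshal of a struct is deterministic, so both sides agree on it.
func (c *Card) toBeSigned() []byte {
	b, _ := json.Marshal(Card{Photo: c.Photo, EncID: c.EncID})
	return b
}

// IssueCard produces one card for personID. Calling it twice yields two cards
// that share no field byte-for-byte.
func (ct *Court) IssueCard(personID string, image []byte) (*Card, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	// OAEP is randomised, so the same personID encrypts differently every time.
	encID, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &ct.decKey.PublicKey, []byte(personID), nil)
	if err != nil {
		return nil, err
	}
	card := &Card{Photo: append(append([]byte{}, salt...), image...), EncID: encID}
	card.Sig = ed25519.Sign(ct.signPriv, card.toBeSigned())
	return card, nil
}

// CheckCard is the Identity Check on the device: verify the Court's signature
// with the pre-loaded key and only then return the image to display to the
// person making the check. No database is consulted.
func CheckCard(preloaded ed25519.PublicKey, raw []byte) ([]byte, error) {
	var card Card
	if err := json.Unmarshal(raw, &card); err != nil {
		return nil, err
	}
	if len(card.Photo) <= saltLen {
		return nil, errors.New("malformed photo field")
	}
	if !ed25519.Verify(preloaded, card.toBeSigned(), card.Sig) {
		return nil, errors.New("court signature does not verify")
	}
	return card.Photo[saltLen:], nil
}

// Resolve is the Court's privileged operation: decrypt the identifier.
func (ct *Court) Resolve(card *Card) (string, error) {
	id, err := rsa.DecryptOAEP(sha256.New(), nil, ct.decKey, card.EncID, nil)
	return string(id), err
}

// BitwiseDisjoint reports whether two cards share no field byte-for-byte.
func BitwiseDisjoint(a, b *Card) bool {
	return !bytes.Equal(a.Photo, b.Photo) && !bytes.Equal(a.EncID, b.EncID) && !bytes.Equal(a.Sig, b.Sig)
}

func main() {
	court, err := NewCourt()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed JPEG bytes") // constructed stand-in for a photograph
	c1, _ := court.IssueCard("person-42", image)
	c2, _ := court.IssueCard("person-42", image)
	raw, _ := json.Marshal(c1)
	shown, err := CheckCard(court.SignPub, raw)
	who, _ := court.Resolve(c2)
	fmt.Println(err == nil, string(shown), who, BitwiseDisjoint(c1, c2))
}
```

The field-level check passes, but a substring search on the image bytes would still link the two cards, which is why the text insists on re-encoding the image itself per card rather than merely prefixing it; the salt here only models that step.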
Note that we assume that CheapID Identity Card checks on photographs will typically be done by a
human being rather than an automated system. This is a response to the likely deployment of these
systems in the developing world, where human labor is relatively cheap and machinery has a hard time
in the physical environment.
If the card had another biometric on it, like fingerprints or a facial biometric, perhaps an automated
system would be more appropriate. But for the simple low-tech version, a human comparison is plenty.
Also note that there is no database access in this case. In higher security use cases, there is probably a
Certificate Revocation List check.
Authorization Check
When a person returns to claim use of resources they previously signed up for, the card on file is used
exactly as any other card is.
1. Check Identity as in the previous case, but referring to an ID card kept on file, rather than a new
card.
We assume that the common practice will be "one card per contract" or "one card per transaction." No
two vendors should ever see the same CheapID Identity Card. This also applies to routine police
checks in the event of things like traffic stops. See the following section for an explanation of how this
works.
Bandit Check
One way of seeing a CheapID Identity Card is as a digital certificate. Certificates, however, typically
must be checked against a Certificate Revocation List to be meaningfully secure. Without such a
check, there is no way to know if the facts attested to in the certification are still true because the
certificate's whole virtue is that it does not and cannot be changed!
One option is to use a field which is unique to each card, say the digital signature of the Court, and
submit it to a URL to see if the CheapID card is on a wanted list. If the court returns an "all is well"
there is no problem, and other situations would be reflected appropriately.
There are a number of technical approaches one can take to this check which result in different civil
liberties landscapes. In a repressive, totalitarian environment, the CRL check could be run through
databases which would take the unique identifier, turn it back into a name, and run that name against all
the relevant databases.
In a less restrictive environment, the Court could generate a list of unique identifiers which need to be
held, and upload that list without further identity information, roughly corresponding to a list of people
with outstanding arrest warrants. In this instance, unless you are wanted, the Certificate Revocation
List simply has no record on you.
In between, there is a "sweet spot" which seems to me to blend excellent security with relatively good
privacy. In this instance, all CRL checks are logged in an enormous database, and a list like the arrest
warrant list is maintained. However, in the event of a serious security concern, or an investigation into
a person's life in which their privacy is deemed moot, the Court generates a list of unique identifiers
pertaining to this individual (in essence, by replicating the process it did when generating the ID cards)
and all those transactions are pulled out of the database.
The parties who ran the CRL checks can now be contacted to give a relatively complete picture of the
life of the person of interest. However, without the participation of the court, there is very little that can
be done with the main database, even if it is obtained by questionable means (like systematic
interception of CRL checks.)
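As an added example (not code from this paper or the CheapID project) of the "sweet spot" design just described, the Go program below models a CRL server that logs every check and holds a wanted list of card identifiers only, and a Court that can regenerate a person's identifiers to issue a hold or to pull that person's checks out of the log. The text does not say how the Court "replicates the process it did when generating the ID cards"; the assumption here is that each card's unique identifier is derived as HMAC-SHA256 of a per-person master secret over a card counter, so that identifiers look random to anyone without the secret. The names CardID, CRLServer, PublishHold and PullChecks are invented for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// CardID derives the n-th card identifier for a person from the Court's
// per-person master secret (assumption). Without the secret the identifiers
// are indistinguishable from random, so the CRL server cannot link them.
func CardID(master []byte, n uint32) string {
	mac := hmac.New(sha256.New, master)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], n)
	mac.Write(ctr[:])
	return hex.EncodeToString(mac.Sum(nil))
}

// CheckRecord is one logged CRL query: which card, who asked, and when.
type CheckRecord struct {
	CardID  string
	Checker string
	Time    int64
}

// CRLServer holds the wanted list (identifiers only, no names) and the
// complete query log of the "sweet spot" design.
type CRLServer struct {
	wanted map[string]bool
	log    []CheckRecord
}

func NewCRLServer() *CRLServer { return &CRLServer{wanted: map[string]bool{}} }

// Check answers a verifier's query and logs it. Unless the card is wanted,
// the answer carries no information about the holder.
func (s *CRLServer) Check(cardID, checker string, now int64) string {
	s.log = append(s.log, CheckRecord{CardID: cardID, Checker: checker, Time: now})
	if s.wanted[cardID] {
		return "HOLD"
	}
	return "OK"
}

// PublishHold is the Court's upload for a wanted person: every identifier the
// Court issued to them, and nothing else. The Court knows how many it issued.
func (s *CRLServer) PublishHold(master []byte, issued uint32) {
	for n := uint32(0); n < issued; n++ {
		s.wanted[CardID(master, n)] = true
	}
}

// PullChecks is the Court-authorised investigation step: regenerate the
// person's identifiers and extract only their checks from the log.
func (s *CRLServer) PullChecks(master []byte, issued uint32) []CheckRecord {
	mine := map[string]bool{}
	for n := uint32(0); n < issued; n++ {
		mine[CardID(master, n)] = true
	}
	var out []CheckRecord
	for _, r := range s.log {
		if mine[r.CardID] {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// Constructed master secrets; in practice generated and held by the Court.
	alice := []byte("constructed master secret for alice")
	bob := []byte("constructed master secret for bob")
	s := NewCRLServer()
	s.Check(CardID(alice, 0), "grocer", 1)
	s.Check(CardID(bob, 0), "grocer", 2)
	s.Check(CardID(alice, 1), "landlord", 3)
	s.PublishHold(bob, 2)
	fmt.Println(s.Check(CardID(bob, 1), "police", 4), s.Check(CardID(alice, 2), "police", 5))
	fmt.Println(len(s.PullChecks(alice, 3)), "checks on alice;", len(s.log), "in the log")
}
```

Whoever captures the log, or the wanted list, gets a pile of unrelated 256-bit values; turning them back into a person requires the master secrets, which is the Court's participation the text describes as the privacy backstop.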
If this seems totalitarian, you must ask yourself a simple question: do you think the real systems which
are likely in use by security forces are more or less private than the system I am describing here?
My guess, from what I read in the newspapers, is that we are already significantly past this level of
monitoring, and that the systems which do that monitoring were constructed with very little
fundamental analysis of their effects on society in the long run.
We have shown a system which has both better privacy and better security. The challenge is to deploy
it.
Technical Challenges
The CheapID card itself is perfectly feasible with existing technology. Packing it down into something
which can be made to work with the existing generation of cell phones is going to be a work of art,
however, and may involve extremely sophisticated facial image compression and tiny digital signatures
to work properly (an elliptic-curve signature such as Ed25519 is 64 bytes, against 256 bytes for a
2048-bit RSA signature, so the choice of signature scheme matters here). Alternatively, the non-standard
color implementation of the Data Matrix 2D bar code standard triples the data density in the bar codes,
and puts us in the clear as far as data on the card is concerned, at the cost of breaking compatibility
with off-the-shelf Data Matrix reader hardware.
These are questions for the implementors.
Statebuilding with the Identity Services Architecture
Let us recap. We have a scheme for taking relatively straight forward biometrics and implementing
them in a way which relies much less on routine access to large databases, leaves plenty of room for
different nation states to operate in their own way, and yet is still internationally interoperable.
However, there is little incentive for anybody to get a CheapID Identity Card because, at this point,
we are still operating in the domain of international agencies and national governments. This is the
domain of the "stick." Nobody wants to change anything just because it is convenient for such groups,
which leaves them forced to compel change. This is not the best way to encourage technological (or
policy) progress.
To find out why people will use these CheapID Identity Cards, we have to move into the commercial
domain, the business and individual benefits of the system. This is where we find the "carrot" - the
ways that an upgraded identity infrastructure will make people's lives better, and where there is money
to be made!
We are going to cover a lot of ground quickly: appropriate technology banking infrastructure,
microfinance, a new approach to implementing democracy, and four or five other relatively radical
products of having a genuinely modern identity backbone. You may find much to object to in any
specific case, and an adequate defense of this picture would require one or perhaps two books. From
here on in, the cases are argued much less robustly.
The core transaction is that a person leaves one of their CheapID Identity Cards behind them, and the
card cannot be bound to their identity without a National Court System decrypting it. This transaction
is novel, and largely what we are doing is examining a few of the new possibilities that it opens up.
One way of thinking about it is that currently identity information is like gold. It's a hard, transferrable,
fungible resource. Many small pieces of identity information can be combined for a more complete
picture about you, or a single profile can be split into demographic information or other categories.
SIAB-ISA is a "virtualization" of identity. Rather than simply handing over the identity-gold, now
we're handing over a document which says "The National Court System Promises to Pay the Bearer
My Identity if I Break This Contract."
This is, and I hope you will excuse me one pun, an "Identity Cheque." It is an unbreakable future
promise of identity, perhaps more like a banker's draft than a cheque. By introducing new "identity
instruments" we expand the range of possible transactions, in the same way that new financial
instruments like cheques enabled many new classes of financial transactions.
What is interesting about this is that it also nicely parallels a great deal of work on capability-based
financial instruments, and I'm greatly indebted to Alan Karp for teaching me a lot about capabilities in
our discussions of this paper and other work. I have not refactored SIAB-ISA around the "capabilities
and authorizations" model that is so central to Alan's work, but I believe that doing so reveals another
system, one in which identity information goes from being a "cheque" drawn on a central banker to
"cash" - autonomous authorizations generated at the edge of the network, near where they will be used.
This work will have to wait for another year.
Purpose
Contract Signing is Currently a Broken Process
Contract signing, verifying the free assent of one entity to a proposal, is a fundamental necessity
for commerce. Whether it be banking, mobile phone contracts, even tax forms, this assent is a crucial
business process.
There are currently two basic approaches to this assent process both of which are broken because they
rely on having amateurs do the job of professionals. Note they are not necessarily broken for technical
reasons, but because we ask people who are not experts to do something they cannot do reliably or be
reasonably expected to absorb risk based on that performance.
The first area is signing papers. The method is simple: you take a piece of paper with an offer on it,
sign your name, and the counterparty responds as if it has your legal assent. The problem is that most
signatures are never inspected to see if they are forgeries, and if they are, the check is normally done by
a person with no professional training. "Does this look right to you?" is not really an adequate
inspection, and most signed documents do not even get this cursory check. The result is forgery is a
common attack on both individuals and companies.
Consider how much would forgery be reduced if every signature was inspected by a trained
professional before action was taken on it?
It is not necessarily the signature itself that is the problem, it is the context we deploy them in, and the
risk management and liability landscape we have created around this form of assurance.
The second area is digital signatures. Here the problem is computer security. Without a professional
staff to maintain the integrity of the machine being used to generate the digital signature, the signature
cannot be trusted. The nominal owner of the private key can repudiate the signature by claiming that
the machine was compromised, so the signature no longer reliably signals their assent.
Would you trust a digital signature generated on a home computer on a document like a mortgage?
As a result of these limitations, we rely heavily on corroborating evidence when preparing a contract:
does the Social Security Number match? Do we know this person? Is it a reasonable looking request?
In practice, however, fraud prevention, detection, losses and investigation constitute a large tax on
businesses because these fraud reduction measures are deeply imperfect.
And this is in the relatively stable, relatively secure societies of the developed world. How much worse
are conditions in SSTR situations?
Improving contract signing means putting a professional in the loop to actually verify that something
has happened, and be sued for malpractice if something goes wrong. Note that we are not talking about
technology yet. Right now, we are talking about professionalization of contract signing and the risk
management implications. Having professional standards for contract signing, that is, for verifying
human assent to a proposal, is independent of technology.
A notary public is one step in this direction, but an ordinary notary does not go far enough because of
the technological limitations of their context. Without the ability to generate extremely solid identity
credentials, a notary can only sign what they see. Furthermore, the actual process of stamping offers no
real security in the modern world, certainly not against major fraud attempts.
But the model is functional. Notaries exist because they add value, and an improved and generalized
"notary-like" function is not a heavily innovative proposal. Our implementation is a "leapfrogged
notary" called a Professional Witness.
A Brief Recap
The Professional Witness scheme creates the possibility of getting a signed contract with an extremely
low risk of misidentification of the party signing the contract. This reduced risk has the following five
effects:
1. In an SSTR context, it makes it easier to do business, particularly international business, in a
country where financial records may have been lost or destroyed.
2. In combination with CheapID Identity Cards we can now create reliable contracts with people
whose identity we do not have access to unless we can prove the contract was broken.
3. A "blind contract" infrastructure helps counterbalance the totalitarian effects of biometrics and
information technology. People have complete privacy as long as they obey the law.
4. Entire classes of fraud become effectively uneconomic because of the extreme complexity of
hacking the identity systems.
5. Transactional costs go down, possibly by as much as 1% or 2% of total economic volume
because of reduced risk.
Now we have a convincing driver for the widespread adoption of biometric technology: secure blind
contracts which make it cheaper and easier to do international business.
The Professional Witness makes its living by reducing the economic overheads of doing business by
as much as 1% of total transactional volume. All of the risk minimization measures that are made
obsolete by the Professional Witness cost money or generate additional barriers to successful
transactions and this is an extremely large market. What we are doing here is unbundling risk
management features into a highly efficient and effective stand-alone business - a disaggregation to
increase efficiency and offer new services.
For example, I think that a Professional Witness could charge $200 to sign a car lease, and that it
would be cheap compared to the current anti-fraud measures taken on such a transaction. For a
mortgage, the relevant transactional overheads could increase the fee ten fold. The Professional
Witness is a viable business entity, possibly even without government-backed identity infrastructure.
But with that infrastructure, I expect there to be no issues finding businesses willing to add these
services to their product range.
Economic Implications
One of the core goals of SSTR operations is to connect areas back to international financial services
including foreign investment. This shows up as both direct aid (and the mechanisms necessary to spend
it) and programs designed to attract new business.
In this context, the ability to offer extremely secure identification of persons, and a solid legal
framework for genuinely trustworthy and enforceable digital signatures becomes a vital part of
attracting new business. Imagine you are in the position of an international telecommunications
company considering which of two nations to invest in. One operates a reasonable ISA program, and
the other does not. Which is a more friendly environment for your business, all other factors being
equal? Of course it is the one where you can actually meaningfully identify your customers and your
staff in a way which makes them accountable and cuts your losses due to problems identifying who you
are actually selling services to.
Now put this in the context of microfinance. Microcredit lending agencies typically charge around 30%
interest, largely because of the costs of administering the loans. Some of that money goes into training
staff, training loan recipients and so forth. A lot of it goes into identifying whether people are suitable
candidates for a loan. One typical requirement is that loans are only given to small groups of women,
who mutually guarantee each other's loans in sequential order. If the first loan defaults, the second is
never given. These loans have repayment rates of over 99% in many areas.
Now add a reliable identity backbone. How much easier is it to run a microfinance operation now?
What new classes of financial services become possible for the very poor when it is possible for them
to identify themselves even if they are too poor to have a home address, a job or even much interaction
with their government.
An identity solid enough to get credit is a developed-world luxury. Doing business in countries without
reliable identity infrastructure, without meaningful Dun and Bradstreet coverage, has enormous risk
and transactional overheads. Cutting these factors to an absolute minimum, in fact to lower levels
than are found in the developed world, paves the way for international trade in hitherto inconceivable
ways.
One classical Indian form of identity theft is to declare your relatives dead with a fake death certificate,
and then inherit their lands. There are some ten thousand of these people, and they have their own
union. Some of them have been "dead" for a decade or more because it is impossible to prove to the
government that they are alive. Dead people cannot sue. An upgrade to the identity systems used by the
state would not be a bad idea.
Common Operations
Signing A Contract
1. I physically visit the office of the Professional Witness.
2. They verify my CheapID Identity Card.
3. I present them with the contract I wish to sign in digital form.
4. The Witness affixes my CheapID Identity Card to the contract in digital form.
5. The Witness records my assent to signing the contract perhaps by video recording the event,
having me sign a paper copy and recording the signing event on a pressure sensitive tablet, or
other mechanisms. This evidence is probably encrypted with the key of the court and archived.
6. I now present this signed contract, including the signed ID, to the counterparty of the contract.
7. In the event of a breach of contract, the counterparty presents the contract to the National
Court System which, if the evidence supports it, decrypts my CheapID Identity Card and
identifies me. If I contest the validity of the signature, the records showing my signing are
decrypted and presented and an adjudication is made.
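The Go program below is an added example (not code from this paper or the CheapID project) of steps 3 to 7 of the signing procedure just listed. The Professional Witness hashes the contract, attaches the card, seals its recording of the signing so that only the Court can read it, and signs the whole package; the counterparty checks the witness's signature against the contract text in hand; on a contested signature the Court opens the recording. Assumptions made for illustration: the witness signs with Ed25519, the Court's key is RSA, and because RSA-OAEP cannot encrypt a recording of any size, the evidence is encrypted with a fresh AES-256-GCM key that is wrapped to the Court (hybrid encryption), with the contract hash as associated data so the evidence cannot be re-attached to a different contract. The card is treated as an opaque byte string, and the names SealForCourt, OpenEvidence, WitnessSign and VerifyWitness are invented.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// SealedEvidence is the witness's recording of the signing, readable by the Court only.
type SealedEvidence struct {
	WrappedKey []byte `json:"wrapped_key"` // AES-256 key under RSA-OAEP to the Court
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ct"` // AES-GCM over the recording, AAD = contract hash
}

// SignedContract is what the signer carries to the counterparty.
type SignedContract struct {
	ContractHash []byte         `json:"contract_hash"`
	Card         []byte         `json:"card"` // the CheapID card left with the contract (opaque here)
	Evidence     SealedEvidence `json:"evidence"`
	WitnessSig   []byte         `json:"witness_sig"`
}

// Keys for the three parties of the demonstration.
type Keys struct {
	WitnessPub  ed25519.PublicKey
	WitnessPriv ed25519.PrivateKey
	Court       *rsa.PrivateKey
}

func GenerateKeys() (*Keys, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	court, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Keys{WitnessPub: pub, WitnessPriv: priv, Court: court}, nil
}

// toBeSigned is the package with the signature field blanked (json.Marshal is deterministic).
func (sc *SignedContract) toBeSigned() []byte {
	u := *sc
	u.WitnessSig = nil
	b, _ := json.Marshal(u)
	return b
}

// SealForCourt encrypts the recording under a fresh AES key and wraps that key
// to the Court. Binding the contract hash as AAD ties the evidence to this contract.
func SealForCourt(courtPub *rsa.PublicKey, recording, contractHash []byte) (SealedEvidence, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(key); err != nil {
		return SealedEvidence{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return SealedEvidence{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return SealedEvidence{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return SealedEvidence{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, courtPub, key, nil)
	if err != nil {
		return SealedEvidence{}, err
	}
	return SealedEvidence{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, recording, contractHash)}, nil
}

// OpenEvidence is the Court's step on a contested signature (step 7).
func OpenEvidence(courtPriv *rsa.PrivateKey, se SealedEvidence, contractHash []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, courtPriv, se.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, se.Nonce, se.Ciphertext, contractHash)
}

// WitnessSign is steps 3 to 5: hash the contract, attach the card, seal the recording, sign the package.
func WitnessSign(witnessPriv ed25519.PrivateKey, courtPub *rsa.PublicKey, contract, card, recording []byte) (*SignedContract, error) {
	h := sha256.Sum256(contract)
	ev, err := SealForCourt(courtPub, recording, h[:])
	if err != nil {
		return nil, err
	}
	sc := &SignedContract{ContractHash: h[:], Card: card, Evidence: ev}
	sc.WitnessSig = ed25519.Sign(witnessPriv, sc.toBeSigned())
	return sc, nil
}

// VerifyWitness is the counterparty's check (step 6): the package is intact and refers to this contract text.
func VerifyWitness(witnessPub ed25519.PublicKey, contract []byte, sc *SignedContract) error {
	h := sha256.Sum256(contract)
	if !bytes.Equal(h[:], sc.ContractHash) {
		return errors.New("contract text does not match the signed hash")
	}
	if !ed25519.Verify(witnessPub, sc.toBeSigned(), sc.WitnessSig) {
		return errors.New("witness signature does not verify")
	}
	return nil
}

func main() {
	k, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample inputs.
	sc, err := WitnessSign(k.WitnessPriv, &k.Court.PublicKey, []byte("constructed lease text"),
		[]byte("constructed opaque CheapID card bytes"), []byte("constructed recording of the signing"))
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyWitness(k.WitnessPub, []byte("constructed lease text"), sc))
	rec, err := OpenEvidence(k.Court, sc.Evidence, sc.ContractHash)
	fmt.Println(string(rec), err)
}
```

The counterparty never sees the recording or the signer's name; it holds a witness-signed package whose evidence only the Court can open, which is the "identity cheque" of the preceding section made concrete.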
Technical Challenges
The internal systems of a Professional Witness are not simple. They include monitoring systems,
control of their signing keys, repositories for secure data and a variety of other technical infrastructure,
none of which ventures deep into unknown territory, but all of which is expensive to deploy as
functional commercial systems.
Purpose
I believe we have less than 10 years of legal anonymous free speech on the Internet. People
confuse the "Wild West" style properties of a new frontier with fundamental aspects of the digital space
and, as court houses and law get built on the Internet, much of the current wildness is inevitably going
away.
However, correctly leveraging PKI and the ISA creates the possibility of preserving the politically
critical support of free speech with a reasonable expectation of anonymity, except when criminal acts
are being performed.
The benefit in this case is the convenience of single sign on across all Internet (and perhaps other)
electronic services.
How is this to be achieved? Consider the OpenID standard, a distributed (or, more correctly, federated)
ID system which hangs off the Domain Name System namespace. An OpenID identity provider gives
out URLs, each one of which has a username and a password. The URL is given out to third parties as
the "identity" and back-channel communication occurs between the third party and the OpenID
provider to enable log in.
OpenID has about 10 million operational accounts and is being integrated into projects like Wikipedia.
It is likely to succeed widely. If not, something else like it is going to take its place, in all probability.
The email address has the same basic properties (of hanging off the DNS namespace) and has been
used as a default ID namespace up to this point, with much the same properties: for most web sites,
if I can read the email associated with Account X, then I am that person.
Hanging off the DNS namespace is an interesting thing, because it basically makes personal identities
part of the DNS hierarchy. Part of the freedom people feel on the Internet is that, on the Internet, you
are a "citizen" of the DNS Government: DNS creates the political unit of your email account
provider or, if you operate your own domain, yourself. In the event of an investigation, queries follow
the DNS chain of command: first WHOIS to identify the domain owner, then an enquiry to the domain
owner about the conduct or identity of a given user.
This usually results in either a real name, or an IP address, which is then mapped back to service
providers, then billing records, then an actual hard physical identity. Internet users typically feel rather
violated by having their online actions tracked back to their physical location because it is a cross-
namespace violation, rather like having a foreign nation state come and enforce its laws on you. These
illusions have built up through common custom and the largely privileged academic communication
which was the initial environment of the internet. That separateness is largely collapsing as the Internet
becomes a part of the "real world" and the new privileged spaces are massively multi-player online
roleplaying games like Warcraft, Second Life and Everquest.
Authentication for these systems is extremely problematic. Computer security is very ineffective for
most home users, and falsely authorized emails generated by viruses, for example, are a common
problem. Online banking security is constantly under attack from criminals who compromise home
computer security through unaccountable emails. This situation cannot go on indefinitely.
The solution is simple: a special, privileged class of Single Sign On Identity Providers who require
an ISA-style blind contract before they will provide you single sign-on services. An identity with these
groups is indicated by a cryptographic signature from the vendor attesting that they have a CheapID
contract on file and will reveal it under a specified set of conditions, usually a court order in their native
jurisdiction.
Ideally, this move would be coupled with a definitive upgrade in authentication. Pseudo-random
number generators, when used for security applications such as the common SecurID token, are subject
to man-in-the-middle attacks, so we will probably wind up with an additional PKI level, perhaps
small USB-type tokens. In any case it would be useful to indicate the level of authentication in the
account so that third parties could judge for themselves how much trust they want to put into a login
from a particular SSO provider.
Common Operations
Identity Recovery
Upon display of proof that a given account has engaged in an activity which requires an identity to be
revealed (i.e. presentation of a court order), the sign-on service returns the original ISA-style blind
contract, with the associated CheapID Identity Card, to the court to decrypt.
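The Signing A Contract procedure above and this Identity Recovery step rest on one mechanism: an attester (the Professional Witness, or an ISA-style SSO provider) signs over a subject plus the court-sealed card, and only the court can open the card. The following Go program is an added example, not code from the CheapID project; the Envelope format, the choice of Ed25519 for the attester and RSA-OAEP for the court, and the sample card and contract text are assumptions. It plays the Witness case; an SSO provider would attest over the account identifier instead of the contract text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope (hypothetical format): SHA-256 of the subject (contract text or SSO account name), the
// CheapID card encrypted to the court, and the attester's Ed25519 signature over both, in that order.
type Envelope struct{ SubjectHash, SealedCard, AttesterSig []byte }
// attest binds the sealed card to one subject; the attester never reads the card itself.
func attest(priv ed25519.PrivateKey, subject, sealedCard []byte) Envelope {
	h := sha256.Sum256(subject)
	return Envelope{h[:], sealedCard, ed25519.Sign(priv, append(h[:], sealedCard...))}
}
// verify is the counterparty's check; any change to the subject text breaks the signature.
func verify(attesterPub ed25519.PublicKey, subject []byte, e Envelope) bool {
	h := sha256.Sum256(subject)
	return ed25519.Verify(attesterPub, append(h[:], e.SealedCard...), e.AttesterSig)
}
// courtUnseal is Identity Recovery: only the holder of the court's private key learns who signed.
func courtUnseal(courtPriv *rsa.PrivateKey, e Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, courtPriv, e.SealedCard, nil)
}
// runScenario plays the Witness case with fresh keys and a constructed card; it returns the identity
// the court recovers and whether the genuine envelope verifies while an altered contract text fails.
func runScenario() (string, bool, error) {
	courtKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	witnessPub, witnessPriv, _ := ed25519.GenerateKey(rand.Reader)
	card := []byte(`{"card_id":"EXAMPLE-0001","template":"<constructed>"}`) // stand-in for a real card
	// Seal the card to the court's public key (RSA-OAEP, SHA-256): the Witness only sees ciphertext.
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &courtKey.PublicKey, card, nil)
	if err != nil {
		return "", false, err
	}
	contract := []byte("Lease of plot 12 to bearer of EXAMPLE-0001 for 12 months")
	e := attest(witnessPriv, contract, sealed)
	checks := verify(witnessPub, contract, e) &&
		!verify(witnessPub, []byte("Lease of plot 13 to bearer of EXAMPLE-0001 for 12 months"), e)
	plain, err := courtUnseal(courtKey, e)
	return string(plain), checks, err
}
func main() { fmt.Println(runScenario()) }
```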
Electronic Democracy
With sufficiently secure SSO services, including perhaps specially created government-backed SSO
accounts along the lines of the Estonian system, it should be possible to do secure electronic voting
over a variety of devices including cell phones. Challenges pertaining specifically to this project will be
the subject of another paper. In essence, this discussion is about extending the reach of the Professional
Witness to transactions at a remote site like your home, using the medium of a cell phone or other
computing device as the intermediary. This is non-trivial and may involve windows of revocation in
which coercion can be reported, for instance.
Technical Challenges
There are no difficult technical challenges specifically related to the ISA aspects of this system.
Implementation
Let's get down to the nitty gritty of implementing a system like this.
The hardest individual project in an implementation is the International Phenotype Database. Even a
prototype has to be able to accurately match incoming biometric data against a database we expect to
be vast, and provide auditing at a level that makes people like you and me comfortable being in that
database.
However, that is a problem which has an enormous number of really smart people working on it. We
are minimizing the problem in two ways: firstly, by anticipating seeding the system with very good
quality biometric data captured under controlled conditions, with an initial check for false positive
matches and refinement of the dataset to reduce these. That's a big step up: being able to flag a person
on enrollment as having fingerprints which partially match a bunch of other people helps later on.
Secondly, we are not pounding the database every time somebody wants to get access to their bank
account. By carrying a card with data on it, and matching face-to-data, we are minimizing the load on
the centralized system. It cannot be slow, but it can be non-real-time.
Next, we have the whole dynamics of the exchange of information between courts and leviathan
and issuing stations and so on. For now, this can be done with web services and digital signatures.
Perhaps eventually a different architecture is appropriate, but for now? HTTP and XML are sufficient
for all of these transactions, as long as the protocols are carefully designed, and all traffic is encrypted
at an application level. Audit trails, again, are a lot of the difficulty here.
Then we have the cell phones. 574 bytes is the largest 2D barcode I have been able to get a vendor to
sign off on as a workable reality with current generation cell phones. It is not enough to do a general
use ID card which is reliable enough for banking because of image compression issues.
However, because we have been discussing a deployment involving perhaps millions of people, we can
discuss the issue with cell phone manufacturers. Adding the additional optical elements required to get
a good quality close up of an ID card is not a major engineering obstacle, it is just a case of being an
item with limited market demand. Likewise, the full color variant of Data Matrix boosts data densities
for a given optical system by a factor of 3.
So I think that a special run of cell phones with better cameras is perfectly reasonable and, once there is
an established application for those cameras beyond taking pretty pictures, the upgrade should become
a standard feature relatively quickly if there is market demand. It may even be possible to have the
Data Matrix standard extended to include an optional color implementation.
The hardest problem in the entire system is getting banks to allow account access using a CheapID
card. Once that problem is solved the systems can be adopted. Until then, it is all theory.