The Transparent Society
LOUIS D. BRANDEIS, 1890
Any high-integrity identifier represents a threat to civil liberties, because it represents the basis for a ubiquitous identification scheme, and such a scheme provides enormous power over the populace. All human behavior would become transparent to the State, and the scope for non-con formism and dissent would be muted to the point envisaged by the anti-utopian novelists.
ROGER CLARKE
Might society use practical ingenuity to sidestep those outrageous dichotomies we discussed in chapter 7? When it comes to identity, for instance, is it possible to safeguard beneficial uses of secrecy without sheltering harmful acts and evil men?
In fact, some creative combinations of accountability with limited anonymity have been around for a long time. For example, the venerable secret ballot merges substantial transparency where it is needed—through poll watchers, open inspection of voter rolls, and extensive citizen involvement—with a narrow zone of sacrosanct privacy, the ballot itself, where the voter’s conscience may be expressed without fear of betrayal or retribution. In other words, the fact that a transaction (voting) has taken place, and by whom, is openly verifiable, but the details of personal choice are not. Even where arguments rage, for instance, concerning improper registration by noncitizens, the debate concerns some local enforcement laxity, not the overall approach of mixing fierce accountability with narrowly focused privacy.
Lately, fear of jury tampering has led some U.S. jurisdictions to institute “juror anonymity,” disguising panelist identities through numbered ID badges, partial visual barriers, and legal rulings ascertaining that jurors are not “public figures.” Yet the names are on record so that both defense and prosecution teams can investigate and rule out potential bias. Neutral outsiders may also view the records under regulated conditions. Similar mixtures of confidentiality and assigned responsibility are seen in other areas, such as scientific peer review and witness protection programs.
We shall explore later this principle of considering the legitimate needs of groups and individuals to keep either narrowly defined or temporary secrets. Also in this chapter we will discuss a range of pragmatic tools that might help us achieve a more open society in the next century. But first, let us examine the problem of identity, and a misconception that is causing far more aggravation than it should.
NAMES, PASSWORDS, AND SOCIAL SECURITY NUMBERS: THE PROBLEM OF IDENTIFICATION
At times a storm of controversy can arise, provoking irate calls for urgent action, only for people to realize much later that the whole situation arose out of a simple mistake of definition. Take the public angst now raging in America concerning Social Security numbers (SSN). Most legal U.S. residents carry one of these nine-digit figures around for life. Yet the Social Security card is not officially a national identification document. While citizens of other lands take such things for granted, many Americans share a traditional hostility toward the notion of a universal ID card.
In theory, the SSN has a single purpose: to track benefits under a retirement and disability insurance system that does not even encompass the whole population. Still, for many Americans, who shift home addresses— and sometimes names—like changes of clothes, their SSN is the one unique tag that will accompany them through vagabond lives. And universality came a step closer when the IRS began requiring that toddlers get an SSN in order for their parents to claim a dependent deduction at tax time. Some civil libertarians foresee a hated national ID certificate, ending the cherished American fantasy that a citizen might conceivably live and thrive within the boundaries of the United States while somehow remaining invisible and uncounted by any government.
Of course, only a zealous fringe believes such invisibility will remain possible during the next century. Still, the SSN has become the symbolic threat to modern privacy in the United States. Corporations want it for quick, efficient correlation of facts from many sources. State governments now use SSNs to find absconded parents and extract delinquent child support, and some use the SSN as a driver’s license number. Credit agencies say they need it to foil defaulters because, while it is legal to change your name without filing documents, you cannot do likewise with your SSN. All sorts of quasi-official agencies—from your college, to your bank, to your HMO—prefer this number for tracking purposes. In fact, hardly a week goes by without someone finding a new application for the handy, nine-digit figure.
If it is so useful, why do people get livid when they learn that some data clearinghouse is storing and selling the SSNs of millions of people? The Lexis-Nexis Corporation was caught doing this in 1996, until protesters sent enough e-mail to shut down its Internet server for a while. So outraged were consumers and privacy advocates that bills were introduced in Congress, banning use of the SSN to identify records in any commercial database. Other laws already restrict use of the number by federal agencies.
The reason for all this heated reaction involves a lot more than some quirky American mythology about free-spirited autonomy, inherited from the wild frontier. It is pragmatic and worrisome. A stranger who knows your SSN can harm you.
When a customer telephones his or her bank to transfer funds between two accounts, or perhaps to order a new credit card, an SSN will be required to validate the transaction. So a criminal who learns your SSN might fraudulently check your bank balance, or have a “replacement” credit card sent to his hotel room. Access to your SSN can also be the starting point for that irksome modern nightmare, identity theft. In other words, some privacy paranoia is soundly based!
And yet, this whole controversy is rooted in misconception, a failure to note the distinction between a password and a name.
It seems that people living in Korea have a problem. A large majority are born into just five patronymic family lines. If a Korean’s surname isn’t Kim, or Park, just three more guesses will likely nail it down. The same winnowing of family names happened in China, only on a vastly larger scale. Within the Peoples’ Republic dwell more than 80 million people with the surname “Li” or “Lee.” Together, the five most frequently used Chinese appellations cover at least 300 million human beings, the equivalent of nearly everyone in the United States and Canada being named Smith, Jones, Williams, Cohen, and Diaz. Moreover, the personal names given to Chinese boys and girls are restricted by tradition and numerological beliefs. This results in considerable confusion. In one recent Chinese case, the victim of a crime, the trial judge, and the perpetrator all had the same full name, as well as some poor fellow who spent weeks in jail before he could prove he was a different guy.
Things are a bit better in the West, but that is no guarantee against error. Newspapers frequently report instances where the wrong man was arrested with the same name as some fugitive. (Some years ago a bank put a lock on my funds while a credit agency pursued another David Brin, whom I never met.) This is why companies want to use SSNs. As an identifier, each SSN is supposedly unique for each resident or citizen of the United States. That makes it a nearly perfect, unambiguous name, supplementing the one your parents gave you. A separate way of professing, “This is the unique and only me.”
Unfortunately, through laziness or lack of imagination, many American institutions long ago began using the SSN for an entirely different purpose, with obnoxious consequences.
Look at it this way. When you approach a stranger and introduce yourself, you are asserting a certain identity. The other person has a choice. She can say, “I’ll take your word for it.” Or else, she can reply, “Prove it to me!”
In daily life we take such assertions at face value. Why should people lie? But matters are different for financial institutions. It is incumbent on banks and fiduciary agents to be skeptical. The assertion of identity must be followed by verification. A driver’s license or photo ID may be visually compared to your face, if you are present. In telephone transactions, or on the Net, a skeptical party demands that you state or transmit some datum that only you should know. Whether a single word or a hundred-di
git number, this datum serves as a password.
Names and passwords have distinct qualities. Your name lets someone else call up specific records, or personal memories. A password or verifier proves that you have a right to make decisions on the named person’s behalf. A name never (or rarely) changes. You want it to be stable, so that the chronicle of your activities can be cohesive—like your life. Even if you try to leave all your mistakes behind, it is in society’s interest that some continuity be maintained, so that basic obligations are met, and others won’t be blamed for things you do.
Most of the time, there are few dire repercussions if others know your name. Even strangers who overhear it at a party or look it up in a phone book can be irksome, but seldom harmful. In fact, many people yearn to achieve “name recognition,” to be known for virtues or accomplishments (or infamy) and even become a household world. Often, humans take pride in imagining that their names may continue to be spoken after death.
A password is different in many ways. A predator who acquires it can swiftly do harm—snoop, change essential records, bill phone calls to your account, or even steal your life savings. Lots of people know your home address (a name), but the metal key to your front door is a kind of password whose loss might conceivably endanger your life. If you suspect it has been copied, you don’t change addresses; you change the locks. If you fear a password is violated, you throw it away and get a new one.
Clearly, the SSN is a name. Unique, permanent, and difficult to change, its aims are specificity and constancy, distinguishing one “Mary Q. Smith” from another. The SSN lacks a single trait of a password!
Then why is it used that way?
Because in earlier times, people knew their own SSN, but almost no one knew anybody else’s. To banks, it seemed a convenient test for use during telephone transactions—like your birth date, or another quaint verifier, your mother’s maiden name.
Nowadays, birth dates and mothers’ names are routinely published in Who’s Who-style bibliographic reference works, which have expanded their scope in recent years far beyond the ranks of the rich and famous to cover almost all people of modest prominence in their field of endeavor. More important, the number of remote transactions has grown exponentially. How many times can you tell your birthday to strangers before the datum becomes useless as a password? Whenever you purchase by credit card, either in person or by phone, there is a chance that someone will copy the number and use it for fraud.
But at least you can change credit card numbers! With your birth date or SSN, all it takes is a single lapse for the whole world to know it the next day, and forever after.
A daunting prospect, to which the logical answer is ...
“... so what!”
Okay, in the short term, it is a serious matter. But only because of that lazy misunderstanding by major institutions. As a name, your SSN cannot harm you, even if a million thieves know all nine digits. Only the archaic practice of using it as a verifier-password makes its discovery dangerous.
So long as that practice continues, no American’s savings are truly secure.
Perhaps ancient peoples understood this distinction between names and passwords better than we sophisticated moderns do. Under some religious or mystical systems, individuals possessed two names: one for daily use, plus a secret designation known only to intimate relations. According to these beliefs, an enemy who learned your hidden or “true” name could use it to inflict grievous harm. The means in those days were subjective and magical, and today they are technological, yet eerie similarities remain. You can get in trouble if some enemy learns your password!
To deal with this problem, we must do three things. 1. Get used to a world in which passwords will be routinely changed.
2. Experiment with new technologies, including certain types of encryption such as digital signatures, to make the use of passwordbased transactions both reliable and convenient.
3. Ensure that predators, and abusers of the system face a high certainty of getting caught, resulting in a world where passwords merely verify what we already know—that we are safe.
The contrast between a name and a password goes to the core of many modern privacy problems, and their potential solutions. Names are what help keep people accountable. They should not enable others to harm you. Names verify the fact that a transaction is taking place, which is a completely separate matter from giving permission for the transaction to proceed. Names are inherently open things. We base countless decisions on having fair knowledge about the reputations of others—whether they are skillful, credible, or reliable, for instance. On the other hand, passwords set transactions in motion. They require secrecy, even in a transparent society.
Alas, SSNs aren’t the only case where both functions have been mixed, creating confusion and danger. Take the de facto national ID card, your driver’s license. Many people have their license number printed on bank checks, alongside their home address, as both a time-saver and a convenience for retail clerks. When simply written down, the license number serves as a supplementary name, to help the store find you if the check bounces. The number by itself verifies nothing. Only when your face is compared with the picture on the license does an act of confirmation take place, though high-tech criminals keep getting better at counterfeiting, while states strive to upgrade the cards in order to thwart them.
When you choose to give strangers your telephone number, it becomes a password, offering them the power to intrude on you at home. But what about when you call out for a pizza? Often nowadays (in California) the restaurant begins by asking your phone number, to check their computer records. If your household ordered from them before, you won’t have to repeat lengthy delivery instructions. Now your phone number serves as a name, much easier for the restaurant to type in without error than having you carefully spell out “Thomasina Lumumba Chang-Jones” each time you call out for triple-cheese on a thin crust. Instead, the clerk obligingly asks, “Do you want pineapple and anchovies, like last time?”
If I order from a gift catalog, do they want my phone number because their filing system needs it to find me? Or because they want to have their autodialer robot call and breathlessly explain their latest sale, every week, during dinnertime, for the rest of my life? (A clear case for legal restraint of information flow!)
Visionaries speak of a time when each of us may need only a single telephone number through our entire lives. Already some telecom companies offer to bounce calls from your office to home to car, and then to your portable unit, depending on where you are (and whether you choose to be “in”). It will be ridiculous to keep secret a number that is equivalent to your name. Whether this second name is liberating, or feels like an indelible tattoo on your arm, will depend on how the system works. The devil lies in the details.
Let me reiterate. If a datum is permanent, like the SSN, it has no business playing the role of verifier. In fact, the clever men and women designing new “electronic cash” systems have decided that the ideal password will be used just once! Applying methods of public key coding, each “e-transaction,” from a dollar to a major shift in the national debt, will be enciphered by pairs of prime numbers more than a hundred digits long. Numbers the user will never glimpse, because all the fancy encrypting and decrypting take place behind the transaction, in an exchange of “locks” and “keys” that should be seamless and foolproof.
Am I dubious that this will actually work as planned? Well, yes and no. Although this book expresses skepticism toward most forms of secrecy, it seems clear that encryption will have a major role in the coming world economy. At least, a great many smart people say so.
There is no conflict. My point has always been that encryption and electronic secrecy, like all fruits of science, have potential for both good and ill. No inherent threat to openness or liberty lurks in using codes to verify a purchaser’s identity, just as we will see that it is reasonable to encrypt an occasional sensitive document, so long as doing so does not lead to a
pervasive and pernicious habit of secrecy, blinding us all in a fog of bitter static.
Ideally, we will learn how to distinguish open accountability of names (the fact that a transaction is taking place) from the prim confidentiality of passwords (giving permission for the transaction to go forward). When those passwords become both huge and ephemeral, perhaps banks will finally stop asking anachronistic, sexist questions about maternal “maiden names.”
Some other traditional verifiers may be on their way out, for example, using handwritten signatures to prove identity. For one thing, many children are no longer taught the art of cursive writing. Anyway, a handwritten scrawl can be fabricated, not just by photocopying but by taking several samples of a person’s signature, then having a computer randomly morph between those data points, generating a result that is different each time, and yet stylistically a good semblance. Companies like United Parcel Service have been collecting digital images of signatures for years on handy little portable units. Their security measures have held so far; still, it is only a matter of time before your scribble becomes too widely known to rely on as a password anymore.
Fingerprints are another old standby that should remain useful for catching run-of-the-mill crooks. (In some states, thumb imprints are now routinely required of people applying for mortgages, or welfare.) But their effectiveness, too, may not endure against a technological elite. Wellfinanced criminals will almost certainly develop those artifices long seen in spy thrillers: an artificial fingertip covering, crafted by adroit machines to fool some of the new print readers that are coming on the market. It will work ... until countenneasures regain the lead. A similar arms race between ingenious felons and legitimacy verifiers will complicate every other proposed ID system, perhaps all the way to on-the-spot DNA appraisal.