Defending "Fixing the Internet"
- 19 May, 2008 10:10
Last week I publicly released a white paper called Fixing the Internet: A Security Solution in this blog.
I proposed three main ideas:
- Put together an Internet security dream team of experts to solve the hard issues
- Create an Internet global infrastructure service dedicated to Internet security for the benefit of all
- Replace the Internet's pervasive anonymity with requestable identity and integrity
I've had as many critics as supporters, although not surprisingly, my closest friends and colleagues have been the harshest. This I expected, as you don't learn new things by hanging around with passive, unopinionated people. Here's the most common objection:
Regarding the third item in my solution, many have pointed out that it invades people's privacy, and a few have said that I'll take their privacy when I pry it out of their cold, dead hands. In short, they say that my plan is an utter invasion of personal privacy.
My answer? Yes, it is!
Wow, that was easy. OK, on to the next one...
Seriously, I completely agree with this complaint. It is an invasion of privacy, and I'm a big personal privacy proponent. I read and promote the Electronic Privacy Information Center nearly every week. One of my favorite quotes is from Benjamin Franklin, who said, "Anyone who trades liberty for security deserves neither liberty nor security." I hate many parts of the US Patriot Act and the currently proposed renovations to the FISA courts (although I respect and support all laws). I think privacy is a good thing. I just cannot think of a long-term solution to the Internet's security problems that does not involve giving up some privacy, some of the time, in order to get a significantly more secure Internet.
Privacy is not a binary yes or no decision. We accept varying degrees of compromised privacy all the time. We do this when we register for national IDs, employee badges, and health insurance cards. We do this when we take driver's license tests and stop for law enforcement when they pull us over for speeding. Anyone belonging to civilization today and not running off to remote, mostly uninhabited areas of the world has purposefully traded off some portion of privacy for more security, whether it be physical, spiritual, or mental.
Further, my solution doesn't require that you give up privacy. It only requires that you give up anonymity when you want to interact in the most optimal way with a destination that demands identity, and only for the duration of the transaction that requires it.
You may require that your identity be kept anonymous all the time, no exceptions. Or you can always offer to identify your true self to Web sites and applications you trust. Or maybe you'll take the middle ground and use a third-party-verified identity that isn't really you...it's just a proxy identity, but one that both sides of the transaction accept. OpenID or CardSpace anyone?
For example, I may choose to drop any traffic that reaches my e-mail server without either a real identity or a verified proxy identity. Heck, that would end a lot of spam and most of the hate mail I've been getting. I could require that end-users give me some level of identity before they can say they hate me, but accept anonymous love letters.
A better example might be your online bank, which may require that you truly identify yourself to it with your real human identity before it will allow you to access and modify your bank account. Or maybe your bank doesn't care as much as you, and it's willing to take a verified proxy identity, but you instruct it to ask for your real identity. How am I to know which side of the process cares more about a particular transaction?
Most casual browsing Web sites probably don't require any identity or integrity, so you can access them without giving up any bit of anonymity. Or if you connect anonymously, they can make sure your traffic is inspected more thoroughly than that of someone who provides a stronger identity. Or if you don't care and it's your Web service, you can give everyone, authenticated or not, the same level of service. It's up to you and the customer.
My solution just says that in the future it should be possible for me to require a certain level of identity and integrity if I want to require it, and to treat noncompliant traffic a different way if I don't receive identity verification. And I, as the originator, can choose whether or not to participate with a particular Web site, with a particular level of identity (or anonymity) based upon how I want (or how I want my network traffic) to be treated. Both sides can agree to a particular level of identity and integrity, or agree to disagree, and not do business.
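To make the two-sided negotiation concrete, here is a small model of it, added as an illustration and not part of the original post or any real protocol. The three identity tiers, the `Party` fields, and the drop/inspect thresholds are my assumptions about how the proposal might be expressed; the scenarios at the bottom replay the e-mail server, casual Web site, and bank examples from the text.

```python
from enum import IntEnum
from typing import Optional, Dict


class Level(IntEnum):
    """Identity tiers from the post: anonymous, third-party-verified proxy, real human identity."""
    ANONYMOUS = 0
    VERIFIED_PROXY = 1
    REAL_IDENTITY = 2


class Party:
    """One side of a transaction (assumed model, not the post's own data structure)."""
    def __init__(self, name: str, offers: Level, requires: Level):
        self.name = name
        self.offers = offers      # most identity this side chooses to present to the peer
        self.requires = requires  # least identity it demands of the peer before transacting


def negotiate(a: Party, b: Party) -> Optional[Dict[str, Level]]:
    """Both sides agree on a level, or 'agree to disagree' (None) and do no business."""
    if a.offers < b.requires or b.offers < a.requires:
        return None
    return {a.name: a.offers, b.name: b.offers}


def handle_request(offered: Level, drop_below: Level, inspect_below: Level) -> str:
    """Receiver-side treatment of traffic that falls short of the preferred identity level."""
    if offered < drop_below:
        return "drop"
    if offered < inspect_below:
        return "serve-with-inspection"
    return "serve"


def account_requirement(bank_default: Level, holder_instruction: Level) -> Level:
    """The bank case: the account holder may tighten, but never loosen, the bank's default."""
    return max(bank_default, holder_instruction)


if __name__ == "__main__":
    # Constructed scenarios mirroring the post's examples.
    me = Party("me", offers=Level.REAL_IDENTITY, requires=Level.ANONYMOUS)
    bank = Party("bank", offers=Level.REAL_IDENTITY,
                 requires=account_requirement(Level.VERIFIED_PROXY, Level.REAL_IDENTITY))
    print(negotiate(me, bank))                      # both sides satisfied
    stranger = Party("stranger", offers=Level.ANONYMOUS, requires=Level.ANONYMOUS)
    print(negotiate(stranger, bank))                # None: bank demands more than is offered
    print(handle_request(Level.ANONYMOUS, Level.VERIFIED_PROXY, Level.VERIFIED_PROXY))  # mail server
    print(handle_request(Level.ANONYMOUS, Level.ANONYMOUS, Level.VERIFIED_PROXY))       # casual site
```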
In the current model, even if I need better identity or integrity, as a sender or receiver, I can't easily guarantee that across multiple protocols to multiple partners. And for everyone who wants to keep absolute anonymity, keep it. If enough people agree with you, then we'll probably even have online banks that accept default anonymity even though it means that millions of dollars will be stolen from them over the Internet each day -- oops, that's today's model.
Finally, I remain open to suggestions. If you disagree with my solution, tell me how you can make the Internet significantly more secure than it is today. I've thought about it very hard, and I can't think of another way to do it. Living with the fragility of today's Internet just won't cut it in the future. The Internet is becoming everything, and that everything has to be secure.