The good ideas tend to hang around a long time. Unfortunately, so do the bad ones.
02/08/2008 03:43 PM
I was reading Wired while the entire detailed map of North America was downloading to my new GPS, and I realized that this was an idea I thought out fairly carefully back in 1995 when challenged by a now-retired executive at work to imagine how technology could be applied to improve, not erode, privacy.  And here's the idea again, in a different form, but one that any good Domino theoretician will grok instantly.

The article on Wired talks about a startup that wants to technologically divorce the concepts of "identity" and "authority" and, in so doing, minimize the chance that people will misuse personal information.

Think about this: when you buy something in a lot of places with a credit card, you also have to show some form of picture identification. While most people don't think about this (and they should), realistically there's no actual reason for you to show either, except that there's a gap in technology that makes this rather risky and public method the most convenient, and therefore the most likely to be used by humans.

What's on your credit card? A name, the name of your bank or whatever, the card number, the expiration date, the CVV code on the back, a magnetic stripe, and a hologram probably.

What's on your driver's license? A name, your complete address, possibly (in some states) your Social Security number, your picture, your vital statistics, a driver's license number, an expiration date, maybe a checkbox if you wear glasses, have pledged to donate organs after death, and if you're the irresponsible sort, maybe a thing saying you have an alcohol-related violation on your record. It probably also has a magnetic stripe on the back or some sort of barcode that contains most or all of this same information.

But all you wanted to do was buy some tennis balls or a spindle of blank CDs or something?

What the fuck does any of this information have to do with that, and why should you have to expose all that information to some clerk?

Step back a minute and think of two concepts.

First is "identity." You are who you say you are.
Second is "authority." You're allowed to do what you are trying to do.

Sound familiar from the really early Notes/Domino training? Separation of "identity" from "authority?"

Well, in the human world, these concepts have gotten really messed up, to the point where, to do simple things, you are forced (mostly by "convenience") to divulge a lot of personal, sensitive data to complete a transaction to which this data is actually irrelevant. The clerk at BestBuy doesn't care what your name is or what your eye color is. He's just looking to see that "you," or who you claim to be, matches the "name" on the credit card. The credit card is largely worthless to say "who" you are, but is the key to a system that is, after all, rather important to the store: is this person good for $16.72?

But yet the clerk now has your name, your address, your picture, your credit card number, your expiration date, your CVV, and if the store was shady, they could easily be storing away a copy of everything on the mag stripe on your credit card and your license.

Instant potential for identity theft.

Worse, potential that exists even though it adds no value to the transaction.

So, back to this startup and my 1994-1995 musings.

What I told that executive (we'll call him "Bob," because that's his name) was that in the future, we'd all be carrying a sort of intelligent agent on our person. Not like an RFID patch, which is willing to tattle on you to anybody with a cheap scanner, but more like a trusted manservant (or womanservant, if you prefer). A little device that will vouch for you. In every way.

But it would not be omniscient.

Picture some transactions:

  • You walk into a store. You want something. You pick it up, you walk out with it. No checkout. No credit card. No clerk. All you do is touch your key fob. A biometric reader knows "this person is authorized to use me." The store's RFID inventory control system says, "a person left with this object." The key fob tells the store computer, "a person I know just bought this and this and this. I certify they are allowed to make purchases using me. To collect payment, here is a one-time-use key you can use at the following bank to retrieve the appropriate payment." The transaction goes through, you are out $16.72, you have your blank CDRs, the store receives their money and knows one object left, and so it makes a note to itself to order another one. The store does not know your name. The store does not know your bank account number. Your bank doesn't know what you bought.
  • You decide to rent a car. At the rental counter, you touch your key fob, then wave your key fob over the reader. You walk out the door and get in a car that unlocks as you approach. The rental company's computer has been told you have a valid right to drive because the last time you were at the motor vehicle office, their computer told your key fob so. The rental company's computer does not have your name, but in this instance, they do have an encrypted key that will allow them to retrieve that data from MVA, in case of accident, or in case you never come back. When you take the car back, the rental company gets paid (again, anonymously) and the car is told, "that key fob isn't allowed to use you now."
  • You want to buy something on the net. Same thing. No card numbers, no CVV, no expiration date, just, "this person is good for the money, and here's where you can get it." Sure, they need your address to ship you your stuff, but things like basic name and address have been in phone books for over 100 years.
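
The first transaction above, sketched as an added example (not part of the original post and not the startup's design): the fob issues a one-time-use payment authorization that names no person and no item, and the bank honours it exactly once. The shared-key HMAC scheme, the opaque fob handle and every function name here are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the bank knows the fob only by an opaque handle.
FOB_HANDLE = "fob-7f3a"                      # hypothetical identifier
FOB_KEY = secrets.token_bytes(32)            # provisioned by the bank into the fob


def fob_issue_token(amount_cents: int) -> dict:
    """Fob side: authorize one payment. No name, card number or item list."""
    nonce = secrets.token_hex(16)            # makes every token unique
    msg = f"{FOB_HANDLE}|{amount_cents}|{nonce}".encode()
    tag = hmac.new(FOB_KEY, msg, hashlib.sha256).hexdigest()
    return {"handle": FOB_HANDLE, "amount_cents": amount_cents,
            "nonce": nonce, "tag": tag}


class Bank:
    """Bank side: checks authority to pay, never sees what was bought."""

    def __init__(self):
        self.keys = {FOB_HANDLE: FOB_KEY}
        self.balances = {FOB_HANDLE: 5000}   # constructed balance, in cents
        self.spent_nonces = set()

    def redeem(self, token: dict) -> str:
        key = self.keys.get(token["handle"])
        if key is None:
            return "unknown fob"
        msg = f"{token['handle']}|{token['amount_cents']}|{token['nonce']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["tag"]):
            return "bad tag"                 # forged token or altered amount
        if token["nonce"] in self.spent_nonces:
            return "already redeemed"        # one-time use is enforced here
        if self.balances[token["handle"]] < token["amount_cents"]:
            return "insufficient funds"
        self.spent_nonces.add(token["nonce"])
        self.balances[token["handle"]] -= token["amount_cents"]
        return "paid"


if __name__ == "__main__":
    bank = Bank()
    token = fob_issue_token(1672)            # the $16.72 purchase from the text
    print(bank.redeem(token))                # store presents the token
    print(bank.redeem(token))                # same token presented again
    print(bank.redeem(dict(token, amount_cents=9999)))  # amount changed in transit
```

The token here is not bound to a particular store, and the fixed handle would let a store link repeat purchases; a fuller design would add a payee field and a per-transaction pseudonym.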

The degree to which people who do not need your information, but merely want it, have information about you that is irrelevant to your activities, is the degree to which you are at risk for violation of your privacy and dilution of your identity.

Until my mythical key fob is invented and accepted, take my advice: never confuse "need" with "want." Never give people information in a transaction simply because they say they "need it." Do not allow anyone to copy down information from your driver's license. Do not give people your phone number unless you intend for them to call you. Do not use a credit card as a second form of identification. If your state, your school or your employer still uses your Social Security number on your "identification," call them up and yell a lot and tell them to stop doing it.

I know this crap from experience.

Blabber :v

1. Turtle 02/09/2008 12:56:36 AM

I tried stuffing cash into the DVD slot of my MacBook Pro when I was buying the new GPS. The results were not particularly good.

2. Tim Leach 02/08/2008 05:05:32 PM

I can certainly see the potential in such a device. Until it exists, however, you might want to consider using good, old-fashioned, relatively untraceable and anonymous cash!
