Privacy And Trust – Part 5


There was a cartoon by Peter Steiner in the July 5, 1993 issue of The New Yorker showing a dog at a PC speaking to another dog watching from the floor. The caption was, ?On the Internet nobody knows you’re a dog.? Very true and in fact nobody really knows for sure just who you are. Nor do you know who is at the other end of a chat session or e-commerce transaction either. Assuming success of the numerous technologies at the Inside ID conference in Washington, D.C. this week, we will soon have Digital IDs that will change this. There are many issues but has become urgent that we get digital ID’s in place for all of us (and for our servers and eventually for everything.

There has been a prevailing attitude that digital IDs would mean that the “government” would issue an ID that would then enable them to spy on us; read our email, track what we do on the web, or invade our privacy in some way. A bit of knowledge plus a healthy Net Attitude would actually lead us instead to a very positive view — that digital ID’s are not to be feared but in fact should be embraced. They represent the empowerment that can unleash the full potential of e-business while at the same time enable us to protect our privacy and control who can send us email. They will allow us establish that we are who we say we are and to validate that the web server we are doing business with is really who they say they are. Security is not the issue. Authentication is.

It is true that large numbers of people have learned that security technology can encrypt (scramble) their credit card number in such a way that only the web server at the destination is able to decrypt it. When people see the solid lock or key at the bottom of their browser they implicitly know that their credit card number or other private information is being encrypted using the public key of the server at the other end. And, since only that server has the corresponding private key then only that server is able to decrypt the private information. An important question however is who is that web server on the other end? How do you know it really is the merchant or university or government agency that the server’s home page said it was? Answer? You don’t. It could in fact be a hacker who has “spoofed” the web site; i.e. the site could be an imposter. Likewise the web site at the other end doesn’t really know for sure that you are who you say you are. What we are talking about here is authentication. For the most part we do not have it on the Internet today. Yet, it is one of the core capabilities needed to achieve the ultimate potential of the Internet and enable us all to feel we can Trust the Internet.

Today we use the login ID and password as a substitute for authentication. We all use them every day but the problems with them are non-trivial. First is the password sharing problem that enables someone else to be you. If you leave your password on a post-it on on your PC or under your mouse pad then one of your children or a colleague can become you. They can get into your bank account, buy a book at Amazon, or engage in a chat session as you. Assuming you keep your password to yourself, there is another set of problems. Web sites have different rules for login Ids and passwords. Some require that you use your email ID as your login, some require you to use your social security number, others allow you to pick anything you want as long as it is at least so many characters or in other cases as long as it is no more than so many characters. For good reasons they all require that your ID be unique. Sorry, but jjones is already taken. The same thing is the case for the password. Some require at least so many characters, some require that a password must contain at least one numeric character, some require that it be all numeric, and others require that it contain no numeric characters. The variations are vast and the result is that you end up with a lot of different IDs and passwords. In my case, I have a login/pasword at more than one hundred sites.

Digital IDs to the Rescue

There are basically two ways to deal with managing this problem and neither of them is a good solution. First is to devise an ID (and password) that conforms to nearly all web site rules but which is also unique. Maybe you design an ID or password something like k7jyt14s that seems to work just about everywhere and surely nobody else will already have it. On the surface your multipurpose universal ID or password seems to be a good idea until you realize that if one of your web merchants turns out to be a scofflaw or if someone somehow steals your ID and password he or she now has access to your bank account, brokerage account, and every other web site where you have registered! By making things simple for yourself you have compromised yourself with every web relationship you have.

The other potential solution, which many people use, is to create a small database of all your IDs and passwords. Where to put it? On a piece of paper? Where to put that? On the desk. Then it falls off of the desk and the dog eats it. You now have No ids or passwords! Then you decide to get serious and buy some database software and create a PC database of your IDs and passwords. Hmmm, this is a really important database — maybe you need an ID and password for your ID/password database? Hmmm. Maybe you need a backup and recovery scheme? You have now become a database manager!

In case you aren’t discouraged about IDs and passwords yet there is one more peril. Whatever your ID and password are, when you send them they are frequently sent “in the clear”; i.e. not encrypted. Even sites that use encryption for all transactions sometimes do not use encryption to receive your ID and password. This means that an unscrupulous person might be able to “sniff” your ID and password from the Internet. They wouldn’t need to even know who you are. They just know they have a way to gain access to many web sites as an impersonator of you. There has to be a better way. Fortunately there is. Stay tuned for Part 6.