Tuesday, March 15, 2005

Epic Ideas for Privacy Reform

Do you want the Good or Bad news first?

EPIC just published a very good paper by Daniel Solove and Chris Hoofnagle that offers proposals for privacy reform in the wake of the recent privacy breaches (ChoicePoint, Lexis/Nexis, Bank of America, DWS, etc.).

Good News

There may be a way to do this while preserving privacy, using public key cryptography and digital signatures.

Alice is a member of the public (an individual or an entity), Bob is a registered data holder, Curt is a privacy data register agent, and Darin is a privacy data protection agent.

Alice registers her identity details (name, SSN, current address) along with her preferences and a public key, "Ap", with Darin. Alice keeps the matching private key to herself.

Alice receives a public key from Darin, "Dp", with which she can verify Darin's signatures on later communications.

Darin verifies Alice's identity (how?), and then generates a unique identifier for her, "Ak".

Darin registers Alice's identity details along with Ak and Ap with Curt.

Curt now has a copy of Alice's identity details associated with the Ak that Darin issued and with Ap.

Bob registers with Curt as a data holder, passing Curt a public key, "Bp", and receiving Curt's public key "Cp".

Bob passes Alice's address, name, etc., along with a unique reference "Bk", to Curt in a package encrypted with Cp.

Curt searches his database and sends the tuple (Bk, Ak, Ap, Darin's address) to Bob in a package encrypted with Bp.

When Bob performs an action about which Alice should be notified or consulted, Bob creates a form (including his public key Bp and the reference Bk), encrypts it with Ap, wraps it in a package "BA" addressed to Ak, and sends it to Darin.

Darin receives BA from Bob, digitally signs it, and passes it on to Alice. Darin can route the package by Ak but cannot read the form inside it, since that is encrypted with Ap.

Alice receives BA from Darin, verifies Darin's signature using Dp, decrypts the form with her private key, and can then choose to:

1) Take note of the form, or choose to ignore it;

2) Complete the form and send the result back to Bob, encrypted with Bp;

3) Complain to Bob directly;

4) Take action through the authorities or sue Bob, using Darin's digital signature on BA as proof of what was delivered.

Neither Darin nor Curt holds the unencrypted details of BA. The origin of BA could be obscured so that Darin does not know who it comes from. Bob could cache Alice's privacy contact details for a limited period (three months?) to limit Curt's ability to perform traffic analysis. Alice is free to change from Darin to another privacy data protection agent, but would have to wait for Bob's cached copy of her privacy contact details to expire before notifications switch to the new provider. This is preferable to Curt having to keep a record of every registered data holder that holds Alice's details.
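The notification step described above, played out end to end (Bob builds BA, Darin signs and forwards it without being able to open it, Alice verifies with Dp and answers under Bp), as an added Python example. This is not code from the post, from EPIC, or from the Solove/Hoofnagle paper. It uses a textbook RSA and a hash-based stream cipher built from the standard library purely so the key roles are visible without any third-party package; the identifier values Ak and Bk, the JSON form layout, the "object" reply and the `run_notification` helper are all assumptions made here.

```python
"""Bob -> Darin -> Alice notification step, stdlib-only illustration.
Textbook RSA (no padding) wrapping a SHA-256 counter-mode keystream with an
HMAC tag: enough to show who can read or sign what, not a production design."""
import hashlib
import hmac
import json
import secrets

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; callers pass odd candidates well above 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def keygen(bits=512):
    """Return ((n, e), (n, d)); a small toy modulus keeps the demo fast."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _xor_stream(key, data):
    """XOR data against SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(pub, plaintext):
    """Package readable only by the holder of pub's private half."""
    n, e = pub
    k = secrets.token_bytes(32)  # 256-bit session key, RSA-wrapped below
    body = _xor_stream(k, plaintext)
    return {"wrapped_key": pow(int.from_bytes(k, "big"), e, n),
            "body": body.hex(), "tag": hmac.new(k, body, "sha256").hexdigest()}

def decrypt(priv, pkg):
    """Unwrap the session key; a wrong key or an edited body fails the tag check."""
    n, d = priv
    k = pow(pkg["wrapped_key"], d, n).to_bytes(64, "big")[32:]
    body = bytes.fromhex(pkg["body"])
    if not hmac.compare_digest(hmac.new(k, body, "sha256").hexdigest(), pkg["tag"]):
        raise ValueError("package was not encrypted to this key, or was modified")
    return _xor_stream(k, body)

def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def run_notification(action="sold your address to a mailing-list broker"):
    Ap, a_priv = keygen()          # Alice
    Bp, b_priv = keygen()          # Bob, the registered data holder
    Dp, d_priv = keygen()          # Darin, Alice's privacy data protection agent
    Ak, Bk = "AK-0001", "BK-7781"  # hypothetical identifiers, not from the post
    # Bob: form carrying Bp and Bk, encrypted with Ap, addressed to Ak.
    form = json.dumps({"Bp": list(Bp), "Bk": Bk, "action": action}).encode()
    wire = json.dumps({"to": Ak, "payload": encrypt(Ap, form)}, sort_keys=True).encode()
    # Darin: signs what he forwards but cannot open the form inside.
    darin_sig = sign(d_priv, wire)
    try:
        decrypt(d_priv, json.loads(wire)["payload"])
        darin_could_read = True
    except ValueError:
        darin_could_read = False
    # Alice: checks Darin's signature with Dp, opens the form, answers Bob under Bp.
    received = json.loads(decrypt(a_priv, json.loads(wire)["payload"]))
    reply = encrypt(tuple(received["Bp"]),
                    json.dumps({"Bk": received["Bk"], "answer": "object"}).encode())
    # Evidence: the signed BA stands up later; a doctored copy does not verify.
    doctored = wire.replace(Ak.encode(), b"AK-0002")
    return {"darin_signature_valid": verify(Dp, wire, darin_sig),
            "darin_could_read": darin_could_read,
            "alice_saw_Bk": received["Bk"],
            "bob_read_reply": json.loads(decrypt(b_priv, reply))["answer"],
            "doctored_copy_verifies": verify(Dp, doctored, darin_sig)}
```

Calling `run_notification()` returns a small report: Darin's signature checks out, Darin could not read the form, Alice saw Bob's reference Bk, Bob could read her reply, and a doctored copy of BA no longer verifies against Darin's signature. One thing the example makes visible that the post leaves implicit: Darin's signature covers the package as delivered, so it proves what Darin forwarded, not that Bob authored the form; if that matters in a dispute, Bob would also have to sign the form he puts inside BA.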

Bad News

Any centralized register and tracking system could be co-opted by the authorities or by any good lawyer to further erode privacy. Each individual/entity would still have a "more global" unique key: Ak. Although this would change when they change privacy data protection agents, it would still greatly assist data matching. All it would take is a subpoena demanding that the centralized register agent hand over the list of registered data holders, and subpoenas to those registered data holders demanding that they hand over a copy of an individual's or company's data. Given the current political climate, do you really trust the current administration to legislate limits on such access by the courts, not to mention by certain government agencies?