You’ll be familiar, of course, with Dr. Who’s psychic paper. As any devotee of the BBC’s wonderful series knows, the psychic paper shows the “inspector” whatever it is that they need to see. If the border guard is looking for a British passport, the psychic paper looks like a British passport. If the customs officer on Alpha Centauri wants to see a Betelguesian quarantine certificate, the psychic paper looks like a Betelguesian quarantine certificate.
Now that is what I call a vision for an ID card. And what’s more, it will work.
The variant I propose is to be known as Dr. Brown’s psychic paper, named in honour of the Prime Minister who will scrap the current ID card scheme to universal acclaim and replace it with something fit for the 21st century (namely, this scheme). Unlike Dr. Who’s psychic paper, Dr. Brown’s psychic paper only shows the viewer what he or she wants to see if the holder has the relevant credential. If you are trying to get into a nightclub, you need to prove to the bouncer that you are over 18. The bouncer is looking for a credential that proves you are over 18. You show your psychic paper to the bouncer and all it reveals to the bouncer is whether you are over 18 or not. That is all the bouncer is entitled to see, so that is all they can see: not your name, not your date of birth, not your inside leg measurement, not your address, not your employment status, sexual orientation or credit rating. All the bouncer sees is that you are old enough to drink. Provided you are over 18, of course. If you are not, the psychic paper remains blank, as shown below.
You cannot forge this credential because it is digitally-signed by the issuer. If a 16-year-old copies an 18-year-old’s certificate into their psychic paper, it won’t work, because the incoming messages will be encrypted using the 18-year-old’s public key, but the 16-year-old lacks the corresponding private key (which can’t be copied because it’s never given up by the psychic paper — sorry, ID card). Since transmitting the photograph and appropriate credentials directly into the brain of the nightclub bouncer isn’t possible, we will of course need to use some kind of device instead. Luckily, just such a device already exists: the mobile phone. Now that manufacturers are starting to deliver mobile phones that can read contactless smart cards (such as the Nokia 6131 that we were using at the O2 Wireless Festival and London Fashion Week), we have a straightforward way to implement psychic paper.
This isn’t really magic, or even that complicated. It’s all done using standard contactless communications, standard cryptography, standard protocols, standard chips, cards, phones and photos. In 99 out of 100 cases, displaying your photograph is the only authentication required: There’s no need for the supermarket to check your fingerprints, for the doctor to demand a PIN or for the pub to take a DNA sample.
Why bother doing this? Well, no-one can read your psychic paper — sorry, ID card — unless they are allowed to and when they are allowed to, all they can see is what they are allowed to see. No more showing the guy in the pub your name, date and place of birth and goodness knows what else just to prove you are 18. Under the hood, it’s all done using keys and certificates, credentials and local authentication: The nightclub bouncer has had to obtain a digital certificate that allows him to interrogate your ID card. His phone sends the certificate to your ID card. The ID card checks it, sees that it is asking for a proof of age. It sends back your photograph, digitally-signed (that’s how his phone knows it’s a real ID card, because it can check this signature). If you’re not old enough to drink, it sends back a digitally-signed red cross (or whatever). Yesterday, the Prime Minister said that the ID card will help people
if they want to prove their age, or open a bank account, or apply for a job, or register with a GP – it will provide a better, more convenient and more secure way of doing it[From Speech on Security and Liberty – 17 June 2008]
So will the psychic paper, but with an important difference: It will show the GP only your health service number (if you have the right to NHS healthcare, otherwise it will be blank), it will show the employer only your national insurance number (if you have the right to work in the U.K.), it will show the bank only your financial services number and it will show the pub absolutely nothing except your photograph (if you are old enough to drink). So this is a user-friendly way to implement all of the privacy-enhancing technologies that we would like to see incorporated in a modern national identity card scheme: sector-specific identifiers, pseudonyms, mutual authentication. It’s a way of tapping into the identity utility (as ably described by Neil McEvoy) without needing to understand how it all works (and, as I presented at EEMA, the combination of mobile phones and identity utility looks promising).
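The exchange described above (the reader’s certificate scoping what it may ask, the card checking that certificate, a signed photograph or a blank coming back, and a copied credential failing without the card’s private key), as an added example that is not part of the original post or of any scheme named in it. Textbook RSA over fixed Mersenne primes is used so the block runs with the Python standard library alone and is insecure; the 64-bit digest, the single-attribute certificate format, the constructed attribute names and the birth-year age check are simplifications made here.

```python
import hashlib, json, secrets

E, YEAR = 65537, 2008                      # toy public exponent; the post's year, for the age check
MP = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**521 - 1, 2**607 - 1]  # Mersenne primes

def keygen(p, q):                          # textbook RSA -> (public, private); an insecure toy
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(obj):                           # 64-bit digest of canonical JSON, fits every modulus
    raw = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:8], "big")
def sign(priv, obj): return pow(digest(obj), priv[1], priv[0])
def verify(pub, obj, s): return pow(s, pub[1], pub[0]) == digest(obj)
ISSUER_PUB, ISSUER_PRIV = keygen(MP[0], MP[1])

def issue_card(attrs, p, q):               # attributes stay on the card; issuer signs the key only
    pub, priv = keygen(p, q)
    return {"pub": pub, "priv": priv, "attrs": attrs, "card_cert": sign(ISSUER_PRIV, pub)}

def issue_verifier_cert(scope):            # scope is the ONE attribute this reader may ask for
    cert = {"scope": scope}
    return cert, sign(ISSUER_PRIV, cert)

def card_answer(card, cert, cert_sig, enc_nonce):
    """Card side: refuse unauthorised readers, then disclose only the certified scope."""
    if not verify(ISSUER_PUB, cert, cert_sig):
        return None                        # unauthorised reader: the paper stays blank
    nonce = pow(enc_nonce, card["priv"][1], card["priv"][0])   # only the real private key decrypts
    a, scope = card["attrs"], cert["scope"]
    if scope == "over18":                  # the pub: photo if old enough, otherwise blank
        value = a["photo"] if YEAR - a["born"] >= 18 else None
    else:                                  # GP, employer: sector-specific number, or blank
        value = a.get(scope)
    reply = {"nonce": nonce, "scope": scope, "value": value}
    return reply, sign(card["priv"], reply)

def read_card(scope, card_pub, card_cert, card_fn):
    """Reader side (the bouncer's phone): one complete exchange with a card."""
    if not verify(ISSUER_PUB, card_pub, card_cert):
        return "not a real card"           # key not endorsed by the issuer
    cert, cert_sig = issue_verifier_cert(scope)
    nonce = secrets.randbelow(card_pub[0])
    out = card_fn(cert, cert_sig, pow(nonce, card_pub[1], card_pub[0]))
    if out is None: return "blank"
    reply, sig = out
    if not verify(card_pub, reply, sig) or reply["nonce"] != nonce:
        return "forged"                    # e.g. a copied card cert without its private key
    return "blank" if reply["value"] is None else reply["value"]
```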
This is a way to deliver an identity card scheme that provides both more security and more privacy. It does not need a big database with everyone’s details and it does not need expensive, custom-built, specialist equipment. We (by which I mean people who post on Digital Identity blogs) know perfectly well how to implement such a system with mathematical rigour. And now that Microsoft have purchased Credentica, I look forward to seeing it deployed on a large scale. It’s about time. I argued in favour of this approach during the government’s first consultation on what was then known as the Entitlement Card, to no avail. Back in 2005, I wrote a piece for Prospect magazine arguing that the government’s vision for the proposed ID card scheme was tragically out of date and backward-looking. Even No2ID were nice about it…
At last someone in favour of an ID card who knows what he’s talking about and cares about privacy and security. Unfortunately his preferred scheme is incompatible with the Government’s plans. [From ID in the News » Blog Archive » A Better Class of ID Card]
As I said at the time “The glory of using computers, biometrics and digital signatures is that they can work together to disclose facts about someone without disclosing their full identity”: I can now see that trying to explain asymmetric cryptography, blinded digital signatures and pseudonymous certificates was a waste of time. I should have had more faith in The Doctor!
I shall be unveiling my new scheme — well, actually the same old scheme, but without mention of anything frightening such as daleks or public key infrastructure — at the Royal United Services Institute’s conference on Science and Technology for Homeland Security and Resilience in London next week. See you there.
P.S. I wonder if other large scale government IT flagship projects — such as the Ministry of Defence and the Child Support Agency — might have got off on a better foot if they’d watched more of The Doctor?
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
Interesting idea, Dave.
It raises some questions – perhaps I don’t fully grasp this, so here goes:
How do I know that the nightclub bouncer is only going to extract my photograph from my Psychic Paper, and not some other data? Clearly, this is limited by his certificate, but how do I (as the holder) know that he’s using the certificate I think he’s using – and that he hasn’t (nefariously) obtained some other certificate? Blind trust in issuing authorities?
And how does one explain this aspect of it to the man in the street?
Excellent points Tom and I will try to address them in a longer paper on the topic. As for explaining it to general public: psychic paper!
Dave, got this link from the KTN Cyber Security User-Centric Id Management list (which I will explain if you want it and call or email me).
First, like so many new things that I have witnessed or even helped create in ICT, this class of system is being explored, albeit in different and not so well described format, in other places.
Second, we have to (try to) stop the data that is revealed being re-used, either through specification creep or for nefarious purposes (permission-based disclosure with traceability).
Third, we need a public sector that can cope with implementing it.
Hard enough to get private sector to do such things.
Public sector could not run a pie stand.
I think this type of solution is being actively considered/worked by the data sharing summit (datasharingsummit.com). It seems the right direction to pursue. Just one modification I would suggest. The ‘over 18’ card must actually display 2 pieces of info: the indicator that I am over 18 and the identity of the person/organization who SAYS SO. Clearly if I say so that should not be considered trustworthy except by my close associates who trust me implicitly. Alternatively, of course, a reputation system score could theoretically be attached which speaks to how often I am found to lie about my age, but this is ever more complex and further from implementation.
Thanks for the link to the data sharing summit. As for the issue of authority, I think we need to distinguish between what the pub machine accepts as an authority and what is displayed. Why does the barman need to know which authority says I’m 18, so long as his machine accepts it?