Pondering Birth Certificates, x509 PKI, Digital ID, and Facebook

While scanning my kid’s birth certificate this AM, my mind wandered to Digital ID, x509 PKI, and Facebook. Am I guilty of overthinking things a bit? Sure. But this time, I wrote a post about it.

Anyway, here is the child partition’s birth certificate with all the important bits obfuscated:

Just look at that thing. It’s beautiful…everything about my kid is right there on a single beautiful, crisp, official document:

  • Full Legal name
  • Home address
  • Birthday
  • The hospital he was born at
  • Various unique identifier numbers
  • Physical Description and birth weight
  • The physician who helped bring him into the world
  • Mom & Dad’s details, including where and when they were born

Embedded within the birth certificate is data about the authorities that issued it. Across the top blue banner is the highest authority: the State of California. Immediately below that (one might say almost chained to it) is, in effect, the issuing or intermediate authority, the County of Los Angeles’ Registrar-Recorder’s office. The Seal of the County is visible in the background near the middle of the document and in the lower right corner. And of course the Great Seal of the State of California is in the lower left. Near the bottom of the document is a signature by the County Registrar-Recorder/County Clerk (an elected office) that testifies to the document’s authenticity. And you can’t really see it here, but there’s a physical stamp on the document you can feel if you run your fingers over it that serves as, in effect, the fingerprint of the issuing authority. In fact, the whole document feels more like a crisp & clean $20 banknote than it does a piece of paper. There are ridges and subtle impressions all over this beautiful document signifying when my son came into the world!

With this single document, my child is entitled to the following:

  • He is automatically an American citizen
  • He is automatically a resident of the State of California
  • He can apply for and receive a United States Passport
  • He is entitled to attend public school at no cost
  • He is entitled, when of age, to legally work in this country, to vote, to marry, to serve in its armed forces, and to contribute to and receive various social benefits

The United Nations Convention on the Rights of the Child says that registering every child born is so important it is a human right. To borrow a term from my 80s self, this is pretty heavy stuff.

x509 PKI

How my son’s identity chains up to a trusted source

Now if you’re a technologist, like I am, some of the words above might have tickled your spidey senses. Certificate. Issuing or Intermediate Authority. Seals. Signatures. Chained. Stamps. Authenticity. Identity. Authority. We practitioners of technology are quite familiar with these terms and how they work in the digital world thanks to the Elders of the Internet who developed, over time, the standards we all depend on today for security & identity on the internet: x509 Public Key Infrastructure.

I think x509 PKI is one of the least appreciated yet most important systems ever designed by humans, more important even than the plumbing technologies on which the internet depends today. x509 PKI is an incredibly elegant system that provides encryption over untrusted networks (the how), identifies with cryptographic certainty the parties involved in digital transactions (the who) and bundles it all up into a neat digital organization chart that anyone can inspect and look at any time (the what).

But x509 PKI is much more than just an elegant set of tech standards. It functions as a digital overlay of our existing, stable and analog identity system, which begins with the Birth Certificate issued to you when you are born and ends with a Death Certificate issued to your family when you die. In this way, x509 PKI is a profoundly democratic and empowering system that takes our real world identity system and makes it available to us over the world’s largest untrusted network, also known as the internet.

The problem is nobody knows that, nobody cares and even those who do aren’t entirely comfortable with extending it past the way it’s currently used.

Digital ID

We have a big problem on the internet today: all of us operating on the internet lack any sort of Digital ID that mirrors the real world identities that have been issued to us by our nation-states. Much of the angst and concern and outright abuse on the internet could be solved if we the people had a Digital ID that, built upon x509 PKI, cryptographically proved our identity during certain important transactions on the internet.

How would that work and what would my Digital ID look like? That’s the beauty of x509 PKI, part of this has already been solved: a Digital ID would overlay the way in which you are identified by government & legal systems in the real world. As to the form it would take? It could and should be as simple as a credit-card sized device issued to you by local authorities, which you own and care for, and which identifies you and chains up from the local issuing authority to your state/province or nation, just like the Birth Certificate my son was issued.

Having been issued a Digital ID along with a Birth Certificate, my son, once he was of age, would ideally have the choice of where and when to use his Digital ID on the internet. I say ideally because implementation of Digital ID is the fuzzy grey area problem that really needs to be solved in the public square. In my view, a Digital ID should not be required to use the internet (say to search it or read from it), but may be required by companies or institutions that provide services on the internet (such as posting information in a public forum in social media that requires real user names).

For instance, maybe a social media provider that requires users to post as themselves would require you to submit your Digital ID for verification. Public clouds might require your Digital ID whenever you make an assertion that you are who you say you are (such as when you ‘sign’ a digital PDF). You could use your Digital ID when you apply for a job online, or to digitally sign documents you own or any scripts or code you write. It could be used for a lot of things, but it should be your choice when to use it, and ideally you’d have the right to revoke your Digital ID from any service you wish to part ways with.

Are there serious privacy and security concerns about Digital ID, even in my vision of it? Yes of course. I can’t present a solution for everything here, nor is it my job to. And I’m certain anarchist-techno-libertarians would fight to keep the internet fully anonymous, but I and a growing number of people aren’t happy with how those values have shaped the digital public commons we now collectively inhabit.

I am convinced existing democratic systems, with expert advice & counsel, could legislate a decent Digital ID system that maps most of the things I do online to my real-world identity and is owned by me and me alone. Moreover, I feel that there has been an incidental and favorable ‘split’ in how society uses the internet that suggests Digital ID could work to solve many of the problems. For instance, many people hardly use a browser or a PC at all anymore; their primary compute device is a mobile phone, and their only interface to the internet is the Facebook app. Many others are still using the internet as we’ve used it for the last 30 years: to search, find, and view information. Requiring a Digital ID to be used before posting information to the former would not necessarily mean it’s required while using the latter.

The problem is no one is having this conversation. Digital ID is not on the agenda anywhere in the west, and only India has embraced it at scale. That’s not only frustrating, it’s really dangerous because the only alternative to Digital ID is going to be something like China’s Firewall or outsourcing identity to a private corporation like…

Facebook

Facebook is in the crosshairs on multiple fronts, and rightly so in my view. The sheer scale of Facebook is incredible.

Let’s do a little thought experiment so we can appreciate the scale of this thing: imagine Facebook as an online society rather than a multinational corporation. Facebook is populated with 2 billion humans and overseen by about 17,000. At the top of this online nation-state is a C-suite, just like other corporations. The Chief Executive of this online society is Mark Zuckerberg. With him at the top are boards of directors, but Zuckerberg calls the shots in the Kingdom of Facebook.

Credit: mrscainsclass.com

The two billion residents of this online society labor without compensation for Facebook, creating then giving data to the giant for free. Every photograph, video, along with data on all the things the residents like and dislike and talk about, is given by the residents to the people who own the kingdom. No compensation is given back to the residents of this nation-state for their work, which means Facebook is historically somewhere between a mercantilist nation-state and a kingdom that extracts wealth from its residents/subjects.

In return, the Facebook nation-state publishes news, information, and photos/videos/posts from other friends and family who are resident in Facebook. Lately, Facebook is under fire because it does zero to authenticate whether the information its residents consume is genuine. More than that though, it freely makes available to anyone anywhere at any time tools that allow bad actors to reach out and influence any group or sub-group of its residents for pennies.

The other important thing about the Facebook kingdom is this: unlike the stodgy old democracies of the real world, the residents of the kingdom of Facebook have no vote or say in how this mercantilist society is run. In the kingdom that Facebook runs, people do not have rights and there is no rule of law. There is only rule by fiat, so the rules tend to follow that which is good for shareholders.

Government issued Digital ID would solve much of this problem. Facebook knows it and the US Government knows it. But there’s more than enough hubris and conceit in Facebook & Silicon Valley in general that you can bet in the next six to 12 months, someone in Silicon Valley will propose the outsourcing of Vital Records to private tech industry players. And because of our dysfunction in Washington, we’ll likely let them.

I don’t like that future and we should be having a conversation about Digital ID to forestall it from happening.

2 thoughts on “Pondering Birth Certificates, x509 PKI, Digital ID, and Facebook”

  1. Another angle… birth certificates are actual bonds for the US government!

    Your value to society was and is still calculated using actuarial tables.

    At birth, average value bonds were created from your birth certificate.

    I understand that this is currently between one and two million dollars at your birth when your mother unknowingly gave her baby, you, away to the UNITED STATES Government.

    These birth certificate bonds were collateralized by your birth certificate and your mother’s maiden name under an Act of Congress in 1921.

    Then your birth certificate bond became a negotiable instrument just like any security instrument under UCC Article 3, code of commercial law in which the world trade falls under

    1. Hi, I’ve been following your twitter account for a few weeks (months?) and just checked out the website. This particular entry started with an intriguing point (birth certificates) that segued seamlessly into x509 that then went logically into digital certificates, and that is something I know a little about. So if you can forgive my first post being a “yes, but…”, let’s get on with it.

      “The problem is no one is having this conversation. Digital ID is not on the agenda anywhere in the west, and only India has embraced it at scale. That’s not only frustrating…”

      There are two (or four) examples I’d like to use here to illustrate why this isn’t quite right. The first is the US. That’s right, the US uses digital IDs. Actually and to be more accurate the US military, including the IC, (and the civilian government) use digital IDs that are issued to all service and civilian personnel, and select contractors that must authenticate to the system. These are euphemistically called “CAC cards”, and the acronym stands for Common Access Cards.

      These are your ID card to prove to military police or records keepers (all officials) who you are, and they are also used to authenticate to the computing network, and they are also used for digital signing and for encryption. They use 2048 bit RSA so the encryption is good enough. They are used when you check with the military base gate guard – you in your car show the card to the guard; and can also be used at your local commercial airport to check in to your flight and to get through the TSA checkpoint. So they are both physical ID and digital ID. They are also widely used within the biggest human organization in the world, but their use is fairly restricted to only within that environment. Within the community though they are so widely used that they are just commonplace. So the US already has a model.

      The more interesting case though is the national electronic ID card for the country of Estonia, also known as the e-ID cards. The cards are used as personal ID and for digital identity cards, and are used for such things as voting, medical records, prescription authentication, real estate transactions, paying taxes, creating a business, document signing, and encryption.

      But it doesn’t stop there. The cards are 2048 bit RSA, and there is also a certificate in an object that you can use in your phone – so you can do all these things from your phone as well as your computer.

      But it doesn’t stop there. Estonia has a closely related program that allows non-citizens to get an e-ID card that allows them to set up a business in Estonia that is recognized across the EU. This has been a small but notable thing in Silicon Valley. Two of the first people to get these e-ID cards were then-President Obama, and Steve Jurvetson of the Draper Jurvetson venture capital organization. (Jurvetson is first generation American, and his parents came from Estonia.) Not only can you start a business, but you can also do digital signing and encryption exchange with others who have the Estonian cards. (I haven’t tested yet with CAC card holders.)

      Of course this is a precedent because it is available to a general public. But it doesn’t stop there. Across the Baltic’s Bay of Finland the country of Finland thought it was useful enough that they have set up a cooperative agreement with Estonia to create their own PKI modeled on the PKI and the e-ID cards used by Estonia. This will be a test of scaling as Estonia has a population of 1.25 million, and Finland’s population is a little under 6 million.

      And it doesn’t stop there. France recently asked Estonia to advise it (France) on instituting a national PKI with matching electronic ID cards. This will be a big test of scaling, to see if it can go up by a factor of 10x.

      You may remember the event early in 2018 when it was discovered that the manufacturer of these cards used certificates that had the possibility of being factored, i.e. “broken”. So Estonia quickly created a crash program to update all users’ cards, and it was quite successful. Aside from a 0-day exploit in the wild this is about as bad a failure mode as an organization might encounter, and the country’s Information Systems Authority handled it very well. They have also published the event and its timeline as a case study, which is quite interesting.

      Lastly, India has asked Estonia for advice. This can be viewed as the ultimate in scaling, if one of the smallest countries in the world can help one of the most populous countries in the world to get its PKI working. We’ll see how it works out with them.

      So that is the summary of how countries can get digital IDs working in a public key infrastructure. Thanks for reading, and apologies in advance if I got any of this wrong as I’m just writing from memory at this point.
