Privacy and the digital citizen

1. Privacy and the digital citizen Gene Tsudik ICS Dept, UC Irvine www.ics.uci.edu/~gts NSF DG Workshop 2001, Privacy Panel

2. Who? Why? What? • Background • Research: applied crypto and network/computer security • Anonymity and privacy in e-commerce • Anonymous communication (e.g., email, mobile) • Group signatures (can be used for group membership, petitions, voting, etc.) • Revocation of credentials and tight control over security privileges NSF DG Workshop 2001, Privacy Panel

3. NSF DG Workshop 2001, Privacy Panel

4. My current pet topics • Secure e-Voting • Timestamping • Anonymous authentication • Hosting and manipulating encrypted content NSF DG Workshop 2001, Privacy Panel

5. Terminology:Privacy, Anonymity, etc. • Not that closely related • Privacy (passive) – I do nothing but want you to stay away from me and mine. • Anonymity (active) – I do something (e.g., buy) and wish to keep my identity secret. • Unlinkability (active) – I do something a number of times (anonymously) but don’t want you to “track” me. NSF DG Workshop 2001, Privacy Panel

6. Example • Voting: not private but anonymous and unlinkable • Must prove group membership • Must make choices (submit vote) only once • Vote must have integrity • No one but I should know my vote or link my votes • Must be able to verify that my vote counted  • Should not be able to demonstrate my vote to others (else I might sell it) NSF DG Workshop 2001, Privacy Panel

7. One possible foundation for secure voting:Group Signatures • Chaum and Van Heijst (1991) • Like a normal PK digital signature (more structure) • Members and group manager (maybe distributed) • Anonymous, unlinkable signatures • Open possible but hard • Impersonation impossible • Phantom membership possible but avoidable • Revocation… a headache • Can be extended to support voting • MORE RESEARCH NEEDED!!! NSF DG Workshop 2001, Privacy Panel

8. Secure and Reliable Time-stamping • Need to prove possession of something (e.g., idea, manuscript, will) at a certain point in time • Sequencing (causality) • Must be • Public • Anonymous • Unlinkable • Oblivious to content (no censorship) • Requires digital signatures and other tools • Currently (can be poorly) done via USPS and/or notary public • MORE RESEARCH NEEDED! NSF DG Workshop 2001, Privacy Panel

9. Authentication/Identification Government bestows upon a citizen: • SSN • DL • Passport NSF DG Workshop 2001, Privacy Panel

10. Why Anonymous Authentication • Driver’s license is overloaded, overused, insecure • SSN is overloaded, insecure • Usage of SSN’s for identification and “authentication” is a national disgrace • Credit card numbers are trivial to fabricate, steal, etc. • Bottomline: we trail as a country… NSF DG Workshop 2001, Privacy Panel

11. What is AA? Example: • Unique permanent ID embedded in a secure device • One-time ephemeral ID displayed/produced upon each use • PIN/PW- or possession-based authentication • E.g., Social Security or Credit Card • One-time CC# isn’t worth stealing NSF DG Workshop 2001, Privacy Panel

12. In conclusion:What (I think) we need: • Stop relying on SSNs and DLs for extraneous purposes • Devise a national ID scheme (lunatic fringe notwithstanding) • Promote one-time-id AA devices for credit/debit cards and other (perhaps only non-visual) forms of id • For E-commerce, privacy QoS with consent: give up info  get a $$ discount! NSF DG Workshop 2001, Privacy Panel