Personal ID infrastructure - a proposal

[helene_t]

In Denmark (other Scandinavian countries similarly, I believe), each newborn child and each new immigrant gets a CPR (Central Personal Registry) number, which is used as a key in many information systems in which physical persons appear in the data model. Not only government information systems. When I call my Danish bank, for example, the first question they ask is my CPR number. Of course they could have asked my account number instead, but since CPR numbers are used all the time, most people know their CPR number by heart.

 

This is a good thing for many reasons, as compared to other countries in which a lot of different keys are used in different information systems:

- Everyone has a CPR number (unlike telephone numbers, driving licenses numbers, credit card numbers).

- CPR numbers are guaranteed to be unique (unlike phone numbers, name+birthday etc).

- CPR numbers do not change when one moves, gets married etc.

- CPR numbers are numeric so that you don't have problems with storing them in information systems using different alphabets (for example, Russian immigrants in the West typically have their names transcribed differently in different information systems).

- CPR numbers have no ethnically, social or religious implication (unlike names) so they can be used where such information must be concealed (for example when student's exam answers are forwarded to censors who are not allowed to bias their verdict on racist grounds). Similarly, the family of Adolf Hitler etc. will not feel a need to change their CPR number.

- CPR numbers have a check-sum. Compare to the name of a Polish child who was baptized in Japan and later got his data transferred to Greece and try to make a rule to decide if the spelling of his name can be correct or must be a typo.

- CPR numbers are just single numbers so the semantic parsing is straightforward (think of Spanish and Chinese immigrants in Scandinavia who sometimes get their first/second/third names swapped because the primary alphabetization key is the first name in China, the second name in Spain and the third name in Scandinavia - IS clerks are either unaware of the problem or deal with it inconsistently).

- A single key is used in (almost) all information systems, making integration of systems smooth.

 

Anyone who has been involved in the engineering of information systems in a country with widespread use of CPR numbers (Denmark, in my case) and also in a country without such use (Netherlands in my case) knows how an enormous difference it makes. From a Danish perspective, sociological and epidemiological research in the Netherlands is a joke. I'd rather use Danish statistics and try to extrapolate them to Dutch conditions than relying on Dutch statistics for an epidemiological or sociological research project. I don't known how much Euros per year the lack of CPR number usage costs the Dutch society (government and business) in terms of more money payed for lower quality data, but I guess it's in the billions.

 

One might ask why so few countries use CPR numbers or even have them. By far the most frequent objection against the use of CPR numbers is on the bottom of my list of advantages: CPR numbers make the integration of information systems smooth, making it easier for Big Brother to monitor you.

 

Personally, I'm not afraid of Big Brother and would actually like him to monitor me much more closely because the government can help me better if it knows everything about me. But since most people are less confident in Big Brother than I am, I think the problem must be addressed seriously before CPR numbers can become more widely used. My point is that:

- For a particular purpose for a particular user, particular data about a particular person should either be available or not available, and whether the data are available should be transparent. They should not be "in principle available but in practice not because of all kinds of clumsiness in the infrastructure". Nor should they be "in principle not available but in practice they are because of all kinds of loopholes made necessary by the clumsiness".

 

My idea is the use of surrogate keys. People create multiple identities for themselves, or get identities assigned by different employers, government offices, banks, etc. Some of my identities could be

2606663528@cpr.dk

helene_t@forums.bridgebase.com

member35274833@bridgefederation.nl

customer75638365@amazon.com

etc.

 

The conflict arises when some users (say, a credit assessment agency, or the North Korean secret police) want two or more of those identities to be linked, i.e. to be able to know that they refer to the same person, while I do not want them to know that. I can protect my privacy by not making the link public. But my whole point is, of course, that such links should be easily available to legitimate users.

 

To resolve this, identities should be accompanied with "link permissions" which the owner of the identity (almost always the same as the person referred himself, but in some cases, such as tourist63438643@immigration.au, could be a police office) grant on the basis of how much trust the owner has in the IS administrator in question.

 

Suppose I have reasonably trust in Fred and Uday. When creating the identity helene_t@forums.bridgebase.com, I agreed to establish a link between that identity and the my main identity 2606663528@cpr.dk. This does not mean that Fred and Uday get to know that my main identity is 2606663528@cpr.dk. Rather, the link is stored at cpr.dk, and Fred and Uday get a password to cpr.dk allowing them to perform certain operations on the identity forumuser7489564756@internalkeys.bridgebase.com@cpr.dk, where the link between 7489564756 and helene_t is known only to BBO. For example, I might grant them rights to

- send money to me (cpr.dk has a link from 2606663528@cpr.dk to customer4546754@funnybank.nl, another identity of mine)

- call me per phone in case of emergency (I trust Fred and Uday to judge when this applies). Note that this is not the same as giving Fred and Uday my phone number: They can only call me via cpr.dk. If I ever loose the confidence in Fred and Uday, I just break the link.

- use most of my personal data for statistical purposes (market research). It works like this: Fred and Uday send a statistical query stat.wto.int, containing all bbo internal keys. stat.wto.int forward the query to each of their participants, one of which is cpr.dk. cpr.dk only has data for those bbo users who happened to establish the link bbo->cpr.dk (basically Danish users) so the number of summary statistics they return is too large to assure against a privacy break. But cpr.dk trusts stat.wto.int to aggregate the statistics from different participants and only return the result to bbo if the total number identities used is large enough to assure against privacy break.

 

Of course it will be my personal choice to rely so heavily on my trust in cpr.dk. Others may use their church, or their trade union, or their employer, or their own garage-shop Linux server shared with some friends, as administrator of their main identity. Or they may have no main identity at all but just granting multiple links, for example a direct link from bbo to the phone company and another direct link to the bank. Some would have a more strict policy than I, for example not to participate in market research.

[Winstonm]

Helene - you cannot begin to imagine how counter-inuitional this would be to most Americans whose country was founded on the priciples of limiting powers of government. Then on top of that you have a large religious community that would view any such attempt as a move toward the one-world government and world numbering system they believe would be a sign of the end times.

 

If you polled most Americans you would probably find on the absolute bottom of their wish list more government intrusion into their lives.

[pbleighton]

Helene - you cannot begin to imagine how counter-inuitional this would be to most Americans whose country was founded on the priciples of limiting powers of government. Then on top of that you have a large religious community that would view any such attempt as a move toward the one-world government and world numbering system they believe would be a sign of the end times.

 

If you polled most Americans you would probably find on the absolute bottom of their wish list more government intrusion into their lives.

 

I think you overestimate the degree of opposition. However, it IS strong enough on the left (including me) and the right (and not just the loony black helicopter crowd by any means) that it's going nowhere.

 

Helene: would you support this if you thought that George Bush might be elected in your country?

 

Peter

[helene_t]

But Winstonm, my whole point is to make the government control transparent. I want people to know what data can be used for what purposes. And I want de-facto access to data to be more closely related to intended access.

 

Who decides what data can be used for what purposes is a different matter. In my example with BBO, each individual is in total control. It is possible that the government would like to control certain links, for example requiring banks to give the revenue service certain access rights on the bank's information system. That's a different discussion.

 

Helene: would you support this if you thought that George Bush might be elected in your country?

Why not? It might be my personal choice to move my master record from cpr.dk to, say, some Switzerland-based NGO in case George Bush became king of Denmark. Then I could tell the Switzerland-based NGO not to trust any Danish government offices but still to trust certain other governments and private organizations.

 

With the current system, I can do no such thing. A lot of private and goverment information system contain the text string "Helene Hoegsbro Thygesen" with lots of completely unnecesary links. Of course I could change my name. But that's impractical since it would destroy a lot of benign links between my pre-namechange data and post-namechange data.

 

Practical example: suppose you don't want the government to know your home adrees which happens also to be your snail-mail adress. That's impractical if a lot of government offices have the policy of using precisely your home address for identification purposes. You could make a fake adress change but a lot of information systems keep track of previous adresses. And even if they don't use your adress for identification purposes, a lot of information systems will contain your adress anyway because they use it for sending mail to you. Worse, they also contain your name. So all the the government (or the mafia) needs to do to find your home is to break into some leaky information system. Worse, if you want old, lost friends to be able to send mail to you, the goverment can find your home adress on www.findsnailmailadressesofoldfriends.com.

 

The solution is to keep your home adress in only one central place, namely the local post offcie. Everyone who wants to send you a letter will send it to e.g. snailmail6374534523@mailcenter.somestate.us, where 6374534523 is a surogate key linked to your home adress at the local post office and linked to, say, your Bridge World subscriber number at the BridgeWorld subscriber database. Now if the evil goverment breaks into the post office and points a gun to the head of someone who has a password for the database, and do the same at the BridgeWorld office, they will be able to link your BridgeWorld subscriber number to your home adress. If subscribing to Bridge World is sufficient to mark you as an enemy of the goverment, you're in troubles.

 

Now you may think that the government could still use www.findsnailmailadressesofoldfriends.com to find you and then point a gun to the head of the mail clerk, or send you a box of poisoned chocolate. But the point is that I don't want the government to know any of the names that old friends might search for! All the goverment knows about you is that you're taxpayer7436534576@revenues.gov and maybe a few others like voter45475....

[mike777]

".....Personally, I'm not afraid of Big Brother and would actually like him to monitor me much more closely because the government can help me better if it knows everything about me...."

 

Has anyone ever gotten a false CPR and used it? Two CPR numbers for one person? Has a crook ever gotten ahold of a CPR number and if they do did they do any damage with it?

 

In any event I think how can this be a bad thing esp. if you want the government to know more about you do to do a better job.

 

Heck if an AI is going to be 100 billion times more intelligent than the entire human race by 2050, do we really think she cannot get our CPR number or whatever?

[pbleighton]

"Heck if an AI is going to be 100 billion times more intelligent than the entire human race by 2050"

 

I don't think this at all. I think it's nonsense. But hell, I'm a computer programmer, what do I know.

 

Peter

[mike777]

"Heck if an AI is going to be 100 billion times more intelligent than the entire human race by 2050"

 

I don't think this at all. I think it's nonsense.  But hell, I'm a computer programmer, what do I know.

 

 

Peter

You would know much better than me.

 

If it is impossible, against the laws of science for software, strong AI, computers, robots to have any measured degree of intelligience...ok....

[pbleighton]

"If it is impossible, against the laws of science for software, strong AI, computers, robots to have any measured degree of intelligience...ok.... "

 

That's not what I said :)

 

Peter

[mike777]

"If it is impossible, against the laws of science for software, strong AI, computers, robots to have any measured degree of intelligience...ok.... "

 

That's not what I said  :)

 

Peter

ok if not impossible..by laws of science..than perhaps we just disagree on the timetable? 43 years compared to ....much much longer....

 

I do think watching the advances in the science of the brain as compared to software/hardware is an important intermediate step. I expect huge/great advances by 2028..if not....then.....

 

But back to helene's topic...have the CPR databases been breached? Do you expect them to be soon?

[pbleighton]

ok if not impossible..by laws of science..than perhaps we just disagree on the timetable? 43 years compared to ....much much longer....

 

Much, much longer.

 

Peter

[sceptic]

Helene, my name is Wayne, I would hate to be called 66673645527834

[mike777]

Helene, my name is Wayne, I would hate to be called 66673645527834

What in the world makes you think you have a choice..live with it. :) Everyone must make a sacrifice.

[Winstonm]

But Winstonm, my whole point is to make the government control transparent.

 

Helene:

 

Absolutely no disrespect intended, as I am a great admirer of your intellect, wit, and charm. BUT........

 

to understand the depth of ironic chortle that eminates from an American who lived through Nixon's reign of secrecy and is now living under Bush's rule of "omerta" when you use the phrase "transparent government control" would require a Vulcan mind probe and several shots of fine Irish Whiskey to comprehend.

 

Your cpr and what the government's utilization of it was for would simply be classified as a national security secrect and no amount of Freedom of Information Act requests would ever be acknowledged. I think it simpler to simply have them install a camera unit in the television and mini-microphones and speakers all over the house for "newspeak" - then I always did think Orwell had good taste in naming his characters. :)

[pbleighton]

Helene, my name is Wayne, I would hate to be called 66673645527834

 

Well, my name is Peter, but you may call me 666 if you like...

[Winstonm]

Well, my name is Peter, but you may call me 666 if you like...

 

I don't think it will ever fly with the Nascar, Bud Lite, Nashville crowd.....(with apt apologies to Johnny Cash) My name is two, how do you do, now you're gonna die!

[hotShot]

Helene the problems I have with your proposal is not what computers do with the data they have, but what people do with the data they get or can access.

 

Having nothing to hide is not the same as a live broadcast from your bedroom.

 

You would be much more transparent, that the state.

 

And just imagine that someone who knows your CPR, can almost do anything with it, that you can.

[Finch]

Anyone who has been involved in the engineering of information systems in a country with widespread use of CPR numbers (Denmark, in my case) and also in a country without such use (Netherlands in my case) knows how an enormous difference it makes.

I thought the Dutch sofi number had much the same meaning.

 

Similarly, in England everyone has an NI number (although it's got letters in it), but the only people who actually use it are the NHS and HM revenue & customs.

[cherdano]

As a side remark, the strong US resistance against any form of government issued ID is a little hard to understand from the outside. The government already has loads of legitimate ways of getting information about its citizens (tracking credit card use, many corporations sharing data with government agencies, etc.), and an ID card would do little to change that. Meanwhile, if done right it could probably help a lot vs identity theft, which is a huge problem here, and I have never heard of that problem anywhere else.

 

I may be wrong, but it seems that some conservatives may have nothing against the wiretapping act, but would run around on the street screaming if anything resembling a federal ID came up. This is so hypocrite that it seems almost ridiculous to me.

 

Arend

[pbleighton]

"I may be wrong, but it seems that some conservatives may have nothing against the wiretapping act, but would run around on the street screaming if anything resembling a federal ID came up. This is so hypocrite that it seems almost ridiculous to me."

 

You are (mostly) wrong. There are a lot of different styles of U.S. conservatives. You'll find many on both sides of this issue. I don't think you'll find many (though you will find some) who like the wiretapping, Patriot Act excesses, etc., who are against the ID.

 

Peter

[Winstonm]

I may be wrong, but it seems that some conservatives may have nothing against the wiretapping act, but would run around on the street screaming if anything resembling a federal ID came up. This is so hypocrite that it seems almost ridiculous to me.

 

I can only speak for myself, but I have some conservative views, some liberal views, and a touch of libertarian thrown in for good measure - a real mishmash and not easily idetifiable with any one group.

 

I am against wiretapping unless under strict judicial control and oversight.

[mike777]

I may be wrong, but it seems that some conservatives may have nothing against the wiretapping act, but would run around on the street screaming if anything resembling a federal ID came up. This is so hypocrite that it seems almost ridiculous to me.

 

I can only speak for myself, but I have some conservative views, some liberal views, and a touch of libertarian thrown in for good measure - a real mishmash and not easily idetifiable with any one group.

 

I am against wiretapping unless under strict judicial control and oversight.

this makes more sense if you think you are not at war.

 

If you are at war I see nothing wrong with tapping incoming overseas/calls into the usa without "strict judicial oversight and control".... a matter of "excessive" control of the war being fought IMHO.

 

I understand many think this is "losing our freedom and liberty" even in the case of war.

[Winstonm]

Seeing that pre-NSA wiretapping the same thing could have been done legally and just as quickly it makes at least this part of your statement correct:

 

this make more sense

 

:)

[mike777]

Seeing that pre-NSA wiretapping the same thing could have been done legally and just as quickly it makes at least this part of your statement correct:

 

this make more sense

 

:)

Winston your facts are simply wrong, it cannot be down legally and quickly. I am not sure why people think so. See WWII.

 

If you just want to tap one or two phone calls or 100 or a 1000 maybe....but they tap...10,000 or 100.000 or more a day. Again if you just want to listen in on a tiny, tiny amount, maybe maybe ok I could buy your point.

 

If you want to listen to 100,000 day after day and run it through some high tech software for key words or whatever, how do you it? You don't. If you want to fight a real war this way, we just agree to disagree.

 

Can we agree that you want to at least listen into Russian phones, in Russia or Chinese phones in China, today even if we are not at war with them in anyway, shape or form without the courts having a say?

 

But if we are at war with Russia or China and they call the USA you want strict Court oversight to wiretap?

[Winstonm]

Winston your facts are simply wrong, it cannot be down legally and quickly. I am not sure why people think so.

 

Perhaps we think so because of this:

 

WASHINGTON, Jan. 17 — The Bush administration, in a surprise reversal, said on Wednesday that it had agreed to give a secret court jurisdiction over the National Security Agency’s wiretapping program and would end its practice of eavesdropping without warrants on Americans suspected of ties to terrorists.

 

The Justice Department said it had worked out an “innovative” arrangement with the Foreign Intelligence Surveillance Court that provided the “necessary speed and agility” to provide court approval to monitor international communications of people inside the United States without jeopardizing national sec

 

If it can be done now, it could have been done then. The only reason the Bush regime backed down is because it knew it had no case and would lose in the Supreme Court.

 

But if we are at war with Russia or China and they call the USA you want strict Court oversight to wiretap?

 

Mike, I think you are missing my entire point. I do not want anyone, no person, group, or single branch of government to have sole and exclusive authority to do anything that violates civil rights and personal liberties, even in times of war.

 

Roosevelt went to Congress to ask for an Act of War. OK. Fine. That is the what consitution provides - that is two branches of government at work. That is not Roosevelt secretly ordering wiretaps without oversight on anyone he deemed a potential enemy (of what we can't know- it's classified - a Nixon "Enemies List?") simply because he deemed them a possible supporter of the Japanese cause with whom the U.S. had not even declared war.

 

The isolated instance is not greater than the overall good. Could it be right to allow one of a group of triplets to die at birth in order to save the other two?

Whether it is Japan, Korea, Germany, or radical Islam, the battle against any one enemy is not greater than the principles for which we fight. We are a nation of laws - to sacrifice law and democratic processes for the siren's song of security and safety by simply turning over rights to an ulitmate "Decider" is to lose without the enemy having to fire a single shot.

 

We supposedly are fighting to keep our freedoms, not to abandon them.

[mike777]

This is the same Justice Dept that you say day after day is lead by incompetents? :o

 

What did the NSA, Defense or CIA say and how many Generals does the Justice Dept have?

 

I guess we take our lead from the Justice Dept next time we declarer war. :)