Carnegie Mellon University

The Relationship between Privacy & Security
May 29-30, 2002

User Managed Privacy Technology Presentation
Lark Allen

Start time: 46:20 into clip

[Accompanying PPT: http://www.security.scs.cmu.edu/privacy/privacy%20presentations/the%20slides/Lark%20Allen%20FINAL%20PRES.ppt]

[If that is not available, a pdf of that presentation is here.]

It's taken me all morning to not read both screens to figure out if I missed something on the other screen. (laughter) The basic intelligence test.

My background actually is, I was educated in nuclear physics and spent a career in marketing and sales, which are actually a pretty deadly combination. And so it was natural for me to get into the privacy and security area.

But one of the challenges, and we're going to talk a little bit today about maybe a different approach to privacy, but it seems to me, I actually spent a career at IBM and having watched what the PC did to the mainframe, and what the Internet did to proprietary networks, and actually it's interesting because Carnegie Mellon is a real anachronism. It's been a long time since I've seen a real chalkboard, and then I notice a Token Ring adapter down here. I was actually the announcement manager on Token Ring on October 15, 1985. So I've got a lot of history in this room, and then digital light processors in the ceiling, so we've got it all here.

But part of the challenge that I see in the Internet today is that we're in the mainframe era of e-commerce on the Internet. That is, virtually everything is centralized, while the entire infrastructure has become decentralized with things like TCP/IP and PCs, and all kinds of access devices. The reality in the e-commerce and the e-mail world is that it's all centralized. And my identity, I'm no one on the Internet until Hotmail declares me to be someone. You know in the physical world my parents vouched for me; in the digital world Yahoo, Hotmail and Google are my identities in these places. So part of the challenge is how do I... and the approach we're going to talk about here... is how do I replicate what I had in the physical world when I move to the digital world.

In the physical world I'm never without my identity - credentials, if you will, are in my back pocket, and I can't think of the last time they were more than a few feet from me. And, I choose when I open it. And, I choose which thing I use and what I want to share with you in that environment.

The problem we have today as we move into the Internet world is as a normal course of business in the Internet today, in this mainframe era, it exposes or creates all kinds of personal information that automatically gets collected, and now with the ability to communicate, replicate, do everything that the music industry has suffered through with sharing of music, is exactly the same problem as sharing personal information: easily copied and communicated.

And, in fact, the whole explosive era of the Internet was essentially the currency that funded all of the dot com era was your personal information. And it was this natural war that's going on - a merchant sees your money and says I want it, therefore my mission is to market to you and sell to you. So the whole idea was, the funding was how many eyeballs could you attract and how much information could you mine from those eyeballs. And so if you think of this as a war between the merchant and the individual - there were tens of billions of dollars spent by merchants with a single focus to get you to pay attention to them and find out about you so they could sell to you.

So if I look at this in nuclear weapons terms, the merchants had nuclear weapons. On the other hand, if as a consumer I wanted to protect myself, I had sticks. And I'm sitting there fighting a war with sticks against someone with nuclear weapons.

And I applaud all of the years of work that Lorrie [Cranor] and the P3P folks have put in to get to the point where they are, which is some very important work that's been done to try to bring a balance of the set of tools available to you. But if you looked at the amount of money and funding that went into automating cookies, and doing all kinds of things necessary to collect your data, there was absolutely no match between them in terms of the funding. So one of the challenges is how do we bring a balance back into this, both from a legal standpoint, but also from a technology standpoint that allows the user to control the access to their data.

And so much of the approach has been they already have my data. So the legislative propositions are how do I keep them from doing bad things with my data after they already have it. As opposed to an approach that says, how do I restrict access to data in the first place. And there's actually a number of things on how long can you retain it and what can you collect and other things, so to be fair there is something going on, but for the most part it's a fait accompli, they already have all the stuff. It's a question of how widely can they share it and under what conditions and a few other things.

And so as we looked, and there are other things happening, as all of the debate, in fact the last workshop we had was on identity and authentication in the context of states and the DMV and drivers licenses, all the things going on... We're, as a company, we're a member of the Liberty Alliance, and so we've been involved in this whole discussion with lots of companies - the cell phone companies, the travel companies, the technology companies, they're all there, the Web companies - they're there having this discussion around how do we bring an identity layer to the Internet for Web services, which is the next generation of the Internet as we move forward. It becomes an incredibly important set of discussions over what is your identity and what are the identities of businesses. Today, the only identity that exists for things on the Internet in reality is that machines have identities. They're called URLs and TCP/IP addresses. Individuals don't really have identities, other than you can think of emails, and IDs and others, but it becomes important.

So the evolving identity systems will collect even more and expose more information, unless they're designed to do otherwise.

So the approach here is how do I then provide you with a repository, a local and secure wallet for your data, and give you the tools and agents -- in many cases this could be your P3P agent. And, as Lorrie has talked about moving forward, the more intelligence of an XML-based agent, with a lot more intelligence, how I can extend that all the way from allowing no release of information to full disclosure. One of the things that becomes critical and we've seen over and over again is the PC is not a trusted device. Much of the problem that we experience today is because the PC as an open device, which made it very successful, is also the core of much of the problem. The fact that anyone can put cookies on my device and track me by those cookies and do all kinds of things... and actually Bob Thibadeau has got some great analogies he uses about the PC and how un-trusted it is... but the notion and in the content industry, Hollywood, it's been really entertaining to watch the Hollings discussions around security, putting hardware security into consumer devices, and the debate between Michael Eisner and Andy Grove about where the technology side, what their responsibility is for protecting intellectual property. But needless to say from Bill Gates' pronouncement of trustworthy computing and other things, people are now becoming aware of the need to have trusted devices, user devices, and I'm sure that will continue to move forward.

And, one of the things we spent three years on you'll hear more about tomorrow in the ISTPA Framework presentation is the notion of once my personal information is released how do I bind it so that whenever someone encounters my information they know what to do with it, and what my preferences are with that data after it's left my control and is out onto the network somewhere. So, part of the challenge that we have that we talked about in the state session was this notion of authentication and credentials to get on airplanes and to do various things in the world. How do I find the balance between privacy and the need to authenticate you with multiple, with your fingerprint, your facial print, your DNA, all of these kinds of things...

And so the notion of trusted intelligent edge devices to do authentication is actually a very important architectural piece that we believe needs to be added to the infrastructure. And, in the case of authentication, what you're looking at is this notion that if I can authenticate, if I have a credential, I have my drivers license and it has my fingerprint on it, and it's encoded on the back of my drivers license or in the smart card, so I've got this stuff. If I put my fingerprint onto a reader, all I'm doing is authenticating me against my license, to make sure that whoever holds this is also the person that it was issued to. But that data never goes anywhere else, so I'm authenticating myself near the user. I'm much less concerned about my privacy than when I put my fingerprint on, it comes to some worldwide database, and compares my fingerprint to a worldwide database. I am not trusting at all in that. So the further that I get away from how far these databases, becomes a major problem. So there's the notion of the airport security system. I have been working on how do you secure the perimeter, so that you check everything at the perimeter, so nothing gets inside the system, because it's all checked at the perimeter. You could have a policy that says it's perfectly legal to bring bombs and weapons and guns onto the plane, but you're not allowed to use them when the plane is in the air. Okay, so that's the mainframe approach to legislating security as opposed to the perimeter approach to handling this.

So a couple key technologies that are associated here, some Trusted Client Devices and then the intelligence of where my wallet resides in an Intelligent Web Agent. And one of the technologies that we worked a number of years on is called the EMBASSY technology. It's actually a hardware platform in a security chip. The EMBASSY name came from a sovereign and protected place in an otherwise hostile territory. In this case, it's the PC. So this chip gets embedded into a keyboard. What you now have is the ability to have secure input. The keystrokes themselves are captured inside first of all the chip, as opposed to going into the PC in the open. You've got a smartcard reader. You've got a secure display, so I can send messages back securely and know that they can't be intercepted. And I have the ability to securely process them, timestamp them, store them and provide strong cryptography as associated with this. So what I've done is now put a peripheral device, that's capable of authenticating your password against your card in a peripheral device, which can't be seen by anything inside the PC. So I've now solved the problem at least at this level of securing this environment.

And what you have is a pretty simple, straightforward crypto chip, no magic here, but it's got an OS that allows you to load and unload secure applets into this device. So one of our friends at Intel described this, he said, "Well, what you've really built is an empty secure room with a Marine guard with a gun outside that you can rent out by the 50 milliseconds."

And so there's a trust network, with things, applets, that could be my wallet, my digital signature, when I want to do an application it will load cryptographically [??] and will load it in so I can now apply digital signatures in a secure location. If I now want to use my identity application I load the wallet instead, in this case I didn't update that one so that looks like music DRM, and the other one I want to do authentication of a local credential, so I load those, and load and unload them.

Tomorrow you are going to hear about a technology called XNS, eXtensible Name Service from OneName, which is very complementary to the work being done by P3P as a technology set, but it's essentially Intelligent Web Agents and rather than using Drummond's [Reed's] stuff for tomorrow I'll let him explain that tomorrow. But it essentially says, I now have an identity credential that has lots of stuff on it: my name, address, biometrics of all kinds, my criminal history, my healthcare information, you know, all of the easy stuff that the legislatures will snap right to on putting on a smartcard. And I have a perimeter device, an intelligent reader and part of this notion is that even though I have all this information how do I make sure that not everyone gets access to it. So in this case when I use my reader, or I use my card in a reader, I load an applet. So at a bar the only applet I'm allowed to have is an applet that says "age" is the only information off this that you're allowed to have. So when that card is read in a bar all they can do is validate my age, but they can't collect my name, address, and all the other stuff.

The police have their own kind of applet that says once I pull you over and look at your identity card, I actually get your criminal history, and I can verify your identity and other things. We're actually working with one of the large state governments on exactly this application today for authenticating the identity of people they pull over with portable readers and so on.

Same thing with the hospital applet that needs access to your healthcare information. You can actually even load an applet, that's just your local authentication applet, that doesn't reveal any of your personal information, all that it says is, is this the person whose card is being read based on their password or biometric or facial scan. The answer is yes or no, but doesn't expose any of the personal information out there.

So you now have the ability to start to restrict the amount of information that can be released, by having a trusted perimeter device and credentials. So today the security in most cases, as they say, the security model for the Internet is almost backwards -- we protect the stuff while it's going across the Internet using firewalls, but it's in the clear out at both ends of it. It's kind of like using a Brinks truck to deliver the gold, but you leave it on the front doorstep until the people come home to pick it up.

And so part of the notion is how do I extend my security perimeter all the way to the user level of devices for doing things like authentication, and checking tokens, and so I can now start to build an environment where any two trusted devices, I can do trusted operations locally. I can use that authentication to either log me onto my PC or log me directly to a server. This is actually the implementation in Europe. There's a specification that was announced last summer called FINREAD, which is a trusted financial reader. It was developed by the banking community in the European Union for doing card holder present authentication for e-commerce transactions. Because the liabilities are different in Europe than they are in the US, the merchants and consumers bear much more of the fraud responsibility there. So in this case, this provides a way to give a card holder present with both a password and the card necessary, but you have to have a trusted location to do the authentication and so in that case it's in the keyboard or the smartcard reader itself.

So the benefits of this, it says it gives the user the tools and much more control over the release and usage of their information. So you've minimized the amount of stuff that's out there about you. Your privacy preferences have the opportunity to be much more granular and situation based, and the extensions that Lorrie talked about - it gives the platform where those could be more effectively implemented. And the authentication at the network edge gives the ability to control that, which actually if you look at a lot of the laws that are out there, think of how much it's going to cost you to do the enforcement of those. In these cases it's a much more scalable and enforceable controlled approach. And it also starts to address some of the major challenges with the un-trusted PC itself, by securing its input and output devices. And you can also minimize the need for very politically insensitive centralized databases to do many of the same functions, and provide an opportunity for need-to-know release of information.

So as the debates start to come up about multi-function identity credentials and what am I going to put on a driver's license or what am I going to put on any of these credentials, we've got a solution that may be able to solve at least some of the core problems that they face from a legislative and a technical standpoint.

So anyway, that's the notion that we have on distributed and user managed privacy as an approach.
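The two mechanisms the talk leans on, local authentication that answers only yes or no, and a per-verifier "applet" that can release nothing beyond its allowlist (age only at the bar, a login applet that releases no attributes at all), can be sketched in a few dozen lines. The following Python is an added illustration written for this transcript; it is not EMBASSY, FINREAD, XNS or OneName code, and the credential contents, the password, the role names and the function names are all constructed for the example. The point it makes is structural: the verifier asks for a role, the credential holder's secret is checked locally against a stored template, and the only data that crosses the boundary is the intersection of the credential with that role's allowlist, with "age" delivered as a derived boolean rather than a birth date.

```python
"""Selective disclosure from a local credential (added example, constructed data)."""
import hashlib
import hmac
import os
from datetime import date

# A constructed credential holding everything the talk says legislators would
# happily put on a card. In the talk's model this lives in the card or the
# trusted reader, never in the open on the PC.
CREDENTIAL = {
    "name": "Pat Example",                 # constructed
    "address": "1 Sample Street",          # constructed
    "date_of_birth": "1980-04-02",         # constructed
    "criminal_history": [],                # constructed
    "healthcare": {"blood_type": "O+"},    # constructed
}


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for however a real card stores its password or
    # biometric template; the only property used here is "compare, never export".
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


_SALT = os.urandom(16)
_STORED_TEMPLATE = _hash_secret("correct horse battery", _SALT)  # constructed password

# One applet per verifier role. Each is an explicit allowlist of attribute
# names; anything not listed can never leave the reader for that role.
APPLETS = {
    "bar": {"age_over_21"},                                  # derived boolean only
    "police": {"name", "date_of_birth", "criminal_history"},
    "hospital": {"name", "healthcare"},
    "login": set(),                                          # yes/no only, no attributes
}


def _derive(attribute: str, credential: dict, today: date):
    """Compute derived attributes so the raw field (here, the birth date) stays on the card."""
    if attribute == "age_over_21":
        dob = date.fromisoformat(credential["date_of_birth"])
        had_birthday = (today.month, today.day) >= (dob.month, dob.day)
        age = today.year - dob.year - (0 if had_birthday else 1)
        return age >= 21
    return credential[attribute]


def read_card(applet: str, presented_secret: str, today_iso: str = None) -> dict:
    """Authenticate the holder locally, then release only what the applet allows.

    Returns {"authenticated": False} on a failed match (no attributes at all),
    otherwise {"authenticated": True, <allowed attribute>: <value>, ...}.
    """
    if applet not in APPLETS:
        raise ValueError(f"unknown applet {applet!r}")
    today = date.fromisoformat(today_iso) if today_iso else date.today()

    # Step 1: match against the stored template inside the reader. The template
    # and the presented secret are never part of the returned data.
    candidate = _hash_secret(presented_secret, _SALT)
    if not hmac.compare_digest(candidate, _STORED_TEMPLATE):
        return {"authenticated": False}

    # Step 2: build the response strictly from the applet's allowlist.
    released = {name: _derive(name, CREDENTIAL, today) for name in APPLETS[applet]}
    return {"authenticated": True, **released}


def leaked_fields(response: dict, applet: str) -> set:
    """Audit helper: any key in a response that the applet did not allow."""
    return set(response) - {"authenticated"} - APPLETS[applet]


if __name__ == "__main__":
    # Date fixed to the workshop date so the example is reproducible.
    print(read_card("bar", "correct horse battery", "2002-05-29"))
    print(read_card("login", "correct horse battery", "2002-05-29"))
    print(read_card("police", "wrong password", "2002-05-29"))
```

The `leaked_fields` helper is the check a reviewer would run over every applet: the allowlist is the whole policy, so any key outside it in a response is a bug in the reader, not a configuration choice. Swapping PBKDF2 for a biometric matcher changes nothing about the boundary; the matcher's output is still a single boolean.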