Long ago, smart people learned that living in
houses and raising food on farms was better than living in caves and eating whatever you could find that looked like food.
Some, however, never got
the hang of farming. Instead, they joined with
other non-farmers in gangs that offered to protect the farmer if he
handed over a couple of geese and pigs.
"Protect from whom?" asked the farmer.
"From me, of course" said the leader of the gang of thugs as he carried off the livestock.
Now the farmers could put up with one gang of thugs but with many competing gangs, each demanding more geese and
pigs, life became very difficult.
Then the
smartest leader of the toughest gang came up with a solution. "I'll
protect you not only from myself but from the other gangs as well. Just
hand over geese, pigs, a few goats, and a son to join my
protection enterprise.
And toss in that shiny trinket so I can add it to this
fancy thing I want to wear on my head. And oh yes, refer to me as 'highness.' "
That's how the smartest gang leader became king. His sons had sons who had sons, and each generation
became more interested in sitting on a comfy throne than riding around
in the cold wet countryside keeping order and exacting tribute. Over
the generations successive kings learned how to build an organization of courtiers
and knights
and justices of the peace and spies that enabled them to maintain a
life of comfort. As long as everyone in the realm acknowledged his
authority, all was cool.
The
king's authority was signified, conveyed and applied through the
use of
a wax seal. But as the kingdom grew it became impractical for every
deed to be made official with the king's seal. Public officials were
appointed and commissioned and given their own seals, which conveyed
the delegated authority of the king.
Over
the centuries, people caught on to the king's little secret: their
consent to his authority was the source of all his power. Gradually
they took more and more of that authority upon themselves. The notion
of "state" came to mean "that which holds and applies public
authority," whether it's the king, the people or, in most cases, king
and people grudgingly acting together to constitute and apply public
authority.
As more and more people wandered away from their villages, that wax
seal conveying public authority in private matters became very
important. For centuries, people would carry notarized letters of
introduction
when they traveled, as there were precious few other sources of
authenticity to let people know who they really were.
Beginning around 1865 a series of inventions allowed people to engage
efficiently with each other over distances. If you wanted to do a
reality check on someone you just met,
you called a mutual acquaintance on the phone. Circles of trust
remained of manageable size, kind of like a village where everyone
knows each other. Wax seals quickly became obsolete in the telephone
century.
Then came the twenty
first century. Those inventions have
brought us to something that has been called the global village.
Except that a village or a circle of trust is defined by the fact that
everyone knows enough about each other, or can find out from a trusted
village acquaintance, to determine the authenticity of their assertions,
starting with their identities. That fact provides accountability,
which is the essential
building block of a village.
In this new mass of six and a half billion
people brought close through technology, there is no accountability,
meaning it's not a village at all. It's a global mob. We regularly encounter people online with no means of knowing
whether their identitiy or their other assertions have any
authenticity. Online, inauthenticity rules.
And it doesn't stop with the online world. The financial world
is in the throes of collapse because those same inventions, applied to
the world of transactions, with the same lack of tools of
accountability, allowed
worthless loans to be foisted off as grade-A securities.
Inauthenticity
rules. Everywhere. The built-in lack of accountability in our systems
of communication have turned fraud and theft into normal business
practices.
But what's the
alternative? Would you want a global village where everyone knows
everyone
else's business? Where a personal identifier made it possible for
snoops and governments and cookie clubs to watch your every move,
building tables of data about all your actions, including the web pages
you look at and the people you
hang out with and the things you buy? Accountability in a village of
650 people may cost a certain amount of your privacy, but that kind of
accountability
in a global village of 6,500,000,000 people would be a Kafkaesque
nightmare.
And that nightmare is well on its way. The title of a recent MIT
Technology
Review cover story says it all: "The Internet Is Broken." Spam
brings us phishing attacks and botnets. Our "information homes" are
intruded upon regularly. Privacy has been thoroughly eroded by both
"legitimate" business and
by a new global online mafia.
Welcome back to the eighteenth century. We need to take a close
look at well-established sources of authenticity and accountability.
And we need to use available technology to build a reliable means of providing individual privacy.
The important news is: it can be done.
In fact it is being done.
THE FOUNDATION OF THE SOLUTION
A source of public authority is always necessary for there to be any kind
of order, productivity,
and progress. In democracies and dictatorships, strong central
governements and federations of cities and provinces, there are always
keepers of the seal who apply public authority - the authority of the
state - in private matters. They are called notaries, justices of
the peace, consular officials, professional licensing boards, building
inspectors, etc.
Did
you know that a document that was notarized by a U.S. notary will be
honored in
Cuba, Iran, and North Korea - and vice versa? (Sometimes an
"apostille" attesting to the validity of the notary's commission
is also required.) We find that unusual because when we think of the
policies of nations we think of governments rather than state.
Public authority is held by, and applied by, the state. State is not the same as government. Government does things.
Government builds roads, fights wars, provides for the welfare of the
disadvantaged, employs people to help the economy, and launches countless other
programs and initiatives.
The state, by contrast, just
is.
It holds authority to be applied according to due process. The main
purpose of that due process is to allow people to discern what is
authentic from what is inauthentic.
The durable asset of the state is
public authority. While the titles of state authority are sometimes gained
through intrigue and maneuverings and inauthenticity, the participants
tend not to mess with the authority asset, because they know it's essentially the state's only real asset.
Without that authority asset they would have no... authority.
Government gathers and applies public money.
State gathers and applies public authority.
THE SOLUTION.
The solution is quite straightforward. Individual privacy
and public security are not antithetical.
We can have both at the same time.
We can have authenticity.
What will get us there?
Very simply, a well-thought-out and well-engineered system that will
replace that which has gone missing.
What has gone missing?
Authenticity and Privacy.
We need an Authenticity and Privacy Infrastructure.
A
real, workable Authenticity and Privacy Infrastructure, however,
requires facing the fact that most of our information security methods
and
procedures are built upon flawed assumptions. Among the things we must
abandon is the basic assumption underlying firewalls and intrusion
detection systems and intrusion prevention systems - and all the
anti-malware software that we dutifully and futilely maintain in our
personal computers.
That is, we must
abandon the preposterous notion that one can determine the intentions
of the sender of a stream of packets by examining the contents of those
packets. Years ago we should have seen how that defies common sense.
You cannot "profile" data. If you rely upon that approach, that
set of assumptions, then you merely eliminate the work of the least talented, least ambitious, and least well funded intruders.
We used to characterize the Internet as an
Information Highway, and indeed it is an outdoor public
transport system. It does that job well.
Now would you have your meetings, keep your files, and
let your kids hang out outdoors by the side of a busy highway?
Typically we use highways to bring us from one building to another -
from one indoor space to another.
So where are the indoor spaces? Where are the buildings?
You
know what indoor spaces require: architecture, building codes,
code-qualified building materials, building permits and
occupancy permits. Each of those is generated by individuals with professional licenses that are issued by public authority.
Let's look at how an Authenticity and Privacy Infrastructure can provide what we need.