The LSE Identity Project Report: June 2005 (page 265)

Carving out independent “circles of trust” is not a solution to this problem either. The only way to break out of the individual circle-of-trust “silos” that would result would be to merge them into a “super” circle by reconciling all user identifiers at the level of the identity providers, which would only exacerbate the ID-FF privacy and security problems.

More generally, panoptical identity architectures may be perfectly legitimate for a company to deal with the access rights of its own employees, but they have unacceptable privacy implications when adopted for government-to-citizen interactions. They would also eliminate the ability of government service providers to function autonomously, and would introduce enormous security risks to citizens and government alike; fraudulent insiders and successful hackers would have the ability to electronically impersonate citizens across government areas, to cause false denial-of-access to citizens on a fine-grained per-transaction basis, and to cause massive identity theft damage.

How to design a privacy-preserving national ID card

Over the course of the past two decades, the cryptographic research community has developed an array of entirely practical privacy-preserving technologies that can readily be used to design a national ID card that eliminates any unnecessary powers. These technologies can be used as building blocks to design a national ID card system that would simultaneously address the security needs of government and the legitimate privacy and security needs of individuals and service providers. The resulting ID card would in fact be much more secure than the currently envisioned national ID card, because it would minimize the scope for identity theft and insider attacks.

Individuals would be represented in their interactions with service providers by local electronic identifiers that service providers would electronically link up to legacy identity-related information (i.e., accounts) that they hold on individuals. These local electronic identifiers within themselves are untraceable and unlinkable, and so any pre-existing segmentation of activity domains would be fully preserved.

At the same time, certification authorities could securely embed into all of an individual’s local identifiers a unique “master identifier.” (Different sets of the local identifiers issued to an individual might have different master identifiers embedded within them.) The embedded master identifiers would remain unconditionally hidden when individuals authenticate themselves using their local electronic identifiers, but their hidden presence can be leveraged by service providers for cross-domain security and data sharing purposes without causing privacy problems.

For example, service providers can securely share identity assertions across unlinkable activity domains, in a privacy-preserving manner and under the user’s control. Invisibly embedded master identifiers of fraudulent users can be revoked in a manner that does not violate the privacy of individuals.

Figures 2, 3, and 4 below explain the basic architecture, which ensures that citizens enjoy the convenience of single sign-on with government services while the government services enjoy the benefits of secure authentication in their respective domains.
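The property described above, local identifiers that are unlinkable across domains yet all embed one hidden master identifier which only the holder can choose to expose, can be illustrated with Pedersen commitments and a Schnorr-style proof of knowledge. This is an added toy example written for this page, not the report's design or the credential systems it alludes to: the safe-prime group is generated at an insecure toy size (62 bits), the function names are the example's own, and revocation of an embedded master identifier is not covered.

```python
import hashlib
import secrets
from itertools import count
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # MR witnesses, exact below 3e23

def is_prime(n):
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2^s with d odd
    d = (n - 1) >> s
    for a in BASES:
        x = pow(a, d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def setup(start=2**62 + 1):
    """Toy-sized safe prime p = 2q + 1 and order-q generators g, h with unknown log_g(h)."""
    q = next(q for q in count(start, 2) if is_prime(q) and is_prime(2 * q + 1))
    p = 2 * q + 1
    h = pow(int.from_bytes(hashlib.sha256(b"h").digest(), "big"), 2, p)  # hashed into QR_p
    return p, q, 4, h  # 4 = 2^2 is a quadratic residue, hence of order q

P, Q, G, H = setup()

def issue_local_identifier(master):  # certification authority side
    r = secrets.randbelow(Q)  # fresh blinding per domain; r is the holder's opening
    return pow(G, master, P) * pow(H, r, P) % P, r  # C = g^m * h^r

def prove_knowledge(local_id, master, r):
    """Holder: Schnorr-style proof of knowing (m, r) behind local_id; m is never sent."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    t = pow(G, a, P) * pow(H, b, P) % P
    c = int.from_bytes(hashlib.sha256(repr((local_id, t)).encode()).digest(), "big") % Q
    return t, (a + c * master) % Q, (b + c * r) % Q  # Fiat-Shamir challenge c

def verify(local_id, proof):
    """Service provider: checks g^s1 * h^s2 == t * C^c, learning nothing about m or r."""
    t, s1, s2 = proof
    c = int.from_bytes(hashlib.sha256(repr((local_id, t)).encode()).digest(), "big") % Q
    return pow(G, s1, P) * pow(H, s2, P) % P == t * pow(local_id, c, P) % P

def same_master(id_a, r_a, id_b, r_b):  # linking needs the holder's openings r_a, r_b
    return id_a * pow(H, -r_a, P) % P == id_b * pow(H, -r_b, P) % P  # unblind, compare g^m
```

Two identifiers issued for the same master are indistinguishable from identifiers for different people until the holder releases the openings, which is what puts cross-domain linking under the user's control.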
