[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Negative reputations

With Chaumian style credentials, both positive and negative, even
anonymous individuals can respond to such questions as:

	- Prove that you are over a certain age
	- Prove that you have paid back all your debts
	- Prove that you have never rented a pornographic movie
	- Prove that you don't live in these red-lined areas
	- Prove that you aren't Jewish
	- Prove that you are either a minority or a woman
	- Prove that you are a legal resident in this country
	- Prove that you are a graduate of a college on this list
	- Prove that your GPA was over X
	- Prove that you have never been arrested
	- Prove that you have never been convicted of a felony
	- Prove that you have a valid driver's license
	- Prove that you have passed an AIDS test in the last 6 months
	- Prove that you have never failed a drug test
	- Provide references from people who were happy with your work
	- Provide refs from five people to whom you have paid back loans

...and so on, all without revealing anything more than the specific
information in the credential itself.  The general idea is that
credentials can be given for these various characteristics in blinded
form, and then transferred among the various anonymous pseudonyms that
a person uses in different transactions.  Is-a-person credentials lie
at the foundation to make sure that people can't show credentials
belonging to others.

These would require a certain amount of infrastructure to exist.  For
example, for the pornographic movie example, there would need to be a
certain credential that each person could get only one of which he
uses whenever he rents such a movie.  The list of such "used" porn
credentials would be publicized.  Since they are blinded and
unlinkable to identities, doing this leaks no information about who is
actually renting pornographic movies.  But it allows people to prove
that they haven't rented porn by exhibiting their porno-movie
credential, which can be checked to see that it is not on the list.

It also must be assumed that the questions can be answered at all, so
for example to have an anonymous credential proving that you are
Jewish, there has to be an organization qualified to issue such
credentials in the first place; then they can be blinded.

The question is, then, how would such a society compare with our own?
What advantages would it have?  How should we view the amount of
privacy protection available under such a system?

Clearly these capabilities don't match some people's idea of the kind
of privacy they expect to see in a system where anonymity is the norm
in many kinds of relationships.  If these kinds of credentials are
possible, it is plausible that showing them will become required as a
condition of a relationship.  Few people will lend money unless they
have some evidence that the borrower pays back his loans.  And the
more information they have about a borrower the more confidence they
can have about the loan.

What use is it to be anonymous when you can be forced into revealing
every intimate detail about your life as a condition of relationships?
You might have privacy by some technical definition, but in fact it
seems like much of what people want privacy for is lost.  In fact it
could even be suggested that such a system is worse than the present
one because it provides only an illusion of privacy protection, which
could even be used to justify more invasive kinds of credentials than
we presently allow.  People wouldn't permit their race to be stamped
on their licenses, but perhaps a *blinded* credential of Jewishness
isn't so bad, since it is unlinkable to your person and only shown

I have mixed feelings about this argument; I think these kinds of
credentials can be used for both good and bad purposes.  However I do
think that the prospects for privacy in the present system are very
bad and getting worse.  Most of the questions above are in fact
answerable now via databases, without the knowledge or permission of
the individual.  So even if a credential based system would allow
answering similar questions it is really no worse than the status quo.

I think there are other kinds of advantages in the alternative
system, things like making costs more explicit and keeping information
more localized.  With a credential system, the only conduit for
information about myself is me.  If the relationship is such that I
find myself compelled to provide a great deal of information about my
past, at least I know what is happening.  I have control over exactly
how much detail is provided; there are no back channels or indirect
references where information is transferred that I don't know about.
Everything is out in the open.

This is a big difference from the present system, where large
databases of financial and medical information exist which I may not
even know about.  And in the future there could be many more of these,
possibly spread across different jurisdictions which will make them
hard to regulate and control.

When information flows through me, I am better able to weigh the costs
and advantages of revealing it.  I still may not have much individual
leverage in terms of negotiating what credentials I provide; in many
cases large institutions will probably have the same kind of "take it
or leave it" attitude that they do today.  But at least I know what is
happening.  And to the extent that alternatives exist or people can do
without these services, each extra piece of information that must be
revealed represents a cost which will make some people go elsewhere.

The absence of large databases of personal information should also
help prevent creeping encroachments of privacy, where more and more
organizations take advantage of information just because it's there.
In a credential system each additional request for information must be
explicit and can't be hidden.  Organizations will not be able to
quietly look up information about individuals without their knowledge.
This should provide an additional barrier to that kind of surveillance.

It is hard to judge whether there would turn out to be a net gain or
loss of privacy in such a credential system.  It could be that people
really won't care that much about privacy, compared to the advantages
that organizations get in terms of knowing more about their customers
or employees (or subjects).  In that case people may routinely submit
a dossier describing every detail of their past life, back to their
"plays well with others" credential from kindergarten.  Or it could be
that when people know just how much they are being asked to reveal,
they won't stand for the amount of invasion of their privacy that
occurs today.  They will choose organizations which ask for fewer
credentials, demand to know why certain questions are being asked,
complain to the management.

The real advantage in either case is that the decisions would be more
informed than what we are likely to see in the present system.  More
information will be available to the people making the decisions.  The
effect will be as though there is a market in privacy, with costs set
via normal market mechanisms.  I think this is more likely to lead to
a desirable balance of privacy and information exposure than with the
current system.

Hal Finney