A Question Of Identity

NEVILLE WATSON, in his reply to Julian Ware-Lane, on this blog, raises some interesting issues regarding the right to hide behind an online alias.

His remarks actually take me back to the ‘80s when the World Wide Web was just being established and there was a hard-core Internet community consisting mainly of students, technicians, scientists and journalists. Software was not so advanced in those days and, to access most material, it was necessary to know the telephone access number to a server (or Bulletin Board) and connect your own machine via a modem with the help of a command-line interface.

In those days, the Internet community was focused upon one important aspect – how its users could ensure that whom they were apparently speaking to was the actual party they thought. There were not any online scams or paedophile activity in those days; but Internet users were concerned about the relative ease by which criminals might exploit a World Wide Web when it eventually came about.

The old Internet policed itself. In order to establish a connection, you generally needed access to a University’s intranet – and that was often by being permitted to use one of its own terminals. But the move towards cabling all universities together and permitting private networks to join the expansion focused everyone’s attention on the security aspects.

At that time, the best solution seemed to lie in encryption; and many mathematicians, all over the world, joined forces on the Internet to establish a secure public key system. It would mean having a secure node from where uses could publish a unique key and others could then use it to decrypt communications apparently produced by that individual. But the trick was that anyone could use the public key to encrypt communications to the person that published it – and the only person that could decrypt that information would be the owner of that public key. (In other words the full key was composed of a public and private component).

That system was originally referred to as RSA and is now better known commercially as PGP (standing, with typical Internet understatement, for ‘Pretty Good Privacy’).

It never took-off.

The problem with RSA was that it was not ‘instant.’ Some time was needed to encrypt and decrypt what was being exchanged (although you would hardly notice it now with modern-day processors).

There is a fundamental problem with the World Wide Web – it has no rules except those imposed by responsible Websites and Internet Service Providers (ISPs). But the lack of being able to identify the particular person behind an Internet chat-room exchange has put many of our children at risk. Never before have paedophiles been able to gain easy access to their prey. And, the fact is, Websites like Facebook, do not have the tools to ensure their facilities are not misused. (I am still awaiting a charge-back on my credit card regarding a bogus Facebook advertiser who used a PayPal account to defraud me).

All these problems could be solved by a mandatory public-key system in which the main database recorded specific details regarding its clients – and allowed ISPs the ability to provide a user’s public key to Websites along with their Internet Protocol (IP) address.

We can argue about what information should be made available by public key providers; but top of the list must surely be sex and date-of-birth. Just permitting such basic information would enable chat-room hosts to screen users and immediately flag possible problem areas. Webmasters could also make use of the information by explicitly showing, alongside an individual’s screen name, their actual age and sex.

Civil rights campaigners will not like what I am suggesting; but maybe we should be looking at some kind of, vetted, internet ID – perhaps by providing an individual with a public key as part of a passport or national ID system.

And I would go further. I would suggest that that no ISP should permit any UK resident to have an internet account without a valid public key – and I would move that all other countries do the same.

I am not advocating that all one’s personal details should be made public. Nor am I advocating that posting comments under an alias should be prevented. Web users would still be able to set-up email accounts in various names, with different providers – but they would be unable, as suggested here, to prevent all Web users from knowing their actual age and sex. (Just those qualities that we reveal to others whenever we face them).

Whichever government is returned at the next general election will seek to make savings by replacing existing paper systems with new technology. There are even rumours that polling too will be placed online. The question raised by all such moves is how government can be certain that a vote is actually made by the individual it is allocated to – and how citizens, when accessing their personal records, can actually prove who they are.

And, for the critics, adopting such a system would have one considerable benefit. While Internet users could still communicate openly in unencrypted emails, everyone would have the opportunity of holding secure conversations away from prying eyes. It would establish, on the Internet, the same security in personal conversations as offered by the Royal Mail.

It might be thought that, given the threat from terrorists, Britain’s Security Services would be at pains to prevent such a world-wide system. But, the fact is, it is not what is actually said in email exchanges that those services initially respond to. It is to whom and from where communications are taking place. Implementing a public key system would not prevent that surveillance from taking place.

True, they would not then be able to immediately focus their attention on what was being said; but they cannot do that now when terrorists choose to use their own form of encryption. All it would do is ensure that the Services would need to obtain a warrant to access an individual’s private key – in much the same way as they now need a warrant to intercept an individual’s post.

Please feel free to comment – using an alias; or not…

Something for the techies: Permitting a user’s public key to follow them wherever they go would remove the need to provide passwords. When providing personal details or information that is only directed at an individual, the server just needs to encrypt the resulting Web page using the previously registered public key. (There is no need to try and validate the visitor’s identity – other than to determine if someone else is trying to access information to which they are not authorised).