Dan Geer, CISO of In-Q-Tel, gave a speech (for the record he was “… speaking as myself and not for anybody or anything else”) at the MIT KIT Conference last week. Highly recommend reading the full text (PDF) of the speech. Some interesting nuggets:
How do you feel about using standoff biometrics as a solution to authentication? At this moment in time, facial recognition is possible at 500 meters, iris recognition is possible at 50 meters, and heartbeat recognition is possible at 5 meters. Your dog can identify you by smell; so, too, can an electronic dog's nose. Your cell phone's accelerometer is plenty sensitive enough to identify you by gait analysis.
Technical progress in image acquisition guarantees observability pretty much everywhere now. Those standoff biometrics are delivering multi-factor identifiability at ever greater distances. We will soon live in a society where identity is not an assertion like "My name is Dan," but rather an observable like "Sensors confirm that is Dan."[...]
If data kills both privacy as impossible to observe and privacy as impossible to identify, then what might be an alternative? If you are an optimist or an apparatchik, then your answer will tend toward rules of procedure administered by a government you trust or control. If you are a pessimist or a hacker/maker, then your answer will tend towards the operational, and your definition of a state of privacy will be mine: the effective capacity to misrepresent yourself.[...]
The Obama administration's issuance of a National Strategy for Trusted Identities in Cyberspace is case-in-point; it "calls for the development of interoperable technology standards and policies, an 'Identity Ecosystem' where individuals, organizations, and underlying infrastructure such as routers and servers can be authoritatively authenticated." If you can trust a digital identity, that is because it can't be faked. Why does the government care about this? It cares because it wants to digitally deliver government services. Is having a non-fake-able digital identity for government services worth the registration of your remaining secrets with that government? Is there any real difference between a system that permits easy, secure, identity-based services and a surveillance system? Do you trust those who hold surveillance data on you over the long haul, by which I mean the indefinite retention of transactional data between government services and you, the individual required to proffer a non-fake-able identity to engage in those transactions? If you are building authentication systems today, then you have to play in this league.

Dan Geer: Personal Data and Government
Was there a video of this presentation made?
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.