A National Registry for Personally Identifiable Privacy Data

Response to a Jon Udell blog post

Jon Udell, one of my favorite ruminant / prognosticator / savvy brilliant futurist web dudes, wrote a response to a piece in a local NH newspaper, the Keene Sentinel, about RealID and other national identity card initiatives.  Here I'm responding to Jon and some of the commenters on his blog.

Some of the people speaking against the RealID system seem to think that preventing the construction of a public, national identification system will prevent one from existing.  But that's just silly - if you've watched any of the documentaries on post-9/11 security measures, or if you're familiar at all with the biometric identification technologies available to private firms, you can see that through face recognition and more extreme stuff like gait recognition it's not going to be any challenge to identify anyone who ever appears in public.

Have you ever seen the videos (from almost ten years ago now, I think) of the MIT student who built a backpack computer with a camera mounted on his glasses and set up face recognition software with a database made from the scanned-in freshman yearbook?  Then he walked around campus and his video display goggles would do face recognition on each person he met, look up their name, and display it for him.  He knew the names of people he'd never met, much to their confusion and his advantage.  Why would the cabbie ask for your RealID when his security camera probably already knows who you are and whether there's enough money in your bank accounts or credit on your credit cards to pay his fare?

And forget more passive systems that do stuff like processing video - if Walmart and other retailers accomplish their RFID projects, every article of clothing you wear and every product you buy is going to have a radio-recognizable unique identifier that probably can be traced back to you some way.

As reflected in Jon's quote of Phil Windley, it seems to me that the issue is being clouded and confused by conflating the construction of an official public authentication system with the ability of malicious individuals and organizations to collect and use private data, which a moment of thought demonstrates to be very different things.  The construction of many authentication systems that will permit "spying" on us through coordination of accumulated data - systems that will be in both public and private hands - is inevitable.  The data stores we're afraid of already exist.  We should be focusing on and legislating about the data stores and the laws that govern their use, not fiddling around with the particulars of how driver's licenses or passports are scanned.

Personally-identifiable data is a commodity in the twenty-first century and it needs to become a heavily-regulated commodity, like controlled and hazardous substances are.  We need to regulate how it is acquired, stored, and transferred.  Today's privacy legislation in the U.S. is a good start at controlling how it's acquired.  But we need more of that and we need new measures to regulate how it's stored and transferred.  Personally-identifiable data should be treated like a prescription medication that's a controlled substance: the producer needs to report the production of the data like a pharma manufacturer does, anyone storing such data should be required to clearly and fully report that the way a pharmacy reports on its inventory, and any transfer of the data should be reported the way a patient filling a prescription for a controlled substance is.

A further step is needed: we should establish a national registry where every corporation, church, political campaign, charity, government agency, maybe even private individuals, etc. must disclose the fact that they're holding personal data on someone.  Sort of like the way the maintenance and disclosure of credit report data with credit agencies works.  They wouldn't have to disclose the data itself, they'd just have to disclose the fact that they *have* it, with severe penalties and enforcement against those not making the disclosure.  The disclosure registry could define standard hashing algorithms that would require data to be registered under a number of particular identifiers - a hash of the social security number, a hash of the essential face recognition points, etc.  But hashing algorithms must be defined for all types of data so that a company can't claim that it's not required to comply because they lack one of the keys - if the database doesn't hold social security numbers, or if they've been purged, they have to register under a hashed form of the USPS-normalized home address.  Or the originating IP address in the case of web / internet apps.
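Here is what the registration-key step could look like in code.  This is an added illustration, not anything from Jon's post or from an existing registry: it assumes a simplified stand-in for USPS address normalization, and it swaps in a keyed hash (HMAC-SHA256 under a key held only by the registry) in place of a bare hash, because a 9-digit SSN has so few possible values that anyone could reverse an unkeyed hash by trying all of them.

```python
import hashlib
import hmac
import re

# Hypothetical registry-held key (constructed for this example, not a real secret).
# Keying the hash keeps a leaked registry from being turned back into SSNs by brute force.
REGISTRY_KEY = b"constructed-demo-key-not-a-real-secret"


def normalize_ssn(ssn: str) -> str:
    """Keep only the digits; '123-45-6789' and '123 45 6789' become the same string."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def normalize_address(address: str) -> str:
    """Simplified stand-in for USPS normalization: uppercase, strip punctuation,
    collapse whitespace, and use USPS suffix abbreviations."""
    addr = " ".join(re.sub(r"[^\w\s]", "", address.upper()).split())
    for full, abbr in (("STREET", "ST"), ("AVENUE", "AVE"), ("ROAD", "RD"), ("APARTMENT", "APT")):
        addr = re.sub(rf"\b{full}\b", abbr, addr)
    return addr


def registry_key(kind: str, value: str) -> str:
    """HMAC-SHA256(registry key, kind || normalized value), hex-encoded.
    The kind prefix keeps an SSN key from colliding with an address or IP key."""
    if kind == "ssn":
        norm = normalize_ssn(value)
    elif kind == "address":
        norm = normalize_address(value)
    elif kind == "ip":
        norm = value.strip()
    else:
        raise ValueError(f"unknown identifier kind: {kind}")
    return hmac.new(REGISTRY_KEY, f"{kind}:{norm}".encode(), hashlib.sha256).hexdigest()


def registry_keys_for_record(record: dict) -> dict:
    """Every identifier present gets registered; a record with the SSN purged still
    registers under address or IP, so a missing key is never grounds to skip filing."""
    keys = {k: registry_key(k, record[k]) for k in ("ssn", "address", "ip") if record.get(k)}
    if not keys:
        raise ValueError("record has no registrable identifier")
    return keys
```

Two copies of the same person stored with different formatting must land on the same key, which is why the normalization step is the part a registry standard actually has to nail down.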

We ought to fund creation of the software and software tools that facilitate converting proprietary database records into the format that would be submitted to the registry.  It needs to be lightweight enough that a small business or individual can comply easily and with relatively little expense; it should cost no more to comply with privacy data registration regulations than it costs to set up the database of private data in the first place.

Oh, that's still too expensive for the company or government agency to comply with this regulation?  Well then, simple solution - just don't store the data.

Maybe the registree would also be required to submit a list of which pieces of information they have stored.  I'm not sure if you'd want that; I haven't thought it through.  And it seems like you'd want to limit access to the data to someone who can provide proof that the registry key corresponds to them, and I guess some kind of administrative agency could also access it... however HIPAA works, I suppose.  HIPAA seems well-thought-out (from the privacy side of things, at least - HIPAA is no fun to implement in computer software, let me tell ya.)

Once we have a registry like this and we're successfully enforcing compliance then we can start developing some real, concrete privacy laws that have teeth.  Maybe there eventually would be something like a Freedom of Information Act that gets you access to the data stored by the registrees.  But even if that never happened it would be an important achievement simply to have this registry, a way to know who is accumulating the data goods on you.


© 2007 Tim Denby • tdenby2007@bluevertex.net • 603.565.2273