The KNOW Identity Conference in Washington DC last week opened with a keynote fireside chat between tech writer Manoush Zomorodi and Edward Snowden.
Once again, the exiled security analyst gave us a balanced and nuanced view of the state of security, privacy, surveillance, government policy, and power. I have always found him to be a rock-solid voice of reason. Like most security policy analysts, Snowden sees security and privacy as symbiotic: they can be eroded together, and they must be bolstered together. When asked (inevitably) about the “security-privacy balance”, Snowden rejects the premise of the question, as many of us do, but he has an interesting take, arguing that governments tend to surveil rather than secure.
The interview was timely for it gave Snowden the opportunity to comment on the “Wannacry” ransomware episode which affected so many e-health systems recently. He highlighted the tragedy that cyber weapons developed by governments keep leaking and falling into the hands of criminals.
For decades, there has been an argument that cryptography is a type of “Dual-Use Technology”; like radio-isotopes, plastic explosives and supercomputers, it can be used in warfare, and thus the NSA and other security agencies try to include encryption in the “Wassenaar Arangement” of export restrictions. The so-called “Crypto Wars” policy debate is usually seen as governments seeking to stop terrorists from encrypting their communications. Even if crypto export control worked, it doesn’t address security agencies’ carelessness with their own cyber weapons.
But identity was the business of the conference. What did Snowden have to say about that?
- Identifiers and identity are not the same thing. Identifiers are for computers but “identity is about the self”, to differentiate yourself from others.
- Individuals need names, tokens and cryptographic keys, to be able to express themselves online, to trade, to exchange value.
- “Vendors don’t need your true identity”; notwithstanding legislated KYC rules for some sectors, unique identification is rarely needed in routine business.
- Historically, identity has not been a component of many commercial transactions.
- The original Web of Trust, for establishing a level of confidence in people though mutual attestation, was “crude and could not scale”. But new “programmatic, frictionless, decentralised” techniques are possible.
- He thought a “cloud of verifiers” in a social fabric could be more reliable, to avoid single points of failure in identity.
When pressed, Snowden said actually he was not thinking of blockchain (and that he saw blockchain as being specifically good for showing that “a certain event happened at a certain time”).
Now, what are identity professionals to make of Ed Snowden’s take on all this?
For anyone who has worked in identity for years, he said nothing new, and the identerati might be tempted to skip Snowden. On the other hand, in saying nothing new, perhaps Snowden has shown that the identity problem space is fully defined.
There is a vital meta-message here.
In my view, identity professionals still spend too much time in analysis. We’re still writing new glossaries and standards. We’re still modelling. We’re still working on new “trust frameworks”. And all for what? Let’s reflect on the very ordinariness of Snowden’s account of digital identity. He’s one of the sharpest minds in security and privacy, and yet he doesn’t find anything new to say about identity. That’s surely a sign of maturity, and that it’s time to move on. We know what the problem is: What facts do we need about each other in order to deal digitally, and how do we make those facts available?
Snowden seems to think it’s not a complicated question, and I would agree with him.