by djsamseng
1463 days ago
A possible solution? Would love to hear any feedback - please shoot this down with any flaws you find! What if we had a centralized certificate authority that verified a person? Imagine you walk up to the DMV and get a private key (password). When you go to a website you generate a public key and send it to the website you visit. That website uses the public key it received to send a message to the certificate authority to verify you (true/false). Now Instagram knows you are real, but are you faking? I claim to be "First Last" to Instagram. Instagram encrypts "First Last" using the public key and sends it to the certificate authority. If the certificate authority is able to decode "First Last" using the private key then it returns (true/false). Could we extend this to solve user privacy?
What if users said "Track me all you want as long as you don't know who I am". Websites can still serve targeted ads but users get the privacy that you are incognito. Instagram now knows your name but they also want to be able to identify you across the internet. So Instagram could also ask the certificate authority for a "personId" that identifies the person across the internet. But now you say, wait now Instagram knows my name and all my activity through my "personId". This is where the Engineers come in. We would have to make any code or action that connects "personId" to a human _illegal_. You write the code, you go to jail. This burden would only fall on websites that ask for someone's human identifiers (name, address, common geolocations, etc.). But that code isn't needed anyway! There is no reason to store "personId" and "First Last" together because you can always get a "personId" when the user gives the public key to the website. So if someone ever writes that code / uses that data query it's punishable by law. So now we have
1. Every website knows its users are real
2. Every website can know a user is who they say they are
3. Every website can track unique visitors and their internet activity (while not knowing who they actually are)
4. Every user is completely "anonymous". Yes the information could get out, but only temporarily because any code (even a news article or blog) that contains this connection is illegal.
|
So, the government has control over your identity. If it wants to shut you down, it would just refuse to verify your certificate. And you'd instantly lose access to every website, bank account, phone number, etc. you had. The government would also automatically know every time you create any account anywhere - as they get a ping on their auth services. Does your trust in the government extend this far? Do you have any politician you do not trust? Imagine he or she takes control of the system. Are you still OK with the government controlling the keys to your life?
Ok, let's assume it does. What happens when (note, I do not say if) somebody unauthorized gets access to the keys stored at the DMV? They'd be able to fake any identity they want to. And the only way to fix it is to force everybody (hundreds of millions of people) to re-certify. Imagine how well that will go.
> Track me all you want as long as you don't know who I am
There's a massive body of research that indicates unless you take special measures, like injecting noise into the system, tracking can lead to identification in a very short time. Just think about it - tracking will immediately tell where you live, where you work, where you shop, which businesses you patronize, which music you listen to, etc. etc. - how many people have exactly the same profile as you do? Likely not many. Now if at any point connected to your profile any piece of your identity leaks out - your anonymity is gone forever.
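The question of how many people share one profile can be measured as an anonymity-set size. The sketch below is an added example, not part of either comment: it counts, over constructed pseudonymous "personId" profiles, how many become unique as more tracked attributes are combined, and how one leaked observation then maps to a single personId. The attribute names and values are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: what tracking would hold per "personId" (no names stored).
PROFILES = {
    "p01": {"home": "Z1", "work": "Z7", "grocer": "A", "music": "jazz"},
    "p02": {"home": "Z1", "work": "Z7", "grocer": "A", "music": "rock"},
    "p03": {"home": "Z1", "work": "Z8", "grocer": "B", "music": "jazz"},
    "p04": {"home": "Z1", "work": "Z8", "grocer": "A", "music": "pop"},
    "p05": {"home": "Z2", "work": "Z7", "grocer": "B", "music": "rock"},
    "p06": {"home": "Z2", "work": "Z7", "grocer": "B", "music": "rock"},
    "p07": {"home": "Z2", "work": "Z9", "grocer": "A", "music": "jazz"},
    "p08": {"home": "Z2", "work": "Z9", "grocer": "B", "music": "pop"},
}
ATTRS = ["home", "work", "grocer", "music"]


def anonymity_sets(profiles, attrs):
    """Map each personId to the number of profiles sharing its values on attrs."""
    def key(profile):
        return tuple(profile[a] for a in attrs)
    counts = Counter(key(p) for p in profiles.values())
    return {pid: counts[key(p)] for pid, p in profiles.items()}


def unique_fraction(profiles, attrs):
    """Fraction of profiles whose anonymity set has size 1 (fully singled out)."""
    sizes = anonymity_sets(profiles, attrs)
    return sum(1 for k in sizes.values() if k == 1) / len(sizes)


def uniqueness_curve(profiles, attrs):
    """Unique fraction as attributes are added one at a time, in order."""
    return [(n, unique_fraction(profiles, attrs[:n]))
            for n in range(1, len(attrs) + 1)]


def link_leak(profiles, leak):
    """personIds consistent with a leaked partial observation about a named person."""
    return [pid for pid, p in profiles.items()
            if all(p.get(a) == v for a, v in leak.items())]


if __name__ == "__main__":
    for n, frac in uniqueness_curve(PROFILES, ATTRS):
        print(f"{n} attribute(s): {frac:.0%} of profiles are unique")
    # One outside fact about a named person (home, work, grocer) is enough here.
    print(link_leak(PROFILES, {"home": "Z1", "work": "Z8", "grocer": "B"}))
```

Only p05 and p06, which are identical on every attribute, keep an anonymity set larger than one, which is the effect that injected noise aims for.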