Re: Nigeria launches national electronic ID cards

On 9/9/14 9:18 PM, Manu Sporny wrote:
> Moving this discussion to Credentials Community Group, bcc Web Payments.
>
> Origin of thread is here:
>
> http://lists.w3.org/Archives/Public/public-webpayments/2014Aug/0077.html
>
> On 09/02/2014 11:25 AM, Kingsley Idehen wrote:
>>> The main purpose of this Web Payments work is to provide options
>>> for citizens, governments, and commercial enterprises.
>> Yes, and Nigeria isn't a good example. In short, its ID system is
>> the antithesis of what I believe you are seeking.
> I seem to have miscommunicated my point, let me clarify. I'm not arguing
> that we should model anything after the Nigerian/MasterCard government
> ID system. You're right, Kingsley, it is the antithesis of what we want.
>
> That said, technology can only go so far, and if a government mandates
> that an identity solution must, for example, report back to the
> government whenever a passport is requested from any identity system
> used in the country, then there is not much we can do to prevent that
> from happening (other that providing solid choices for Nigerian citizens
> outside of their country). Our technology will be used in ways that we
> don't want it to be used and we have to accept that as a truth.

That is an eternal truth, as far as I know, with regards to technology.

>
> The question is, and this is a philosophical one (and should probably
> not be discussed on this mailing list, so I apologize in advance for
> bringing it up): Is it better for a non-privacy protecting government
> that has been put in place by its citizens to use the identity system
> we're creating here in a way that we don't approve of, or to build a
> proprietary one?

We have no control over either. What we have control over is the 
development of standards that make reuse, in regards to privacy very 
difficult. Put differently, misuse leaks by design. Example, HTTP URIs. 
These kind of identifier is fluid, so pinning it down isn't that easy, 
and even when you do, preventing leaks isn't that easy, ultimately you 
needs acls and logic etc..


>
> I'm arguing that the former is preferable. We shouldn't make value
> judgements wrt. the use of a corrupted version of our technology as long
> as it is a citizenship that has approved of the use of that technology
> through a democratic means.

I don't have a problem with that point, even when citizens haven't 
necessarily put the government in power, via open and audit-friendly 
(transparent) democratic processes :-)

>
> I was just having this discussion with an Argentinian friend that
> thought many US citizens push against a national ID card system was
> strange.

No surprised about reaction. It's a reaction driven my a 
misunderstanding of what constitutes identity and identification. For 
instance, you can have a national identity card, but shouldn't have 
anything to do you finances, club memberships, and other societal 
relations. It just means the government could require use of the card in 
relation to specific government services:

1. Visas for travel
2. Passports for travel
3. National Insurance Cards -- for health services
4. Driver's licenses -- for driving
5. etc..

Each to its own purpose, with authentication provided by the relevant 
authentication protocol etc..

> He said that many Argentinians don't think twice about having
> the government play a major role in their identity.

Because he doesn't understand how identity, identification, and civil 
liberties intersect. I think most Nigerians would actually react in 
similar fashion, at first blush.

When I was a kid in Nigeria, I was clueless about civil liberties until 
I returned to England (my place of birth).

>
> Even looking at the differences between Hong Kong and China wrt.
> identity and privacy issues is illuminating. What some citizens allow,
> others detest.

Those who don't understand civil liberties do so because its never been 
palpable to them. That's a major difference between the USA, United 
Kingdom etc.. and many countries across Africa and Asia.
>
>>> If some government and their banks want to track their citizens
>>> movements and expenditures, it would be better for them to use a
>>> world standard to do it (at least there are efficiencies gained /
>>> money not wasted there) than build something proprietary.
>> They SHOULD never be surreptitiously violating the privacy of
>> citizens. Period!
> Sure, but some citizens openly push for this sort of violation of
> privacy.

Yes, because they were successfully presented with a false dichotomy in 
regards to security and privacy.

> Case in point, the USA post-9/11. A government is only as good
> as what its citizens tolerate.

Always the case. Which is why this issue of privacy ultimately 
triangulates back to the democratic process i.e., even when citizens 
make a mistake, there has to be a process the lets then undo said 
mistake. Thus far, the USA and UK (and most of Europe) have kept this 
process intact. Not so (at all) in Africa, and its patchy across Asia.

>
> My point is that we can't go in and tell a nation how they should be
> using our technology.

Of course we can't.

My concern is to not make a specification that makes it easy for nations 
to surreptitiously usurp the privacy of its citizens. Put differently, 
if we don't tamper with AWWW, in its current form, we don't have a 
problem. They key is to build atop AWWW rather than inadvertently 
compromise its dexterous core.


>   What we should be doing is giving them options,
> and they will pick what works for them.

See my comment above.

> It's a double-edged sword.

No.

> None
> of us want our technology to be used for "evil" purposes, but even that
> term is highly dependent on your perspective.

Its not about "evil" its about "privacy" i.e., self-calibration of one's 
vulnerability.


>
>>> As much as it makes my skin crawl to say that, this is more or less
>>> the deal with the devil that the HTTP Encrypted Media Extensions
>>> (EME) work had do.
>> I don't buy that.
>>
>> The issue is that Privacy != Secrecy. It is simply about one's
>> ability to calibrate one's vulnerability. In the Nigerian case, the
>> govt., for all the usual corrupt reasons has sold out to Master Card
>>   and really put our citizens in a broken situation.
>>
>> Please note, for most of Nigeria's history, military oppression and
>> dictatorships have been the norm. And when the military aren't doing
>>   it you have a corrupt civilian governments doing much of the same,
>> albeit in different ways.
> Yes, and in the Nigerian government case, I'm completely in agreement
> with you. This decision was most likely not made or supported by the
> citizens.

I doubt 10% of the citizens even understand that:

1. they (all 100 million+ and counting) are now (or will become) 
Mastercard customers
2. their ability to live is inextricably linked to data directly 
accessible to the government, in the most opaque manner
3. their government traded their privacy for some bizarre arrangement 
with a commercial entity .
>
>>> For those governments/corporation initiatives, they should be able
>>>   to use the same set of standards as the non-privacy protecting
>>> governments. I think we'll be more successful enabling choice
>>> rather than mandating solutions based on our particular idealism.
>> Privacy is a non negotiable idealism. Please, don't take your
>> privacy lightly, many before us expended blood to get us where we are
>> today. We should never ever forget this fact of human history. Let's
>> not make the Web our nightmare!!
> I don't think those of us that are committed to this work take our
> privacy lightly.

Literally, no. But as a consequence of actions, I need to be convinced :)

> Saying that privacy is a non-negotiable idealism is
> going a bit too far, it is for some of us (myself included).

It is non-negotiable in democratic society. It isn't possible to be 
party pregnant. You can't be partially private, and then functional 
effectively as a democratic society.


>   Some don't
> value their privacy, some do.

Everyone values their privacy. Not everyone understands privacy. That's 
the problem. Why do you think privacy freakouts are long-tail affairs 
across social media spaces? Because, people only realize the nature of 
privacy when the "opportunity costs" of losing it become palpable.

Yesterday, Apple announce the Apple Watch, and its utter interest in 
Health Data. Apple like many of these commercial behemoths doesn't have 
some genuine desire to compromise the privacy of their customers, the 
problem is actual protection is a combination of platform, user 
controls, and mercurial knowledge. Its the mercurial knowledge that lays 
the foundation for privacy compromises i.e., to be "big brother" (hold 
on to the "shared secrets") or to let "little brother grow up" (be 
allowed to own the keys and learn from exprience).

> We should provide options for both, and in
> the case of Identity Credentials, the option that we provide is with the
> identity provider you choose (do you choose your government, a private
> off-shore corporation, or one that you run?).

I don't have a problem with that kind of loose coupling. My only concern 
is that we don't make standards that aid the antithesis of what we seek.

>
>>> If we are successful, the US, EU, Nigeria, China, Hong Kong, and
>>> Singapore would use the same base financial Web standards with
>>> differing values on the privacy/tracking/market-based dials.
>> I wish, but it really isn't going to be that straight forward. What
>> the W3C MUST do is devise open standards that do not compromise the
>> privacy of Web users. Anything less defeats its mission.
> I agree with the end goal, I just think that there is a ton of money out
> there trying to make the opposite happen.

20 years ago there must have been something like the combined market 
capitalization of Google, Facebook, Amazon, Twitter, LinkedIn etc.. 
looking for a place to park. But 20 years ago, nobody would have 
believed such a claim. My point here is that "ton of money" is context 
sensitive, as exemplified by the very World Wide Web (which made Google, 
Facebook, Amazon, Twitter etc. possible). Thus, money will always follow 
the people, so people simply need to be actively engaged in the pursuit 
and protection of their civil liberties (for which privacy sits at the 
core). People have always had the power, the only problem is that most 
of the time this isn't obvious to them.


> We plug one hole and 10 more
> open up.

Not, not if you keep AWWW intact. Basically, you have the opposite 
effect i.e., just when they think they have you locked-in, you slide 
out. Look at Web 2.0, a live and contemptuous example of AWWW 
incomprehension that's driven the masses into mass surveillance. Then 
enter Web 3.0 (where identity, identification, and logic are 
cornerstones) still built around the same AWWW, and you have the 
opposite effect.

>   I don't mean to sound defeatist, quite the contrary, we should
> strive to create the best, privacy protecting identity and payment
> system out there.

Yes!


>   We have the right people involved to make it happen,
> but that doesn't mean that corporations and governments that are
> obsessed about defeating the privacy-protecting measures we create won't
> find a way around what we're doing here.

They found a way to the Web, very reluctantly, then tried to impose 
their predictable myopia, which simply created their own hell. That's 
the kind of dexterity built into AWWW (it does Judo very well too!) . 
Those who seek to control end up relinquishing control because they too 
become victims of the very controls they seek to impose on others.

> Safeguarding privacy, just like
> security, is a constant struggle.

Less of a struggle when the new landscape is built atop solid 
foundation. In my eyes, the real power of AWWW is yet to fully manifest. 
Basically, as the struggle relevant aspects of its dexterity will emerge.

As a wise man once said, "any fool can make a complex system, but it 
takes true genius to make a simple system, that works".  In my 
experience, with technology, the underlying design of AWWW continues to 
amaze me, and there's no secret about my not exactly being the easiest 
person to impress or please -- in regards to technology :)

>
> -- manu
>


-- 
Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this