How Will the ID Card Prevent Political Corruption?
Posted: Tue Apr 24, 2007 12:54 amI've scrapped the reply I have been working on. Once I got to 16 pages I figured I was going into too much detail! (It's not all wasted, you'll be relieved to hear. I can use it for the fully detailed explanations I have to draft anyway) Here is the one page summary.
The key thing to bear in mind is that the ID Card is merely one component in the Trusted Surveillance system.
The other key element (in this context) is the (IAT).
For corruption trapping what we need first and foremost is a change to the criminal law to the effect that, for public servants, the significant elements of their public duties MUST be recorded AND the resulting data protected by the IAT.
You should read the link to get the full detail but, in short, the IAT - like all other digital data - could be attacked and illicitly amended. What makes it different is that it cannot be amended WITHOUT DETECTION. What that, in turn means, is that we can - for the first time in digital history - test for whether or not data presented to us today is identical to data allegedly recorded yesterday and be mathematically certain about the result. In other words, if the data passes the test we can be certain that it has not been tampered with. If it fails, we can be equally certain that it has been tampered with.
Because we record timed events on this audit trail, and the final proof of the integrity of the audit trail is published, daily, in "newspapers of record", we can also, for the first time, offer the same level of certainty regarding the latest possible time any data could have been created. If necessary, by adding certain other elements to the data, we can also fix the earliest possible creation (or at least storage) date.
No (otherwise) significant or sensitive data is recorded on the IAT - for a number of reasons, not least that it would make such a database a major target for attackers and render the whole system either insecure or ridiculously expensive to protect. All the database holds are timestamped and, optionally, anonymised source keys.
Again, you need to follow the link for a more detailed explanation of what a hash is but, in short, it is a unique fingerprint which is derived from the data we are supposed to be recording. Using a suitable algorithm, the hash generated cannot be "reversed". In other words, given a hash, you cannot work out what data might have produced it. All hashes (produced using the same algorithm) are the same length, regardless of the source data which generated them. The only way to determine what data produced a given hash is to try all possible combinations of all possible data until you find a match (the so called "brute force" attack). Given that "data" includes absolutely anything which can ever be stored digitally (every word/sentence/paragraph/letter/essay/book ever written and all those which haven't yet been written; every note or symphony ever played or dreamed; every picture or movie ever taken etc) this is (at least until we have viable quantum computing) "computationally infeasible". This means that computers could do the job but it would take at least thousands of years, possible millions, sometimes billions - to crack just one hash.
The most common use of hashes today is to prove the integrity of encrypted messages after decryption. The hash a recipient gets after decrypting a message should match the hash the sender generated before encryption. If they match then we know the message is identical at both ends.
We can use the same logic to protect an audit trail. In the context we're talking about here, the public servants will generate vast amounts of data and store it within their own systems. They're already doing that but we'll be adding three legally binding requirements. First, in future, they will obliged to ensure that for any given policy or "significant instruction", they capture the appropriate data which, subsequently, can be viewed by any inquiry, in order to explain how and why the policy or instruction was arrived at. Second, for such items they will be obliged to record the relevant hashes of that data as it is recorded and to store those hashes in a documented hash table. Third, they will be obliged, once a day, to generate the hash of that hash table and send a copy to the IAT.
The effect of these obligations will be as follows:
First, should any controversial issue arise from a policy or instruction, an inquiry can be established to examine the internal audit trail to confirm that it does explain how the decision was reached. If the data does not include the relevant evidence, then the relevant public servant/s are immediately in breach of the law and can be dealt with accordingly.
Assuming that the data exists, the inquiry can re-generate the relevant hashes and compare them to the content of the local hash table. If they no longer match, then we can be sure that records have been altered and, once again, the law has been broken. Assuming they do match, we can now recreate the hash of the hash table for the relevant dates and compare the results to the hashes and timestamps stored on the IAT. Again, if there is a mismatch, we know that data has been altered and the law breached. If everything matches, our final test is to compare the relevant daily hashes on the IAT and ensure that they still match the public record (the version printed for that day in a "Paper of Record" such as the Financial Times). If they do still match then we can be mathematically certain that nothing on the relevant audit trail has been altered. If they don't match then somebody has altered something and detailed forensics will have to be undertaken to establish what was altered, when and, hopefully, by whom. (There are, in fact, already some clever tricks which make "finding the change" relatively trivial - even when attempts are made to disguise the amendments)
In this situation, no politician will ever again be able to sustain any significant lies about what they have done or why they have done it. To take a couple of recent examples, had such a system been in place prior to the Iraq War, then, on this side of the Atlantic we would have access to the full discussion on the legality of proceeding with that war in the absence of a UN mandate. On the American side, we'd be able to review the discussions which took place, in various offices, regarding the evidence for or against the existence of WMD.
What the system will do is remove the biggest aid to corruption - "plausible deniability". It is important to note that it forces no breach of confidentiality even where wrongdoing is suspected. There is no reason why inquiries cannot be conducted (if necessary) "in camera" under the auspices of an appropriately selected Jury. The inquiry can publicise its findings with or without revealing genuinely sensitive details.
Clearly, however, such a system will constrain public servants from including, in their discussions or practices, any matters which are fundamentally illegal or unethical.
Oh, and if you're wondering where the ID card fits into the above - it provides proof of who was present during a given discussion, or who carried out an instruction, drafted a document etc.