Not just what you know, but who you are too.

Privacy and identity are hard to separate.

"This system instantly edits videos to make it look like you’re saying something you’re not"

It’s spooky. But it shouldn’t come as a surprise: Even if the specific implementation is not 100% there yet, it’s something anyone following technology would expect to happen at some point in the near future.

So, when this happens, how are we going to be able to verify that the video of our spouse, friend, client or associate, our doctor, a prime minister, or a terrorist is authentic? I think it’s valid to say that any answer will involve some kind of digital signing.

Which is one more good reason to stand behind strong encryption: encryption and digital signatures are two sides of the same coin. And not only this, but digital signatures are of limited value if we cannot reliably protect the digital keys used to generate these signatures, that is, encrypt them.

In recent years, encryption has been a central point of most discussions about privacy, and digital signatures are usually discussed in the context of identity, but technically and practically, any discussion about one would be incomplete without bringing in the other. Whenever we talk about encryption strength, master keys and backdoors, we should also evaluate how these affect digital signatures.

And when we talk about privacy, we cannot leave out identity. Because in 2016, getting access to my data is also equivalent to being able to impersonate me.

If someone gets access to the data on my smartphone, they don’t just know everything about me. They also get all the digital credentials required to impersonate me to my friends, my work environment, my bank, my phone operator. They can make deals using my business email, they can mislead my friends on Facebook, they can make transactions using my bank account, they can access my company’s VPN as if they were me — in some countries, they would also be able to change the medication of my patients if I were a doctor, open a company in my name, or even vote on my behalf! (Just google “identity theft”.)

Even when it comes to a lawful request, thirty years ago the authorities would need a warrant to search my house, another one to open my bank accounts, a different one to get access to my business emails and phone records, and another one to get my medical records. Each one of these would have had to be issued after taking into account different laws, ranging from constitutional rights to bank confidentiality to doctor-patient confidentiality, to debating the ownership of some piece of information with my employer, to international laws. And it would be even more difficult (if not impossible) to ask my bank to send money from my account to someone else.

Today, all they have to do is get access to my smartphone and impersonate me (using my username/passwords, digital tokens, etc.) to all of them, and get the information they want — or even worse, act on my behalf.

Privacy and identity are more interwoven today than ever before. Digital security (including encryption, biometrics, multi-factor authentication, etc.) is there not only to protect your privacy, but your identity too: not just what you know, but also who you are and who can act as you.

It’s hard to imagine our society moving forward with digital technology (especially considering the things to come in VR and AI) without strong protection of identity, and I can’t think of doing so without the strongest possible protection of privacy.