Schneier on Security

Stephan Engberg • April 12, 2010 2:10 AM

Bruce

Great talk with many insights

One comment
You cannot solve the problems with the way of thinking that created the problems.

Your approach is accepting that all data is identified and regulate it. Whereas you suggest nothing in the direction of preventing data from being identifiable in the first place.

To use your pollution analogy, it is like trying to manage toxic garbage dumps while ignoring the processes creating the toxic vaste in the first place.

We need to change paradigm to one of enabling non-identified services.

Non-identified services is not anonymous if the process naturally cannot be (my employer, doctor and friends will know who I am), but even in these cases we can avoid that any database know.

In my view, you are using double standards when you say that anonymisation is hard and thus only talk about laws but dont include virtualisation of real world entities (physical devices and legal persons) as an essential of to preventive security.

The real public/political choice is to virtualise through infrastructure to ensure online transactions can occur non-identified.

But to start understanding the economics – it is NOT benefiscial to society that gatekeepers take control of information (can identify) or cartel standards prevent innovation by removing the choice from citizens to choose the better service that is not agreeable to some commercial cartel or some bureaucrat control freak.

We need to start by focusing on the value transactions – government and comemrcial. Later dealing with the social transactions which are much harder as – as you so rightly say – the market is distorted when people pay for services with abuse of their data thus becomming providers instead of consumers.

Politely Bruce. Your knowledge of understanding of many of these issues are impressive, but you get the route to re-empowering the citizen wrong.

We need to understand that we are killing markets ability to generate wealth (except for the few war that essentially steal values form others) and democracies ability to ensure stability and balancing of opposite forces.

You dont have freedom of speech if you can only speak identified. You dont have freedom of choice and ability to negotiate if your otential providers are vastly supperior in knowledge ABOUT YOU and processing capabilities.

Re-empowering require the possibility of end-to-end transaction isolation – (having to) trust people but never making systems you are vulnurable towards.

The best example I have is Digital Product (Id/RFID) where I shamelessly refer you to my slides from an EU consultation in 2006.
http://www.rfidconsultation.eu/docs/ficheiros/Stephan_J_Engberg.pdf

This is now hapening in the market place. And just because one provider did, it is altering the structure of markets. RFID manufacturers are scrambling to make RFIDs where consumers get control and enable services without creating identifiable data.