http://www.msnbc.com/news/392086.asp?cp1=1
Digital signatures a threat to privacy?
They verify your identity, but may reveal more than you think
By Robert Lemos
ZDNN
TORONTO, April 7 � Your ability to surf the Internet anonymously could be lost in the near future, if current plans to roll out digital signatures stay on track, warned a panel of experts at the Computers, Freedom and Privacy Conference.
MUCH OF THE concern stems from companies that use digital signatures to verify a consumer�s real-world identity � destroying anonymity � and proposed laws that place the onus of damages caused by the new technology onto consumers, resulting in a less secure system.
�Congress is about to pass a bad electronic signatures law, and that will lead to many of these problems,� said Margot Freeman Saunders, managing attorney for the National Consumer Law Center.
Saunders� and other panelists� worries surround current plans to use digital signatures as a form of authentication � a way for consumer to prove credentials to an online site.
Digital signatures essentially use encryption to scramble information in a way that only the party who issued the certificate (usually the online store or a trusted third party) can decrypt and read.
CERTIFICATES LEAK INFORMATION
The problem for anonymous users is the amount of personal information that is encoded with the signature. For example, a site selling beer online may ask for proof of age. Current digital certificates would not provide that information but would identify the user by name or an ID.
That�s way too much information leakage, said Austin Hill, president of online privacy firm Zero-Knowledge Systems Inc.
�It�s like handing over your wallet full of ID to prove your age,� he said.
With dotcom sites actively collecting information on users and selling that information without their knowledge, the result could be extensive databases of consumer habits connected with real-world information.
The situation becomes worse because digital signatures are not 100 percent safe from theft, stressed Carl Ellison, a security architect for Intel (Nasdaq: INTC), who participated on the panel. While the encryption is strong, the system itself may have flaws that can be exploited.
�People are dazzled by the cryptography,� he said. �They assume that strong encryption gives you strength, but it�s like building a vault door into a cardboard box.�
Suggestions to add a fingerprint scan or other biometric features to security help little, because the underlying information-handling procedures are flawed, Ellison said. In addition, a thumbprint only has about 10 to 12 bits of entropy, or randomness, making it only as powerful as a 3- to 4-character password, he said.
Future cybercriminals may decide that using brute-force computing to break a signature, a difficult task, is worth it, said Phil Hester, vice president of systems and technology for IBM (NYSE: IBM). �With enough motivation or time, any digital signature can be broken,� he said.
SIGNATURE LAWS CUT BROAD SWATH
How bad are today�s information-handling practices?
Many online companies allow credit card purchases, but some such as CDUniverse put those files on a server accessible from the Internet. Unsurprisingly, those files have increasingly been raided by cyberthieves and the credit card numbers sold or posted on the Internet.
It would be much worse for consumers if the stolen information included such personally identifying information as surfing habits, date of birth and social security numbers.
In one proposed application of digital signatures, cards with signatures would be used to prove the identity of patients and doctors in both the Canadian and U.S. healthcare systems. On the Internet, doctors could use their cards to prescribe drugs, and patients could then fulfill those prescriptions online.
But a patient�s files are accessed by a host of other people in the doctor�s office: nurses who administer drugs, receptionists who log patients in and insurance companies who pay for the services. That opens up several potential paths for information to leak out.
CONSUMERS HELD RESPONSIBLE?
The ultimate result: Insecure real-world identities used online could easily be stolen, said Intel�s Ellison. �A digital signature stands for a human in cyberspace,� he said. �Yet, it can be used by others.�
In fact, if consumers are to be held responsible for damages resulting from the use of their card, then security won�t get better, said National Consumer Law Center�s Saunders. �For an ATM, the banks bear the loss of a card,� she said. �That�s why security is so good and improving. With digital signatures, the issuing company does not bear the loss of any breaches in security.�
Currently, two congressional bills will put consumers in the hot seat if their digital signature is used improperly. Saunders said such laws can only hurt consumers and online businesses both.
Some companies are beginning to listen to the criticism, said Hammett Hill, chief operating officer for Montreal-based Zero-Knowledge, in a separate interview.
�There�s a carrot-and-a-stick (approach) to privacy,� he said. �Today, most companies are worried about the stick ... of invading customers� privacy.
�But more often, businesses will want to attract the 90 percent of consumers worried about privacy,� he said.
Zero-Knowledge has pushed the concept of digital credentials that only reveals the exact information that needs to be checked by an online firm. The Department of Motor Vehicles could sign a credential that essentially states, �The bearer is 21,� hiding the consumer�s real age and birth date. A bank could sign a credential that states, �The bearer�s credit line is $5,000,� eliminating any need to pass along exact bank records and credit reports.
LAWMAKER BECOMING SYMPATHETIC?
The Montreal-based company recently acquired patents that will enable them to tie such certificates to a person�s online identity without revealing that identity.
Better yet, some policy makers seem to be listening as well.
�Being on this panel has ... made me even more skeptical,� said David Flaherty, a professor at the University of Victoria, who had previously served as the privacy commissioner for British Columbia.
�Digital signatures no longer seem like a Holy Grail to me.�
-- (news@of.note), April 08, 2000