Posts Tagged 'biometrics'

How do I demonstrate that I am me?

The question of identity, how the question in the title gets answered, is one with an interesting history; and one that is changing again at the moment.

For much of human history, identity was almost completely determined by the fact that a person was born and grew up in a community where everyone knew them, and never moved far from this community. This is still true in many parts of the world, but was surprisingly true in the developed world until quite recently.

Things changed when migration to cities started in a big way, in Western countries perhaps around the 16th century and accelerating since then. Someone who moved to a city could become anyone they wanted as long as they kept away from people from the same general area as they were, who might know them or know of them. This was harder than it seemed, mostly because of the tendency of people with the same origin to live contiguously when they arrived in a city (so if you were from X but didn’t live in the X area, you automatically attracted attention). This ability to assume new identities was grist to the mill of detective stories up to about 100 years ago (notably Austin Freeman).

In the last 100 years, governments have become the guarantors of identity because of the requirement to collect taxes, mostly income taxes; and, for an increasing number of people, because of the need to cross borders. So governments issue identity documents that are tied to a single person via some kind of link, perhaps a biometric or even an address. And, for most people, this is where things stand now.

But there are new forms of identity beginning to be created, and new ways to blur identities as well.

I have had a web page with my photo on it, and links to my papers, and so on, since the web began. Copies of this web page have been periodically archived, at moments that I can’t control, by the Wayback Engine and probably several other places as well. If I want to prove my identity, I can now do it without any government intervention by pointing to these copies of my web page which have information that links them uniquely to me. For many people, their Facebook or LinkedIn profile pages would do the same thing if they were publicly archivable. So identity is once again moving away from something that is government mediated to something that is more decentralized and community based.

On the other side of the coin, governments and others are actively creating artificial personas, sometimes called sock puppets. These personas are controlled by a real person, but one person can control many of them, and the postings of each persona don’t need to be the ones that the controller would naturally make. In other words if, on the internet, nobody can tell you’re a dog, it follows that nobody can tell you’re not a construct either.

In order to make these sock puppets realistic, a back story has to be created for each one; increasingly, this means that they have to have a created trail in places where this might be looked for. Once upon a time, intelligence organizations would go into official records and create entries for non-existent people; this is inherently difficult, especially in records that are owned by other governments (remember, governments validated identities); so often identities of people who had died were used as starting points. I expect we’ll see that same thing happening in the online world.

But there’s an important difference: while governments can go back and change history embodied in records, neither they nor anyone else can change the history embedded in web sites that, at random times, take a snapshot of some part of the web. So creating realistic sock puppets is actually really difficult.

There’s also the issue of language: one controller running multiple sock puppets cannot avoid using detectably similar language patterns for all of them; and eventually this will make it possible to detect artificial personas.

Thoughts on the Australian Government White Paper on Counter-terrorism

The Australian government has just released a White Paper updating their policy on counterterrorism. Most of the content is eminently sensible, but there are a couple of questionable assumptions and/or directions.

1.  The section on resilience assumes that radicalisation can be mitigated by “reducing disadvantage” using government actions to address social and economic issues. This may well be so, but I don’t think there’s much evidence to support it. It’s clear that there are countries where economic and social grievances are significant drivers for radicalisation (e.g. Southern Thailand); but the results of a recent survey in Canada with which I was involved showed clearly that attitudes about economic and social issues were uncorrelated to radicalism. Although many Islamic immigrants to Canada (and indeed many immigrants) struggle with e.g. access to jobs, this does not seem to turn into a sense of grievance that might lead to radicalisation. Australia may be different, but there doesn’t seem to be any particular reason why it should be.

2. The section on intelligence-led counterterrorism talks about three components: the ability to collect; the ability to analyse; and the ability to share. There is existing capacity and proposed actions for the first and the third — but there is a great black hole in both existing capacity and proposed action for the second: analysis.

It’s easy to skip over this word and assume what it means; but I suspect that, when it’s unpacked, it tends to be taken to mean either “looking stuff up” or “having a human put stuff together to discover its significance”. It doesn’t take much thought to realise that this can’t be enough. The challenge in intelligence is (a) deciding how important each dot is, and (b) finding the interesting constellations of dots from among the many possible constellations. In practice, the number of dots is in the thousands (and up) each day, so this process must be largely automated.

There is a strange blind spot about the role and importance of analysis. I suspect that this is mostly because it’s not obvious how powerful inductive data modelling can be and it’s not on the conceptual map of most people, especially those whose training has been in the humanities and social sciences. But talking about collection and sharing without talking about analysis is like a sandwich without the filling — and you don’t make a better sandwich by improving the quality of the bread, if there’s still no filling.

Analysis is tough for intelligence agencies, who are fighting a battle to upgrade their capabilities at the same time as meeting the real-time challenges of what analysis they can already do. And, although data mining/knowledge discovery is a well-developed subject, adversarial data mining, which I’ve often argued here is quite a different subject, has received little attention. One way that governments can help is to let some of this upgrading happen in universities. As far as I am aware, there is almost no work on counterterrorism analysis happening in Australian universities, and the possibility gets only a tiny mention in the National Security Science and Innovation Strategy. There are several research groups looking at the social aspects of terrorism and counterterrorism, and one or two looking at the forensic aspects of data analysis, but a conspicuous absence of work on data analysis as a preventive and preemptive tool.

A part of the report that has attracted media attention is the intent to impose special visa requirements for applicants from 10 as-yet-unidentified countries (but the US imposed special requirements on 10 countries so it probably isn’t too hard to guess the list). Two parts of this are problematic. First, it will use new biometrics — although this seems to be a grand way of talking about fingerprints and facial photos. Biometrics get over-trusted; they are mostly relatively easy to spoof. Second, the report promises to use “advanced data analysis and risk profiling” to identify risky visa applicants. It’s hard to know what to make of this, but it sounds like either something quite weak, or something with unworkably high false-positive and false-negative rates.

3.  The problem with treating home-grown terrorism as a law enforcement problem is that catching and sentencing those who have planned or carried out attacks doesn’t do anything for those who are “next in line”. There’s a risk that dealing with a home-grown group simply radicalises their supporters to the point of violence. For example, this seems to be a potential risk after the sentencing of five men last week.

Other countries, for example Thailand and Saudi Arabia (although with questionable success), take a wider view and try to deradicalise those whose involvement with terrorist activity is marginal. In other words, any criminal events in the terrorism area are regarded as the tip of an iceberg; and other approaches (sometimes called “smart power”) are used to address the less-visible hinterland of the criminal event. While a law enforcement approach is good, there seems to be some scope for a wider approach to the problem. And the great majority of home-grown attacks have been discovered and prevented because of the actions of a whistle-blower within the attackers’ community, so motivating such whistle-blowing and making it easy seems like it should be a centrepiece of any proposed strategy.

More on Identity

I’ve mentioned the problem of figuring out when data records describe the same person in the two most recent posts. Casinos are required to ban certain people who have self-identified themselves as having a gambling problem, so they have to look carefully at everyone who books a room. They also, of course, have an interest in noticing when certain other people show up, for example card counters.

As I said yesterday, identity is a slippery thing to manage algorithmically. It’s only in the last century that governments have gotten into the act of certifying identity, via various forms of government-issued identification, going back to birth certificates.

Such documents are not necessarily very reliable. There’s a long history of forging them. But mostly identity gets fudged because people don’t use them directly — they copy names and addresses with characteristic human errors; and this process can be helped along by those who want to hide their identity. It’s socially acceptable to use variant names, and people constantly make mistakes with numbers. Those who want to can use these deniable mistakes to create multiple versions of their identities.

This is partly why there’s such an interest in biometrics. A biometric is an identity key that was given to you by God. The important distinction in biometrics is between a digital biometric and a non-digital one. A photo in a passport is a non-digital biometric — it can be used to associate the passport, and so its contents, with you, but doesn’t do much else. A digital biometric, such as a digitized photo, can act as a key to a large database of information about you.

Most biometrics are extremely easy to fool. You can read about some of the easy tricks here. Fingerprint scanners can be fooled by plastic wrap; iris scanners by printed photos of an iris.

In relationship/graph data, the problem with multiple records describing the same person is that they blur the structure of the connections around that person — making some paths seem longer, and some properties more diffuse. That’s why it’s important to be able to resolve identities when possible; but also why it’s important to stay agnostic over the long haul.
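The record-matching problem described in this post, as an added example that is not part of the original post: bookings are compared against a self-exclusion list while tolerating variant names and mistyped numbers, and uncertain pairs are reported as "possible" rather than merged. The nickname table, the thresholds, the field names and all sample records are constructed for illustration.

```python
import re

# Constructed, deliberately tiny nickname table; a real one is much larger.
NICKNAMES = {"bill": "william", "bob": "robert", "liz": "elizabeth"}

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)   # e.g. "12" typed as "21"
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def name_key(name):
    """Lower-case, drop punctuation, expand nicknames, ignore token order."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return " ".join(sorted(NICKNAMES.get(t, t) for t in tokens))

def compare(rec_a, rec_b):
    name_d = osa_distance(name_key(rec_a["name"]), name_key(rec_b["name"]))
    dob_d = osa_distance(re.sub(r"\D", "", rec_a["dob"]), re.sub(r"\D", "", rec_b["dob"]))
    if name_d == 0 and dob_d == 0:
        return "same"
    if name_d <= 2 and dob_d <= 1:
        return "possible"      # kept as a link for review, never merged
    return "distinct"

def screen(bookings, watch_list):
    """Return (booking name, list name, verdict) for every pair that is not distinct."""
    pairs = ((b, w, compare(b, w)) for b in bookings for w in watch_list)
    return [(b["name"], w["name"], v) for b, w, v in pairs if v != "distinct"]

# Constructed sample data.
WATCH_LIST = [{"name": "William Harcourt", "dob": "1971-03-12"}]
BOOKINGS = [
    {"name": "Harcourt, Bill", "dob": "1971/03/12"},    # variant name, same date
    {"name": "Wiliam Harcourt", "dob": "1971-03-21"},   # dropped letter, swapped digits
    {"name": "Wilma Harding", "dob": "1985-11-02"},     # a different person
]
```

Loosening the "possible" thresholds catches more deliberate near-misses at the cost of more innocent guests flagged for review.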

What are no-fly lists for?

There’s a great deal of confusion in the discussion of airline security because several things are going on at once.

It’s sort of clear what the point of passenger screening is. The goal is to prevent anyone from carrying out an attack, either a hijacking or a bombing. The mechanism is to make sure that nobody can take the required tools or devices onto a flight.

Why is there an analysis component? Why not simply search everyone in exactly the same way, to make sure that they aren’t carrying anything they shouldn’t be? It’s a question of managing the costs and the risks. Analysing data about potential passengers allows them to be placed in categories. Each category consumes a different amount of resources to check; the amount is related to the perceived risk of people in that category.

Of course, there are advantages to not making these categories too rigid or predictable, as I discussed in the previous post.

This idea of risk management is a sensible one. But, given this framework, what is the point of a no-fly list? If I can be absolutely sure that a terrorist who gets on a plane does not have the ability to do anything different from the other passengers, is there any reason not to let him fly?

There are two reasons why a no-fly list might still be a good idea:

  1. It’s actually impossible to be sure that someone who gets on a plane cannot do anything destructive, no matter how much time is spent on checking beforehand. Even the Israelis, who are no slouches when it comes to airline security, and who’ve been doing it a long time, cannot guarantee that someone is actually innocuous. It’s not clear what the issues are, but it seems at least possible to make a swallowable IED, or for a group to take on board objects that are individually innocuous, but together could make something nasty.
    As a matter of practicality, it’s also the case that people who are highly motivated to carry out an attack are not worth the resources to screen completely. In other words, the point of passenger screening is to act as a safety net, catching people who aren’t known to be terrorists, either terrorists not yet discovered, or people who’ve suddenly snapped.
  2. A no-fly list puts barriers in the way of terrorists, making it hard for them to move and meet. This only makes sense for domestic travel, since borders already perform this function for international travel. In other words, once you become a terrorist you cut yourself off from moving freely around a country, because you can no longer use air transportation. Obviously, this matters more in large countries, and those with lots of islands or other physical barriers, than in small countries like those in Europe.

The biggest worry, and problem, with no-fly lists is their false positive rate, that is the number of innocent people who are mistakenly identified as terrorists and prevented from flying. This is partly a self-inflicted problem by governments which rushed to implement no-fly lists for largely cosmetic reasons, without taking the time to think about and implement reliable lists to begin with.

However, constructing and maintaining such lists is difficult because it requires making secret information widely available, which is not the way to keep it secret. (The list has to be at least partly secret because covert means might have been used to put some people on it; if they knew they were on it, they might be able to work out how.) There are technical ways to check whether someone is on a list without having to make the list public, using encryption techniques, but this idea has not, afaik, been used.
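One way such a check can work, as an added example that is not part of the original post: a Diffie-Hellman-style blinded exponentiation (an oblivious PRF), chosen here as one instance of the encryption techniques mentioned above. The list holder publishes only keyed values, the checker learns nothing but yes or no, and the holder never sees the name being checked. All names are hypothetical, and the 256-bit group is demo-sized so it generates quickly; real use needs a standardized group of 2048 bits or more.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=20):
    """Miller-Rabin test, used only to build demo parameters."""
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Random p = 2q + 1 with p, q prime: the squares mod p have prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

P = safe_prime(256)        # demo size only (assumption); too small for real use
Q = (P - 1) // 2

def to_group(name):
    digest = hashlib.sha512(name.strip().lower().encode()).digest()
    return pow(int.from_bytes(digest, "big") % P, 2, P)   # square into the order-q subgroup

class ListHolder:
    """Holds the secret list and key k; publishes only H(name)^k values."""
    def __init__(self, names):
        self.k = secrets.randbelow(Q - 1) + 1
        self.published = {pow(to_group(n), self.k, P) for n in names}

    def evaluate(self, blinded):          # sees H(name)^r, never the name
        return pow(blinded, self.k, P)

def is_listed(name, holder):
    r = secrets.randbelow(Q - 1) + 1                      # checker's one-time blinding factor
    reply = holder.evaluate(pow(to_group(name), r, P))    # H(name)^(r*k)
    return pow(reply, pow(r, -1, Q), P) in holder.published   # unblind to H(name)^k
```

Because every check needs a round trip to the holder, the published values cannot be tested against guessed names offline, and the holder can rate-limit and audit queries.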

The second big problem with no-fly lists is that they are lists of identities, and it’s quite hard to robustly establish the identity of the person standing in front of you, if they are motivated not to make it easy. That’s why there’s such high levels of interest in biometrics — they provide a way to link some property of your physical presence to other data about you, and so to establish your identity. As a result, identity theft is big business — according to Bruce Schneier, a bigger business than drugs in the U.S.

Governments have also piggybacked law enforcement onto no-fly lists, so that people who are wanted for crimes of sufficient seriousness can be added to such lists. Whether or not this is a good idea is a complex subject; but it does make ordinary citizens suspicious about how much mission creep is a factor in government programs aimed at detecting and preventing terrorism. More another time, perhaps.


