RTP Discussions

[HarryStottle]

The Independent published on 13 January. In short, the idea is to implant verichip-type chips in prisoners to make it easier to track them.

I posted an extensive comment, but the bastards moved the article and all the comments have evaporated. Fortunately, on this occasion, I not only had a backup, but managed to find it - so I now republish it here where no-one else can get their mucky little hands on it!
***********************************

OK, what are the problems with this proposal?
After all, they're only criminals, and, given the choice, they'd probably prefer to be chipped than imprisoned.

The first set of problems is technical. To begin with, why do we want to track the relevant individuals? If the purpose is mere curfew monitoring, we can tolerate a higher failure rate than if the purpose is community protection. But if the purpose is simple curfew monitoring, we don't really need implants or ankle bracelets at all. Periodic random phone calls to a landline would be cheaper and more effective.

Purpose of chipping
So, for chipping, we must presumably be talking about community protection. In other words the purpose of the device is not merely to ensure that they stay in a prescribed zone but to enable alarms if they enter proscribed zones. For this, we cannot tolerate a failure rate in excess of - say - 1 in 10,000. The existing and proposed systems have failure rates of up to 5% (i.e. 500 times any reasonable failure rate). The only way to achieve such a low failure rate is to have minimal redundancy built in to the system. Instead, therefore, of just one chip (or ankle bracelet) we should require at least 3. Instead of one mobile phone, there should be at least two and a land line and an internal wireless communication system.

Alarms
Alarms would sound at level 1 (hardware failure) if one of the 3 chips failed to respond or one of the 3 communication channels failed to respond. Level 2 would indicate two failures in either chips or communications and level 3 would indicate zero response from either the chips or the channels. Level 4 would indicate "subject out of curfew zone" and level 5 would indicate "subject approaching proscribed zone or vulnerable target". Levels 1 or 2 should trigger an urgent technical "repair" visit within a couple of hours. Levels 3-5 should trigger an emergency police response within a couple of minutes.

The description above should indicate how far off a "proper" tracking system the current ones already are.

Integrity and Privacy
The second problem is integrity. As some (of the other lost comments) have already mentioned, cloning a single id chip is trivial. This means that we can never be sure that a response from a given chip is actually coming from the given chip. This, in turn, means that a) we can't be sure that the holder of the chip is the person we think they are and b) we can't be sure that the person who we think is chipped is where we think they are.

A related problem is privacy. As the devices must be readable from a reasonable distance, unauthorised readers could track the individual and place both them and the community at further risk.

The solution to both the integrity and privacy problems is to replace single id chips with devices which broadcast pre-implanted one time keys. The one time keys block cloning (each time the device is read it responds differently. Repeated keys are invalid) and protects privacy (each key is unique and does not need to be stored anywhere else, so reading a key cannot, on its own, reveal identity)

However, given that we don't, for obvious reasons, want to replace chips every five minutes (or five days) such devices will have to contain enough memory to hold a few hundred thousand keys and a few hundred bytes of processing circuitry. Such devices do exist but they're certainly not yet down to the size of "two grains of rice". A fifty pence piece is about as small as we can get such devices to date. And, remember, we need to implant 3 of them (all with different key sets). This clearly implies non trivial invasive surgery and, as such, is entirely unacceptable other than on a genuinely voluntary basis of free and informed consent.

Trust
The third problem is Trust. A "single point of failure" (SPF)is any potential link in the security chain which, if broken, breaks the security of the system. Any security system which has SPFs is not worthy of the name and any system which is dependent on Trusted humans has multiple SPFs. This, in short, is why large databases full of sensitive data which require access from many individuals CANNOT be protected to any satisfactory standard of security and why the Government's proposed ID card scheme is a failure before it even gets off the drawing board.

A key indicator of design failure for security is when the proposed protection is a rule or law constraining humans, as opposed to a technical protocol constraining systems. Such protections are only feasible when each step of the process requires multiple humans and an immutable audit trail. Example? The firing procedure for nuclear missiles and access to some bank vaults both require at least two people to collaborate. Such measures can reduce casual security breaches, but not deliberate ones. This is acceptable when the Reward to Risk ratio is quite low. In nuclear situations, the risk is obvious and universal. In the bank vault the risk of exposure is high (only a handful of individuals have legitimate access) and the individual's career and liberty are at stake.

But in centralised administrative or tracking databases, the Reward to Risk ratio is far too high. i.e. The incentives for political, financial or social corruption are (occasionally) enormous while the risks of discovery or retaliation from a compromised target are (usually) very low. This is why we see such routine and widespread abuse by the authorities in what has become the . In any intelligent assessment, individual abuse or illicit collaboration for corrupt purposes should be - for security purposes - regarded as inevitable and should, therefore, rule out ANY such systems where such abuse or collaboration could breach the security of the system.

The only systems where such collaboration or abuse can not breach security are those which do not reveal priveleged data to the users who have access to them. Such systems are compatible with the one time key exchange protocols mentioned above which are required to preserve the reliability, integrity and privacy of the tracking devices themselves. Essentially all keys are anonymous and tell those with access to the data nothing. Only those with access to matching key sets (which are not part of the central database) can decipher the exchanges to learn who is doing what and where.

Jury Controlled Key Escrow
For private citizens the matching key sets would be held by Trusted 3rd Parties of their choice. These would be widely trusted organisations - like Liberty, Privacy International, ACLU etc - with a track record of privacy concerns. Many citizens might be prepared to trust commercial organisations like Banks, Insurance Companies, Lawyers, even Supermarket chains. Access to their data would be internal to the organisation only, protected by a Jury selected from the members and publicly audited.

For criminals the "Trusted 3rd Party" would be an appropriate legal monitoring body, presumably an agency of the Police or Home office. Their access would, again, be internal only, protected by Judges and also publicly audited.

There are a few other details we need to sort out, like a Strong Revocation/Non-Repudiation Protocol to deal with loss or failure of tracking device and/or its key set, or changes to key identifiers like name and address or legal status. But that, in brief, is what a half decent tracking system, capable of protecting the community from criminals or individual citizens from breaches of their liberty and privacy might look like. It clearly bears no resemblance to anything proposed by governments anywhere.

I have been trying to get the British Government to consider such proposals since 2002. If anyone thinks they could help me persuade the ignorant and arrogant political imbeciles to start taking these issues as seriously as they should be taken, I would be more than grateful. And, yes, I appreciate my obvious hostility doesn't help, but frankly, their incompetence is so dangerous and long standing that we can no longer afford to be diplomatic.

[Darque]

Interesting issue... I wonder if it would run afoul of the Eight Amendment's prohibition of cruel and unusual punishment, or in the case of UK, the English Bill of Rights, which has an almost identical passage. Of course, recent events have shown that neither government is particularly concerned with playing by the rules anymore, so that may not be an issue.

I'd worry about the hackers. I'm afraid this isn't my specialty, so I'm forced to use the very general terms of the layman. Time and again, just the mere mention of the word, "unhackable," has been enough to bring out some of the best in the world - everything from government databases to video game consoles to the Roomba. I wish we could put some faith in pure digital security measures, but the reality has been that the best software experts in the world can't help because they're working for the other side. Even banks, with some of the best electronic security that can be found anywhere in the world, still rely on old-fashioned safes and vaults (okay, not really old-fashioned, more like state-of-the-art, ultra-sophisticated, highly evolved, and fiendishly complex, yet entirely devoid of electronics). Once hacked, these chips would be a very expensive sense of false security, and I can't help but feel that a hack is inevitable.

But, honestly, I could see the promise: revolutionized prisons, a much more reliable and effective parole program, and that makes it worth pursuing the idea in my book. The issues of privacy are, while relevant, hardly insurmountable. What makes my skin crawl is that companies here in the US would drool over the chance to force employees to take on these implants - and they would not be bound by any such constitutional restrictions as any government. I objected the same way to drug testing and then spyware programs, and now drug tests are mandatory for nearly every job in this country and a fast-growing industry has sprouted to allow companies to spy on every keystroke or mouseclick that an employee might make in the course of a day. That is, I fear, the real slippery slope of this issue - not the government using such technology on all of us, which I'm sure would result in armed revolt, but the companies, which would be met with a giant shrug of compliance and indifference.

Still, a thorny issue, with plenty to chew on. I'll keep thinking about this.

[HarryStottle]

[Darque]

[HarryStottle]