TheScarab

In the annals of cryptography’s transcendence from the obscurity of geekdom to the central place it occupies in today’s privacy and human security discourse, Whitfield Diffie’s intellectual clash in the late 70s with the NSA, which was intent on limiting the spread of strong encryption it could not break, has attained the heights of legend.

But the more dramatic episodes in the crypto epics belong more aptly to the saga of Lucifer, IBM’s first major foray into commercial cryptography and the earnest efforts in the early 1970s by Horst Feistel, who had joined IBM after growing disillusioned at the NSA, to portray Lucifer as something much grander than a mere prop for banking IT security.

It is perhaps also worthy of note that it was at IBM, and within the same rarefied circles spawned by the Watson Center, that Diffie met Martin Hellman, his now equally famous co-conspirator against the 56-bit data encryption standard (DES) that the NSA induced IBM to foist on the emerging world of network computing.

In Feistel’s 1973 paper on cryptography and “computer privacy”, published well before the more celebrated Diffie-Helman monograph, he not only outlined the vision for 128-bit encryption, something considerably more robust than the NSA-preferred 48-bit ciphers, he also exhibited a prescience about modern day concerns about individual and, more vitally, group “data bank privacy” that is truly remarkable.

It would seem that Feistel’s understanding of Lucifer’s true possibility was, at least during the early development phase, connected with some of the conclusions he drew in that paper: “it would be surprising if cryptography, the traditional means of ensuring confidentiality in communications, could not provide privacy for a community of databank users.”

Feistel’s strong interest in the cryptographic prospects of networking security and the privacy needs and rights of user groups cuts a direct line to today’s complex transactional and interoperable frameworks, starting with a modified Lucifer’s application to banking ATM configurations and the presaging of future e-commerce platforms by its successors.

In a cloud computing world, some of the faint echoes of Feistel’s work on Lucifer have started to ring louder again. His concerns that networking magnifies the risks of privacy breaches are now standard fare in most analyses of the need for “pervasive cryptography” and “encryption by default”, both positions that he clearly articulated half a century ago.

It is not surprising then that the same arguments made by state security and law enforcement authorities in that era concerning the risk posed by ubiquitous strong encryption to legal surveillance for crime prevention, appear to have resurrected en masse as debate over the role of cryptology in safeguarding privacy has picked up again.

This is sad because in the intervening period since the days of Lucifer so much has happened to warrant a more nuanced view of the risks addressed through, but also complicated by, ubiquitous encryption.

The crowning glory of the Diffie-Helman turn in cryptography is undoubtedly the solving of the key distribution problem through the path shown by Public Key Infrastructure (PKI) design. The core logic of PKI has, however, always been driven by a chain or web of unilateral and bilateral functions. One person encrypts, and only they or a second nominated person can decrypt. In solving the problem of how two parties can securely exchange information without fear of interception by an eavesdropping third party, a new risk was introduced: the complete repudiation of third-party rights in the transaction, however legitimate.

In a polycentric computing world, there are some important limitations to this model, which go beyond the usual discussions about private key compromise, revocation, complexity, and certificate authority integrity. There are concerns about justified access to medical records in the event of an emergency, parenting obligations towards minors, cryptoviral extortion, and the data considerations involved in executing the digital estate of deceased persons as a function of probate law. When cross-border issues arise in any of these contexts, confusion multiplies multifold. A veritable tragedy of the cryptocommons, a situation where everyone in pursuing their best privacy interests enfeeble our collective respect for privacy, may lie just across the horizon.

Yet, not only are such discussions often overshadowed by the narrower concerns and perspectives of enterprise actors, their civil implications have also become hijacked by the focus on governments’, particularly the US Government’s, desire to insert backdoors into encryption or limit the spread of strong encryption.

The US is, of course, far from being the only major country with curious export/import restrictions on encryption products or “forced decryption” rules/regulations, many of the world’s sophisticated governments have similar or even more stringent precepts.

The US however gets a lot of attention because of its completely outsized position in the global app economy. Its disproportionate influence on digital commerce means that until September 2016, many of the world’s startups were in violations of its cumbersome laws requiring advanced registration before products containing cryptographic tools could move in and out of the US. That is essentially every app today; and with the major app stores largely controlled by US owned firms but used for distribution by tech companies around the world, the notions of what constituted an “export” or an “import”, perceptions developed when software was still predominantly sold on disks, were becoming strained to breaking point.

Cloud computing and the digital distribution of software thus interacted with ubiquitous encryption in ways designed to frustrate law enforcers, a situation thrust into the limelight, but also much obscured, by the FBI-Apple iPhone forced unlocking dispute. It is fascinating how such an interesting incident raised so few of the profound issues precipitated by polycentric ubiquitous (PU) encryption.

The real, deep, problem posed by the current model of heavily interoperable digital applications hosted remotely, used collaboratively across multiple domains and geographies, and intimately intertwined with all manner of everyday services that have only recently been digitised, is that a “trust management” problem is still being treated as an “information security” one. Even worse, this dissonance has been fully globalised.

The Wassenaar Arrangement, an international soft law regime promulgated in the Netherlands by 42 states, has a few loose provisions in its infosecurity section attempting to deal with the trans-frontier issues.

It would surprise some commentators to find out that within this club of advanced cyberpowers (although missing China, Israel and emerging cyber powers such as Brazil), the US posture towards strong encryption proliferation is actually dovish, which is saying a lot about state attitudes globally.  More importantly, Wassenaar is far from offering any framework for addressing the broader transnational civil and social complications arising from PU encryption culture.

Attempting to address this complex, multifaceted, problem starts with recognising the “distributed” and “disaggregated” nature of the strong encryption – third party rights conundrum. In many ways, blockchain is a crude attempt to address this puzzle, but more in favour of transparency than of privacy. It is sad that Ralph Merkle’s ideas, co-opted for this agenda, contain at their root much more than have been realised in the crypto-trust space.

The key to unknotting the conundrum, I think, is “civil sortition”, a new institution that enables the formation of trusteeship rings and groups as a form of “trust collateral” in the deployment of strong encryption. This is precisely what “key escrows” are not.

Key escrows, having begun life as a discredited “compromise” pushed by some law enforcement authorities in response to the tech industry’s denouncement of attempts by the former to push breakable encryption and/or backdoors in ciphers, all in the name of denying criminals the safe haven of totally impenetrable communications, never really matured into anything technically significant. They have been criticised as being open to abuse because their implementation often requires reliance on legacy social institutions highly susceptible to establishment manipulation.

Civil sortition offers a radical approach whereby a pseudorandom chain of network participants (human and parahuman) receives fragments of a “scrambler/descrambler” keypad. Whilst the real-world identity of the participants are obscured, they are uniquely identified and securely and consistently reachable so long as they remain active in the network. Any member of the network can request decryption of any encrypted message backed by a pre-programmed escalation matrix. The number of lots required for descrambling or permanent scrambling, for the sequencing of lots, and for the weighting of lots must all fit into this matrix. For some data types, influence of matrix design is heavily weighted towards the data contributors, and in others less so.

In this manner, whenever strong third party rights to data arise in any context, the communal groups affected cannot be held hostage to the whims of the nominal controller of such data. The extent to which government agencies genuinely reflect strong and legitimate third party rights to any particular data would then become a matter for network adjudication without allowing for oppressive determination by arbitrary privilege.

s data repositories continue to intermingle, and the demand for stronger forms of privacy protection grows in tandem, only radical new data access regimes can reconcile all legitimate rights, and thus avert any prospective tragedy of the crypto-commons.

The Chinese Government’s plans to introduce a “social credits” scheme to rate and rank the behaviour and conduct of its citizens far beyond their financial circumstances (the current focus of Western-created “credit scoring” systems) has predictably rattled observers.

One journalist summed up the situation starkly:

“The Communist Party’s plan is for every one of its 1.4 billion citizens to be at the whim of a dystopian social credit system, and it’s on track to be fully operational by the year 2020.”[i]

Many of the discussions have followed similar lines, focusing on the harrowing implications of such an intrusive state-run machine for individual freedoms and the right to privacy.

What has been less investigated is the essential structure of the social algorithms required to achieve the objectives of the Chinese government, and in particular the tensions between technical efficiency and political economy when mass surveillance is devolved to machine power and incorporated into social-behavioural systems in the presence of capitalist incentives.

Few treatments of the notion of “sovereign privacy” give it any respect. Yet, there are framings of the “state secrecy” question that goes beyond mere necessity (especially in such contexts as “law enforcement” and “national security”).

LSE’s Andrew Murray provides an interesting angle in his brief 2011 take on transparency:

“All bodies corporate (be they private or public) are in fact organisms made up of thousands, or even tens of thousands, of decision makers; individuals who collectively form the ‘brain’ of the organisation. The problem is that individuals need space to make decisions free from scrutiny, or else they are likely to make a rushed or panicked decision.”[ii]

When viewed as a “hive” of personnel insecurities, biases, errors, stereotypes, ambitions and proclivities, Central Governments emerge out of the monolithic pyramid we tend to envisage atop the panopticon of general surveillance and descend onto a more examinable stage, where their foibles and miscalculations and misdiagnoses can also receive useful attention.

Because the Communist Party’s 90 million members are an integral part of its overall structural integrity, its social management policies rely greatly on their ability to participate and contribute.[iii]

Many of the 20 million people who work in the 49000 plus state enterprises, especially from middle management and up, are fully paid-up members of the party. Some estimates put the percentage of the country’s 2 million press and online censors who belong to the party at 90%. Last year, the last barrier between the Party and command at all levels of state paramilitary and security institutions was removed, bringing an even larger number of non-career security commissars into both operational and oversight positions.

Such broad-based participation in the “social management strategy” might at first sight appear to favour the decentralised nature of social credit-based control. The only problem with that view is that the strategists behind the scheme see it in purgatory terms:

“The main problems that exist include: a credit investigation system that covers all of society has not yet been formed, credit records of the members of society are gravely flawed, incentive mechanisms to encourage keeping trust and punishments for breaking trust are incomplete, trust-keeping is insufficiently reward, the costs of breaking trust tend to be low; credit services markets are not developed, service systems are immature, there are no norms for service activities, the credibility of service bodies is insufficient, and the mechanisms to protect the rights and interests of credit information subjects are flawed; the social consciousness of sincerity and credit levels tend to be low, and a social atmosphere in which agreements are honoured and trust are honestly kept has not yet been shaped, especially grave production safety accidents, food and drug security incidents happen from time to time, commercial swindles, production and sales of counterfeit products, tax evasion, fraudulent financial claims, academic impropriety and other such phenomena cannot be stopped in spite of repeated bans, there is still a certain difference between the extent of sincerity in government affairs and judicial credibility, and the expectations of the popular masses.”[iv]

The goal is as much about moral self-policing as it is about social control. Self-policing inevitably induces low-intensity and highly diffuse factionalism and clique politics.

Chinese observers certainly understand the critical factor of power-play in these circumstances, as is obvious from the following passage by PhD student, Samantha Hoffman:

“The first is the struggle for power within the Party. The Party members in charge of day-to-day implementation of social management are also responsible to the Party.  As the systems were being enabled in the early 2000s, these agencies had a large amount of relatively unregulated power. The age-old problem of an authoritarian system is that security services require substantial power in order to secure the leadership’s authority. The same resources enabling management of the Party-society relationship can be abused by Party members and used against other within the Party (War on the Rocks, July 18, 2016). This appears to be the case with Zhou Yongkang, Bo Xilai, and others ahead of the 18th Party Congress. The problem will not disappear in a Leninist system, which not subject to external checks and balances. And it is why ensuring loyalty is a major part of the management of the party side of “state security”.[v]

But Hoffman and many like her misconstrue the implications of fragmented trust for social credit based control.

Complex social algorithms over time start to amplify signals that their makers do not fully understand and cannot control in advance. We have seen this many times with even much simpler systems like Facebook, Twitter and Instagram, whose operators have extremely narrow objectives: maximising attention retention to attract advertisers.

In a system designed to compel conformance to ideal criteria and yet dependent on large numbers of participants to shape that criteria, deviance can easily become more prominent when algorithms start to reinforce once latent patterns. Whether it is preening on Facebook or bullying on Twitter, there is a fundamental logic in all simple systems trying to mould complex behaviours, and this logic tends to accentuate deviancy because algorithms are signal-searching.

This is where the “sovereign privacy” point comes in. A state like China seeks inscrutability. It also seeks harmony of purpose. Social algorithms tend to want to surface hidden patterns and concentrate attention. A time-lag renders algorithm-tweaking for specified ends in advance highly unreliable. Very often, the operator is relying on surfaced trends to manage responses. The danger of rampant “leaking” of intention and officially inadmissible trends rise exponentially as the nodes in the system – financial, political, social, economic, psychological etc – increase. The “transparency” that results from the inadvertent disrobing of the intents of millions of Chinese state actors does not have to be the kind that simply forces the withdrawal of official propaganda positions. It can also be the kind that reveals which steps they are taking to regain control of the social management system.

The problem is somewhat philosophical. Right now, membership in the Communist Party and public conformance with the creed is non-revelatory. Integrating multiple “real behaviour” nodes together to compel “sincerity”, as is the official goal of the program could immediately endanger the status of tens of millions of until-that-moment perfectly loyal cadres and enforcers of moral loyalty. The proper political economy response, at least in the transition stages, is to flatten the sensitivity of the algorithms. Doing so however removes the efficiency, which alone makes the algorithms more effective than the current “manual” social conformity management system.

Unfortunately, such efficiency would render redundant large swathes of the current order. Which in turn means that lower levels of the control pyramid have very little incentive in providing complete data. The effect of highly clumpy data exacerbates algorithmic divergence from other aspects of social reality (in the same way that Twitter fuels political partisanship in America as oppose to merely report it) and prompts “re-interpretations” of the results churned out by the system. Over time, the system itself begins to need heavily manual policing. The super-elite start to distrust it. Paranoia about the actions of their technocratic underlings grow in tandem. Along with dark fears about a “Frankenstein revolt”.

At the core of all of this is the simply reality that any system that can realistically achieve mass deprivation of privacy will threaten sovereign privacy as well, and would thus not be allowed to attain that level of intrusion by the powers that be.

Notes:

[i] “China’s ‘social credit’ system is a real-life ‘Black Mirror’ nightmare”. Megan Palin. 19th September 2018

[ii] Andrew D Murray. 2011. “Transparency, Scrutiny and Responsiveness: Fashioning a Private Space within the Information Society”. The Political Quarterly.

[iii] See: Yanjie Bian, Xiaoling Shu and John R. Logan. 2001. “Communist Party Membership and Regime Dynamics in China.” Social Forces, Vol. 79, No. 3, pp. 805-841.

[iv] “State Council Notice concerning Issuance of the Planning Outline for the Construction of a Social Credit System (2014-2020)”. GF No. (2014)21.

[v] Samantha Hoffman. 2017. “Managing the State: Social Credit, Surveillance and the CCP’s Plan for China”. China Brief Volume, 17 Issue 11.

It is trite knowledge that all biometric systems rely on probabilistic matching, and that every successful biometric authentication of an individual is merely a statement about the likelihood of their being who they are expected to be.

What is more interesting is the determination of the factors that go into establishing what the reasonable margin of error should be when processing such a match, or, more accurately, when estimating these probabilities.

Officially speaking, the error tolerance margin should be determined by empirical testing based on data about the false match rate and the false non-match rate; in essence: the interplay between the “false negatives” and “false positives” record obtained from the field.

The practice in many situations, however, flouts this normative standard, with the effect of leaving calibration determination to the competing forces of commercial logic and political expediency. And no where more so than in the context of sophisticated African elections.

To fully illustrate this point, it bears clarifying, at a very high level, some key technical concepts.

Some errors are intrinsic to the probabilistic nature of biometric technology itself, but many others are non-inherent or extrinsic, and these sources of defect include factors that range from the technical to the sociological, such as:

• Topological instabilities in matching as a result of source object (such as a finger) positioning in relation to the measurement device
• Poor scanning of biometric attributes
• Storage and retrieval quality
• Personnel and manpower inadequacies
• Environment and ambience (for example, lighting and aural ambience can affect voice and visual biometric authentication in varying ways)

Extrinsic sources of error are typically institutional, and thus literally impossible to eliminate without wholesale interventions in the design and user environment typically considered out of scope when constructing even the most complex biometric-enabled systems.

Intrinsic sources of error are far more complex in their provenance and, not surprisingly, very difficult to adequately explain in a post of this length.

In general though, these errors emanate from the statistical procedures used to reduce ratios, measurements and correlations compiled from the physical imaging or recording of phenotypical (or, in the near future, genotypical) features of designated source objects associated with the target individual or subject of interest. We might refer to this type of error as representing a level of “systematic risk” indispensably present in the use of the underlying concepts of biometry themselves as a means of precise differentiation of sociobiological humans.

The common effect of both types of error is however straightforward: the need for large-scale biometric-enabled programs and systems to anticipate considerable errors in the margin of performance.

The anticipated risk that results from this error-certainty bifurcates into a probability that the machine shall include individuals who should be excluded from authentication, and an alternative probability that the machine shall exclude individuals who should have been included.

At the intersection of these two sets of expectations lies the acceptable threshold, which, of course, moves up or down depending on which of the two main probabilities are of the strongest concern, a determination strictly dependent on institutional context and the stakes of failure.

In the case of elections, the strongest tension is between the delegitimating of results by permitting a certain margin of the same fraud against which biometric systems are usually introduced to stem, on the one hand, and, on the other hand, disenfranchising several electors whose right to vote and influence the selection of their leaders many constitutions insist should be treated as sacrosanct.

Empirical testing in the user environment prior to the design of the biometric instruments would be the obvious sensible prerequisite to the calibration of the thresholds for rejection and inclusion. Yet, they are almost always, across Africa, performed hardheartedly, with the result often that basic challenges stemming from occupational (some types of work deface fingerprints faster than others, for example), environmental (higher amounts of dust, sweat, etc), infrastructural and other challenges, quickly ricochet into higher than expected rates of false negatives.

Because false negatives are more “visible” (they exclude and therefore antagonise), the feedback loop against false non-match rates are far stronger than false match rates, which in the field can only be surfaced by mystery shopping, a prospect highly infeasible in the normal, politically charged, election scenario.

False positives do show up in the end though, when despite biometric authentication and biometrically sanitised electoral registers, overvoting incidents, notionally impossible in the presence of the technology, are recorded. But this being a delayed effect, and likely only discoverable in the event of a disputed and judicially scrutinised outcome, the incentive to set threshold rates low enough to minimise false non-match rates and, as a corollary, raise the prevalence of false match rates, is much stronger.

Consequently, in the two African countries where the most sophisticated biometric systems have so far been deployed in recent general elections – Ghana and Kenya – an interesting trend was observed. Whereas in previous elections, biometric exclusion incidents were numerous and resulted in serious altercations at polling stations, more recent elections saw very few of these types of incidents. Yet, following the decision of Opposition parties to challenge the elections in the law courts, alarming evidence emerged of outcomes that should theoretically have been barred by the deployment of biometric apparatus. Incidents such as over-voting.

Why is testing so poorly done? Primarily because most of the vendors behind these solutions tend to be foreign systems integrators with minimal exposure to the sociological context of processes they are expected to model, and also because commercial considerations often militate against a serious examination of system design. Much too often, contracting procedures are shrouded in technical secrecy and undue backroom backscratching, with claims of proprietary standards and jostling for advantage by political connected rent-seekers.

With cost per voter in the most sophisticated African electoral systems now among the highest worldwide, many observers are beginning to wake up to the urgent need for outcomes-driven reforms of the technical safeguards of universal suffrage on the continent.