25 Comments

inertia, not-invented-here and divergent interests are sufficient to radically slow disparate systems.

I don't understand your second question. I think private enforcement of local norms isn't hampered by lack of data sharing. How would private actors benefit from hiding what rules are applicable in a private space? How would that increase the danger of privacy invasion compared to the common, centralized approach you described?

What do you think will prevent the merging of non-govt systems? And what about the potential for private law that is hobbled by a lack of seeing what law people around you have?

Just the suggestion that it might encode whether the person is an ex-con or has outstanding warrants points directly at one of the issues that worries me most. There are very limited circumstances in which people with outstanding warrants and ex-cons are prohibited, but the number of places that accidentally make things more difficult for them, or lump all ex-cons together keeps growing over time, making it harder for these categories of people to move toward a more normal life. Different people have different ideas of who else should be added to those lists. The no-fly lists are notoriously difficult to get off of even when the listing is erroneous. Only a few years ago it wouldn't have been surprising to hear proposals that gays should be added to some registry so they can be excluded from some places. The currently outgoing president would surely want accused antifa members added to lists, and a previous administration would have wanted some of his supporters added.

The reason people don't like the idea of governments requiring citizens to provide identity pervasively is that governments have abused this power so often. The obvious examples are the Nazis and the Stasi, but the Apartheid regime and the present Chinese government are also examples. The US use of Census data to find people of Japanese descent to send to our own concentration camps shows that even a mostly liberal democracy can do similar things, and the fact that Trump was recently in office should scare us all about well-meaning politicians respecting norms or promises made by others.

I've long felt that facial and fingerprint recognition systems would be a lot less objectionable if every developer used a different encoding. My employer could still use it for access control to sensitive areas, but they'd be shared a lot less. I've long argued that a major problem of the widespread use of SSNs is that some people/organizations think that they're a public identifier, and others treat them as a secret that only the owner could know. The analogy here is that the benign packaging makes it possible to sneak in many hidden forms of social control. The Chinese have bundled citizen ID (with ethnicity and political leanings coded in) with a system that is used for everyday payment transactions, and is required for interacting with the government. The people in Hong Kong should resist the introduction of such a system with all their strength because the enforcement part of it will make their attempts to retain separate control progressively harder.

I agree that there will be creeping uses of separately developed systems, but I prefer that to a mandatory universal system. David Brin's Transparent Society makes a cogent case that a society without privacy for people or the government is conceivably a reasonable end point, but the direction we're heading and your proposal don't include the all-important sousveillance he advocated there.

If you have to have downloaded their app, applied, and been approved for each kind of space, there can't be very many such kinds. There is then a coordination issue of what will be the standards in the few kinds of spaces. I'm proposing such a standard.

Great proposal, but why not flip it upside-down and have independent privately controlled spaces (zones) each pick the appropriate ID system and required trust level rather than mandating one?

For example, to enter my house I must personally recognize and trust you or someone I trust must have vouched for you. I don't need RFID - I know if I recognize you or if you have a valid ConEd meter reader badge.

To enter an Amazon Go store, you must have the Amazon app installed on your phone - which means that Amazon trusts you not to shoplift since they have your credit card. Amazon could also make "Amazon Safe Spaces" where they warrant you would not be a victim of a violent crime by not letting in anyone who their algorithms suggest was an undue risk based on any measure Amazon wanted to use (including court records and past knife purchases!). Since Amazon is insuring the risk, I trust them to make good decisions on this.

Because zones are private property, people who try to enter without complying with whatever the authorization requirements are (try to sneak in without app, for example) are immediately trespassing so can be arrested for that rather than waiting for them to shoplift or assault. But importantly, the requirements to enter a zone are chosen by the owner of that zone rather than generally mandated from above, so they are likely to be better and cheaper and more dynamic.

You could see networks growing up where, say, Amazon and Costco share info on shoplifters and both benefit from each others' information. They have incentives to pick the required ID type well (possibly different for different customers). Eventually there could be credit reporting agencies that report (or even insure against) shoplifting risk (or violent crime) for any individual that has their app (or holographic face tattoo or registered iris pattern or sequenced DNA), and there might even be ways for people to buy trust by posting bonds with these private agencies.

Thanks to network effects, we would expect these controlled zones to grow and merge until it was potentially possible to wake up, walk your dog, go shopping, and play frisbee at the park all without ever being in a place where the risk exceeded your personal preference level. Maybe Trader Joe's has special grandma hours 5-6AM and convicted felons hours 11pm-midnight. Maybe private gated towns emerge where everyone gives up large amounts of privacy in exchange for security - but these towns would be opt-in and would grow to be whatever size matched how many people were willing to make that trade off (in competition with other towns making other trade offs, possibly with vouching treaties between them).

It all rides on the private property right of exclusion, so the more property that is privately controlled the better. Realistically the barriers to a system like this evolving up are misguided rules like SF's saying stores must take cash rather than requiring credit cards and even Amazon Go stores have already gotten push back for excluding people - maybe driven by the people who are excluded?

So the real question I think is, how can we encourage these systems to grow organically? Why do/will people oppose them when they seem to give optimal protections at optimal cost for people with wide ranges of preferences?

A great book that describes different types of real-world trust zones: https://amzn.to/3ahA7rs

Of course I'm not going to argue that! The null hypothesis here is not "no one should ever store info about you because the govt might get it in secret"; that's obviously a strawman. The null hypothesis here is current reality. Society, via the communally accepted method of the judicial system, decides what is and is not reasonable with respect to fundamental laws and morals. My position is that your hypothesis fails to defeat that null, based partially on the weakness of D), but more broadly on the intractability of unwarranted pervasive mandatory identification as a violation of the fourth amendment.

If you are going to argue that no one should ever store info about you because the govt might get it in secret, you are arguing for drastic changes to our current society.

A general argument only works if you are willing to endorse a general rule that ANY info ever stored about you by anyone else is always a terrible evil to be opposed with all available energy. Without that, you have to talk about concrete costs and benefits.

Well that wouldn't have much value. (So given that I haven't given up phone use, I guess you're next going to ask why I'm getting so exercised about location privacy. On reflection, perhaps this is just a consequence of my not yet fully appreciating all of the location-enabled benefits that await me).

PS. I am getting good at passing reCAPTCHA w/o knowing the target and with only 2.1 columns of photos to work with:-)

I find Charlie's general slogans to be persuasive versus your specifics. E.g., to reject a proposed perpetual motion machine consisting of a thousand gears, weights, and pulleys, it is legitimate to cite the unbroken general law of conservation of energy. Coincidentally, it is typical of those who propose such machines that they dismiss all such criticism as too general, insisting that their proposed vastly complex machine be analyzed in every detail. Hmm.

Phone data is similarly comprehensive. Would you be comforted by a requirement to delete data after some time delay?

My point was that if people have concerns about how much privacy and anonymity your design guarantees, there are well understood mechanisms to give greater guarantees. At higher cost of course. So the particular tradeoffs of your design are not reason for rejecting the basic mechanism.

I am aware of such things, but was seeking as robust a design as possible. I don't think my design much depends on details of crypto procedure security.

Unlike currently, *this* location data would be massively comprehensive. And given past gov't behavior, I don't see how we can be confident it will stay in the hands of the identity orgs.

As you probably already know, if you're willing to have even a modest amount of computing power on the device (which you seem to have assumed here), you can use cryptography.

In general, one can design cryptographic protocols for this sort of thing to guarantee pretty high levels of privacy and anonymity if you're also willing to assume certification authorities who have physical details about you.

So while people might be able to quibble with the details of your specific design, I think they should accept that your basic use case here is technically feasible and that independent experts could verify the stated properties of the final design and any implementations.

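The kind of protocol the comment above alludes to, as an added example that is not part of this thread: an RSA blind signature, where the identity org (the certification authority) signs a credential it cannot see, so it cannot later link that credential to the doors where it is presented. The key is a constructed toy (two Mersenne primes, far too small for real use) and the "token" is an assumed pseudonymous credential value.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the identity org. 2**89-1 and 2**107-1 are
# primes, giving a ~196-bit modulus: enough to demonstrate, not to deploy.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537                       # coprime with (P-1)(Q-1) for these primes
D = pow(E, -1, (P - 1) * (Q - 1))

def h_to_int(token: bytes) -> int:
    """Map the credential token into the RSA group (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def blind(token: bytes):
    """Holder side: hide the token behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and gcd(r, N) == 1:
            break
    blinded = (h_to_int(token) * pow(r, E, N)) % N
    return blinded, r

def issue(blinded: int) -> int:
    """Identity org side: sign the blinded value after checking the person
    in the flesh. The org never learns the token it is signing."""
    return pow(blinded, D, N)

def unblind(blinded_sig: int, r: int) -> int:
    """Holder side: strip r to obtain an ordinary RSA signature on the token."""
    return (blinded_sig * pow(r, -1, N)) % N

def verify(token: bytes, sig: int) -> bool:
    """Verifier side (a door, a store): checks the org's signature offline,
    so the org learns nothing about where or when the credential was shown."""
    return pow(sig, E, N) == h_to_int(token)

def demo():
    """Run one issuance and return (signature verifies, org's record is
    unlinkable to what the verifier sees)."""
    token = secrets.token_bytes(16)      # random pseudonymous credential
    blinded, r = blind(token)
    sig = unblind(issue(blinded), r)
    unlinkable = blinded != sig and blinded != h_to_int(token)
    return verify(token, sig), unlinkable
```

The org's log holds only the blinded value, which is statistically independent of the (token, sig) pair a door sees; a real deployment would add a token serial list at the verifier to stop replay, which this toy omits.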

But only the identity orgs have the location data under my proposal. Just like many orgs today have location data on you.
