<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CIPP Guide &#187; Vista</title>
	<atom:link href="http://www.cippguide.org/tag/vista/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.cippguide.org</link>
	<description>Your Guide to the CIPP</description>
	<lastBuildDate>Wed, 08 Sep 2010 13:49:14 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Microsoft&#039;s End-to-end Trust &#8211; a review of Chief Security Strategist Douglas Cavit&#039;s vision</title>
		<link>https://www.cippguide.org/2009/05/12/microsofts-end-to-end-trust-a-review-of-chief-security-strategist-douglas-cavits-vision/</link>
		<comments>https://www.cippguide.org/2009/05/12/microsofts-end-to-end-trust-a-review-of-chief-security-strategist-douglas-cavits-vision/#comments</comments>
		<pubDate>Tue, 12 May 2009 12:00:03 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[anonymization]]></category>
		<category><![CDATA[AppLocker]]></category>
		<category><![CDATA[Card Space]]></category>
		<category><![CDATA[chief security strategist]]></category>
		<category><![CDATA[Douglas Cavit]]></category>
		<category><![CDATA[end-to-end trust]]></category>
		<category><![CDATA[end2end]]></category>
		<category><![CDATA[federated ID]]></category>
		<category><![CDATA[federated identification]]></category>
		<category><![CDATA[Geneva]]></category>
		<category><![CDATA[ISSA]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[SD3]]></category>
		<category><![CDATA[SDL]]></category>
		<category><![CDATA[TPM]]></category>
		<category><![CDATA[Trusted Platform Module]]></category>
		<category><![CDATA[trusted stack]]></category>
		<category><![CDATA[Vista]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=497</guid>
		<description><![CDATA[Last week, the Chief Security Strategist for Microsoft, Mr. Douglas Cavit, presented a webcast to the Information Systems Security Association titled "End-to-end Trust: Creating a more trusted [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, the Chief Security Strategist for Microsoft, Mr. Douglas Cavit, presented a webcast to the Information Systems Security Association titled &#8220;End-to-end Trust: Creating a more trusted Internet&#8221;.  The presentation was a highlight of the <a title="Microsoft's End-to-end Trust initiative expects to remedy many network security concerns while still placing an emphasis on privacy" href="http://www.microsoft.com/end2endtrust" target="_blank">Microsoft strategy found on their end2end website</a>.  Although the audience and speaker were security focused, it is interesting how slanted the presentation was towards privacy considerations.  Creating an end-to-end trust implies having some knowledge of who you&#8217;re speaking with and how much you may rely on what they are saying.</p>
<h3>History &amp; Rationale</h3>
<p>Mr. Cavit explained the new push behind the End-to-end trust initiative.  The Internet empowers the end user, providing instant access to worldwide information and a freedom of expression capable of eliminating waste, eliciting transparency from governments and toppling dictatorial regimes.  &#8220;Blogging is the new town square,&#8221; he said during the presentation.  For all of its benefits, however, the &#8216;Net&#8217;s threats originally prompted Microsoft&#8217;s Security Development Lifecycle (SDL) initiative.  At the beginning the SDL centered on viruses crashing computers and the bad reputation Windows developed from poor coding practices.  More recently though, the SDL and SD<sup>3</sup> (Secure: by Design, by Default, in Deployment) work formed the basis in Microsoft&#8217;s view of how to tackle such issues as ID theft, child safety and combating zombies and botnets used in nation state attacks.  Microsoft formed a strategy on the premise that all of these types of networked issues come down to trust, or the lack thereof, and that the successful processes and procedures developed for dealing with security internally at Microsoft should be shared in the name of the greater good of the community.</p>
<h3><strong>Reputation in the Wild, Wild West</strong></h3>
<p>The parallel Mr. Cavit drew compared the current state of the Internet and the Wild, Wild West.  It was easy in the mid to late 1800s for an adversary to simply relocate to a different area, blend in and go unrecognized for the rest of their lives.  This anonymity faded away over the next hundred years, with discoveries and wide-ranging use of everything from photographs and fingerprints to car license tags and convenience store videos.  With each passing decade, reputation grew in importance.  A citizen&#8217;s fingerprint doesn&#8217;t typically show up in databases until after a crime or government service.  A car&#8217;s license tag remains unremarkable and a driver may enter another area without real fear of tracking.  However, once the vehicle becomes of interest because of, say, an Amber Alert, the plates proffer accountability and allow officials fast identification. </p>
<h3>Basis for trust</h3>
<p>What is the basis of trust?  What cues define an entity that deserves respect?  Those are two questions posed during the briefing.  In a face-to-face meeting, people use all five senses in evaluating others.  Visual clues such as excessive perspiration or an audible uneasiness in a speaker&#8217;s voice are telltale reliability metrics in a physical meeting.  There are simply no comparable attributes available in digital transactions.  In the physical world, once someone establishes a reputation, it&#8217;s relatively static, following the individual in future job prospects, social circles and housing efforts.  In a digital world, trust decisions are very dynamic and may be complete, limited, or untrusted.  Online trust is also quite often unreliable.</p>
<p>Mr. Cavit suggests how to create trustworthiness online, with a basis that &#8220;must start with a strong root&#8221;.  In Microsoft&#8217;s interpretation, that implies hardware, amounting to something such as the <a title="Wikipedia: TPM chip allows trusted computing from the hardware up" href="http://en.wikipedia.org/wiki/Trusted_Platform_Module" target="_blank">Trusted Platform Module, commonly referred to as the TPM chip</a>.  Microsoft calls this layering a trusted stack, and already touts the 64 bit version of Windows Vista as capable of securing up through the trusted applications layer.  The next version of Windows (7) will include something called AppLocker.  Similar to BitLocker, AppLocker controls what software may run in user mode, effectively creating application white lists.</p>
<div id="attachment_500" class="wp-caption alignright" style="width: 517px"><a href="http://www.microsoft.com/end2endtrust"><img class="size-full wp-image-500 " title="Microsoft's Trusted Stack" src="http://www.cippguide.org/wp-content/uploads/2009/05/trustedstack.png" alt="According to Microsoft, end-to-end trust must be built from the bottom up" width="507" height="304" /></a><p class="wp-caption-text">According to Microsoft, end-to-end trust must be built from the bottom up.  Source: Microsoft ISSA presentation</p></div>
<p>Trusted data and trusted people comprise similar verification systems.  To become a trusted person, one must apply in person, providing physical credentials expected to authenticate the individual.  This would be similar to submitting your driver&#8217;s license or passport to a Public Notary for practically any legal document.  Trusted applications writing data will access the trusted person&#8217;s digital credentials, verify the certificates and read and write digitally signed, thereby trusted, data.   (I&#8217;m sure there are several caveats to these scenarios from a security and privacy standpoint, such as an illegitimate in-person verification either due to identity theft or maybe a bribed employee, compromised locally cached credentials or a newly discovered cryptographic algorithm flaw.)  The <a title="InfoWeek explanation of TPM acting as its own trusted root" href="http://www.informationweek.com/news/security/encryption/showArticle.jhtml?articleID=208800940" target="_blank">trusted stack does serve as an academic starting point</a>.</p>
<h3>Anonymity</h3>
<p>The biggest stumbling block and loudest opposition to the end-to-end sorts of activities described come from the loss of anonymity highlighted by privacy pundits.  Mr. Cavit acknowledges that the possibility for privacy protections exists, without delving into many details during the one hour presentation.  The one area that he did cover surrounded identity federation, where a user has multiple credentials appropriate to separate tasks they&#8217;d like to accomplish online.  One example presented was a bowling league card, a driver&#8217;s license and an over 18 validation marker on a driver&#8217;s license.  Each of these IDs is appropriate for completing specific tasks.  Your league card probably won&#8217;t do much good if you&#8217;re stopped by a police officer, whereas your driver&#8217;s license won&#8217;t necessarily show you paid the $50 bowling membership fee.  </p>
<p>A federated identification system presents the correct credentials without exposing impertinent or inappropriate information, choosing the bowling league card at the lanes and the video rental card for the DVDs.  The over 18 marker is of interest as <a title="Equifax I-card proves a user is over 18, and is the first step towards a federated ID management system" href="https://equifaxicards.com/imover/overview.do" target="_blank">Equifax apparently offers an I-card credentialing program to prove adult status</a> without exposing any other personally identifying details to the requesting web site.  Federated ID  also avoids creating huge personally identifiable information (PII) databases.  Cavit highlights a successful implementation of a federated credentialing pilot program at the Lake Washington School System.  </p>
<div id="attachment_500" class="wp-caption aligncenter" style="width: 310px">
<p><a href="mms://msnvideo.wmod.llnwd.net/a392/d1/cmg/e2etrust/LWSD_LONG%20Version_720p_FINAL_700K.wmv"><span>Lake Washington School District uses federated identity management system for end-to-end trust</span></a></p>
<p class="wp-caption-text">Source: Microsoft end2end website</p>
</div>
<p>Mr. Cavit echoed several of the discussion points found on the end-to-end website, where <a title="Microsoft End-to-end Trust update" href="http://go.microsoft.com/fwlink/?LinkId=127119" target="_blank">Microsoft further addresses &#8220;Anonymity and User Control&#8221;</a>:</p>
<blockquote><p>First, there is concern about how we protect anonymity (and the values that anonymity supports, such as free speech) in a more highly authenticated Internet. Most have addressed this issue by noting the importance of allowing users to control what they disclose and when, a very important privacy principle (i.e., user control).  One commentator noted, for example, that “I imagine this won’t be perfect for a long time, but the last things I would want to see from these changes are lost privacies, and loss of control. The ultimate control should remain in the end-user’s hands.”  Similarly, another commentator noted that people have the right to “own and control their identity” and “be anonymous while controlling their identity at the same time.” </p></blockquote>
<h3>Auditing</h3>
<p>Another sticking point with privacy advocates lies in auditing.  In a trusted environment, every action must be attributable to someone.  That attribution involves the who, what, when and  where, which flies smack in the face of anonymity.  Mr. Cavit proclaims that much of this information may be anonymized away for privacy protection, but still accessible later for investigations and prosecution.  Challenges exist as there are no industry standard tools, collection processes or data formats.  Lacking common policies, sharing audit information between multiple companies, or even sectors within a company,  also presents liabilities as yet to be determined.  </p>
<div class="mceTemp">
<dl id="attachment_502" class="wp-caption alignnone" style="width: 571px;">
<dt class="wp-caption-dt"><a href="http://www.microsoft.com/end2endtrust"><img class="size-full wp-image-502 " title="Components that facilitate trust" src="http://www.cippguide.org/wp-content/uploads/2009/05/facilitatetrust1.png" alt="Trust isn't something that simply happens.  Without all five components, a trust model isn't trustworthy." width="561" height="391" /></a><p class="wp-caption-text">Trust isn&#39;t something that simply happens. Without all five components, a trust model isn&#39;t trustworthy.  Source: Microsoft ISSA presentation</p></dt>
</dl>
</div>
<h3>Risks and Rationale</h3>
<p>Mr. Cavit described the risks associated with the Internet&#8217;s lawlessness.  People are thinking twice about expanding presence or making further Internet based decisions for risk of reputation problems.  Teenagers are putting personal information on social sites without regard to the persistence of the Internet.  Cavit specifically cited dating and feuds where teens want to highlight <em>their</em> perspective on a situation before someone else posts something slanted negatively.  Botnets continue growing, and spam overloads 90% of the total mail traffic on the web.  The presentation ended with Mr. Cavit&#8217;s &#8216;One Key Question&#8217;:</p>
<blockquote><p>As we become increasingly dependent on the Internet for all       our daily activities, can we maintain a globally-connected, anonymous,       untraceable Internet and rely on devices that run arbitrary code of       unknown provenance?</p></blockquote>
<p>We now know the rationale/strategy behind Microsoft&#8217;s response.  Mr. Cavit admitted that, essentially, some anonymity must be relinquished for higher levels of trust, equating this fact several times to driver&#8217;s licenses, automobile tags and video surveillance in today&#8217;s society.  Cavit said, &#8220;Free speech is not the ultimate objective&#8221; of the End-to-End Trust initiative.  Rather, the objective should be allowing users the ability to balance anonymity with trust, to accept communications from unknown senders with full knowledge of the consequences.  Microsoft hopes to &#8220;[e]nable law enforcement to find more criminals and thus increase deterrence,&#8221; with the &#8220;want to be able to prosecute&#8221; people who act maliciously on the Internet.</p>
<h3>Q&amp;A</h3>
<p>The 46 attendees asked Cavit several questions at the end of the presentation surrounding practicality, implementation, other participants in the trust initiative and the progress surrounding the federated anonymization.  Currently there are 3 different bills in Congress discussing cyber defense and security, and most of the technology already exists and is implemented today.  Identity metasystems have existed on Windows since Card Space shipped with XP SP3, and <a title="Microsoft Geneva provides simplified user access and single sign-on" href="http://msdn.microsoft.com/en-us/security/aa570351.aspx" target="_blank">Geneva</a> provides a back end development interface for single sign-on and cloud computing authentication.  As with the federated identification, Cavit points out you want the concept, not a standard.  The biggest hurdle surrounds the in-person proofing from multiple sources and what sorts of reputation go along with those credentials.  </p>
]]></content:encoded>
			<wfw:commentRss>https://www.cippguide.org/2009/05/12/microsofts-end-to-end-trust-a-review-of-chief-security-strategist-douglas-cavits-vision/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UK&#039;s secret spies nix huge covert operation after loss of USB memory stick</title>
		<link>https://www.cippguide.org/2009/05/04/uks-secret-spies-nix-huge-covert-operation-after-loss-of-usb-memory-stick/</link>
		<comments>https://www.cippguide.org/2009/05/04/uks-secret-spies-nix-huge-covert-operation-after-loss-of-usb-memory-stick/#comments</comments>
		<pubDate>Tue, 05 May 2009 03:00:02 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Britain]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[DEA]]></category>
		<category><![CDATA[Drug Enforcement Agency]]></category>
		<category><![CDATA[memory stick]]></category>
		<category><![CDATA[MI5]]></category>
		<category><![CDATA[MI6]]></category>
		<category><![CDATA[National Security Agency]]></category>
		<category><![CDATA[nsa]]></category>
		<category><![CDATA[SE Linux]]></category>
		<category><![CDATA[Serious Organized Crime Agency]]></category>
		<category><![CDATA[SOCA]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[USB memory stick]]></category>
		<category><![CDATA[Vista]]></category>
		<category><![CDATA[Windows Vista]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=454</guid>
		<description><![CDATA[Last week, the British Security Service and Secret Intelligence Services, better known as MI5 and MI6, showed exactly how expensive information security procedures really can be.  Details unveiled last week show MI6 scrapped a 2006 undercover drug raid operation in Colombia for fear that a lost USB stick containing covert agents and informants may have fallen into the wrong [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoPlainText">Last week, the British <a title="Wikipedia: Military Intelligence, Section 5 - British Security Service" href="http://en.wikipedia.org/wiki/MI5" target="_blank">Security Service</a> and  <a title="Wikipedia: Military Intelligence, Section 6 - British Secret Intelligence" href="http://en.wikipedia.org/wiki/MI6" target="_blank">Secret Intelligence Services</a>, better known as MI5 and MI6, showed exactly how expensive information security procedures really can be.<span> Discussions abound of <a title="CIPP Guide: Interview with Barbra Symonds discussing costs and number of data breaches in the US" href="http://www.cippguide.org/2008/06/12/an-interview-with-barbra-symonds-ibm-associate-partner-in-security-privacy-it-governance/" target="_blank">breach notification costs</a>, <a title="CIPP Guide: British private investigator and construction companies fined for violating EU Data Protection Directive privacy laws" href="http://www.cippguide.org/2009/04/20/uk-builders-blacklist-demonstrates-eu-privacy-protections/" target="_blank">fines for lack of compliance</a>, or <a title="CIPP Guide: UK Prison inmates medical records breach due to lost USB memory stick" href="http://www.cippguide.org/2009/01/13/lost-memory-stick-holds-thousands-of-uk-prison-inmates-medical-dat/" target="_blank">medical record leaks</a>, but rarely do you hear that lives were jeopardized due to a failure in information privacy.  Details unveiled last week show <a title="UK's spy shop cancels major undercover operation after loss of unencrypted USB memory stick" href="http://www.vnunet.com/vnunet/news/2241156/mi6-scraps-operation-loss" target="_blank">MI6 scrapped a 2006 undercover drug raid operation in Colombia for fear that a lost USB stick may have fallen into the wrong hands</a>.  The memory stick contained information on dozens of agents and informants, requiring relocation of most of the affected individuals.</span></p>
<p class="MsoPlainText"><span>The scheduled drug raid was a joint operation with MI5, MI6, the US Drug Enforcement Agency and organized by the <a title="Britain's Serious Organized Crime Agency" href="http://www.soca.gov.uk/" target="_blank">Serious Organized Crime Agency</a>.  SOCA received £416 million in funding for 2006 (about $625 million), but did not release how much of that budget went for the covert operation.  <a title="Times online describes Soca lost USB memory stick blunder and costs" href="http://www.timesonline.co.uk/tol/news/politics/article6169946.ece" target="_blank">An internal source claimed to The Times &#8211; London that the aborted operation cost over £100m ($150M).</a> The agent responsible for the loss, referred to only as &#8216;T&#8217;, lost her purse somewhere between the airline terminal, the immigrations checkpoint and a bus from El Dorado airport in Bogota, Colombia.  She was heading to her new office at the British Embassy.</span></p>
<p class="MsoPlainText">A Soca spokeswoman said: “Soca has introduced its own clearly defined data handling and security policies. During the year to March 2009 — the first year we have been required to report any breaches — there wasn’t a single breach of personal or sensitive data by Soca staff.”</p>
<p class="MsoPlainText">The agencies took the first steps by defining data handling policies and measuring/reporting against them.  An inquiry and formal investigation into the event occurred, and remedies put in place appear to be working.  The obvious question &#8211; why was encryption not used for this sort of situation?</p>
<p class="MsoPlainText">The <a title="CIPP Guide: A group of hackers known as The Cult of the Dead Cow created a secure computer, incorporating encryption, anonymization, privacy protections and more, that will operate off a USB memory stick" href="http://www.cippguide.org/2007/10/08/want-to-avoid-wiretaps-or-questionable-search-and-seizure-try-a-secure-computer-on-usb/" target="_blank">secure computer on a USB key</a> was developed for <em>just this sort of cloak and dagger thing</em>. There are encryption routines built into every commercial operating system available today.  Dozens of security vendors sell encryption software, ranging from Full Disk Encryption, to <a title="Sans Institute What Works in Mobile Device Encryption Conference" href="http://www.sans.org/encryption07_summit/" target="_blank">mobile device encryption</a>, to <a title="Sans Institute lists encryption vendors" href="http://www.sans.org/resources/vendor_directory/directories.php?catid=143" target="_blank">file level and storage encryption</a>.  The US <a title="The NSA helped secure Microsoft Windows Vista for use within classified environments" href="http://pcworld.about.com/od/longhorn/NSA-Helped-Microsoft-Make-Vist.htm" target="_blank">National Security Agency helped Microsoft with Windows Vista.</a> They designed a <a title="NSA develops SE Linux (Security Enhanced Linux) for classified operational environments" href="http://www.nsa.gov/research/selinux/index.shtml" target="_blank">security enhanced version of Linux</a>.  The British Intelligence folks have their hands in a few secured systems as well.</p>
<p class="MsoPlainText">Encryption ought to be just another wicket in the ingrained security processes of an intelligence operation.  In fact, <strong>encryption ought to be a requirement for </strong><strong>every organization that processes private or mission critical information</strong>.  Security product provider Checkpoint points out the dire situation best in a February 2009 UK survey: &#8220;&#8230;less than 50% of the UK public and private sector organisations use any form of data encryption.&#8221;</p>
<p class="MsoPlainText">For a privacy professional, knowledge of information security and its ramifications for privacy is paramount to successful data protection.  Personally Identifiable Information, Private Health Records, Personal Financial Information &#8211; it&#8217;s all only as confidential as the protections surrounding it.  If the security provisions do not guarantee the data are available and the integrity&#8217;s intact, there could be more than fines or company reputation at stake.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.cippguide.org/2009/05/04/uks-secret-spies-nix-huge-covert-operation-after-loss-of-usb-memory-stick/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
