Implementing Data Governance at Internet Scale
Two authors have recently raised important ideas on Internet data governance. Microsoft’s Craig Mundie, in his recent paper “Privacy Pragmatism”, and MIT’s Alex Pentland, in a series of academic papers and his recent book “Social Physics”, both argue for governance of data usage that maximizes the benefit to society as a whole while still protecting the rights of the individuals who actively or passively provide that data.
In this blog we will summarize the ideas of both authors and show how it is possible to implement their ideas at the scale needed for modern networked society.
Craig Mundie writes that regulations around data privacy are inadequate and have the wrong focus. The explosive growth of data being collected (either actively by consent or passively via sensors and the Internet of Things) makes it almost impossible to legislate collection and retention requirements.
Even when collection is consensual, the 300 pages of legalese that typically come with an end user license agreement may simply confuse consumers as to what they are consenting to. The focus, he argues, should not be on collection and retention but on how personal data is used, with a framework that lets consumers control the circumstances under which usage is acceptable, no matter how the data was collected. He goes on to propose how this could be implemented:
"A good place to start would be to require that all personal data be annotated at its point of origin. All electronic personal data would have to be placed within a “wrapper” of metadata, or information that describes the data without necessarily revealing its content. That wrapper would describe the rules governing the use of the data it held. Any programs that wanted to use the data would have to get approval to “unwrap” it first. Regulators would also impose a mandatory auditing requirement on all applications that used personal data, allowing authorities to follow and observe applications that collected personal information to make sure that no one misused it and to penalize those who did."
- Craig Mundie, Microsoft
We agree with the goal. The mechanism he proposes, however, follows the lines of Microsoft’s Office DRM system: it relies on a central authority to define what is true, and that cannot work for massive-scale open systems such as the Internet. He may be unaware that the Guardtime KSI scheme was awarded top prize by the media at the Microsoft Ventures China accelerator, and that we have been working with Microsoft to implement it in Microsoft’s Smart Cities initiative, and with IBM on their health-cloud initiatives, both in China, where “trust” may not extend beyond the immediate family.
Alex Pentland, in his book “Social Physics”, talks about a “data-driven society”, and how the value of our data is greater when it is shared because it informs improvements in systems such as public health, transportation and government. At the same time he points out that it is necessary to maintain the protection of personal privacy to ensure our future success as a society. Pentland comes close to Mundie’s argument in focusing on the use of data and not just its collection. The second item of his New Deal on Data:
"You have the right to full control over the use of your data."
- Alex Pentland, from “Social Physics”
This is in line with Mundie’s thinking, and although Pentland talks of the need for “more powerful and sophisticated tools for data privacy” he stops short of making concrete proposals. Both authors make valid and important points; what is needed next is a simple and practical mechanism for implementation. In the next section we introduce KSI technology and show how their schemes can be implemented at Internet scale without the need for central trust authorities.
KSI (Keyless Signature Infrastructure)
After suffering a crippling, prolonged national-scale cyberattack in 2007, Estonia recognized that a new approach was needed to restore and guarantee trust in digital systems. Under the auspices of the Estonian Government and the small country’s private sector, a team of specialists designed and implemented Keyless Signature Infrastructure (KSI), an exabyte-scale, real-time authentication scheme for the world’s networked digital assets.
The signatures generated by KSI can be used as a wrapper (or stored as additional metadata, depending on the data model) for data of any size and type, such that the signature is cryptographically linked to the underlying data. That link allows assertions to be made at a later date regarding the time, integrity and provenance of the data. The properties of KSI relevant to data governance are:
- Scale: Signatures can be generated at exabyte scale. Even if an exabyte (1000 petabytes) of data were generated around the planet every second, every data record (about a trillion records per second, assuming a 1 MB average size) could be signed with negligible computational, storage and network overhead, because records are aggregated into hash trees and only the per-round root hash needs to be published.
- No trust authority: The properties asserted by a signature (time, i.e. when the data was signed, and integrity, i.e. that the underlying data has not changed since) can be verified independently, without reliance on a trusted authority. Identity information for individuals or organizations can be added by any traditional authentication mechanism.
- Portability of evidence: The data can be verified even after it has crossed organizational boundaries and service providers, and even offline, because the verifier needs only the data, its signature and the published root hash.
- Real time: Once a signature is generated it can be verified immediately afterwards, by anyone, anywhere.
- Indefinite expiry: The signatures are built from hash functions alone, with no secret keys that could leak or expire, so they do not expire and remain quantum-immune, i.e. secure even after the realization of quantum computation. The caveat a practitioner should keep in mind is that this holds for as long as the underlying hash function remains collision- and second-preimage resistant; a quantum adversary gains at most a square-root speedup (Grover) against a hash, which is why hash output sizes are chosen with margin.
The Years of PKI
For almost 40 years PKI has been the only tool in the cryptographic toolshed for authenticating data via digital signatures. PKI relies on trust authorities: a Certificate Authority (CA) in the case of identity, and a Time Stamp Authority (TSA) in the case of time. As we outlined in a previous post, if all you have is a PKI hammer, then everything looks like a nail. Public-key cryptography was invented before the Internet as we know it existed, and was designed so that two parties can establish a shared secret across an insecure channel; for that purpose it has been a massive success. For everything else, and especially for large-scale authentication of data at rest, the complexity and cost of key management (issuance, revocation, rotation, and re-signing before keys and certificates expire) make it very hard to scale. The 1990s were the “Years of PKI”. Nothing materialized then, and in 2014 nothing much has changed. Like eating soup with a fork, it is the wrong tool for the job.
KSI extends Ronald Reagan’s Doctrine to Cyberspace
When presented with KSI, the first reaction of most technicians is disbelief: how can you prove time without a trusted time source? How can you authenticate an exabyte of data within a single second? Typically, after the multi-hour math fight, understanding dawns and the implications become clear for cyber security, for insurance, for financial transactions, for health care and for governance, both national and of the Internet: it is now possible to eliminate the need for trusted authorities to validate electronic information.
To us in Estonia the “transparency reports” published by Google are reminiscent of Soviet production reports: a noble and worthwhile goal, but how can you trust the message if you cannot trust the messenger? Prior to the digital age the answer would have been “доверяй, но проверяй”, a Russian saying that was translated for Ronald Reagan and became his signature phrase “Trust, but Verify”.
This worked in the physical world of nuclear weapons because extensive verification procedures could be put in place to monitor compliance on both sides. What, however, of the digital world? How can anything be verified when all activity is represented in digital form and is easily manipulated without leaving a trace? KSI achieves exactly that for the digital world: outsiders can verify everything that happens to data, independently of those who manage the data.
Jason Hoffman, founder of the cloud computing company Joyent and currently head of digital strategy at Ericsson, and Rainer Gerhards, the German author of the rsyslog logging daemon, were among the first technical visionaries to understand the implications of KSI.
In 2013 Gerhards integrated KSI into rsyslog, the de facto standard logging daemon for Linux. Available as open source on most Linux distributions, the integration allows event-level verification of logs: the time, integrity and provenance of every individual event in every log file can be verified without the need to trust the administrators of those machines or the security of cryptographic keys. This has important implications for the insider threat, a topic often in recent headlines, since an administrator who edits or deletes a log line after it was signed can no longer produce a line that verifies against the published root.
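To make the properties listed above concrete (aggregation into a hash tree, a published root instead of a trusted authority, verification with nothing but hash functions) and to show what event-level log verification of the rsyslog kind looks like, here is a simplified hash-tree timestamping scheme in Python. It is an added illustration written for this post, not Guardtime's KSI implementation nor the rsyslog module: the in-memory PUBLICATIONS dictionary stands in for the widely witnessed publication of each round's root hash, the round number stands in for the time claim, and the log lines are constructed samples.

```python
"""Hash-tree (Merkle) timestamping of log events, in the spirit of KSI.

Constructed illustration, not Guardtime's code. Records are hashed into a
Merkle tree per aggregation round; the round's root is "published" (here to an
in-memory dict that stands in for a newspaper ad or public calendar); each
record's signature is its hash chain up to that root. Verification needs only
hash functions: no keys, no trusted server, and it works offline.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Domain separation so a leaf can never be confused with an inner node
# (closes the classic second-preimage trick against Merkle trees).
def leaf_hash(record: bytes) -> bytes:
    return sha256(b"\x00" + record)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def _pad(level: List[bytes]) -> List[bytes]:
    # Odd-sized levels duplicate their last node so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 == 1 else level


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Return all tree levels, leaves first, root (a single hash) last."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = _pad(levels[-1])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


@dataclass(frozen=True)
class Signature:
    round_id: int                         # aggregation round: the "time" claim
    chain: Tuple[Tuple[str, bytes], ...]  # (side, sibling hash) from leaf to root


# Hypothetical stand-in for the widely witnessed publication of root hashes.
PUBLICATIONS: Dict[int, bytes] = {}


def sign_round(round_id: int, records: List[bytes]) -> List[Signature]:
    """Aggregate one round of records, publish the root, return per-record chains."""
    leaves = [leaf_hash(r) for r in records]
    levels = build_levels(leaves)
    PUBLICATIONS[round_id] = levels[-1][0]
    sigs = []
    for idx in range(len(leaves)):
        chain, i = [], idx
        for level in levels[:-1]:
            lvl = _pad(level)
            sib = i ^ 1                      # sibling index at this level
            chain.append(("L" if sib < i else "R", lvl[sib]))
            i //= 2
        sigs.append(Signature(round_id, tuple(chain)))
    return sigs


def verify(record: bytes, sig: Signature, publications: Dict[int, bytes] = PUBLICATIONS) -> bool:
    """Recompute the chain from the record and compare with the published root.

    The verifier needs only the record, its signature and the publication;
    it does not talk to whoever produced the signature.
    """
    expected = publications.get(sig.round_id)
    if expected is None:
        return False
    acc = leaf_hash(record)
    for side, sibling in sig.chain:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return acc == expected


# Constructed sample events (not real logs).
EVENTS = [
    b"Jan 10 09:12:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5",
    b"Jan 10 09:12:07 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    b"Jan 10 09:13:44 web01 sshd[2290]: Failed password for root from 203.0.113.9",
    b"Jan 10 09:13:45 web01 sshd[2290]: Failed password for root from 203.0.113.9",
    b"Jan 10 09:15:02 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/cat /etc/shadow",
]


def demo() -> Tuple[bool, bool, bool]:
    """Sign one round; then an insider rewrites the incriminating event."""
    sigs = sign_round(round_id=1, records=EVENTS)
    all_ok = all(verify(e, s) for e, s in zip(EVENTS, sigs))
    tampered = EVENTS[4].replace(b"/etc/shadow", b"/etc/motd")
    return all_ok, verify(tampered, sigs[4]), verify(EVENTS[4], sigs[4])


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Each signature is a handful of sibling hashes (logarithmic in the round size), which is where the "negligible overhead" at scale comes from, and the only thing a verifier must trust is that the published root is the one that was actually witnessed in that round. In KSI the per-round roots are further chained into a hash calendar, which is what binds a signature to a point in time without a trusted clock; the per-round publication above is a simplification of that step.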
The implications for data privacy and security are profound. Cyber security is concerned with reducing the likelihood of a threat being realized (think malware, IP theft, espionage, identity theft), whilst privacy is concerned with the same threats plus demonstrating compliance with global and country-specific legal requirements. Both goals can be pursued simultaneously with KSI.
Security
By integrating KSI into networks, every component, configuration and digital asset can be tagged, tracked and located with real-time verification, no matter where that asset is transmitted or stored. With that real-time awareness it becomes possible to detect, and react to, any misconfiguration or any network, component or application failure, which in turn supports real-time incident response, data-loss prevention, investigation and network resilience. Privacy is what you get from effective security.
Compliance
With the portability of evidence afforded by KSI signatures, implemented within governance frameworks such as those proposed by Mundie and Pentland, consumers can define how their data is to be used, service providers can provide service, auditors can audit, regulators can regulate, and nothing can be covered up: effectively complete transparency and accountability for networked society. Hoffman points out that with KSI implemented across service providers it is still impossible to prevent crime, but it is possible to have 100% detection and to take action to hold accountable those responsible.
Conclusion
Hans Vestberg, CEO of Ericsson, commented on security in a recent interview: “Of course there are concerns. That’s why vendors like us must operate with complete transparency and trust.” The good news is that by adopting frameworks such as those proposed by Mundie and Pentland, implemented using KSI and delivered as a core network service to governments and global corporations via their telecommunication partners, it is possible to deliver complete accountability and transparency, re-establishing trust in global business, achieving the mutual benefits of shared data and still guaranteeing full compliance with the privacy rights of individuals.
To quote Victor Hugo:
“Nothing is as powerful as an idea whose time has come”.
For KSI, that time is now.