ABSTRACT

Threats to privacy are often seen as efforts launched by governments or large corporations, using their power to circumscribe individuals' rights. Yet often individuals voluntarily surrender their privacy for promises of security or, more frequently, pure convenience. Based on technologies already available or certain to appear within the next few years, this paper explores how much convenience could be gained, and how much privacy lost as these technologies enter the mainstream.
The precise form this will take and its immediate and longer-term consequences are as impossible to predict as it would have been to envision, in 1875, all the ways in which the telephone has become a part of modern life. However, just as one could confidently predict in 1930 that eventually one could direct dial from any telephone in the world to any other, we can extrapolate at least the technological capabilities certain to emerge in the near future. Technologies which meet perceived needs are often swiftly adopted. This paper will identify the key technological trends behind this coming revolution, sketch how the products which result from the maturation of these technologies might look and feel to the humans who buy them, and consider some of the social and political consequences, beneficial and adverse, which may result from these developments.
I've created "Unicard™" to be the concrete embodiment of this new technological era. The following definition is taken from the preface of the original document The Unicard Interface--Provider's Design Guide, 1998 edition, published by The Unicard Consortium, describing what is now called Unicard I.
"Physically, Unicard is a 54x85 mm plastic card, 0.5 mm thick, incorporating a standard microprocessor, the Unicard interface software in ROM, its unique identity code, and 4 megabytes of nonvolatile memory. Interface between Unicard and external devices is through an inductive link which both powers the card while it is being interrogated and provides a bidirectional data channel. Each Unicard contains a non-alterable 512-bit identity. Unicard's exterior includes provisions for the owner's photograph, a magnetic stripe for compatibility with first-generation credit card readers, and a holographic validity tag. The balance of the surface is available for decoration.
Operationally, Unicard serves as the cardholder's identification for all forms of transactions and interactions. Unicard can potentially replace all the following forms of identification and credentials:
- Passport and visas
- House and car keys
- Driver's license and automobile registration(s)
- National ID card
- Employee ID card
- Bank credit, debit, and automatic teller cards
- Health insurance card
- Medical history/blood type/organ donor cards
- Automobile insurance card
- Telephone credit card(s)
- Membership card for clubs, museums, etc.
- Frequent flyer club card(s) and flight coupons
- Car rental discount card(s)
- Train, bus, airplane, toll road and bridge tickets
- Airline flight boarding pass
- Train and bus pass and subscription card
- WHO immunisation certificate
- Telephone number
- Personal telephone directory
- Passwords for access to computers, data services, and networks
- Software subscription access keys
- Cable and satellite TV subscriptions
- Cellular phone and personal digital assistant personal ID
- Encryption keys for secure electronic mail, phone, and FAX
- Electronic signature key
Unicard does not require any of the above documents be eliminated; they can still be issued and used separately, if desired. But the Unicard holder may, when patronising a Unicard member organisation, dispense with the separate documents and subsume them into Unicard. Most information linked to Unicard is not physically stored on the card, but accessed using a highly-secure key from databases maintained by individual organisations, "Providers", both governmental and commercial, whose computers are linked into the Unicard worldwide backbone."
The commercial realisation of this trend is visible in the leapfrogging technological development of Personal Digital Assistants (PDAs) such as the Apple Newton and EO. Xerox PARC envisions an era where an individual may have ten or twenty computers--just as one may have ten or twenty books or magazines open at various places, notepads, etc., all able to access the same pool of information and communicate. If these devices become as standard as pads of paper, they will be as individual as the notepad you're scribbling on as you enumerate the holes in my argument, which is personal only in the sense that you're currently writing on it. Once you tear off the pages you've written, it's just a notepad.
Once computers are ubiquitous and universally intercommunicate, what matters is who you are, not which computer you're using. Picking up a computer and identifying yourself to it (by inserting your Unicard in the slot) makes it "your computer"--with access to all of your files, privileges, etc. When you put it down, it ceases to be "yours" and becomes "just a computer", as any pad of blank paper is "just a pad of paper".
Ubiquitous computing manifests itself in other unexpected ways, even in the crude Xerox PARC prototype. Their equivalent of Unicard is called a "tag"--a unique identification of an individual. The ability of tags to be scanned at a distance (a common capability in current commercially-available employee badge systems), permits telephone calls for an individual to be automatically routed to the closest telephone and notification of the arrival of electronic mail, FAXes, and telephone voice mail messages to appear on a LiveBoard wall display in the room where the individual currently happens to be, or to an in-hand UniPad. The active badge, which allows keeping track of people's location wherever sensors are installed, is a commercial product available from Olivetti.
Embodied in the Personal Digital Assistant, this trend is sufficiently visible to have appeared in Doonesbury. Personal communicators, which permit identification of individuals, wireless communication, and continuous location tracking are ubiquitous and unremarkable fixtures of Star Trek: The Next Generation; the reader is reminded that just because something appears on Star Trek doesn't imply it's currently impossible.
Over the past few years, the growth of the Internet has moved direct access to the global network from a luxury to a necessity for any organisation involved in science and technology. Those institutions and companies who, from fear or a false sense of economy, are not yet connected to the Internet, are presently being carried by their staff who maintain personal accounts on commercial Internet Service Providers such as Panix, Metronet, Netcom, The Well, EUnet, etc. As direct high-bandwidth connectivity becomes essential, these over-cautious agoraphobic organisations will disappear into the bit bucket of history, beside the early Twentieth century businesses who believed the telephone an unnecessary distraction.
As the backbone of the Internet has expanded and increased in bandwidth, the reach of the global data network has expanded. The integration of last-generation X.25 connections with ISDN service has brought packet data service as close as the nearest telephone jack in much of Europe and (belatedly) the Americas. Most first-world countries now have multiple Internet Service Providers who offer dial-up SLIP or PPP connections which provide hard "on the net" connections to any customer with a modem. The emergence of 56kb dial-up modems promises to make this service commonplace even in areas not yet served by ISDN.
The asymmetry of Internet bandwidth to an individual site (wideband in, narrowband out), lends itself to asymmetrical solutions. In the Western Hemisphere, PageSat provides a satellite downlink of NetNews and electronic mail which requires only an unobtrusive 63 cm dish to receive. Some cable television companies (who have bandwidth to burn) are providing a 10 Mb/second Internet link to their subscribers.
As the breadth and bandwidth of the Internet has grown over the last few years, so its ubiquity will grow in the next few. Already, in the San Francisco Bay area, wireless bidirectional Internet access at 19.2kb is available--you can read NetNews while walking the dog or sitting in a traffic jam. The advent of global digital cellular communication (GSM in most of the world, some incompatible but equivalent clone in the U.S. and its technological colonies) will provide wireless mobile 56kb net access anywhere one can use a cellular phone. The launch of Motorola's Iridium (and/or other competing LEO COMSAT swarm systems) will extend network access, albeit at lower bandwidth, to the most remote points of the globe. A member of an expedition climbing Mount Erebus in Antarctica will be able to insert his Unicard into an Iridium-capable PDA and send pictures, snapped seconds ago with the PDA's CCD camera, to a colleague working with the Greenland Icesheet Drilling Project. Putting up with icky delays and gnarly MPEG artifacts, they can discuss the pictures in a picturephone link.
The coming of age of the Internet in the public consciousness has also been signaled by its appearance in Doonesbury and The New Yorker.
From the outset, public key cryptography promised solutions to the most intractable problems of information security: secure communication between strangers without prior key exchange and verifiable digital signatures. Yet still one wondered. Public key cryptography assumed the existence of "trapdoor" functions--mathematical functions easily calculable in one direction yet intractable in the inverse.
Since there is no easy proof that a given computation meets the criteria of suitability as a trapdoor function, one is forced to submit a candidate to the scrutiny of the mathematical community to see how robust it is.
In the last few years a consensus has developed. Trapdoor functions based upon the prime factoring of very large numbers are secure against foreseeable attacks.
Oddly, validation of this view has come from an effort which has, as its goal, the restriction of access to encryption technology and the granting to government the power to override an individual's right to privacy subject to a court order. The "Clipper chip" proposed by the United States is a silicon realisation of a public key/private key encryption mechanism. The "key escrow" proposed for this scheme is, therefore, a repository which stores private keys which may be released, in the interests of surveillance, only after a stringent set of legal safeguards have been complied with.
If "public key/private key" encryption schemes were not secure, there would be no reason to burden their users with a "key escrow" mechanism--the organs of internal security could just crack the code by themselves and read everybody's mail. The very existence of key escrow acknowledges that "we have them now"--there is an encryption technology which is computationally intractable even by the codebreakers, to such an extent they're forced to demand legislative relief to continue to read our mail.
Even data security techniques much less secure than public key methods are perceived as threats by Great Power intelligence agencies. The recent successful attempt to limit the anti-eavesdropping security in the GSM digital cellular telephone standard is evidence of this (and provides, to the educated observer, a useful benchmark of the real-time decryption capability presently available.)
Differential techniques, where the GPS receiver communicates with a local station whose precise co-ordinates are known (for example, the transmitter of the nearest mobile telephone cell), routinely permit 5 metre accuracy without access to the military code, and experiments underway at NASA Langley Research Center with a Boeing 737 have demonstrated 2 metre accuracy and suggest 1 metre accuracy is within reach.
If you've worked with GPS receivers, you've undoubtedly observed that they don't work unless the antenna has a largely unobstructed view of the sky. Since the major application of GPS is marine and aircraft navigation, this poses no problem since naval vessels rarely if ever sail down the concrete canyons of Gotham. For broader applications such as automobile navigation systems, tracking of truck location for courier services, etc. GPS is less useful. Numerous navigational technologies are being developed to supplement or supplant GPS for these applications, including transponder-based systems, low Earth Orbit active navigation satellites, possibly piggybacked onto a communication system such as Iridium, and the ground-based "pseudolites" being developed at Stanford, 2×3 inch printed circuit boards which transmit a high-precision GPS-compatible signal to a local area. Both U.S. and Russian Earth resources satellites now carry receivers for the SAREX system, which enables location of those in need of search and rescue in remote areas. SAREX has already saved numerous lives, particularly in the Arctic.
Looking back over those five years, it's hard to imagine that so few investors believed in Unicard that its IPO, finally completed in August of 1999, sold at a price, accounting for subsequent stock splits, of less than ten cents. It's even harder to imagine a world without Unicard. For what is Unicard today, but the very membership badge that identifies citizens of Earth, making so many previously difficult things easy and sweeping away problems that plagued civilisation for centuries?
With Unicard, doors unlock themselves for you as you put your hand on the knob, while remaining secure against intruders. The starter button on your car works only for the people you've authorised to drive it. You're free from the burden of carrying cash, credit cards, drivers' licences, auto registration, insurance forms, passports, and all that--you don't need them as long as you have Unicard, and you always have it--after all, would you go out without any of the things it replaces?
Gone is the fear of theft. If you lose Unicard or somebody is foolish enough to steal it, simply dial 119 on any communicating device, no Unicard needed, and cancel your old card. You can pick up a new one at any post office or bank within an hour. A crook who tries to use your stolen card will identify his location with each transaction granted while the authorities converge upon the miscreant. And the Unicard Safety Net indemnifies all Unicard clients against all losses incurred through theft or fraud.
With Communicating Unicard IV, first issued on July 20, 2002, the Liberation Through Security™ of Unicard took another leap. Equipped with a local low-power RF transponder, Unicard IV eliminated the need to even produce the card, except when using earlier generation equipment. Remember all the years you spent in the grocery line, watching your purchases be efficiently computer-scanned and yet, at the end, having to fumble with bills and coins? How natural it seems today to just walk through, the Unicard in your pocket automatically charging the purchase to your designated Active Debit Account.
Bridge toll booths, immigration lines at the airport, company security checkpoints, employee badges have vanished like the morning dew thanks to Unicard. Unicard is increasingly not just an "Open Sesame" that makes barriers open, but an invisible force that makes them disappear as obsolete and unnecessary.
How many parents remember the anxiety of child-rearing before Unicard? Now, with your child's Unicard sewn into his or her clothes, your child can never be lost--a simple call to your local Unicard office or police station, verified by your Unicard as a parent, and your child is immediately located. No more little lost children either--a simple scan of their Unicard identifies the nearest parent and dispatches a telephone call to their communicator or, if they have none, the nearest telephone. To increase the sense of security that Unicard provides, many parents are now opting to implant subcutaneous Unicard compatible identity chips before their babies come home from the hospital. A technology proven safe over 20 years of veterinary use and implanted in more than 15 million humans today, the identity chip may, in time and with the development of technology, make the current physical Unicard obsolete. The Unicard Consortium understands that many people are uneasy with the identity chip concept and, while maintaining compatibility between Unicard and the Consortium members who provide identity chips, neither supports nor opposes their implantation. The Unicard Consortium opposes any governmental or corporate attempt to mandate identity chips.
With the adoption of the United Nations Convention on Credentials in 1998, and its subsequent adoption first by the Republic of California in 1999, and then by the United States and the European Union in 2001, all citizens and residents of contracting parties must carry legally valid identification documents at all times. Unicard is, of course, only an alternative to the official national ID card, but in practice, given its advantages, has become the choice of 998 out of 1000 citizens of the US and EU. The adoption of the UNCC, by making lack of credentials probable cause for detention, tremendously constrained the opportunities for crime, since any individual must carry one and only one Unicard (or national ID card), verifiable against a physical identity database in case of suspicion. The virtual disappearance of cash in these developed economies has enabled the rapid location and apprehension of criminals whose Unicards are flagged by a court order--if one's Unicard is blocked, few choices remain but to surrender to the authorities.
The Unigate Scandal of 2000 was a major setback to The Unicard Consortium, but strengthened it and, in time, has reinforced the public's confidence in the legally guaranteed privacy upon which Unicard's Liberation Through Security is founded. Unigate, where low-level Unicard Network Management personnel were extracting luxury purchase records from audit and archival backup files and selling them to mailing list companies, revealed both technological and managerial weaknesses which have been remedied by the Consortium, fully complying with the recommendations of the EU Parliament Special Commission and Unicard's own internal investigation. While not attempting to deny the seriousness of the security breach, Unicard notes that credit card companies in the 1980's and 1990's routinely collected and marketed such information about their clients. Unicard remains proud that in five years of operation and trillions of transactions, banking records, health information, travel histories, tax filings, communication security private keys, or any of the multitude of other items individuals access with Unicard have remained entirely secure, guarded against unauthorised disclosure by key escrow and due process disclosure agreements negotiated between Unicard and the jurisdiction of the cardholder's domicile.
Finally, Unicard has eliminated, for more than 99% of its cardholders, the burden of preparing and filing income tax returns. With all tax-relevant transactions performed through Unicard, the tax preparation or accounting firm of the cardholder's choice will prepare, for a modest fee, complete national and local tax returns for the cardholder, filing them electronically with refunds credited or tax due debited from the cardholder's Active Debit Account. The United States estimates that the adoption of Unicard Automatic Filing has created a net productivity gain of more than US$100 billion per year, while eliminating more than US$50 billion per year in tax fraud. In the words of the Treasury Secretary, "Unicard has played a substantial role in the elimination of budget deficits in America".
Since inception, Unicard has identified a human being. Universal Unicard V generalises this so that, in the words of the original proposal, "every object, agent, or process capable of generating or responding to stimuli will receive a unique Unicard identity, and become able, subject to Unicard's principles of Liberation Through Security, to interact with people and all other such objects."
Just as few imagined how the original, per-person Unicard would change the world, today only a small band of technological visionaries truly grasp the potential of Universal Unicard V. Let's try to capture some of their excitement by peeking into the world they see emerging.
Every person has a Unicard, but that's so commonplace it doesn't bear mentioning. But so does everything else--automobile and airplane, television and telephone, microwave oven and mixer; light switches and lamps, speakers and amps, thermometers and micrometers, electric drills and coffee mills, each with its own Unicard or, more precisely, Unicards. Not physical Unicards as we know them now, but rather a range of addresses within the Unicard Universe which enable every control to send messages and every action to be controlled by receipt of messages--anywhere on Earth and beyond.
Suppose you've installed a new door between the living room and dining room of your house, and you'd like to add a light switch by the door to turn on the living room lights. Call an electrician? Not with Universal Unicard V. Simply go to the store and buy a switch with the Unicard V logo on the package. Take it home, peel off the backing, and stick it wherever you like. Operate it a few times and when you display your house's Unicard environment, the switch has appeared, not connected to anything. Draw a line from the switch to the overhead light and you're done. Would you like your stereo to mute when you pick up the telephone in the living room? Draw a line from the hook switch you see when you display the telephone's Unicard to the mute switch on the stereo front panel.
How about a panic button that turns on all the lights in the house? Stick on the switch, and wire it to the "On" message terminal of all the lights. Wouldn't it be nice if that happened automatically if the smoke detector went off? Draw another line, and it's done. Have trouble finding your car in the parking lot? Draw a line from a button on your PDA to the car's lights, so you can make them flash by pressing the button.
Universal Unicard V will not only let you define the connection and operation of physical objects any way you like, it will largely erase the distinction between tangible objects and software. The button, switch, knob, or slider that activates or controls a real object can just as well be a software button on a computer screen anywhere in the world, a control that can be activated not only by a human, but by programs. Conversely, real world controls and sensors can activate software lights, meters, provide input to programs or trigger the activation of software agents to respond to the external signal again, anywhere in the world.
As the head of the Universal Unicard V design team puts it, "We're erasing the distinction between hardware and software. We're letting people redefine their environment any way they like, exploring new ways to interact with the world around them". As never before Universal Unicard V challenges the Unicard goal of Liberation Through Security. Unicard V will not be accepted unless there is absolute confidence it is safe from abuse. People will not install Unicard V compatible appliances if they believe that teen-age hackers in Hong Kong can make their toilet flush every time a taxi driver in Cairo blows his horn, or that the microphone of the telephone in their house might be wired, by nosy neighbours, to the input jack of a tape recorder in theirs. Clearly, Unicard V mediated links between the cockpit displays and controls of an airliner and its engines and control surfaces will not supplant existing fly by wire or fly by light protocols until the certifying bodies determine them to be more reliable than the systems they're replacing. The Unicard Consortium, aware of the challenge before it, has adopted a conservative schedule for the design, validation, pilot test, and market introduction of Universal Unicard V, and has involved in the effort, from the outset, government and industry representatives so that concerns relating to public safety, privacy, human rights, law enforcement, and national security can be incorporated into the final design specification.
It is a tribute to the vision of the original designers of Unicard that they chose a 512 bit unique identity for each card. In light of historical problems with Internet address space, telephone number assignment, and other name space congestion problems, Unicard's designers opted for an unbounded future. The universe is believed to contain approximately $10^{80}$ protons; an address space of 266 bits permits assigning every proton in the universe a unique Unicard. Since no known physical principle would permit encoding such a large amount of information without using many more protons, an address of that size should be more than adequate for all time. Opting for the immensely larger 512 bit identity ($10^{154}$ unique addresses) permits "wasting" address space in the interest of decentralised issuance of subspaces within the overall address space and the incorporation of robust redundancy in identities to guard against errors. Indicative of the humility of the Unicard designers in the face of eternity is their decision to reserve the $2^{511}$ bit to indicate, if one, that the following identity is 1024 bits.
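The address-space sizing and the reserved extension bit described above can be checked with a short sketch; this is an added example, not part of the original paper or of any Unicard specification. The wire layout is an assumption made for illustration: identities are big-endian, and a 512-bit word with only the $2^{511}$ bit set acts as a marker followed by a 1024-bit identity.

```python
import io

BASE_BITS = 512                    # identity width stated in the text
EXT_BITS = 1024                    # width signalled by the extension bit
EXT_FLAG = 1 << (BASE_BITS - 1)    # the 2^511 bit of the 512-bit word


def bits_needed(count):
    """Smallest address width, in bits, that gives `count` objects distinct addresses."""
    if count < 1:
        raise ValueError("count must be positive")
    return max(1, (count - 1).bit_length())


def decimal_magnitude(bits):
    """Exponent e such that 10**e <= 2**bits < 10**(e + 1)."""
    return len(str(1 << bits)) - 1


def _read_exact(stream, nbytes):
    """Read exactly nbytes or fail; a short read must never yield a valid identity."""
    data = stream.read(nbytes)
    if len(data) != nbytes:
        raise ValueError(f"truncated identity: wanted {nbytes} bytes, got {len(data)}")
    return data


def read_identity(stream):
    """Return (width_in_bits, value) for the next identity on `stream`.

    Assumed layout (not defined by the paper): a big-endian 512-bit word.
    If its top bit is clear, the word is the identity. If the top bit is set,
    the word is a marker whose other 511 bits must be zero, and a big-endian
    1024-bit identity follows it.
    """
    word = int.from_bytes(_read_exact(stream, BASE_BITS // 8), "big")
    if not word & EXT_FLAG:
        return BASE_BITS, word
    if word != EXT_FLAG:
        # Reject markers with stray bits so each identity has one encoding.
        raise ValueError("extension marker carries unexpected payload bits")
    value = int.from_bytes(_read_exact(stream, EXT_BITS // 8), "big")
    return EXT_BITS, value


if __name__ == "__main__":
    print("bits to address 10^80 protons:", bits_needed(10**80))
    print("2^512 is on the order of 10^%d" % decimal_magnitude(BASE_BITS))
    # Constructed sample stream: one plain identity, then one extended identity.
    sample = (5).to_bytes(64, "big") + EXT_FLAG.to_bytes(64, "big") + (7).to_bytes(128, "big")
    stream = io.BytesIO(sample)
    print(read_identity(stream))
    print(read_identity(stream))
```

Because the top bit is reserved, plain 512-bit identities occupy only the lower $2^{511}$ values under this layout.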
Even though Unicard is not a revolutionary change, but rather the integration of already-existing instruments into one small card, some see Unicard as an unprecedented assault upon their civil liberties and right to privacy. In reality, Unicard is neutral in this regard. All of the legal guarantees of privacy which existed before Unicard are unchanged. Communication security and the right to confidentiality of health and other personal information are, if anything, enhanced by Unicard. Since all communications, in whatever form, sent to and from a Unicard holder are encrypted in an unbreakable form, law-abiding citizens are guaranteed their data remain private, as only a due-process determination of probable cause, as in investigation of terrorists, drug dealers, money launderers, or tax evaders, can cause release of escrowed keys to law enforcement agencies.
The personal location tracking aspects of Unicard, both inherent through the collection of financial transaction data and, more recently, by collection of legally protected personal tracking data by ScannerPosts and position ping reports from Unicard-compatible PDAs, have often been cited as a novel and particularly intrusive form of invasion of privacy due to Unicard. Yet no legal tradition of any human culture, from the Code of Hammurabi to the present day, asserts a right to privacy of movement. To the contrary, courts have granted wide latitude in obtaining evidence of the movements of individuals when relevant to a legal proceeding. The United States Supreme Court decided in 2003 in Carlyle vs. O'Ryan that Unicard's ability to track, whether in real time or after the fact, the movement of individuals, did not infringe the First Amendment guarantee of "right of the people peaceably to assemble". The Chief Justice, writing for the majority, concluded "The right to privacy does not confer a right to anonymity in public actions. This technology, given the due process constraints upon disclosure it embodies, infringes no constitutionally guaranteed right and provides admissible evidence of movement relevant to conspiracy and other civil and criminal cases."
Unicard's individual location traces, embargoed against release except by due process, provide law enforcement the tools it needs to put an end to random violence, drug dealing, foreign terrorism, and other crimes against lawful citizens without compromising the rights of law abiding citizens [5,7].
Other positioning systems are still in the experimental or early development phase. Certainly a multitude of local transponders can provide very high resolution location, but cheaper solutions such as LEO satellite constellations are as yet unproven.
Unicard is possible, if not today, in the very near future. Technological feasibility does not imply inevitability--were that the case we would be launching weekly Saturn V flights to Mars, flying from New York to London in two hours in Mach 3 aircraft, and halting global warming by building thousands of plutonium fast breeder reactors. But when social trends are already evolving in a given direction, for example the loss of individual privacy through increasingly fine-grained surveillance of behaviour, technological developments which remove barriers which previously constrained this drift are distinctly worrying.
Attempts to limit the development of technologies, especially those which, wisely applied, have self-evident value to a broad base of people, are usually futile. What is needed, and now, is foresight and a careful analysis of the evolving relationship between developed societies and their citizens. If informed citizens exercise their sovereign right to choose the kind of world they wish to live in, then use their collective power to guide the development and application of technology, there is no reason to fear the future.
If subjects of mighty governments abdicate their responsibility at this turning point in history, the era of privacy and individual freedom may be coming to an end.
U N I C A R D
Liberation Through Security
© Copyright 1998 -- The Unicard Consortium
This document may be freely redistributed in unmodified form, including this statement. Excerpts of any length may be quoted under the doctrine of fair use, as long as identified as such and the source cited.