Security and Privacy Cerf's Up

Validating Factual Personal Information

What properties would be useful to realize in a system
intended to keep personal information, where it is needed, up to date?

Google Vice President and Chief Internet Evangelist Vinton G. Cerf

We are called upon, frequently, to validate personal information: name, address, phone number, birth date, national identification number, birthplace, employment, educational record, and more. Often this demand is made online. Browsers can capture some of this information and automatically fill it in. It is not a new idea to try to automate this. Moreover, as facts change (for example, a new address, new phone number, new employment), we might find it useful to automatically propagate this information to places where earlier versions have been registered. How is the registry to know whether the information is accurate? How can there be control over the release of this information? I have been wondering what properties would be useful to realize in a system intended to keep personal information, where it is needed, up to date. What follows is only partly digested and reader reactions would be appreciated.

First, let us suppose all this information can be structured as name:value pairs and that the names are widely standardized as to their meaning. One could imagine a business which records this data and validates it according to accepted (and maybe legislated) practices and releases it only on authorization by the party submitting it in the first place. Since this business is to be trusted to validate and disgorge information only on authorization, one might imagine that such a company would have to be certified somehow and pass rigorous tests of its ability to control access to and the release of such personal information. One would imagine the possibility of widely accepted safety and security standards analogous to generally accepted accounting practices (GAAP).

One could imagine that the initial cache of personal data might have to be submitted in person as is sometimes required when establishing bank and securities accounts, driver’s licenses, passports, or corporate identification badges. In any case, there would have to be criteria for vetting the information so that the attestation of its accuracy is accepted as valid by relying parties.

The registrant would bring verifiable data to the registrar, who would validate and record the information. At this time, the registrant would generate or be given a public/private key pair. The public key would be shared with the registry. A relying party needing valid personal information (for example, age, birthdate, birthplace, current residence, email address, and phone number) would request it from the registry. The registry issues a request to the registrant to authorize release of the data, which includes identifying the party making the request. The registrant should receive sufficient information to validate the relying party and its intended use of the data. The registrant can then authorize (for example, by digital signature) the release of the data by the registry to the relying party.

Another use of such a system is for the registrant to send updated information to the registry. Relying parties might, by practice, automatically query the registry whenever personal information is needed, so that updates propagate at the time a request is made. The relying parties might make periodic queries to keep their information up to date, or they might keep no substantive information at all and instead request it when needed. It is obvious that the data transfers should be encrypted for privacy and digitally signed by the registry to assure data integrity. Registrants could individually permit automatic responses to queries by specific relying parties, or they might insist on authorizing the release every time a request is made.
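The authorization step described above, as an added illustration that is not part of the column: the registrant signs a canonical message naming the relying party, the purpose, the exact fields and a per-request nonce, and the registry releases and signs the data only if that signature verifies. Ed25519, the registrant and field names, and the separator format are assumptions of this example; transport encryption is assumed to be handled separately.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"sort"
	"strings"
)

// Request is what a relying party sends; the registry forwards it to the registrant before any release.
type Request struct {
	Registrant, RelyingParty, Purpose string
	Fields                            []string
}

// Registry holds vetted name:value pairs, each registrant's public key, and
// its own signing key for the data it releases (all example data is constructed).
type Registry struct {
	Key     ed25519.PrivateKey
	PubKeys map[string]ed25519.PublicKey
	Records map[string]map[string]string
}

// AuthMessage is the canonical string a registrant signs to authorise one release.
// Binding requester, purpose, sorted field list and a per-request nonce means the
// signature cannot be reused for another party, purpose, field set, or a replay.
func AuthMessage(r Request, nonce string) []byte {
	f := append([]string(nil), r.Fields...)
	sort.Strings(f)
	return []byte(strings.Join([]string{r.Registrant, r.RelyingParty, r.Purpose, strings.Join(f, ","), nonce}, "|"))
}

// Release verifies the registrant's signature over exactly this request and nonce;
// only then does it return the requested pairs as a canonical payload signed by the registry.
func (g *Registry) Release(r Request, nonce string, auth []byte) ([]byte, []byte, error) {
	pk, ok := g.PubKeys[r.Registrant]
	if !ok || !ed25519.Verify(pk, AuthMessage(r, nonce), auth) {
		return nil, nil, errors.New("release not authorised by registrant")
	}
	var pairs []string
	for _, f := range r.Fields {
		v, ok := g.Records[r.Registrant][f]
		if !ok {
			return nil, nil, errors.New("no vetted value for field " + f)
		}
		pairs = append(pairs, f+"="+v)
	}
	sort.Strings(pairs)
	payload := []byte(strings.Join(pairs, ";"))
	return payload, ed25519.Sign(g.Key, payload), nil
}
```

The relying party checks the returned signature against the registry's public key; a registrant who wants automatic responses for a specific relying party could pre-sign a standing authorization instead of one per nonce.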

Updates to the registered data could be validated both by the digital signature of the registrant and through vetting of the new data by the validating registry. There might be different levels of validation available, not unlike real-estate title searches and various certificate authorization practices. The business model for such a system might include subscription fee payments by the registrants and transaction fee payments by parties requesting valid personal data.

It will not surprise me to find that such services already exist. I will be interested to learn from readers what they think about this idea and perhaps what risk factors should be considered.
