Musings about Coding, Business and other Geek Stuff Live and Direct from somewhere on the planet
March 18, 2004
Geek War on Terror

Steven Levy has an interesting story in Newsweek entitled Geek War on Terror, about a new cypherpunkish approach to analyzing individuals’ transactions in an anonymous manner. Very interesting. The technology isn’t new; it just hasn’t really been applied in this way before. I am naturally sceptical about anything that allows Big Brother to check on us more, but the approach is interesting from a technical and moral standpoint.

Background

SRD, the company behind the new technology, has a background in, amongst other things, fraud prevention in casinos.

Their 3 key technologies, as far as I can work out, are:

  • ERIK, which is what they call Identity Recognition Software
  • NORA, their FOAF-like technology, or what they like to call “Who Knows Who”
  • ANNA, their anonymous information sharing technology

While they appear to have customers in gaming and financial services, their real target market now is Patriot Act compliance. And I have to say that I like that they have at least thought about anonymity in this approach.

Who’s Who?

Data entered in CRM systems can often be very unreliable. It is not uncommon to have several different records for the same client, often with minor spelling mistakes or different addresses.

ERIK attempts to create a unique ID for each client in a CRM system. The technology sounds like an advanced multidimensional form of SOUNDEX, though obviously it is a bit more complicated. The multidimensionality comes from using more than just names: it adds various other identity information such as residence, age etc. and somehow generates the unique ID.

Who knows who

Besides knowing exactly who’s who, the key application is to find out relations between people. Call it a fancy Friend of A Friend (FOAF) analyzer. A simple example would be if Bob and Carol lived at the same address; that would be a connection between the two. I am not sure to what extent they add relations. But the core Patriot Act application is of course to dig out friends of known terrorists. This sounds like it could be pretty effective, but also very scary.

To do this properly you need to aggregate data from as many sources as possible. This might be fine within a large organization, but it gets scary when you think about governments having access to all of our financial transactions etc.

Which is why they have invented…

ANNA: Anonymous Entity Resolution Technology

ANNA is the cypherpunkish aspect of SRD’s technology chain. Essentially ANNA takes the ID generated from ERIK and creates a secure hash of it. In NeuClear we use the hash of the public key as the main identifier; this is very similar, except it is based on the person’s real-life persona.

The data from financial and other institutions can now be shared anonymously, identified only by the fingerprint generated above. This would most likely be shared using NORA servers.

There would be private applications where this information could be shared via independent clearing houses running NORA. You could imagine Equifax etc. running this kind of business.

The Patriot Act application would have the government doing this. This, they argue, would mean that the government could anonymously match FOATs (Friend of a Terrorist) getting on planes, renting cars, opening bank accounts etc.
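An added example (not code from the original post or from SRD) of the fingerprint matching described above, showing the plain hash beside a keyed one. `canonical_id` is a simplified stand-in for the ERIK step, the optional HMAC key is an assumption that goes beyond the post, and all names and sample records are constructed.

```python
import hashlib
import hmac
import unicodedata

def canonical_id(name, dob, address):
    """Simplified stand-in for the ERIK step (assumption, not SRD's algorithm):
    fold case, accents, punctuation and spacing so near-duplicate records agree."""
    def norm(s):
        s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
        return " ".join("".join(c if c.isalnum() else " " for c in s.lower()).split())
    return "|".join(norm(f) for f in (name, dob, address))

def fingerprint(identity, key=None):
    """ANNA-style step: only this digest leaves the institution.
    Without a key it is a plain SHA-256, as the post describes. With a key
    (assumption: a secret shared by the participants) it is HMAC-SHA256, so
    fingerprints cannot be rebuilt just by hashing guessed identities."""
    data = identity.encode("utf-8")
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def clearing_house_match(watch_fps, submitted):
    """The clearing house sees only fingerprints and opaque local record
    references; it returns the references whose fingerprint is on the list."""
    watch = set(watch_fps)
    return sorted(ref for ref, fp in submitted.items() if fp in watch)

# Constructed sample data: one watch-list entry, two bank records.
WATCH_LIST = [("Bob Example", "1970-01-02", "12 Main St., Springfield")]
BANK_RECORDS = {
    "bank-001": ("BOB  EXAMPLE", "1970-01-02", "12 Main St, Springfield"),
    "bank-002": ("Carol Sample", "1982-11-30", "99 Oak Ave, Shelbyville"),
}

def run(key=None):
    watch = [fingerprint(canonical_id(*r), key) for r in WATCH_LIST]
    sub = {ref: fingerprint(canonical_id(*r), key) for ref, r in BANK_RECORDS.items()}
    return clearing_house_match(watch, sub)

def guess_succeeds(key=None):
    """Privacy check: does an unkeyed hash of a guessed identity equal the shared fingerprint?"""
    target = fingerprint(canonical_id(*WATCH_LIST[0]), key)
    guess = fingerprint(canonical_id("bob example", "1970-01-02", "12 main st springfield"))
    return guess == target

if __name__ == "__main__":
    print(run(), run(b"shared-secret"), guess_succeeds(), guess_succeeds(b"shared-secret"))
```

Names, birth dates and addresses are low-entropy inputs, so the anonymity of an unkeyed fingerprint depends on nobody being able to enumerate plausible identities; the keyed variant moves that dependency onto the secrecy of the key.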

Conclusion

If this works, it sounds like a beautiful technological solution that would protect people’s privacy while allowing intelligence agencies to do some serious fishing.

Therein, I think, lies the problem. You can imagine any bunch of “vital” agencies such as the IRS and SEC wanting in on the act as well. You might end up as a FOASO (Friend of a Sex Offender) because you worked in the same office as someone who was once convicted.

I don’t trust government, and I don’t trust that only legitimate use will be made of it. Just look how the IRS managed to get Tax Evasion added to the list of Money Laundering crimes and how they are using that to bully foreign governments under the guise of anti-drug and/or anti-terrorist warfare.

Nevertheless, the technology has interesting ideas and should be analyzed by real security and privacy experts like Bruce Schneier before it gets put into government use.

Posted by pelleb at March 18, 2004 02:50 PM
This entry was posted in the following Categories: Crypto & Security