DanArmak

Comments

Deliberately Vague Language is Bullshit

Bullshit is what comes out of the mouth of someone who values persuasion over truth. [...] The people with a need to obscure the truth are those with a political or social agenda.

Almost all humans, in almost all contexts, value persuasion over truth and have a social agenda. Condemning all human behavior that is not truth-seeking is condemning almost all human behavior. This is a strong (normative? prescriptive? judgmental?) claim that should be motivated, but you seem to take it as given.

Persuasion is a natural and desirable behavior in a social, cooperative species that is also competitive on the individual level. The main alternative to persuasion is force, and in most cases I'm glad people use persuasion rather than force. Truth-seeking would also fare worse in a more violent world, because truth has some persuasion value but little violence-value.

Truth is instrumentally useful to persuasion insofar as people are able to identify truth and inclined to prefer it. I'm all for increasing these two characteristics and otherwise "raising the sanity waterline". But that is very far from a blanket condemnation of "valuing persuasion over truth".

Zvi's Law of No Evidence

If someone says there is "no evidence" of something then it is because they are trying to pass off "nobody looked for Bigfoot and nobody found him" as "explorers looked for Bigfoot and nobody found him".

A "no evidence" argument doesn't have to be made in bad faith. It's claiming that we've looked into the people who said they saw Bigfoot (as opposed to looking for Bigfoot itself), and concluded those claims have no good evidence behind them. And so, without evidence, we should rule out Bigfoot, because the prior for Bigfoot is very low. We would need positive evidence to raise the Bigfoot hypothesis to the level of conscious consideration, and we claim there is no such evidence.

Yes, a claim of "no evidence" is - in this context - a social attack on the people who were talking about the subject (and so implicitly claiming "yes evidence"). In the highly politicized context Zvi is discussing, almost all factual arguments are disguised social attacks; rhetoric, meant to persuade people, with facts and logic being instrumental but not the goal.

And so we can justly ignore the whole discussion because we think it's not about facts and arguments and real "evidence" and it never was. But if we want to engage with the discussion using our own arguments and evidence (or to pretend to do so for our own social goals), then we should acknowledge that a valid factual claim is being made here, which we can evaluate without dismissing it as purely rhetorical manipulation ("passing off argument A as argument B").

Zvi wrote,

No evidence should be fully up there with “government denial” or “I didn’t do it, no one saw me do it, there’s no way they can prove anything.” If there was indeed no evidence, there’d be no need to claim there was no evidence, and this is usually a move to categorize the evidence as illegitimate and irrelevant because it doesn’t fit today’s preferred form of scientism.

I disagree with this. If people claim Bigfoot exists, and I think they have no evidence for that claim, then yes I will say there is no evidence. The mere fact that people claim A is not in itself evidence for A, because people are not pure truth-seekers, and if I acknowledge any claim as itself constituting evidence, they will proceed to claim lots of things without evidence behind them. I don't need to "categorize the evidence as illegitimate and irrelevant", I should be able to say plainly that there is no evidence to begin with. It's not because "it doesn't fit today's preferred form of scientism", it's because seeing a vague outline in a snow-storm really truly isn't evidence for Bigfoot.

When people we don't like claim things that are clearly wrong, we may want to dismiss their arguments as rhetorically invalid or malicious or made in bad faith, to claim that the form of such arguments necessarily indicates they are being made in bad faith. But that is engaging on their terms - analyzing why they're making the arguments, instead of analyzing the arguments themselves (simulacra levels!). These two discussions are both necessary but they should be kept apart. On the object level, we should be able to keep saying - the arguments are not "wrongly shaped", they are just factually wrong.

Covid 4/1: Vaccine Passports

We're talking past one another, trying to solve different problems. I'm a software engineer by profession and I understand how public-key cryptography works. I also assumed you were not a software engineer because your comment didn't make sense for the problem as I understand it.

The QR code contains a cryptographically signed attestation that "DanArmak" is vaccinated. Not "whoever displays this code is vaccinated".

That works fine, and is the system used in Israel and proposed in some EU countries. But it's not what I understand Zvi to be arguing for. Zvi wants a system which doesn't let verifiers identify the person in front of them, only learn that they're vaccinated. He clarifies this in this comment.

If the QR proves "DanArmak is vaccinated", then I also need to prove I'm DanArmak. E.g. by displaying a state ID. This lets verifiers track me, simply because they learn who I am and businesses regularly sell or share data on customers / visitors. The application verifying the QR codes can make this even easier - most businesses install the same verifier application, and it uploads info about the people whose IDs it verifies. IIUC, the US doesn't have any privacy laws that would forbid private entities from collating, tracking, and selling such data, even without disclosure.

Covid 4/1: Vaccine Passports

we have proof by example

What's the example you're thinking of? I'm sorry if you mentioned it before and I missed it.

We need something harder to fake than a Fake ID, where the QR code doesn't reveal who you are, so you can't be tracked beyond the existing ability to track cell phones.

If I understand correctly, you don't want the QR code to prove that "John Doe, ID #123456789, is vaccinated" and then have the verifier ask to see a separate, pre-existing ID that shows you're John Doe. Which is how the actual and proposed vaccination passports in Israel and some of the EU work. (Hence I don't know what example you're thinking of.)

Instead you want the QR code to prove that "the bearer of this code is vaccinated". That implies the code must be secret and not trivially shareable between many different people. But copying images and taking screenshots is trivial. So the code must not be a single permanent QR per person, but generated by the application: either frequently replaced (like OTP) or on-demand (challenge-response protocol).

This could work if installing or activating the app required approval from a central database / service. This approach has difficulties I noted before, including proving to the app you're you, and multiple activations. And it still lets the app owner track you, since the app stays active.

What approach are you thinking of?
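
The two options named in the comment above (a frequently replaced, OTP-style code and an on-demand challenge-response), sketched as an added example that is not part of the original comment. The `Issuer` service, the token layout, and the 30-second step are assumptions made for illustration; the issuer sees every check, which is the tracking limitation the comment mentions.

```python
import hashlib
import hmac
import os

STEP = 30  # seconds a rotating code stays current (assumed value)


def _mac(key, label, data):
    return hmac.new(key, label + b"|" + data, hashlib.sha256).hexdigest()


class Issuer:
    """Hypothetical central service that approves each app activation."""

    def __init__(self):
        self._keys = {}  # activation id -> secret shared with one install

    def activate(self):
        # Assumed to run only after the service has confirmed vaccination.
        activation_id, key = os.urandom(8).hex(), os.urandom(32)
        self._keys[activation_id] = key
        return activation_id, key

    def verify_rotating(self, token, now):
        """OTP style: accept only codes from the current or previous step."""
        try:
            activation_id, step, tag = token.split(".")
            age = int(now // STEP) - int(step)
        except ValueError:
            return False
        key = self._keys.get(activation_id)
        if key is None or age not in (0, 1):
            return False
        expected = _mac(key, b"time", step.encode())
        return hmac.compare_digest(tag.encode(), expected.encode())

    def verify_response(self, activation_id, challenge, response):
        """Challenge-response: the answer is bound to one fresh challenge."""
        key = self._keys.get(activation_id)
        if key is None:
            return False
        expected = _mac(key, b"chal", challenge)
        return hmac.compare_digest(response.encode(), expected.encode())


def app_rotating_code(activation_id, key, now):
    # activation_id is stable, so whoever sees it can link repeat visits.
    step = str(int(now // STEP))
    return ".".join([activation_id, step, _mac(key, b"time", step.encode())])


def app_respond(key, challenge):
    return _mac(key, b"chal", challenge)
```

A screenshot of a rotating code still verifies until its step expires, while a recorded response fails against any other challenge.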

Bureaucracy is a world of magic

Both things are true. An attacker can find poorly protected keys that are easier to steal (although key protection may weakly correlate with key value). And a defender can invest to make their own key much harder to steal.

Covid 4/1: Vaccine Passports

the vaccination doesn't expire, so the code doesn't need to

If a person receives a static, permanent QR code, then some QRs will leak (or be deliberately leaked) and will be used en masse. And some QRs will be given out to friends and family.

With permanent codes, the application presenting the QR can't prove it's the genuine application, so people could just as easily show an image.

That also lets everyone share QR codes easily (i.e. without being tech savvy or investing effort) - just use your phone's screenshot function while the real app is open. And whoever verifies the QR code can also reproduce it.

This is the lowest possible level of security. Saying that such an un-trustworthy system creates net positive value for society requires some serious proof, which I haven't seen.

Including photos in the QR is possible; a B&W photo would fit. If you want to include more data, you can put a copy of the photo online (so that the verifier can pull the exact file) and sign its hash and URL as part of the QR token. Or use NFC to transmit the (signed) photo. Or use several QRs displayed in succession. QR bandwidth is surprisingly high. However, using photos raises other questions, such as what about all the people the government doesn't have official or up-to-date photos of (and see also my other top level reply).

Covid 4/1: Vaccine Passports

A QR code can be placed upon a piece of paper, and those without a phone can carry the piece of paper, the same way we can carry the vaccination card now except with a less trivial duplication/fraud problem. It’s not a meaningful objection.

You seem to assume a user would print out a QR code from e.g. a website at home and then carry it around. It would need to be valid for at least a day, and to be re-usable for multiple verifications. This could make it harder to build a secure system with the same guarantees as you might get from very short lived tokens (OTP style). I don't think you should dismiss this out of hand.

It also rules out a challenge/response system between the verifier and the app, which might be useful for some designs.

Covid 4/1: Vaccine Passports

There are plenty of privacy experts out there that can design a version of the system where you can’t be tracked. The system can see if you’re vaccinated, but it can’t tell who ‘you’ are while doing so, except to verify that the claim is legitimate.

I'm not a privacy expert. It's not obvious to me how to design such a system. Can someone explain or link to a proposal? The 'obvious' way would be to give people tokens when vaccinating them, but it's too late for that.

Also, do you mean "can't be tracked by the system itself, including the app you've installed on your phone which provides QR codes", or "can't be tracked by everyone you show the QR codes to, even if they cooperate" (because they all get QR-verifying software from the same vendor, which phones home)?

ETA: you write both "I expect crypto people to have good answers to these problems" and "my assumption is it also probably won’t be that difficult to fake the passport". This is contradictory. My comment responds to the first claim.

(Rewrote to better present the same argument, and removed some weaker arguments)

I don't see how to accomplish the first (stronger) version. Since people weren't given un-forgeable tokens when they were vaccinated, you need them to install an app and tell it who they are. Which lets the app track them; you'd need to trust the government, the software sub-contractor who actually wrote it, their software supply chain, and the server it talks to.

Suppose you do trust the app, or you only want to achieve the weaker kind of security, where the verifiers (who see your QR tokens) can't identify or track you. That still leaves some issues:

  1. How does the app know you're vaccinated? Does the government already have a database / list of vaccinated people? Did people get magical pieces of paper when they were vaccinated? Based on your past posts about the distribution process, I would expect this info to be incomplete, inaccurate, and probably not yet centralized. And if it did exist, privacy advocates would probably be concerned about that.

    If vetting people who install the app is taken seriously, there will probably be a lot of false negatives, which will justly upset people and get media attention. And any attempt to redress this will make it easier for un-vaccinated people to register.

  2. How do you prove to the passport app that you're you? If the system knows "John Doe" is vaccinated, what stops people from telling their phone they are John Doe? Maybe they need details like when and where John was vaccinated, but this is likely to leak for a bunch of people. On a smaller scale, vaccinated people can register on their unvaccinated friends' and loved ones' phones, to let them go places. Or just loan them their phones for a bit.

    The system could show the verifier a photo of the real John Doe (but does the government have everyone's photos?) That would mostly solve the problem, although using a single / 'reference' photo for each person would let verifiers link data and look that person up without resorting to image recognition or image search. (I'm assuming here verifiers can surreptitiously take a photo of you, but that it would be less convenient / useful than a 'reference' one.)

    The system could enforce a reasonable limit of phones (installations) per person. That might enable griefing, if I can register in your name and prevent you from registering yourself. This might be an acceptable tradeoff. It would still let people register for 1-2 'extras'.

Bureaucracy is a world of magic

That's true. But a well-protected key is much, much harder to steal than it is to fake an ID. (We were not discussing stealing IDs.)

Bureaucracy is a world of magic

I think we had different intuitions because we considered different user populations; a kind of "typical skill fallacy" on my part.

It might be, as you say, easier to steal an average blockchain user's private key than to successfully fake their government ID. I don't think I know what the average blockchain user's security is like, and whether it's much better than the average computer user's security, which is very poor. (Although that statement once again bakes in some assumptions about the attacker...)

Rather, I was imagining myself, and others who like me have some relevant experience. (I've spent a few years helping manage a private X.509 CA and associated hardware and software in a pretty paranoid environment, so perhaps my expectations are set high!) I believe that if I wanted to strongly protect a private key, because I had a lot of value invested in it, I'd be able to make it much more secure than my government ID.

The key point is that a blockchain user can invest in security proportionally to the value being guarded. Whereas IDs provide a similar level of security to everyone; one person's ID probably isn't orders of magnitude harder to fake than another's. Unless they're e.g. very famous, or very unlikely to be found where you are or doing the things you're doing with their ID, in which case verifiers might not believe you even if you look like the photo on the ID. (Although social engineering can work wonders.)

I wasn't talking about any blockchain use in particular, and I don't have a strong, thought-out defense of any particular use tied to real-world entities like real estate; I haven't investigated the subject enough. I know my way around key management; what you do with the key afterwards is your business :-)
