Accountability and Privacy

The only condition and requirement StartCom puts forward to potential subscribers of free digital certificates and other services the StartCom Certification Authority provides is that the subscriber must disclose his private details. This means the name and address of residence (home address) must be provided during registration for a StartSSL account.

Obviously many try to circumvent this requirement by providing fake data, the address of their employer, or similar. We at the StartCom CA, on the other hand, try to detect such attempts and refuse to provide our services when we are convinced that the details submitted are incorrect or not those of the subscriber.

The first item of our FAQ page lists an explanation in small print for this condition:

Since StartCom must enforce adherence of the StartCom Certification Policies by all subscribers, the subscriber must provide his/her personal information.

Basically it’s about the ability to enforce and govern the StartCom CA Policy, which has a section called “Subscriber Obligations”. Without knowing who the subscriber is, the subscriber obligations can’t be enforced, hence the terms and conditions call for disclosure. There is a certain accountability involved when enrolling for digital certificates.

Most new subscribers understand this requirement and conform to our condition; others do so after being rejected the first time. A minority opts not to use our services at all. As it happened, a colleague of mine ran into the detection system and was subsequently refused an account because he provided incomplete and incorrect details during registration. Of course he was quite upset, and since he knew who was responsible for this, he sent me an email. During the evolving exchange of messages he wrote:

I have the right to be anonymous or pseudonymous at my choosing. My name is irrelevant for a SSL server certificate which is not used for business. Where should I go if I want to SSL-protect my own server, but not tell the whole world who I am?

Now here we have a conflict between accountability and privacy, where each position is valid in its own right. Certainly a provider like StartCom is free to choose the terms and conditions under which a service is provided, and accountability is an important part of the relationship between subscribers and the certification authority, while a subscriber wants to guard his own privacy.

How do we achieve accountability and also protect one’s privacy? Wes Kussmaul claims on the front cover of his book “Own Your Privacy” that Privacy and Security are not Antithetical. In this book, Wes tries to explain how we can guard our privacy without compromising accountability. Understandably the Internet, which is just like a big highway, doesn’t give us much comfort in disclosing who we are, right?! Nobody puts a sticker on his car with his name, address, social security and phone number for everybody to see. We do have license plates though…

Read “Own Your Privacy” to understand how privacy and security can co-exist as Wes envisions. It’s an interesting read for anybody using computers and the Internet! It’s an attempt to solve the problem of unauthenticated, unreliable identities without compromising on privacy - something usually granted in real life, but utterly broken on the Internet.
