Subject: notary digital?
From: nick@npdoty.name
Date: 7/05/2014 09:42:00 PM To: Amanda, Andrew, Brendan, DKM, JCP, Rachel, Sam, Seb, Z Bcc: http://bcc.npdoty.name/

Recently I had the honor of swearing, and having notarized, an affidavit of bona fide marriage for a good friend as part of an immigration application. Speaking with another friend who had done the same for a friend of hers, she remarked that it was such a basic and important thing to do, that even if she did nothing else this year it would have been an accomplishment. And the formal, official process of notarization was interesting enough itself that I spent some time looking into how to become one.

Notary Public

Becoming a notary is a strange process. By its nature, it's an extremely regulated field: state law specifies exactly what a notary must do, what training they must have, what level of verification is needed for different notarized documents, exactly how much a notary may charge for each service, how the notary may advertise itself, etc. That is, you become a notary public, not just a notary. Presumably this is in part because other legal and commercial processes depend on notarization of certain kinds.

Given all those regulations, if the notary errs or forgets when conducting her duties, the law provides penalties. Forgot to thumbprint someone when you notarized their affidavit? That's $2500. Forgot to inform the Secretary of State when you moved to a new apartment? $500. Screw up the process for identifying an individual in a way that screws up someone else's business? They can sue you for damages. In short, if you're a notary, you need to buy notary errors and omissions insurance, at least $50 for four years. Also, the State wants to be sure that you can pay if you become a rogue notary who violates all these rules. As a result, as soon as you become a notary you're required to execute a bond of $15,000 with your county. In short, you pay a certified bond organization maybe $50 for the bond; if the State thinks you screwed up, they get the money directly from the bondsman and then the bondsman comes and gets the money from you.

Notary Digital?

But mostly I'm curious about this just because I've been thinking about the idea of a digital notary. (This is not to be confused with completing notary public activities with webcam verification instead of in-person, which appears to be illegal in most states, and not what I'm offering.)

That is, it seems like there are some operations we do in our digital, electronic lives these days that could benefit from some in-person verification. Those operations might otherwise just be cumbersome or awkward, but if we have an existing structure — of people who advertise themselves as carefully completing these verification operations in person — maybe that would actually work well, even with our online personas. These thoughts are, charmingly I hope, inchoate and I would appreciate your thoughts about them.

Backup / Escrow

Some really important digital files you want to backup in a secure, offline way, where you're guaranteed to be able to get them back. (Say: Bitcoin wallets; financial records; passwords, certificate revocations, private keys.) You meet with the digital notary; she confirms who you are, who can have access to the files, whether you want them encrypted in a way that she can't access them, how and when to get them back to you (offline-only, online with certain verifications, etc.). You pay her a fee then and a fee at the time if you ever need to retrieve them.

Alternatives: online "cold storage" services; university IT escrow services (not sure if this is common, but Chicago provides it for faculty and staff); bank safety deposit boxes with USB keys in them; online backup you really hope is secure.

Verification and Certification

You can go to a digital notary to get some digital confirmation that you are who you say you are online. The digital notary can give you a certificate to use that has your legal name and her signature (complete with precise verification steps) that you can use to sign electronic documents or sign/encrypt email. Sure, anyone can sign your OpenPGP key and confirm your identity, but the notary can help you set it up and give you a trusted verification (based on her well-known reputation and connection to the Web of Trust and other notaries).

And, traditional to the notary, she can sign a jurat. That is, you can swear an affidavit of some statement and she can verify that it was really you saying exactly what you said, but do so in a way that can be automatically and remotely verified.

Alternatives: key-signing parties; certificate authorities (some do this for free, others require a fee, or require a fee if it's not just personal use); creating your own key and participating in the Web of Trust in order to establish some reputation.

Execution

While we hope to see an increase in the thanatosensitivity (oh man, I've been waiting for an excuse to use that term again; here are all my bookmarks related to the topic) of online services — like Google's Inactive Account Manager — after we die, it's likely that our online accounts will become defunct and difficult for our next-of-kin to access. It would be useful to give someone instructions for what we want done with our accounts and data after death; that person will likely have to securely maintain passwords and keys and be able to verify, offline, our identities. Pay your digital notary a fee and she can execute certain actions (deleting some data, revealing some passwords to whichever family members you chose, disabling social media accounts) after your death, after verifying it using not just inactivity, but also confirmation with government or family.

Alternatives: a lawyer who understands technology well enough to execute these digital terms of your will just as they do your regular will and testament. (Does anyone know the current state of the art for lawyers who know how to handle these things?)

Education

And actually what might be most valuable about digital notary services is that she can explain to you these digital verifications work. That is, not only can a digital notary provide digital execution with in-person verification, she can provide the basic capability, explain how it works and then conduct it. Another advantage of in-person meetings, you can seek individualized counsel, not just formalistic execution of tasks.

It would be nice if information technology had a profession with a fiduciary responsibility to its clients; the implications of digital work are increasingly important to us but remain hard for non-experts to understand, much less control. Just as we expect with our doctors and our lawyers, we should be able to ask technological experts for advice and services that are in our own best, and varied, interests. Related, it would be useful if the law reflected that relationship and provided liability but also confidentiality, for such transactions. That latter part will take a little while (the law is slow to change, as we know), but a description of the profession and some common ethical guidelines of its own could help.

A Shingle?

As an experiment, I offer you all and our friends the services described above — escrow of files/keys; authentication, encryption and certification of messages; execution of a digital will and testament — at a nominal $2 fee per service.

Sincerely yours,

Nick

P.S. Did you know that payment of fees is one factor used to determine that a privileged client-attorney relationship has been established?



The Knight News Challenge applications are in and I find them a particularly exciting batch this year, perhaps because of a burst of activity spurred on by a handful of surveillance revelations you might have heard about. I read through all 660: below are my list of promising applications from friends and colleagues. I’m sure there are many more awesome ones, including some I already “applauded”, but I thought a starter list would still be useful. Go applaud these and add comments to help them improve.

Which are your favorites that I’ve missed? I’m keeping a running list here: https://pinboard.in/u:npdoty/t:newschallenge

Encrypt all the things

Mailpile - secure e-mail for the masses!

Making secure email (using the OpenPGP standard) easier by developing an awesome native email client where encryption is built-in. They already have an alpha running that you might have seen on Kickstarter.

Encryption Usability Prize

Peter Eckersley, just over the Bay at EFF, wants to develop criteria for an annual prize for usable encryption software. (Noticing a theme to these encryption projects yet?) Notes SOUPS (CMU’s conference on usable security, happening this summer at Facebook) as a venue for discussion.

LEAP Encryption Access Project: Tools for Creating an Open, Federated and Secure Internet

LEAP (leap.se) is a project for developing a set of encryption tools, including proxies, email (with automatic key discovery) and chat, in an effort to make encryption the default for a set of at-risk users. (My colleague Harry Halpin at W3C works with them, and it all sounds very powerful.)

TextSecure: Simple Private Communication For Everyone

TextSecure is likely the most promising protocol and software project for easy-to-use widely adopted asynchronous encrypted messaging. (Android users should be using the new TextSecure already, fyi; it basically replaces your SMS app but allows for easy encryption.) Moxie (formerly of Twitter) is pretty awesome and it’s an impressive team.

Standards

Speaking of encryption, there are two proposals for standards work directly related to encryption and security.

Advancing DANE (DNS-Based Authentication of Named Entities) to Secure the Internet’s Transport Layer

This one may sound a little deep in the weeds, but DANE is a standard which promises end-to-end transport security on the Internet via DNSSEC, without relying on the brittle Certificate Authority system. Yay IETF!

Improved Privacy and Security through Web Standards

My colleagues at W3C are working on WebCrypto — a set of APIs for crypto to be implemented in the browser so that all your favorite Web applications can start implementing encryption without all making the same mistakes. Also, and this is of particular interest to me, while we’ve started to do privacy reviews of W3C specs in general via the Privacy Interest Group, this proposal suggests dedicated staff to provide privacy/security expertise to all those standards groups out there from the very beginning of their work.

Open Annotations for the Web

Hypothes.is (with lots of I School connections!) has been contributing to standards for Web annotations, so that we can all share the highlights and underlines and comments we make on web pages; they’re proposing to hire a developer to work with W3C on those standards.

Open Notice & Consent Receipts

A large handful of us I School alumni have been working in some way or another on the idea of privacy icons or standardized privacy notices. Mary Hodder proposes funding that project, to work on these notices and a “consent receipt” so you’ll know what terms you’ve accepted once you do.

Documenting practices, good and bad

Usable Security Guides for Strengthening the Internet

Joe Hall, CDT chief technologist and I School alumnus extraordinaire, has an awesome proposal for writing guides for usable security. Because it doesn’t matter how good the technology is if you don’t learn how to use it.

Transparency Reporting for Beginners: A Starter Kit and Best Practices Guide for Internet Companies, and a Readers’ Guide for Consumers, Journalists, & Advocates

Kevin Bankston (formerly CDT, formerly formerly EFF) suggests a set of best practices for transparency reports, the new hot thing in response to surveillance, but lacking standards and guidelines.

The positive projects in here naturally seem easier to build and less-likely to attract controversy, but these evaluative projects might also be important for encouraging improvement:

Ranking Digital Rights: Holding tech companies accountable on freedom of expression and privacy

@rmack on annual ranking of companies on their free expression and privacy practices.

Exposing Privacy and Security Practices: An online resource for evaluation and advocacy

CDT’s Justin Brookman on evaluating data collection and practices, particularly for news and entertainment sites.

IndieWeb and Self-Hosting

IndieWeb Fellowships for the Independent and Open Web

I’ve been following and participating in this #indieweb thing for a while now. While occasionally quixotic, I think the trend of building working interoperable tools that rely as little as possible on large centralized services is one worth applauding. This proposal from @caseorganic suggests “fellowships” to fund the indie people building these tools.

Idno: a collective storytelling platform that supports the diversity of the web

And @benwerd (werd.io) is one of these people building easy-to-use software for your own blog, not controlled by anyone else. Idno is sweet software and Ben and Erin are really cool.

Mail-in-a-Box

Even if you had your own domain name, would you still forward all your email through GMail or Hotmail or some free webmail service with practices you might not understand or appreciate? This project is for “a one-click, easy-to-deploy SMTP server: a mail server in a box.”

Superuser: Internet homeownership for anyone

Eric Mill (@konlone) has been working on a related project, to make it end-user easy to install self-hosted tools (like Mail-in-a-box, or personal blog software, or IFTTT) on a machine you control, so that it’s not reserved for those of us who naturally take to system administration. (Also, Eric is super cool.)