A Working Treatise on Non-Repudiation: Guaranteeing (Un)Fraud , Security, Privacy, Compliance, AML / KYC, and Identity and Information Theory
At the crux of these 5–6 gigantic, enormous burgeoning and multi-vendor-sponsored multi-billion dollar fields lays Identity and Information Theory.
Here, I’ll break it down:
There are only 2 possible things that can happen to Information:
- It can be declared.
- It can be delivered.
Think about that, let that soak in.
Realize, perhaps now that… Information requires someone to create it… to conjure it into being, into existence and reality, from one’s mind uttered out loud or scribbled onto a physical or digital record… to say it, to own it e.g. to be declared.
Find that sunken place. Realize (possibly) now again that Information… can be sent, and should be sent, as some kind of string of data bits or a Message M, from one party (A or Alice) to another (B or Bobby).
And the word “happen” is chosen for a reason and makes sense to me… Information is alive… and information is dynamic… and hence, it physically degrades over time and across distance but may either gain or lose its value (utility), and it takes time to create and to disseminate (communicate) (it), respectively…
So why is this some kind of noteworthy discovery or supposition?
What does this have to do with fraud, security, compliance, etc.?
Why does it make sense?
Why should we believe it or (even) try to understand it?
Allow me to cheat… allow me to skip past some of the foundational sound model building and jump straight into a practical real-world example:
All of the above fields are related to cyber security. And Security’s primary (if not only) job is to ensure that Data (let me please use the word Information of the Shannon type, not the Risk Management or business type of information) is utilized with 100% fidelity and assurance according to the way (set of rules) that the Information (Model / System) was designed, intended, engineered, and willfully chosen to have. Keep in mind here that Cyber / Security has a dependency on System Engineering… the Data / Information is always stored, processed, and transmitted by some type of (holistic) (end-to-end)(networked) system.
Well then, let’s simply create a cyber security model (to apply to a system) based on our context above, Information in Internet Transactions.
We know that only 2 things can happen to Information — it can be created (and optionally owned / authored), and it can be delivered (transmitted).
So… let’s ensure that the System or Model we build guarantees the fidelity and assurance of Information Ownership, and Information Transmission, respectfully aligned and intentionally designed to provide a 100% level of confidence that neither the Owner of the Information, nor the Transmission of Information can ever be compromised.
What does compromised mean?
Compromised means anything less than 100%.
Alternatively, allow me to create a brand new concept to encapsulate the reverse situation, the opposite of compromisation: the guarantee that an Information System can never be compromised:
A Non-Repudiation System
For starters, I don’t believe this concept as I will precisely define it (so a system incorporating this concept can be designed, built, measured, and easily replicated across environments and systems), exists anywhere in the literature of information theory, cyber security, cybernetics, computer science, networking, systems, engineering, or complexity.
I believe this treatise and concept of a Non-Repudiation System is novel. And I should patent it, but I know less about that kind of stuff, and more about knowledge and truth (and common sense), so here goes:
A Non-Repudiation System is a system that guarantees non-repudiation.
Non-Repudiation is defined as the inability for an Entity to deny its (True) Identity and the inability for an Entity to deny having sent a Message M to another party.
If an Internet System can be designed to be a Non-Repudiation System, then that system will be impossible to compromise, breach, thrwart, defraud, deny, challenge, break, deter, modify, or stress (out).
A Non-repudiation system is immutable with regards to guaranteeing the Ownership of Information and the Transmission of Information.
To guarantee Ownership of Information, we must guarantee Identities are True.
To guarantee True Identities, we must guarantee that an Entity who claims an Identity is actually with 100% certainty the same Entity who originally Registered and Created the Identity.
And we pause here… because… some of you may have skipped and already realized the Truth… the real “holy grail” of why this Treatise is important, and should be treated as foundational.
If we can actually design and build a system that guarantees that Claimed Identities are always 100% true, then we’re done… we’ve solved the data security problem as long as the binding between Information and Identity can never be broken.
If I create a piece of data, like this here Treatise on Non-Repudiation, and my (claimed) Identity can (and will always) be 100% authenticated to be true and correct, then no one can ever steal my idea or my rights of true ownership or authorship to the contents and the knowledge above herein.
However, Medium provides a certain level of Authentication, perhaps Two-Factor Authentication (2FA). And given 2FA, we can make an arguable claim that Stolen Identities are 99.5% impossible to occur…
This 99.5% is a made-up number, but it can be easily calculated, and more importantly, used in a chain / stack / series of authentication methods and factors used in a multi-factor authentication process. In short, the non-repudiation of a Internet-based system will be limited by the computational (time) resources required to break or subvert cryptographic schemes and related architectural, logical flaws in (human) reasoning and processing… however… if Messages (Information) are guaranteed to have a rightful and indisputable, undeniable Owner… then no matter where that Information lives… there is accountability… a hacker would no longer or ever again be able to send a malicious packet via the network… because the packet would be cryptographically binded (signed / encrypted) to an Identity (public / private keypair), guaranteeing accountability and ownership no matter where that data lives.
So then.. is non-repudiation just 100% Identity Authenticated?
But it’s impossible to achieve… non-repudiation (NR) is a probabilistic concept based towards reaching the ideal state or nirvana of perfect security, integrity, availability, confidentiality, reliability, and/or trustworthiness of data or information and the system that uses that same data… but we can build such a system, ON THE INTERNET or ON A NEW INTERNET, if our system guarantees or implements the following 8 requirements:
- Authentication of Identities (incl. the Entity Creation and Registration of an Identity)
- Usage and Management of Digital Signatures (Private Keys!)
- Delivery of a Message M between an Originator O and a Recipient R.
Nothing else matters. No other system needs to be designed or ever explored to solve the data security, anonymity, privacy, and transactional-fidelity (atomic, etc.) problem.
We want both anonymity and non-repudiation (guarantee that an Identity created and/or transmitted Information) — but we cannot have this at the same time. We must choose one. We must build one system for each used case:
Non-Repudiation (Identity) System
Oh and one more thing.
An NR system does not allow recourse. There is no appeal process. There is no grievance or complaint. If a system can never be compromised, then it is always True.
Let’s build NR systems.
We will lose our humanity and our innate human sense of appeal, forgiveness, making mistakes, healing and amendments. We will rather become cold and steely, strict and correct like good automatons, happily transacting with each other knowing one thing: Truth is Guaranteed.
p.p.s. the opposite of a NR system is actually… the Internet as it is today. A networked system providing anonymous access.
Signing off. 12/30/2021 12:26AM ET
Draft never published: