[Dave Birch] It’s all very well people like me going on about keys, certificates and zero-knowledge proofs but what are the problems that an identity infrastructure has to solve down at the coal face, so to speak. Here’s an example from a newspaper I happened to be reading (The Daily Telegraph “Money” section, 13th March 2010). I won’t repeat the entire story, which concerns an elderly, partially-disabled woman who had UKP500 stolen from her bank account at Santander. The bank discovered the fraud, to their credit, and asked the women to come to the branch so that they could sort things out. However, they demanded that she product either a valid passport, a valid driving licence with a picture on it or a birth certificate. She (along with countless other people) had none of these. Despite the fact that she had had an account with them for many, many years, the process derailed The charity Age Concern, quoted in the article, noted the expense of obtaining new passports for people who have no intention of travelling anywhere and also noted that elderly people are sometimes asked to produce utility bills (to get a mobile phone contract, say) that they do not have because they live in care homes or with relatives and that there is a further serious problem where they ask family members to deal with financial services, government and other organisations on their behalf. If you can’t prove who you are to the bank where you have had an account for decades, how on earth is your daughter supposed to deal with the bank on your behalf?

One practical suggestion might be for Age Concern to operate a service to provide fake passports to its members. It could do this at low cost, and since fake British passports do not have to be particularly high quality to suffice (the bank just photocopies them anyway), this could provide a simple and cost-effective means to help their members.

Dubai airport is not just a two bit arrival and departure lounge for a small Arab country. It is a veritable cross roads for global airline traffic – one of the 10 most important international hubs in the world. Yet its passport scanning machines failed to recognise that all 11 passports were not just fakes but quite awful fakes.

[From Snowblog – What the Dubai murder says about airport security]

I doubt the elderly lady’s local bank branch has “passport scanning machines” of any description, so my suggestion is entirely practical. On the other hand, if we decide to opt for legal solutions, what should we do? If we are going to have a shot at improving the identity infrastructure to the benefit of society, then it has to work in these cases, which are hardly rare or extreme. This simple, practical case should serve as a benchmark: how can an older person use whatever system is proposed in order to ring up a bank and get something done with their own money.

In this light, how does the banking industry manage identity in the future… Would you have predicted 15 years ago that we’d still be using IDs and Passwords today? Will we still be using them 15 years from now?

[From Predicting the Future of Identity | Future Banking Blog]

Actually fifteen years ago I did predict, more than once, that we wouldn’t be using passwords by now. I thought then, and I still think now, that passwords aren’t really security of any kind. Never mind elderly people trying to remember passwords on the phone, I can’t remember passwords on the phone. I was speaking one of my card providers recently, having called to query a declined transaction, and was genuinely shocked to be asked for my password. I had no memory of having set a password on this account at any time in the past, so had to go through the whole set-up all over again. (Which was pretty annoying, but not as annoying as being asked for my card number yet again, ten seconds after I had punched all sixteen digits into the keypad!!).

As I sat down to write the rest of this post, the combination of prosaic, archaic and potentially catastrophic palaver that is the process of opening an account in modern Britain was once again raising blood pressure in our household. Having got annoyed with the poor customer service from one of our credit card issuers, I cancelled the card (a card, incidentally, that I spend around £3,000 per month on, since I travel a lot for business) and appealed to the twitterverse for suggestions as to alternatives. A testament to my middle class status, the most popular suggestion was the John Lewis Partnership Card that delivers shopping vouchers for Waitrose and John Lewis, so I went off to their web site and immediately applied. Hurrah! It said something like “congratulations, you’re accepted”. My happiness was short lived, as it soon became apparent that they weren’t going to send me a card at all, but a form to fill out and sign. Whatever. When it turned up I signed it, my wife signed it and I sent it back, then went away on business.

My wife phoned me after a few days wondering where her new card was. When I got back, I discovered that my card had arrived but hers had not. So I gallantly gave her mine (one of the great advantages of PIN cards over signature or biometric cards), and started going through the rest of the backlog of mail. Eventually I came across a letter to me explaining that John Lewis could not send my wife her card without further proof of identity because of know-your-customer and anti-money laundering regulations. My wife has only lived in the UK since 1986 and has only had a Barclays account for 20 years, so you can see why they might be suspicious. She follows a pattern well-known to FATF investigators of international organised crime: live at the same address for the last 15 years, use your Barclaycard to buy food at the same Waitrose every week and work for Surrey County Council, presumably a known hot-bed for narco-terrorism.

In order to prove her identity, and therefore get her card, she had to (in hommage to the founding of the John Lewis partnership in 1929) post them her council tax bill and last month’s bank statement. International terrorists would find these completely impossible to forge <sarcasm=”on”> as they contain advanced anti-counterfeiting watermarks, holograms and embossing </sarcasm=”off”>. Of course, this being 2010, you might have thought that my wife would merely have to log in to John Lewis using her Barclays’ dongle and Barclays would federate her identity (which they must have already established to the satisfaction of financial regulators) but I’m afraid even these rudimentary steps toward an identity infrastructure have yet to be taken.

In summary: everyone’s time and money continues to be wasted and we are no closer to having an identity infrastructure for the 21st century than we were at the dawn of the web.

Talking about building an identity infrastructure, Consult Hyperion has joined forces with Identrust to sponsor a Digital Identity Forum track at this year’s European e-Identity Management conference in London on 9th-10th June 2010. The track will be called “Identity is the new money” and will focus on the potential co-operation between the banking, business and government sectors to actually do something about making peoples lives easier, safer and simpler through digital identity. John Bullard of Identrust will be chairing a number of speakers and then after tea I will be chairing a couple of expert panels looking at different aspects of the problem and potential solutions. I hope that we’ll be swapping and sharing practical ideas for products, services and new businesses: please come and join us on LInkedIn to learn more about the event in general and the Digital Identity Forum track in particular.

In an action of magnificent generosity, our good friends at EEMA have not only offered an incredible 20% discount to readers of this blog (register using this link) but they have also given me a delegate pass for the event — worth an astounding SEVEN HUNDRED AND TWENTY BRITISH POUNDS plus VAT — to give away on this blog as a competition prize. So if you are going to be in London on those dates and you’d like to come along to hear some of the leaders in the field discussing the evolution of identity management at the intersection of banking, government and the individual, all you have to do to win the complimentary pass is to be the first person to reply to this post with the name of the person who said “The chief principle of a well-regulated police state is this: That each person shall be at all times and places… recognised as this or that particular person” way back in 1796.

In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and contains 99% less fat than other blogs. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Identity Blog prizes per calendar year.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

4 comments

Leave a Reply to Trevor E Hilder Cancel reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: