[Dave Birch] Never mind a National Strategy for Trusted Identities in Cyberspace (NSTIC), what about Trusted Identities in General? It’s far too easy in the US (and the UK) to take over someone else’s identity.

Prosecutors say Berkowitz stole the identities of dead people and federal prisoners to file for tax refunds in 28 states… Prosecutors say the scam was worth about $54 million.

[From Marvin Berkowitz Pleads Guilty In Tax Fraud Ring]

This sort of straightforward identity crime is profitable in the UK as well, although in a characteristically smaller way.

A Bristol woman has been jailed for using a complex web of 15 different identities and companies to defraud the Revenue out of £118,000.

48-year-old Alison Reynolds was jailed for seven years yesterday for VAT fraud and police offences. Reynolds was found guilty of four charges of cheating the Public Revenue, one charge of using a false identity document and several forgery offences.

[From Woman with 15 IDs gets 7 years for multiple VAT fraud • The Register]

Seven years? For stealing a paltry £118,000? She should have gone into investment banking. But the point is, of course, that she had 15 different identities which, given that there is no identity infrastructure in this country, is not particularly surprising.

The Lib-Con government promised to do away with New Labour’s plans to introduce ID cards, yet its proposed new Identity Assurance Scheme (IAS) shows that the intrusive, bureaucratic impulse that gave birth to the ID-card scheme still lingers. Unless privacy is put at the heart of future government data initiatives, we could well end up with a scheme akin to ID cards introduced through the backdoor.

[From Is this just ‘ID cards without the cards’? | Patrick Hayes | spiked]

Well, this is a bit harsh on the Lib-Con coalition. Although it seems to me correct to say that they had no workable policy on ID (other than the knee-jerk against the ID card), it’s not correct to imply that the IAS is the same thing. It isn’t. It is a structure whereby the private sector provide the identification and authentication services and the government uses them, much like the American NSTIC.

This “new” approach is not in fact entirely new. The UK government tried something similar during the late 1990s, working closely with third-party ID providers such as Royal Mail, Barclays, NatWest and the British Chamber of Commerce. Citizens and businesses could use such third-party IDs to authenticate themselves to online government services… So what went wrong? The lack of a sustainable commercial model led the third-party ID providers to exit from the market.

[From Back to the future with government ID plans – 6/23/2011 – Computer Weekly]

As I remember it, this failure on the commercial front had a lot to do with liability models. This is where things went wrong before, and they show no signs of going right this time. What the identity providers want is an indemnity from government if they follow certain procedures: for example…

  • You come to my bank and open an account in the name of Cristiano Ronaldo using a Portuguese passport (that I have no means of verifying) and a recent gas bill. I take photocopies of these and file them away somewhere.
  • It subsequently transpires that you are actually Carlos Tevez.
  • Now, suppose you use your Cristiano Ronaldo identity to do some money laundering. The bank would say that they are not liable, because they followed the correct KYC/AML/CTF procedures. This seems reasonable to me.

The bank is in the clear because they followed the rules, even though the rules were pointless. Of course, none of this actually helps fight against crime, money laundering and so on, as occurred to me the other day. I was due to take an early flight to the US and hadn’t had time to pick up some US$ for the dreary occasions where I can’t use cards like a civilised traveller. We happened to be passing a Post Office on the way home: they offer no-commission foreign exchange so I thought I’d run in and get some. Post Offices closed at 5.30pm on the grounds that that’s when people who work all day might want to use them, and I was running in at 5.15pm. I asked for $200 and waved my chip and PIN debit card. A transaction that I thought might take 90 seconds then began to drag. The clerk asked me for ID, which I didn’t have. My wife had her (US) passport in her bag, so she handed that over. Why, I’ve no idea, since the clerk had no way of verifying it. He then set about laboriously copying the passport details. I asked what the point was, and he told me it was to do with money laundering.

Ludicrous. And even more ludicrous is the fact that if I had paid with cash, the result of a recent drug deal or bribe, then they would NOT have had to do the time-wasting utterly pointless AML form-filling. How bizarre is that? Incentivising criminals to not use a KYC’d payment instrument (the debit card) but instead persuading them where possible to work in untraceable cash. Madness.

Back to the point, though. If the government were to create a liability structure for ID, just as they have for KYC/AML/CTF, that says “look if you follow the rules and use our procedures then you are not liable – no matter how pointless and ineffective these rules might be” then that ought to fix the problem well enough to start a value network. It’s this that will help the “UKSTIC” to get going, because the business case around cutting down on KYC/AML/CTF is so strong.

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.


2 comments

  1. Liability for ID doesn’t make much sense anyway. It’s how the ID is relied on that determines the potential damages – and that’s generally out of the control of the provider.

    Maybe it would make more sense to re-introduce liability for money laundering in much the same way as we do for receiving stolen goods. Banks can stop worrying about making £50 over-the-counter transactions, and not be let off the hook if someone washes £60k to Belarus through a basic bank account with impeccable paperwork.

  2. Dave;
    Great blog- last para says it all…BUT Guys, we don’t need UK Government to waste OUR money creating a “liability structure of ID” any more (heaven forbid) than we need Brussels, Tripoli or even Uncle Sam to do this- it has already been done by the most highly regulated piece of the Private Sector- namely the banks, and it is use-able applicable in over 170 (yes 170) countries worldwide, and is firmly based upon prevailing AML/KYC/FATF requirement- and by the way is already used in support of Critical National Infrastructure (namely the BACS ACH) right here today. No need at all for HMG to reinvent the wheel- they should use the darn thing…!
