For Safer Internet Day, I thought I’d bring a Mediterranean theme. As a classicist, I frequently switch between ancient and modern, applying time-tested principles to emerging technologies. Plato had it right on data protection: the price of not participating in public life is to be ruled by less able men.
At Consult Hyperion we frequently discuss the implications of financial crime migrating online. You’re less likely to be mugged at the cashpoint but the online environment is of course open to a wider range of attackers, often well hidden, and operating in diverse geographies. Personally, I have little patience with those who cite the ‘Four Horsemen of the Information Apocalypse’: terrorists, drug dealers, kidnappers and child pornographers. It is, therefore, particularly refreshing to see a genuinely practical approach to child protection being promoted by TrustElevate, drawing on opinions expressed by young people themselves.
Today marks the 10th anniversary of Safer Internet Day in the UK. Each year Industry, Educators, Regulators, Health & Social Care workers and Parents rally to raise awareness and put into action plans to tackle findings from significant research on the topic of trust and safety on the internet. This year one of the research pieces talks of the challenge ‘An Internet Young People Can Trust’. As a mum of two school age children, I am sat here wondering if the internet will ever be safe … for them or me.
If I think about life BC (before COVID), my eldest used social media for broadcast communications to her friends. She was guided on the appropriateness of certain apps and our acid test on the content she was posting was always ‘would you go up to a stranger in the street and give him your name, age, location and a photo of you in a bikini’ … her reaction was always ‘err, no’. My youngest had never been online apart from BBC Bitesize for homework assignments. We’re not online gamers so have never had constant nagging to go online. Additionally, you have to remember the internet (and mobile internet) has been significant in my work world since 1990 so I have a heightened understanding of the pitfalls and have seen many fall foul of their online reputation, tarnishing their in-person reputation.
The wonderful people at Payments NZ invited me around the globe to their conference “The Point” in Auckland this year and flattered me by asking me to
- give a keynote talk on the topic of “Cardmageddon” (the day when cards are no longer more than half of non-cash payments) and
- be the prize in their raffle.
Naturally, I accepted both offers.
It was a terrific event (you can download the presentations from the event here) and I thoroughly enjoyed both roles. I made a big deal about APIs and XS2A in my presentation because I wanted the audience to understand just what a range of organisations consumers are likely to give access to their bank accounts to. In particular, I said that I thought that retailers would be quick to take advantage of the possibilities here, but I also mentioned messaging and social networks. This latter case is one that I have discussed a couple of times before. Here’s where I came back to it a couple of years ago:
I can remember discussing with some clients at the time what sort of services they might be able to offer to Facebook or other social networks that were empowered through an Electronic Money Issuing (ELMI) licence and Payments Institution (PI) licence.
In work for one of our clients around about the same time, I firmly predicted that Facebook would do just this because the advantage of being able to instruct transfers without having the regulatory overhead of being a bank was so great. These were hardly Nostradamus-style prognostications, merely rather obvious interpolations of technology and regulatory trends. And, frankly, the cost of obtaining and maintaining these licences is so trivial to a Facebook or a Google or an Apple that it was a no-brainer to assume that they would apply. Well, guess what…
The Sunday Business Post reports that Facebook has received a licence from the Central Bank to operate a financial payments service, two years after applying for authorisation. A subsidiary of the social media giant can now act as a payments provider and electronic money issuer, as well as provide credit transfers and remittance services across the EU, as a result of the regulatory approval.
Interesting phrasing. They can “provide credit transfers”. So the day when my teenage son’s dreams will at last come true is not far off. I’ll be able to send you a tenner in WhatsApp just as easily as I can send you my location and neither of us will need a bank account to do this. This means real, and real serious, competition coming into the payments space. This is great, because competition will drive new services for consumers. But it does make me wonder whether some more regulatory intervention is on the horizon.
To see why I think this, reflect on the Second Payment Services Directive (PSD2) — the home of the aforementioned XS2A — and why it is going to have a major impact on banks. This has been clear for some time and, indeed, I have been droning on about it for years. Let’s just recap on the principle for a moment. The point is that because banks occupy a privileged place in society they are required to provide some services that are for society’s good rather than for their own good. XS2A is an example. In return for their privileges, banks have to deliver on certain responsibilities. So the regulator’s argument is that banks have to open up their APIs to third parties in order to allow those third parties to create new products and services that otherwise would not exist. The result of all of this is that society as a whole is better off.
Note that the banks themselves are not prevented from creating new products or services using these APIs either. I have written before about the “Amazonisation of banking” and on a number of different engagements for financial services clients, my colleagues at Consult Hyperion have looked at the possibilities of opening up in this field. But back to The Point, where the very clear-thinking Victoria Richardson, General Manager Payments Direction at the Australian Payments and Clearing Association (APCA), set the meme of the event when she talked about banks having to shift their perspective from “API horror” to “API opportunity” and I genuinely think that, in the UK at least, some banks have started to do this.
So now the dust has settled, the banks are opening up their APIs and are seeing new opportunities from accessing data. This is not because banks wanted to do this, but because they were given no choice. But if this argument applies to banks, that they are required to open up their APIs because they have a special responsibility to society, then why shouldn’t this principle also apply to Facebook? You may be aware that Facebook recently blocked an insurance company from having access to customers’ Facebook data, which the insurance company wanted to know in order to provide better quotes and special offers and so on.
Facebook will allow people to use their accounts to log in to the Admiral app, and for verification purposes, but will not allow the insurer to view users’ posts to work out discounts.
It seems to me that these issues are equivalent. On the one hand we are saying the banks cannot stop other regulated institutions from having access to customers’ accounts provided that they obtain the customers’ permission first and use strong authentication and so on and so forth, so why on the other hand shouldn’t the same apply to Facebook? Why shouldn’t a regulated institution such as an insurance company obtain access to customers’ data provided those customers give consent for them to do so? If I want to give GEICO access to my LinkedIn account on the grounds that I think it will get me a better deal on car insurance, why shouldn’t I? If an insurer decides to up my life insurance premium because they see me in a hot dog-eating competition on Facebook why shouldn’t they? After all, the more information insurers have, the more accurately they can price the risks. And if I don’t want to pay a higher premium, then I should stop smoking, bungee-jumping and eating Scotch eggs before breakfast. This is, by the way, hardly a new idea.
Startup Lenddo has launched a ‘social network’ credit card in Colombia that will see applicants approved or declined based on their reputations on Facebook and Twitter.
You can see the obvious benefits for financial services organisations if they can have access to social media accounts, almost as great as the benefits that social media platforms will obtain from having access to bank accounts. Come to that, why shouldn’t all regulated institutions have access to LinkedIn or Twitter or whatever else given the informed consent of customers? These platforms are crucial to the way that society functions nowadays so why should they not be required to be open platforms just as banks are? That would be a level playing field, wouldn’t it?
There’s a problem with social media generally and Twitter in particular. The problem is abuse.
I posted a screenshot of the email, and a few lines about how I would not be using Twitter until they figured out how to stop making incidents like this one (gross, but comparatively benign) a less constant component of my Twitter experience.
What can be done about it? A British example of this was in the press recently when the MP Jess Phillips reported hundreds of Twitter messages containing the depressingly usual sort of rape threats that are sent to women in the public sphere. Twitter said, essentially, tough.
“We reviewed the content and determined that it was not in violation of the Twitter rules.”
I don’t want to get into the free speech vs. hate speech debate but I will note that a variety of social media platforms have signed up to rules (in Europe) to try to cut down on hate speech.
Google, Facebook, Twitter and Microsoft have signed up to new EU rules on taking down illegal hate speech as lawmakers and internet giants try to cope with violent racist abuse and technically savvy terrorists online. The “code of conduct” will require companies to “review the majority” of flagged hate speech within 24 hours — and remove it, if necessary
I couldn’t tell from the article what hate speech is, or what illegal hate speech is, but I imagine it is going to be pretty difficult to automate this. I mean we all know hate speech when we see it, but I don’t know if we’d be able to explain it to a computer and I don’t think it is realistic to expect Twitter or anyone else to have to sort through thousands, millions of boring, derivative and repellent messages in order to determine whether to ban any of these pseudonyms (at which point they will simply log in under another pseudonym and continue). The solution, as I set out a while back, is to give users the option to automatically block messages that do not come from an authenticated account. An authenticated account is an account that is pseudonymous but has been attested to by an acceptable third party. By attested to, I mean that someone acceptable to the second party has attested that they know the real identity associated with the account.
What we need is a working identity infrastructure that allows for strongly-authenticated pseudonyms so that bullies can be blocked and revealed but public space can remain open for discussion and debate. Then you can default Facebook and Twitter and whatever to block unauthenticated pseudonyms.
Here’s an example as to how this might work. I go to Twitter to create an account, @angrywhitemale or whatever. Twitter asks me if I would like to authenticate my account. I say yes. Twitter asks me who will attest to my identity. I say Waitrose. Twitter says that Waitrose is not on its list of acceptable authenticators. I say Barclays. Twitter bounces me off to Barclays. At Barclays I use two-factor authentication to strongly authenticate myself and log in. Barclays then send a unique number back to Twitter. Twitter now know that Barclays knows who I am. The account is authenticated.
Jess Phillips has set her account to ignore all but authenticated accounts.
I tweet illegal hate speech to Jess Phillips. She passes it to the police. The police get the unique number from Twitter and go to Barclays with a warrant (all of these processes can be automated) and Barclays tell them that @angrywhitemale is actually Dave Birch and the police come round and arrest me.
Now, of course, I can delete the account @angrywhitemale and create a new identity @victimofsociety. But when I attempt to authenticate it, Barclays will notice that they had a warrant issued against my account and so will refuse to authenticate me until I get out of jail (or maybe never). So now I have to go and get another bank account in order to create another Twitter account in order to create another hate speech outrage in order to be arrested.
Most people in the public eye would, I’m sure, set their accounts to receive tweets from authenticated users only. Tweets from unauthenticated users to authenticated-only accounts would simply be discarded. The bullies could post away as much as they liked. Perhaps it is therapeutic for them.
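The walkthrough above, as an added Python simulation (not code from the original post, and not how Twitter or Barclays actually work): the platform stores only the attester’s name and an opaque token, never a real name; recipients can discard anything from unauthenticated handles; and the attester refuses to re-attest a customer once a warrant has been served. The handles, the customer record and the second-factor flag are constructed for the example.

```python
import secrets


class Attester:
    """The attester (the bank in the post). It knows who its customers are
    but hands the platform only an opaque, per-attestation token."""

    def __init__(self, name, customers):
        self.name = name
        self._customers = dict(customers)  # customer id -> real name (constructed)
        self._tokens = {}                  # token -> customer id
        self._warranted = set()            # customers a warrant has been served for

    def attest(self, customer_id, second_factor_ok):
        """Strong authentication is simulated by the second_factor_ok flag.
        Returns a fresh token, or None if attestation is refused."""
        if customer_id not in self._customers or not second_factor_ok:
            return None
        if customer_id in self._warranted:
            return None  # the post: refuse until the warrant matter is resolved
        token = secrets.token_hex(16)
        self._tokens[token] = customer_id
        return token

    def reveal(self, token, warrant):
        """Map a token back to a real identity, and only under a warrant."""
        if not warrant:
            raise PermissionError("identity is released only under a warrant")
        customer_id = self._tokens.get(token)
        if customer_id is None:
            return None
        self._warranted.add(customer_id)
        return self._customers[customer_id]


class Platform:
    """The social platform (Twitter in the post). It never learns real names."""

    def __init__(self, acceptable_attesters):
        self._attesters = {a.name: a for a in acceptable_attesters}
        self.accounts = {}  # handle -> {"attester", "token", "authenticated_only"}

    def create_account(self, handle):
        self.accounts[handle] = {"attester": None, "token": None,
                                 "authenticated_only": False}

    def authenticate(self, handle, attester_name, customer_id, second_factor_ok):
        attester = self._attesters.get(attester_name)
        if attester is None:
            return False  # e.g. Waitrose: not on the list of acceptable attesters
        token = attester.attest(customer_id, second_factor_ok)
        if token is None:
            return False
        self.accounts[handle].update(attester=attester_name, token=token)
        return True

    def is_authenticated(self, handle):
        return self.accounts[handle]["token"] is not None

    def set_authenticated_only(self, handle, enabled):
        self.accounts[handle]["authenticated_only"] = enabled

    def deliver(self, sender, recipient, text):
        """Returns True if delivered, False if silently discarded."""
        if self.accounts[recipient]["authenticated_only"] and not self.is_authenticated(sender):
            return False
        return True

    def attestation_record(self, handle):
        """All the platform can give the police: the attester's name and the token."""
        acct = self.accounts[handle]
        return acct["attester"], acct["token"]


def run_scenario():
    """Replays the post's walkthrough; all names, handles and ids are constructed."""
    bank = Attester("Barclays", {"cust-42": "Dave Birch"})
    platform = Platform([bank])
    out = {}

    platform.create_account("@angrywhitemale")
    out["waitrose_accepted"] = platform.authenticate("@angrywhitemale", "Waitrose", "cust-42", True)
    out["weak_auth_accepted"] = platform.authenticate("@angrywhitemale", "Barclays", "cust-42", False)
    out["barclays_accepted"] = platform.authenticate("@angrywhitemale", "Barclays", "cust-42", True)

    platform.create_account("@jessphillips")
    platform.set_authenticated_only("@jessphillips", True)
    platform.create_account("@openaccount")
    out["first_message_delivered"] = platform.deliver("@angrywhitemale", "@jessphillips", "[reported message]")

    # The recipient reports it; the police take the token to the attester with a warrant.
    attester_name, token = platform.attestation_record("@angrywhitemale")
    out["attester_named"] = attester_name
    out["platform_holds_real_name"] = "Dave Birch" in str(platform.accounts["@angrywhitemale"])
    out["revealed_identity"] = bank.reveal(token, warrant=True)

    # A fresh pseudonym cannot be re-attested by the same bank after the warrant.
    platform.create_account("@victimofsociety")
    out["second_handle_attested"] = platform.authenticate("@victimofsociety", "Barclays", "cust-42", True)
    out["second_message_delivered"] = platform.deliver("@victimofsociety", "@jessphillips", "[reported message]")
    out["open_account_still_reachable"] = platform.deliver("@victimofsociety", "@openaccount", "hello")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```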
Now, none of this infrastructure exists, of course. But suppose one group of authenticators — let’s say the banks, for example — came together to create it. It would generate immediate benefit for relatively little expenditure, since Strong Customer Authentication (SCA) is already mandated (well, sort of, in the UK) and the kind of APIs that would be needed to make this work are going to be in place shortly because of PSD2 (well, sort of, as PSD2 does not mandate any non-payments APIs). And while the infrastructure might become familiar to people because of social media, they might find many other places to use it. Dating web sites, for example. These are good examples of meeting places that benefit from strongly-authenticated pseudonymity. When I interact with you on a dating website, I don’t need to know your real name, but I do need to know that you exist and are over 18, and these are both facts about me that are known by my bank.
Would Twitter or Ashley Madison or whoever be prepared to pay the bank 10p for every authentication? I think this might be a reasonable price to pay for maintaining civilised spaces where people come to meet and mingle (and look at advertisements).
One way to help people obtain financial capital is by helping them to build up social capital.
[Margaret Ford] Educator and certifier of info-security professionals (ISC)² has just published a report on the online activities of primary school children, as part of its Safe and Secure Online programme. According to the report (available to its members at www.isc2.org.uk), 18% of 9-11 year olds have met up in person with a stranger they have met online. More worryingly, 50% of these went alone. The report was published as part of National Cyber Security Awareness Month, celebrating its tenth anniversary this year.
A significant number of children have admitted to lying about their age in order to access popular social media sites such as Facebook. Having spent some time recently discussing online safety with 10 year olds at a local primary school, I have found that many of the children “know someone” who has an account on Facebook, despite the account holder being well below the official minimum age of 13.
Apart from propagating some kind of digital ‘green cross code’, it can be hard to know how to approach e-safety with this age group. Many outstrip their parents in technical knowledge, and are naturally intensely curious. One approach may be to help them to build their own strategies for dealing with potentially risky situations. Materials such as videos and games can be used to encourage the children to express their concerns and work together to find ways to protect themselves online.
As part of the EU-funded TREsPASS project, Consult Hyperion is involved in exploring these same issues of trust, sharing and risk exposure at organisational, national and international levels. In the TREsPASS context, this involves the development of modelling formalisms and identification of practical ways to share risk information, to provide as much value as possible to the recipients, without overexposure of the originating organisation.
At present, the sharing of risk information is far from uniform: bilateral arrangements between organisations, governed by NDA, appear to be the norm. Multilateral sharing has evolved in some industries, especially those which involve Critical National Infrastructure and those which are heavily regulated – telecoms is an example of this. Before any meaningful sharing of risk data can take place, a sound structure for sharing has to be in place.
A key element mentioned at a recent meeting of the EU NIS working group on information exchange and incident co-ordination is the need for a common view of normality. In cyber security, as in many other fields, this can in fact be very subjective and vary by sector, size of organisation and organisational culture. Where one company might regard repeated attacks as ‘business as usual’, another might regard those same incidents as a reason to invoke crisis management.
In order to find common ground, it is helpful to start with a common vocabulary. The FAIR taxonomy adopted by The Open Group provides a valuable structure for describing the range of risk concepts. We presented with fellow TREsPASS partner BizzDesign this week at the Open Group Conference in London, showing how the ArchiMate Enterprise Architecture tool could be extended to support risk modelling with reference to a practical case study. As a socio-technical project, TREsPASS is investigating complex social and organisational environments together with technical elements of risk.
Interesting announcements at the Open Group event included the launch of the Open FAIR Certification for risk professionals, based around the newly published updates to the FAIR risk taxonomy and risk analysis standards.
Over the course of the project, TREsPASS will produce a range of tools to support risk modelling and visualisation at enterprise level. It will also develop a risk toolkit tailored specifically to the needs of SMEs, taking into account their unique requirements and essential role in the European economy.
Keep an eye on this blog for further developments from TREsPASS as well as our involvement with this EU project.
[Dave Birch] At this year’s South-by-Southwest Interactive (SXSW) in Austin, Texas, I went along to a session called “Identity + 30”, which was run by Sam Lessin, Head of the Identity Product Group at Facebook. The idea of the discussion was, if I understood it properly, not to be “right” about what identity would actually be a generation from now, but to create a framework for discussing identity now. Sam is a pretty interesting guy, and he got me thinking right from the start of his session, which I mean as a serious compliment, because to be completely honest this was not true of all the sessions I went to.
The core of his argument was that when sharing is expensive, or when it makes an individual less well-off, then people don’t share. Society has to deal with this, trade being the root of our prosperity, so it develops trust networks to connect more trading partners and collect more information about those trading partners. Sam had a useful way of thinking about this, which was the idea of what he called “social hacks” to deal with the historical problem that the speed of bits and the speed of atoms are different (I might disagree with the shape of his pseudo-graph, but I think his points hold). These hacks (diplomas, badges, dress codes and banking) help us to get by, but they are by no means optimal.
However, we now have what Sam called the “superpower” of being able to instantly communicate with anyone else on Earth so we will no longer need those hacks. I may be paraphrasing incorrectly, but I think his way of looking at the existing business models around identity as being hacks in response to incomplete identity, credential and reputation information is a good way of framing some problems and a very helpful way of exploring the solutions that new technology can present. I strongly agreed with his big picture technology roadmap and have written before about the “William Gibson World” where all of the technologies that will have any impact on corporate strategies to any foreseeable horizon already exist, something I always emphasise when we are working on client roadmaps. The trick is to look out of the corner of your eye and see where the technologies are being used for purposes that might disrupt business models, not to imagine new technologies. Given my predilection for using Dr. Who as my design authority, I also enjoyed Sam’s choice of common culture SF narratives to describe the future! His view is that the current generation is moving toward a “Borg system” not a “Hal system”, so new business opportunities are about the mass sharing of structured data.
Anyway, on to some of Sam’s key points, all of which were excellent:
- Information will centralise and cluster. (APIs are better than protocols.)
- We will share a lot more about ourselves. (Economics, not culture, will dictate this.)
- Everywhere will become local. (“I want to go where everyone knows my name” Cheers-style.)
- Only poor people will own things. Rich people will just rent whatever they want.
- Social capital will get ever more fungible, so (for example) going to Harvard will mean less than it does now, which means that it will be worth less than it is now. You can see exactly where this is headed. Just look at the way we use LinkedIn right now. In the old world, I would use the social hack of finding out which university your degree came from as a sort of proxy for things I might want to know about you, but I no longer need to do that because I can go via LinkedIn and find out if you are smart, a hard worker, a team player or whatever. So there’s no premium for you learning, say, biochemistry at UCL rather than Swindon Polytechnic: so long as you know the biochemistry, my hiring decision will be tied to your social graph.
- The cost of using social capital for transactional purposes will fall below the cost of trust intermediaries such as notes and coins, so there will be no need for cash any more. In other words, identity is the new money.
(When Sam put up that last point I nearly cried, because earlier this year I was commissioned to write a book on exactly that topic! I thought I was the only genius that had realised that trade based on social graphs would eliminate physical means of exchange, so now I am crushed. Back to the drawing board, even though I hadn’t actually drawn very much so far.)
The argument here is, to my mind, unanswerable. Suppose I am wandering through Woking market and I want to buy a doughnut. I give the trader £1. The trader doesn’t have to trust me, he only needs to trust the £1, and the cost of failing to detect that my £1 is a counterfeit is quite small (despite the large number of fake £1 coins in circulation in the UK) compared to the cost of establishing my trustworthiness and creditworthiness. Other traders deal with this problem by paying banks and card schemes to manage the problem for them, but this costs them money. But now I imagine that I wander up to the trader to buy a hot dog and through his Google Glasses my face is outlined in green, which means that the system recognises me and that I have good credit. The trader winks at me, and a message pops up on my phone informing me that I am being charged £1. I press “OK” and we go about our day.
More than £4m worth of fake one pound coins have been seized by detectives.
Until the invention of the mobile phone and its connection with the interweb tubes, I think it was reasonable to assume that there was no way of using identity, credentials and reputation in small transactions, which is why it made sense to continue to use notes and coins to settle retail transactions. But now? The replacement of notes and coins in this way all hinges on the trader recognising me. Once this has been achieved, the issue of trust can be instantly resolved by computations across the social graph. If I understood correctly, this is why Sam said that “trust & trade” is the layer above the basic “recognition & memory”.
Money is technologically equivalent to a primitive version of memory.
Kocherlakota, N. “Money is Memory”. Journal of Economic Theory 81, p.232-251(1998).
Is it possible to imagine a trust and trade layer based on the social graph rather than third-party credentials? Yes. I remember that at the excellent Nixon McInnes “Social in the City” seminar last year, Will McInnes made a really important point right at the beginning of the day. “Who do we trust”, he said. “We trust people like ourselves.” Quite. And I also remember that in the discussion on trust at the Digital Agenda for Europe Assembly for 2012, I got into a mild argument with someone in the break, because I said that the idea of sticking web badges on sites (“this is a trusted European e-commerce merchant” badge, as an example) was ridiculous, and a strangely Victorian approach to vetting tradespeople. We need those badges as a pre-networked society substitute for actual information about trust. (Clearly, what Sam would label a “social hack”.) Once the social graph enables you to determine trust, they don’t make any sense. Look at it this way. Why would I care whether a hotel has the “British Tourist Board Seal of Approval” (I’ve no idea whether this exists – I just made it up) when I can go on Trip Advisor to see what everyone thinks about it? Or, more especially, I can go and see what my friends, my work colleagues and in general, people like me think about it?
I don’t know about Sam’s thought experiment of New Jersey suburbs becoming cool, but I thoroughly enjoyed his session and greatly appreciated his window into the kind of thinking that is going on in Facebook.
Incidentally, Sam referred in passing to “peak cash”, which I thought was such a nice idea that I have sworn to plagiarise it mercilessly. I’m working on a blog post around this for next week sometime.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
[Dave Birch] An interesting e-mail arrived today (the contents and counterparties are not relevant to this post) but it made me think about “real names” again. I have to get together a talk for developers at the Microsoft Digital Wallet Foundry, and I thought this might be a good topic. So I went back to my notes to see if I could find a fun “case study” to focus thinking around convenience and security in ID. I came across this.
As Sheryl Sandberg said this week, when caller ID first came out, it was declared a violation of privacy.
That’s because caller ID is a violation of privacy. Which is why you can turn it off. If I’m phoning British Gas customer service, I can leave caller ID on and benefit from the efficiency that having my Calling Line Identifier (CLI) connect to their CRM brings. But if I’m phoning the council to complain about the crack house next door, then I might decide to remain anonymous and turn it off. If I want to avoid the near-continuous stream of calls from ambulance-chasing lawyers about PPI, I might want to screen incoming calls by CLI (although this is a useless strategy against spammers because they use international “out of area” codes). Bear in mind, too, that spoofing caller ID is trivial, so it doesn’t deliver any actual security. If it wasn’t trivial to spoof it, there would be no need for legislation such as
The Truth in Caller ID Act of 2009, which was signed into law Dec. 22, 2010, prohibits caller ID spoofing for the purposes of defrauding or otherwise causing harm.
Thank goodness there’s a law against such spoofing, because it means that no-one does it. No, wait… that’s not really true. No one does it except for criminals who are, for example, spoofing bank numbers to make phishing attacks or in more sinister enterprises such as getting people raided by SWAT teams by making bogus emergency calls that appear to come from the victim’s address (“SWATting”). So I call the police using your home phone number in the caller ID and tell them that someone has gone postal in the house, at which point heavily armed law enforcement officials storm your house and (hopefully, from my point of view, shoot you). This just happened to the well-known blogger Brian Krebs.
His office phone rang while he was vacuuming, but he ignored it. That, it turns out, was an unfortunate choice, given that the call came from law enforcement who were trying to verify what would turn out to be a spoofed emergency call showing Krebs’s number on caller ID.
In other words, CLI is about convenience. It doesn’t deliver security. Worse still, it delivers “anti-security” because people believe it delivers security when it doesn’t. CLI did develop an acceptable privacy settlement – since you can turn it off – and people started to use it despite the lack of security. I can’t be bothered to look, but I’m sure page 697 of my phone company terms and conditions says that I’m not allowed to spoof CLI.
“The name you use should be your real name as it would be listed on your credit card,” Facebook says.
Why? It’s of no help to anyone: anyone except marketers who are being sold the data, that is. My friends know that Leadbelly Gutbucket is me, and so they friend me and we use and enjoy Facebook together (as I do, in fact). But the corporations don’t know that this is me, unless I choose to tell them. I don’t believe that any name I see on Facebook is real. How would Facebook know? They didn’t do an Experian check on me when I created my account.
“Pretending to be anything or anyone is not allowed.”
This is a completely different point. And Facebook are completely right about this: you shouldn’t be able to pretend to be anyone else. Personation is obviously wrong. For example, did you see the Italian “Catch me if you can” story? It is a super tale of fake identity updated for the modern age.
A man who posed as an airline pilot and traveled in the cockpit of at least one plane was arrested in Turin Airport using forged identity cards and wearing a pilot’s uniform… The 32-year-old, whose real name was not released, allegedly created a fake identity as a Lufthansa pilot named “Andrea Sirlo,” complete with a Facebook page that included fake flight attendant friends… The national military police tracked down the suspect from photos on his Facebook profile, in which he is shown posing in uniform and sunglasses in front of airplanes.
But if I create a Facebook account in the name of David Beckham and then IM a transfer request demanding a move to Swindon Town, is that really impersonation or just a joke? One more point. The real names fuss is not a Facebook phenomenon and I don’t mean to suggest it is. If you want a non-Facebook example you need look no further than our own legislature.
an embarrassing photograph emerged which showed him wearing the name-tag ‘Michael Green’ – an alter ego used by the MP when posing as a self-help guru – at an internet conference in the US in 2004.
I’m not sure I’m against alter egos. What is the problem with having a “pen name” for the novel that you are writing? And how can you “pose” as a self-help guru? Surely he was just practicing what he preaches. If I say that I’m a self-help guru, then I am. Now, you may want to see some credentials or learn about my reputation as a self-help guru, but in a world where you do not need my name as an (imperfect) proxy to those details, what does the name matter?
There are many points to be made from these stories, but the main ones I want to make are that the whole identity thing is more complicated than it seems and it needs new thinking and a new narrative, that reputations are more important than names, and that finding a way to securely manage credentials and reputation is the way forward for the new economy. To my mind, these are critical components of the new digital wallet, because virtually none of your day-to-day transactions depend on your name.
In the end, I decided it would be too boring to tread too much of the same pseudonymity ground as I did in my last TEDx talk (which now has almost 173,000 views, I’m rather excited to report!) so I’ve gone for a more sweeping topic: “Identity is the New Money”. Look forward to seeing you at the Modern Jago in May!