Facebook, APIs and cardmageddon

The wonderful people at Payments NZ invited me around the globe to their conference “The Point” in Auckland this year and flattered me by asking me to

    1. give a keynote talk on the topic of “Cardmageddon” (the day when cards are no longer more than half of non-cash payments) and

    2. be the prize in their raffle.

Naturally, I accepted both offers.

Getting The Point (yuk yuk)

It was a terrific event (you can download the presentations from the event here) and I thoroughly enjoyed both roles. I made a big deal about APIs and XS2A in my presentation because I wanted the audience to understand just how wide a range of organisations consumers are likely to give access to their bank accounts. In particular, I said that I thought that retailers would be quick to take advantage of the possibilities here, but I also mentioned messaging and social networks. This latter case is one that I have discussed a couple of times before. Here’s where I came back to it a couple of years ago:

I can remember discussing with some clients at the time what sort of services they might be able to offer to Facebook or other social networks that were empowered through an Electronic Money Issuing (ELMI) licence and Payments Institution (PI) licence.

From Facebook money is overdue | Consult Hyperion

In work for one of our clients at around the same time, I firmly predicted that Facebook would do just this, because the advantages of being able to instruct transfers without the regulatory overhead of being a bank were so great. These were hardly Nostradamus-style prognostications, merely rather obvious interpolations of technology and regulatory trends. And, frankly, the cost of obtaining and maintaining these licences is so trivial to a Facebook or a Google or an Apple that it was a no-brainer to assume that they would apply. Well, guess what…

The Sunday Business Post reports that Facebook has received a licence from the Central Bank to operate a financial payments service, two years after applying for authorisation. A subsidiary of the social media giant can now act as a payments provider and electronic money issuer, as well as provide credit transfers and remittance services across the EU, as a result of the regulatory approval.

From Seen and Heard: Facebook secures payments services licence

Interesting phrasing. They can “provide credit transfers”. So the day when my teenage son’s dreams will at last come true is not far off. I’ll be able to send you a tenner in WhatsApp just as easily as I can send you my location, and neither of us will need a bank account to do this. This means real, and real serious, competition coming into the payments space. This is great, because competition will drive new services for consumers. But it does make me wonder whether some more regulatory intervention is on the horizon.

To see why I think this, reflect on the Second Payment Services Directive (PSD2) — the home of the aforementioned XS2A — and why it is going to have a major impact on banks. This has been clear for some time and, indeed, I have been droning on about it for years. Let’s just recap on the principle for a moment. The point is that because banks occupy a privileged place in society they are required to provide some services that are for society’s good rather than for their own good. XS2A is an example. In return for their privileges, banks have to deliver on certain responsibilities. So the regulator’s argument is that banks have to open up their APIs to third parties in order to allow those third parties to create new products and services that otherwise would not exist. The result of all of this is that society as a whole is better off.

Note that the banks themselves are not prevented from creating new products or services using these APIs either. I have written before about the “Amazonisation of banking” and, on a number of different engagements for financial services clients, my colleagues at Consult Hyperion have looked at the possibilities of opening up in this field. But back to The Point, where the very clear-thinking Victoria Richardson, General Manager Payments Direction at the Australian Payments and Clearing Association (APCA), set the meme of the event when she talked about banks having to shift their perspective from “API horror” to “API opportunity”, and I genuinely think that, in the UK at least, some banks have started to do this.

Victoria from APCA

So now the dust has settled, the banks are opening up their APIs and are seeing new opportunities from accessing data. This is not because banks wanted to do this, but because they were given no choice. But if this argument applies to banks, that they are required to open up their APIs because they have a special responsibility to society, then why shouldn’t this principle also apply to Facebook? You may be aware that Facebook recently blocked an insurance company from having access to customers’ Facebook data, which the insurance company wanted in order to provide better quotes, special offers and so on.

Facebook will allow people to use their accounts to log in to the Admiral app, and for verification purposes, but will not allow the insurer to view users’ posts to work out discounts.

From Facebook blocks Admiral’s car insurance discount plan – BBC News

It seems to me that these issues are equivalent. On the one hand we are saying that banks cannot stop other regulated institutions from having access to customers’ accounts provided that they obtain the customers’ permission first and use strong authentication and so on and so forth, so why, on the other hand, shouldn’t the same apply to Facebook? Why shouldn’t a regulated institution such as an insurance company obtain access to customers’ data provided those customers give consent for them to do so? If I want to give GEICO access to my LinkedIn account on the grounds that I think it will get me a better deal on car insurance, why shouldn’t I? If an insurer decides to up my life insurance premium because they see me in a hot dog-eating competition on Facebook, why shouldn’t they? After all, the more information insurers have, the more accurately they can price the risks. And if I don’t want to pay a higher premium, then I should stop smoking, bungee-jumping and eating Scotch eggs before breakfast. This is, by the way, hardly a new idea.

Startup Lenddo has launched a ‘social network’ credit card in Colombia that will see applicants approved or declined based on their reputations on Facebook and Twitter.

[From Finextra: Lenddo delves into credit card applicants’ social media data]

You can see the obvious benefits for financial services organisations if they can have access to social media accounts, almost as great as the benefits that social media platforms will obtain from having access to bank accounts. Come to that, why shouldn’t all regulated institutions have access to LinkedIn or Twitter or whatever else, given the informed consent of customers? These platforms are crucial to the way that society functions nowadays, so why should they not be required to be open platforms just as banks are? That would be a level playing field, wouldn’t it?

Fixing the “Twitter problem” isn’t that hard

There’s a problem with social media generally and Twitter in particular. The problem is abuse. 

I posted a screenshot of the email, and a few lines about how I would not be using Twitter until they figured out how to stop making incidents like this one (gross, but comparatively benign) a less constant component of my Twitter experience.

From Twitter Has Become a Park Filled With Bats — Following: How We Live Online

What can be done about it? A British example of this was in the press recently when the MP Jess Phillips reported hundreds of Twitter messages containing the depressingly usual sort of rape threats that are sent to women in the public sphere. Twitter said, essentially, tough.

“We reviewed the content and determined that it was not in violation of the Twitter rules.”

From By ignoring the thousands of rape threats sent to me, Twitter is colluding with my abusers

I don’t want to get into the free speech vs. hate speech debate but I will note that a variety of social media platforms have signed up to rules (in Europe) to try to cut down on hate speech.

Google, Facebook, Twitter and Microsoft have signed up to new EU rules on taking down illegal hate speech as lawmakers and internet giants try to cope with violent racist abuse and technically savvy terrorists online. The “code of conduct” will require companies to “review the majority” of flagged hate speech within 24 hours — and remove it, if necessary

From Web giants sign up to EU hate speech rules – FT.com

I couldn’t tell from the article what hate speech is, or what illegal hate speech is, but I imagine it is going to be pretty difficult to automate this. I mean, we all know hate speech when we see it, but I don’t know if we’d be able to explain it to a computer, and I don’t think it is realistic to expect Twitter or anyone else to have to sort through thousands, millions of boring, derivative and repellent messages in order to determine whether to ban one of these pseudonyms (at which point they will simply log in under another pseudonym and continue). The solution, as I set out a while back, is to give users the option to automatically block messages that do not come from an authenticated account. An authenticated account is an account that is pseudonymous but has been attested to by an acceptable third party. By attested to, I mean that someone acceptable to the second party has attested that they know the real identity associated with the account; the platform itself never needs to learn that identity.

What we need is a working identity infrastructure that allows for strongly-authenticated pseudonyms so that bullies can be blocked and revealed but public space can remain open for discussion and debate. Then you can default Facebook and Twitter and whatever to block unauthenticated pseudonyms.

From We can contribute to childhood e-safety | Consult Hyperion

Here’s an example as to how this might work. I go to Twitter to create an account, @angrywhitemale or whatever. Twitter asks me if I would like to authenticate my account. I say yes. Twitter asks me who will attest to my identity. I say Waitrose. Twitter says that Waitrose is not on its list of acceptable authenticators. I say Barclays. Twitter bounces me off to Barclays. At Barclays I use two-factor authentication to strongly authenticate myself and log in. Barclays then sends a unique number back to Twitter. Twitter now knows that Barclays knows who I am. The account is authenticated.

Jess Phillips has set her account to ignore all but authenticated accounts.

I tweet illegal hate speech to Jess Phillips. She passes it to the police. The police get the unique number from Twitter and go to Barclays with a warrant (all of these processes can be automated) and Barclays tell them that @angrywhitemale is actually Dave Birch and the police come round and arrest me.

Now, of course, I can delete the account @angrywhitemale and create a new identity @victimofsociety. But when I attempt to authenticate it, Barclays will notice that they had a warrant issued against my account and so will refuse to authenticate me until I get out of jail (or maybe never). So now I have to go and get another bank account in order to create another Twitter account in order to create another hate speech outrage in order to be arrested.

Most people in the public eye would, I’m sure, set their accounts to receive tweets from authenticated users only. Tweets from unauthenticated users to authenticated-only accounts would simply be discarded. The bullies could post away as much as they liked. Perhaps it is therapeutic for them.

From Anonymity – privilege or right? | Consult Hyperion
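The attestation flow sketched above (the blocked-unless-authenticated option and the Twitter/Barclays/warrant walk-through) as a small runnable model. This is an added example, not code from the original post or from any bank or platform: the names (Barclays, Twitter, the handles) follow the post, while the token construction (an HMAC over the customer identifier with a per-relying-party key), the warrant call and the revocation rule are my assumptions about how such a scheme could be built. Strong two-factor login at the bank is assumed to have already happened before `attest()` is called.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Attestor:
    """An identity provider that knows who its customers really are (the bank in the post)."""
    name: str
    customers: dict                                   # customer_id -> real name (constructed sample)
    _keys: dict = field(default_factory=dict)         # relying party -> secret key (assumed design)
    _issued: dict = field(default_factory=dict)       # token -> customer_id, so a warrant can be answered
    _revoked: set = field(default_factory=set)        # tokens already resolved under a warrant

    def attest(self, customer_id: str, relying_party: str):
        """Return the post's 'unique number' for this customer at this relying party, or None.
        Same customer + same platform -> same token (so the bank spots a re-registration);
        same customer + different platform -> a different token that cannot be linked to it."""
        if customer_id not in self.customers:
            return None
        key = self._keys.setdefault(relying_party, secrets.token_bytes(32))
        token = hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()
        if token in self._revoked:
            return None                               # no re-authentication after a warrant
        self._issued[token] = customer_id
        return token

    def resolve(self, token: str, warrant: bool) -> str:
        """Answer a warrant: map a token back to a real name and mark it revoked."""
        if not warrant:
            raise PermissionError("identity is only disclosed under a warrant")
        customer_id = self._issued[token]
        self._revoked.add(token)
        return self.customers[customer_id]


@dataclass
class Platform:
    """A social network that stores only (attestor, token) per account, never a real name."""
    name: str
    acceptable_attestors: dict                        # attestor name -> Attestor
    _accounts: dict = field(default_factory=dict)     # handle -> (attestor name, token) or None
    _authenticated_only: set = field(default_factory=set)
    _inbox: dict = field(default_factory=dict)

    def create_account(self, handle: str) -> None:
        self._accounts[handle] = None                 # starts unauthenticated
        self._inbox[handle] = []

    def authenticate(self, handle: str, attestor_name: str, customer_id: str) -> bool:
        attestor = self.acceptable_attestors.get(attestor_name)
        if attestor is None:
            return False                              # "Waitrose is not on the list"
        token = attestor.attest(customer_id, self.name)
        if token is None:
            return False
        self._accounts[handle] = (attestor_name, token)
        return True

    def set_authenticated_only(self, handle: str) -> None:
        self._authenticated_only.add(handle)

    def send(self, sender: str, recipient: str, text: str) -> bool:
        """Deliver a message, or discard it if the recipient takes authenticated senders only."""
        if recipient in self._authenticated_only and self._accounts[sender] is None:
            return False
        self._inbox[recipient].append((sender, text))
        return True

    def attestation_for(self, handle: str):
        """What the platform hands to the police: an attestor name and an opaque token."""
        return self._accounts[handle]


def run_scenario() -> dict:
    """Walk through the post's story and return the observable outcomes."""
    barclays = Attestor("Barclays", {"cust-42": "Dave Birch"})   # constructed sample customer
    twitter = Platform("twitter", {"Barclays": barclays})
    out = {}
    twitter.create_account("@jessphillips")
    twitter.set_authenticated_only("@jessphillips")
    twitter.create_account("@angrywhitemale")
    out["unauth_delivered"] = twitter.send("@angrywhitemale", "@jessphillips", "...")
    out["waitrose_accepted"] = twitter.authenticate("@angrywhitemale", "Waitrose", "cust-42")
    out["barclays_accepted"] = twitter.authenticate("@angrywhitemale", "Barclays", "cust-42")
    out["auth_delivered"] = twitter.send("@angrywhitemale", "@jessphillips", "illegal hate speech")
    # Police get the token from Twitter and take it to Barclays with a warrant.
    attestor_name, token = twitter.attestation_for("@angrywhitemale")
    out["resolved_name"] = twitter.acceptable_attestors[attestor_name].resolve(token, warrant=True)
    # Same person, new handle: Barclays recognises the revoked token and refuses.
    twitter.create_account("@victimofsociety")
    out["second_account_accepted"] = twitter.authenticate("@victimofsociety", "Barclays", "cust-42")
    # A token issued for another relying party cannot be linked to the Twitter one.
    out["unlinkable"] = barclays.attest("cust-42", "datingsite") != token
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points worth noticing. The platform only ever holds an opaque token, so a breach of Twitter's database does not leak anyone's name, and the per-relying-party key means a token seen at a dating site cannot be matched to the one at Twitter. The price of making the token deterministic per platform (so the bank can refuse the second account) is that the platform can also tell that two handles share an attestation; whether that is a feature or a privacy problem depends on the platform's policy.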

Now, none of this infrastructure exists, of course. But suppose one group of authenticators — let’s say the banks, for example — came together to create it. It would generate immediate benefit for relatively little expenditure, since Strong Customer Authentication (SCA) is already mandated (well, sort of, in the UK) and the kind of APIs that would be needed to make this work are going to be in place shortly because of PSD2 (well, sort of, as PSD2 does not mandate any non-payments APIs). And while the infrastructure might become familiar to people because of social media, they might find many other places to use it. Dating web sites, for example. These are a good example of meeting places that benefit from strongly-authenticated pseudonymity. When I interact with you on a dating website, I don’t need to know your real name, but I do need to know that you exist and are over 18, and these are both facts about me that are known by my bank.

Would Twitter or Ashley Madison or whoever be prepared to pay the bank 10p for every authentication? I think this might be a reasonable price to pay for maintaining civilised spaces where people come to meet and mingle (and look at advertisements).

Cybersecurity awareness month – sharing in a digital world

[Margaret Ford] Educator and certifier of info-security professionals (ISC)² has just published a report on the online activities of primary school children, as part of its Safe and Secure Online programme. According to the report (available to its members at www.isc2.org.uk), 18% of 9-11 year olds have met up in person with a stranger they have met online. More worryingly, 50% of these went alone. The report was published as part of National Cyber Security Awareness Month, celebrating its tenth anniversary this year.

A significant number of children have admitted to lying about their age in order to access popular social media sites such as Facebook. Having spent some time recently discussing online safety with 10 year olds at a local primary school, I have found that many of the children “know someone” who has an account on Facebook, despite the account holder being well below the official minimum age of 13.

Apart from propagating some kind of digital ‘green cross code’, it can be hard to know how to approach e-safety with this age group. Many outstrip their parents in technical knowledge, and are naturally intensely curious. One approach may be to help them to build their own strategies for dealing with potentially risky situations. Materials such as videos and games can be used to encourage the children to express their concerns and work together to find ways to protect themselves online.

As part of the EU-funded TREsPASS project, Consult Hyperion is involved in exploring these same issues of trust, sharing and risk exposure at organisational, national and international levels. In the TREsPASS context, this involves the development of modelling formalisms and identification of practical ways to share risk information, to provide as much value as possible to the recipients, without overexposure of the originating organisation.

At present, the sharing of risk information is far from uniform: bilateral arrangements between organisations, governed by NDA, appear to be the norm. Multilateral sharing has evolved in some industries, especially those which involve Critical National Infrastructure and those which are heavily regulated – telecoms is an example of this. Before any meaningful sharing of risk data can take place, a sound structure for sharing has to be in place.

A key element mentioned at a recent meeting of the EU NIS working group on information exchange and incident co-ordination is the need for a common view of normality. In cyber security, as in many other fields, this can in fact be very subjective and vary by sector, size of organisation and organisational culture. Where one company might regard repeated attacks as ‘business as usual’, another might regard those same incidents as a reason to invoke crisis management.

In order to find common ground, it is helpful to start with a common vocabulary. The FAIR taxonomy adopted by The Open Group provides a valuable structure for describing the range of risk concepts. We presented with fellow TREsPASS partner BizzDesign this week at the Open Group Conference in London, showing how the ArchiMate Enterprise Architecture tool could be extended to support risk modelling with reference to a practical case study. As a socio-technical project, TREsPASS is investigating complex social and organisational environments together with technical elements of risk.

Interesting announcements at the Open Group event included the launch of the Open FAIR Certification for risk professionals, based around the newly published updates to the FAIR risk taxonomy and risk analysis standards.

Over the course of the project, TREsPASS will produce a range of tools to support risk modelling and visualisation at enterprise level. It will also develop a risk toolkit tailored specifically to the needs of SMEs, taking into account their unique requirements and essential role in the European economy. 

Keep an eye on this blog for further developments from TREsPASS as well as our involvement with this EU project. 

Social “hacks” are going to be replaced by computations across the social graph

[Dave Birch] At this year’s South-by-Southwest Interactive (SXSW) in Austin, Texas, I went along to a session called “Identity + 30”, which was run by Sam Lessin, Head of the Identity Product Group at Facebook. The idea of the discussion was, if I understood it properly, not to be “right” about what identity would actually be a generation from now, but to create a framework for discussing identity now. Sam is a pretty interesting guy, and he got me thinking right from the start of his session, which I mean as a serious compliment, because to be completely honest this was not true of all the sessions I went to.

The core of his argument was that when sharing is expensive, or when it makes an individual less well-off, then people don’t share. Society has to deal with this, trade being the root of our prosperity, so it develops trust networks to connect more trading partners and collect more information about those trading partners. Sam had a useful way of thinking about this, which was the idea of what he called “social hacks” to deal with the historical problem that the speed of bits and the speed of atoms are different (I might disagree with the shape of his pseudo-graph, but I think his points hold). These hacks (diplomas, badges, dress codes and banking) help us to get by, but they are by no means optimal.

However, we now have what Sam called the “superpower” of being able to instantly communicate with anyone else on Earth, so we will no longer need those hacks. I may be paraphrasing incorrectly, but I think his way of looking at the existing business models around identity as being hacks in response to incomplete identity, credential and reputation information is a good way of framing some problems and a very helpful way of exploring the solutions that new technology can present. I strongly agreed with his big picture technology roadmap and have written before about the “William Gibson World” where all of the technologies that will have any impact on corporate strategies to any foreseeable horizon already exist, something I always emphasise when we are working on client roadmaps. The trick is to look out of the corner of your eye and see where the technologies are being used for purposes that might disrupt business models, not to imagine new technologies. Given my predilection for using Doctor Who as my design authority, I also enjoyed Sam’s choice of common culture SF narratives to describe the future! His view is that the current generation is moving toward a “Borg system” not a “Hal system”, so new business opportunities are about the mass sharing of structured data.

Anyway, on to some of Sam’s key points, all of which were excellent:

  1. Information will centralise and cluster. (APIs are better than protocols.)
  2. We will share a lot more about ourselves. (Economics, not culture, will dictate this.)
  3. Everywhere will become local. (“I want to go where everyone knows my name” Cheers-style.)
  4. Only poor people will own things. Rich people will just rent whatever they want.
  5. Social capital will get ever more fungible, so (for example) going to Harvard will mean less than it does now, which means that it will be worth less than it is now. You can see exactly where this is headed. Just look at the way we use LinkedIn right now. In the old world, I would use the social hack of finding out which university your degree came from as a sort of proxy for things I might want to know about you, but I no longer need to do that because I can go via LinkedIn and find out if you are smart, a hard worker, a team player or whatever. So there’s no premium for you learning, say, biochemistry at UCL rather than Swindon Polytechnic: so long as you know the biochemistry, my hiring decision will be tied to your social graph.
  6. The cost of using social capital for transactional purposes will fall below the cost of trust intermediaries such as notes and coins, so there will be no need for cash any more. In other words, identity is the new money.

(When Sam put up that last point I nearly cried, because earlier this year I was commissioned to write a book on exactly that topic! I thought I was the only genius that had realised that trade based on social graphs would eliminate physical means of exchange, so now I am crushed. Back to the drawing board, even though I hadn’t actually drawn very much so far.)

The argument here is, to my mind, unanswerable. Suppose I am wandering through Woking market and I want to buy a doughnut. I give the trader £1. The trader doesn’t have to trust me, he only needs to trust the £1, and the cost of failing to detect that my £1 is a counterfeit is quite small (despite the large number of fake £1 coins in circulation in the UK) compared to the cost of establishing my trustworthiness and creditworthiness. Other traders deal with this problem by paying banks and card schemes to manage the problem for them, but this costs them money. But now imagine that I wander up to the trader to buy a doughnut and through his Google Glass my face is outlined in green, which means that the system recognises me and that I have good credit. The trader winks at me, and a message pops up on my phone informing me that I am being charged £1. I press “OK” and we go about our day.

More than £4m worth of fake one pound coins have been seized by detectives.

[From Police Seize Record Haul Of Counterfeit Coins – Yahoo! News UK]

Until the invention of the mobile phone and its connection with the interweb tubes, I think it was reasonable to assume that there was no way of using identity, credentials and reputation in small transactions, which is why it made sense to continue to use notes and coins to settle retail transactions. But now? The replacement of notes and coins in this way all hinges on the trader recognising me. Once this has been achieved, the issue of trust can be instantly resolved by computations across the social graph. If I understood correctly, this is why Sam said that “trust & trade” is the layer above the basic “recognition & memory”.

Money is technologically equivalent to a primitive version of memory.
Kocherlakota, N. “Money is Memory”. Journal of Economic Theory 81, p.232-251(1998).

Is it possible to imagine a trust and trade layer based on the social graph rather than third-party credentials? Yes. I remember that at the excellent Nixon McInnes “Social in the City” seminar last year, Will McInnes made a really important point right at the beginning of the day. “Who do we trust”, he said. “We trust people like ourselves.” Quite. And I also remember that in the discussion on trust at the Digital Agenda for Europe Assembly for 2012, I got into a mild argument with someone in the break, because I said that the idea of sticking web badges on sites (a “this is a trusted European e-commerce merchant” badge, as an example) was ridiculous, and a strangely Victorian approach to vetting tradespeople. We needed those badges as a pre-networked society substitute for actual information about trust. (Clearly, what Sam would label a “social hack”.) Once the social graph enables you to determine trust, they don’t make any sense. Look at it this way. Why would I care whether a hotel has the “British Tourist Board Seal of Approval” (I’ve no idea whether this exists – I just made it up) when I can go on Trip Advisor to see what everyone thinks about it? Or, more especially, I can go and see what my friends, my work colleagues and, in general, people like me think about it?

I don’t know about Sam’s thought experiment of New Jersey suburbs becoming cool, but I thoroughly enjoyed his session and greatly appreciated his window into the kind of thinking that is going on in Facebook.

Incidentally, Sam referred in passing to “peak cash”, which I thought was such a nice idea that I have sworn to plagiarise it mercilessly. I’m working on a blog post around this for next week sometime.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Who’s calling?

[Dave Birch] An interesting e-mail arrived today (the contents and counterparties are not relevant to this post) but it made me think about “real names” again. I have to get together a talk for developers at the Microsoft Digital Wallet Foundry, and I thought this might be a good topic. So I went back to my notes to see if I could find a fun “case study” to focus thinking around convenience and security in ID. I came across this.

As Sheryl Sandberg said this week, when caller ID first came out, it was declared a violation of privacy.

[From Fear For Your Safety, Not Your Privacy | TechCrunch]

That’s because caller ID is a violation of privacy. Which is why you can turn it off. If I’m phoning British Gas customer service, I can leave caller ID on and benefit from the efficiency that having my Calling Line Identifier (CLI) connect to their CRM brings. But if I’m phoning the council to complain about the crack house next door, then I might decide to remain anonymous and turn it off. If I want to avoid the near-continuous stream of calls from ambulance-chasing lawyers about PPI, I might want to screen incoming calls by CLI (although this is a useless strategy against spammers because they use international “out of area” codes). Bear in mind, too, that spoofing caller ID is trivial, so it doesn’t deliver any actual security. If it wasn’t trivial to spoof it, there would be no need for legislation such as

The Truth in Caller ID Act of 2009, which was signed into law Dec. 22, 2010, prohibits caller ID spoofing for the purposes of defrauding or otherwise causing harm.

[From Caller ID and Spoofing | FCC.gov]

Thank goodness there’s a law against such spoofing, because it means that no-one does it. No, wait… that’s not really true. No one does it except for criminals who are, for example, spoofing bank numbers to make phishing attacks or in more sinister enterprises such as getting people raided by SWAT teams by making bogus emergency calls that appear to come from the victim’s address (“SWATting”). So I call the police using your home phone number in the caller ID and tell them that someone has gone postal in the house, at which point heavily armed law enforcement officials storm your house and (hopefully, from my point of view) shoot you. This just happened to the well-known blogger Brian Krebs.

His office phone rang while he was vacuuming, but he ignored it. That, it turns out, was an unfortunate choice, given that the call came from law enforcement who were trying to verify what would turn out to be a spoofed emergency call showing Krebs’s number on caller ID.

[From Hackers launch DDoS attack on security blogger’s site, send SWAT team to his home | Naked SecurityNaked Security]

In other words, CLI is about convenience. It doesn’t deliver security. Worse still, it delivers “anti-security”, because people believe it delivers security when it doesn’t. CLI did develop an acceptable privacy settlement – since you can turn it off – and people started to use it despite the lack of security. I can’t be bothered to look, but I’m sure page 697 of my phone company terms and conditions says that I’m not allowed to spoof CLI.
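To make the “convenience, not security” distinction concrete, here is an added example (my code, not anything from the post or from any telco or contact-centre product) of an inbound-call handler in two versions. The weak one hands over the customer record on a matching CLI, which a spoofer presenting the victim’s number passes. The hardened one uses the CLI only to pre-populate the agent’s screen and releases anything sensitive only after a one-time code has been delivered to the number on file, which a spoofer does not control. The CRM records, phone numbers and the out-of-band channel are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample CRM keyed by the registered phone number (not real customers).
CRM = {
    "+441483000001": {"name": "D. Birch", "account": "GB-1234", "balance": 42.0},
}
# Simulated out-of-band channel: a code sent to a *registered* number lands here,
# and only the party who really controls that number can read it.
OTP_OUTBOX: dict = {}


@dataclass(frozen=True)
class Caller:
    presented_cli: Optional[str]   # what the network displays; trivially forged. None = withheld/"out of area"
    controls: frozenset            # numbers whose inbound calls/SMS this party actually receives

    def receive(self, number: str) -> Optional[str]:
        return OTP_OUTBOX.get(number) if number in self.controls else None


def send_otp(number: str) -> str:
    """Ring back / text the registered number with a one-time code (simulated)."""
    code = f"{secrets.randbelow(10**6):06d}"
    OTP_OUTBOX[number] = code
    return code


def handle_call_weak(caller: Caller) -> Optional[dict]:
    """Anti-security: a matching CLI is treated as proof of identity."""
    return CRM.get(caller.presented_cli)


def handle_call_hardened(caller: Caller) -> dict:
    """CLI is convenience only: it pre-populates the agent's screen. Sensitive data
    waits for a check a spoofer cannot pass: a code delivered to the number on file,
    not to whoever happens to be on the line."""
    record = CRM.get(caller.presented_cli)
    if record is None:
        return {"prefill": None, "disclosed": None}
    expected = send_otp(caller.presented_cli)           # goes to the registered number
    supplied = caller.receive(caller.presented_cli)     # None unless the caller controls it
    if supplied is not None and hmac.compare_digest(supplied, expected):
        return {"prefill": record["name"], "disclosed": record}
    return {"prefill": record["name"], "disclosed": None}


def run_scenario() -> dict:
    """Genuine customer, CLI spoofer and a withheld-number caller against both handlers."""
    victim = "+441483000001"
    genuine = Caller(presented_cli=victim, controls=frozenset({victim}))
    spoofer = Caller(presented_cli=victim, controls=frozenset({"+441483999999"}))   # forged CLI
    withheld = Caller(presented_cli=None, controls=frozenset({"+441483999999"}))
    return {
        "weak_genuine": handle_call_weak(genuine) is not None,
        "weak_spoofer": handle_call_weak(spoofer) is not None,           # the spoof succeeds
        "hardened_genuine": handle_call_hardened(genuine)["disclosed"] is not None,
        "hardened_spoofer": handle_call_hardened(spoofer)["disclosed"] is not None,
        "hardened_spoofer_prefill": handle_call_hardened(spoofer)["prefill"],
        "withheld_prefill": handle_call_hardened(withheld)["prefill"],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

One caveat the scenario makes visible: even the hardened handler still pre-fills the customer’s name for a spoofed CLI. That is fine for an agent’s screen, but the prefill must never be read back to the caller (“Am I speaking to Mr Birch?”) or it becomes an enumeration oracle for anyone who can forge a CLI.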

“The name you use should be your real name as it would be listed on your credit card,” Facebook says.

[From Facebook’s fake-name fight grows as users skirt the rules | The Verge]

Why? It’s of no help to anyone: anyone except marketers who are being sold the data, that is. My friends know that Leadbelly Gutbucket is me, and so they friend me and we use and enjoy Facebook together (as I do, in fact). But the corporations don’t know that this is me, unless I choose to tell them. I don’t believe that any name I see on Facebook is real. How would Facebook know? They didn’t do an Experian check on me when I created my account.

“Pretending to be anything or anyone is not allowed.”

[From Facebook’s fake-name fight grows as users skirt the rules | The Verge]

This is a completely different point. And Facebook are completely right about this: you shouldn’t be able to pretend to be anyone else. Personation is obviously wrong. For example, did you see the Italian “Catch me if you can” story? It is a super tale of fake identity updated for the modern age.

A man who posed as an airline pilot and traveled in the cockpit of at least one plane was arrested in Turin Airport using forged identity cards and wearing a pilot’s uniform… The 32-year-old, whose real name was not released, allegedly created a fake identity as a Lufthansa pilot named “Andrea Sirlo,” complete with a Facebook page that included fake flight attendant friends… The national military police tracked down the suspect from photos on his Facebook profile, in which he is shown posing in uniform and sunglasses in front of airplanes.

[From Fake Italian pilot traveled in cockpit, police say | Reuters]

But if I create a Facebook account in the name of David Beckham and then IM a transfer request demanding a move to Swindon Town, is that really impersonation or just a joke? One more point. The real names fuss is not a Facebook phenomenon and I don’t mean to suggest it is. If you want a non-Facebook example you need look no further than our own legislature.

an embarrassing photograph emerged which showed him wearing the name-tag ‘Michael Green’ – an alter ego used by the MP when posing as a self-help guru – at an internet conference in the US in 2004.

[From Maybe it’s because I’m a Watforder: ‘Double life’ Tory chief can’t decide if he was born in London or Herts | Mail Online]

I’m not sure I’m against alter egos. What is the problem with having a “pen name” for the novel that you are writing? And how can you “pose” as a self-help guru? Surely he was just practising what he preaches. If I say that I’m a self-help guru, then I am. Now, you may want to see some credentials or learn about my reputation as a self-help guru, but in a world where you do not need my name as an (imperfect) proxy to those details, what does the name matter?

There are many points to be made from these stories, but the main ones I want to make are that the whole identity thing is more complicated than it seems and it needs new thinking and a new narrative; that reputations are more important than names; and that finding a way to securely manage credentials and reputation is the way forward for the new economy. To my mind, these are critical components of the new digital wallet, because virtually none of your day-to-day transactions depend on your name.

In the end, I decided it would be too boring to tread too much of the same pseudonymity ground as I did in my last TEDx talk (which now has almost 173,000 views, I’m rather excited to report!) so I’ve gone for a more sweeping topic: “Identity is the New Money”. Look forward to seeing you at the Modern Jago in May!

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers

The battle of the internet security experts

[Dave Birch] A very entertaining spat has broken out in the ranks of the governing classes. Broadly speaking, it’s between the “Real Names Randi” Zuckerberg school and the people-who-know-something-about-the-issue school. The trouble started when noted internet security expert Andy Smith gave some sound advice to the nation.

Andy Smith, internet security chief at the Cabinet Office said real names and addresses could increase security concerns. He advised users to submit “fake” details as this was a “sensible thing to do”.

[From Whitehall official: ‘Give fake details to protect online identity’ – Public Service]

Andy is spot on, although possibly unaware that providing fake details is in direct violation of Facebook’s policy. His advice will indeed lead to less identity theft, and we don’t have to guess at that because (as I will discuss later) we have the data. Still,

Simon Milner, Facebook’s head of policy in the UK and Ireland, was not particularly happy at Smith’s comments. He apparently had a “vigorous chat” with the Cabinet Office official afterwards to persuade him to revise his view.

[From Top civil servant calls for Brits to fake online identity – Cabinet Office says it’s the only way to be safe | TechEye]

However vigorous Mr. Milner’s chat might have been, there are almost no circumstances where it is necessary to use real names and we only use them now because we lack a proper identity infrastructure. By and large, we use the real name as a proxy to the attributes that are actually needed to execute a transaction. Andy’s comments elicited an immediate and vituperative response from noted internet security expert Helen Goodman MP.

Ms Goodman, shadow culture minister, told BBC News: “This is the kind of behaviour that, in the end, promotes crime.

“It is exactly what we don’t want. We want more security online. It’s anonymity which facilitates cyber-bullying, the abuse of children.

“I was genuinely shocked that a public official could say such a thing.”

[From BBC News – Give social networks fake details, advises Whitehall web security official]

Ms. Goodman’s confused opinions on security and privacy — and the false dichotomy implicit in the security vs. privacy paradigm she draws on — are representative of the shallow thinking and lack of informed discussion in this area.

How Helen Goodman voted on key issues: Voted very strongly for introducing ID cards.

[From Helen Goodman MP, Bishop Auckland – TheyWorkForYou]

I wasn’t able to assess her background in online security and identity management from her online biography, but I’m sure her opinions must be founded on some knowledge of the field.

Helen… went to Somerville College, Oxford, where she read Politics, Philosophy and Economics. After leaving Oxford, Helen’s first job was as a researcher for Philip Whitehead MP. She became a civil servant at the Treasury in 1980 and rose to become Head of the Central Strategy Unit in 1995… From 2002 until entering Parliament, she was Chief Executive of the National Association of Toy and Leisure Libraries.

[From Biography » Helen Goodman MP – Working hard for all in Bishop Auckland]

In an age where government seems more and more to be about sentiment and sensitivity rather than evidence and knowledge, I suppose her comments are unsurprising. I’m not for one moment suggesting that Ms. Goodman’s concerns are not wholly real and heartfelt. I’m sure they are.

Mrs Goodman, MP for Bishop Auckland, in the North-East of England, said she had been contacted by constituents who have been the victims of cyber-bullying on major social networking sites by people hiding behind fake names.

[From BBC News – Give social networks fake details, advises Whitehall web security official]

I don’t doubt that this is true. But so what? People bully under their real names too, and it doesn’t make any difference. If they have broken the law, they can easily be traced, since the interweb tubes will lead the plod directly to them. Or, indeed, directly to the plod.

A man arrested over claims that he tormented a mother with abusive online messages is a serving police officer.

[From Police Officer Arrested Over Internet Troll Abuse Of Woman, Nicola Brookes]

I’m not picking on Ms. Goodman here, just using her to illustrate a point. After all, her fellow old Oxfordian and noted internet security expert The Honourable Edward Vaizey MP agrees with her that the Cabinet Office’s advice is incorrect, leaving us none the wiser as to the government’s actual policy on this (hint: it doesn’t have one).

Culture minister [The Honourable Edward] Vaizey said he had not seen Mr Smith’s remarks but told the BBC that he “wouldn’t encourage people to put false identities on the internet”.

[From BBC News – Give social networks fake details, advises Whitehall web security official]

The Honourable Edward’s plan to make it easier to track down people through interweb tubes may not be driven by commercial interests, but it certainly aligns with them.

Randi [Zuckerberg] and I share a passion to end cyber bullying and protect kids online. However, our approaches to online safety differ greatly.

Randi Zuckerberg wants to end online anonymity.

[From Facebook’s Randi Zuckerberg Wants to End Online Anonymity: Free Speech or Real Names?]

Look, I’m not here to shill for Andy Smith. Andy and I have disagreed about things before, and while I make no comment on whether he is an Epic F***ing Secure Hero or not, he certainly is an internet security expert. His comments were informed and relevant and exposed the lack of policy integrity. I don’t know why politicians don’t take the time to think this through. They always reach for the same knee-jerk response: some sort of internet passport or driving licence so that you can tell who is posting abuse about government ministers on The Daily Telegraph web site (hint: me).

if there was an Internet Driving License that you had to use to log in to web sites, that would almost certainly make the situation far worse, since these websites would now know exactly who you are, and this information would then be freely obtained by perverts, the secret police, News International or whoever else wants to pry. Why is this better than anonymity (which doesn’t exist anyway – look what happened to the not-Anonymous-at-all hackers)?

[From Let’s not panic about online identity]

Since I wrote this, incidentally, some pretty convincing evidence has come to light to support my view. South Korea has rescinded its “real names” law.

In 2007, South Korea temporarily mandated that all websites with over 100,000 viewers require real names, but scrapped it after it was found to be ineffective at cleaning up abusive and malicious comments (the policy reduced unwanted comments by an estimated .09%).

[From Surprisingly Good Evidence That Real Name Policies Fail To Improve Comments | TechCrunch]

In fact the results of the “real names” law were predictably perverse. Identity theft went up, because real identities were stolen from the thousands of web sites that now had to ask for them and store them. And since people became used to being asked for their real identity, it was easier for dodgy web sites to get them to hand it over!

if you make people smear their “real” identities all over the internet because of such a policy, thus delivering the “over–identification” noted above, then that will make identity theft worse.

[From Real names, real problems]

I fully expect The Honourable Edward Vaizey MP to begin drafting another law shortly. After all, if we are not allowed to mask our real identities online, why should we be allowed to mask them offline either? In a country covered by CCTV cameras, it seems perverse that people should be allowed to, for example, wear masks of celebrities (or, indeed, anyone else) in public places. The steady advance of automated face recognition technology means an inevitable identity Chernobyl.

Any science fiction film that doesn’t show everyone wearing burkhas in public will look as dated as Soylent Green.

[From Never mind real names, what about real faces]

Look. I don’t mean to suggest that Ed and Helen are idiots. That’s clearly not true. But what I am suggesting is that we need a better-informed public discussion and debate to determine public policy and the balancing of interests between competing pressures needs to be made explicit. How should we determine whether Mumsnet or the EFF are right? In back rooms or in public consultation (by which I mean consultation in public, not with the public – I don’t really care what they think since they are almost completely uninformed).

We (the public) have no idea what we want. We want anonymity for Syrian dissidents but not for pedophiles. We want anonymity for hospital nurses blowing the whistle on incompetent surgeons but not for looters. We want anonymity for celebrities in some circumstances but not others. Most of all, and most paradoxically, we want the authorities to spy on other people but not on us.

[From We don’t know whether we want real names or not]

So what I want to know from the Honourable Edward Vaizey, Helen Goodman MP and the Cabinet Office is this: what is the policy, and what is the strategy to implement it? And if you’re short of an idea or two about a vision for online identity in the 21st century, why not put your feet up, get a cup of tea, and cop a load of this. The security vs. privacy balance is only for people who haven’t put any intellectual effort into this serious, important and urgent area of public policy. Joanna Geary sums up the situation very nicely in her “Comment is Free” piece today.

A Whitehall adviser has been slammed for telling people to make up data. But less anonymity doesn’t equal more security

[From Being wary of handing over personal details to websites isn’t ‘outrageous’ | Joanna Geary | Comment is free | guardian.co.uk]

Hear, as they say in Parliament, hear.


Social banking

[Dave Birch] I was reading about “social media lessons from banking insiders” in a report published by the noted Swiss co-operative KPMG International. The report asks the question (on page 2) “Will customers really want to be ‘friends’ with their bankers?”. Now, as everyone already knows, the answer to this is no. I cannot imagine any circumstances under which I would want to earn “thank you points” on Facebook from my bank in return for the amount of money I have on deposit with them. I would much prefer them to fire the social media gurus and consultants behind this sort of idea and give me another 0.5% on my savings account instead. And further integration inside the Facebook framework doesn’t seem to have much to offer either.

In my opinion, banks that are enabling or attempting to enable transactions via a Facebook app are barking up the wrong tree. I’ve seen nothing to suggest that customers want this or would even use this. In fact, I’ve seen evidence of the contrary.

[From Celent Banking Blog » Are Bank Facebook Apps the Future of Digital Banking?]

That’s not to say, of course, that Facebook is irrelevant to banks. For one thing, as I’ve bored on about at length before, if there were a transactional element to social media integration then banks might have some really good products and services to offer in that space.

I don’t want to be friends with my bank—after all, I’m a typical consumer so I hate banks—but I do want to be friends with my bank account.

[From Friends and relations]

But that’s by the by. KPMG make a very interesting point on page 16, where they note that the lack of security infrastructure means that banks in any case have no way of knowing whether social media data comes from real customers, competitors, corporate saboteurs, mischievous hackers, agents of foreign powers or dogbots. This, it seems to me, opens up an interesting and immediate route for exploring the bank/Facebook boundary to find value. I was thinking that while the bank doesn’t know if you are a person or a dogbot e-mailing them or tweeting about them, and they can’t use CAPTCHAs or similar to find out, they might be able to find out if you are human if they began exploring your social graph. Which leads on to the obvious further thought that using customers’ social graphs as an adjunct to conventional credit references and other cardboard-era identity management might deliver some interesting results.

He submits his information to the online-only PotterBank.com, but halfway through the application process, the website asks for his Facebook login. Then his Twitter. Then LinkedIn… A new wave of startups is working on algorithms gathering data for banks from the web of associations on the internet known as “the social graph,” in which people are “nodes” connected to each other by “edges.”

[From As Banks Start Nosing Around Facebook and Twitter, the Wrong Friends Might Just Sink Your Credit | Betabeat — News, gossip and intel from Silicon Alley 2.0.]

Suppose that this works. Then it has security benefits because the social graph ought to prove much more difficult to forge than a photocopy of a gas bill — the gold standard for authentication in the UK — and, some people suspect, it may have additional benefits because the social graph could be more accurate than a conventional credit reference agency when it comes to deciding whether you want someone as a customer or not.

Brett King, CEO of Movenbank, has a radical idea: a “credit score” built — at least in part — on consumers’ social media activity. Sound crazy? Maybe, but the idea has attracted the attention of big league investors who just pumped $2.41 million into King’s startup.

[From Is The World Ready For Social Media Credit Scores? | The Financial Brand: Marketing Insights for Banks & Credit Unions]

Brett is on to something. Whether his “CRED” score and algorithm is correct or not I couldn’t say, but the core of the idea — that if your Facebook friends are bank robbers, you might well be more likely to turn out to be a bank robber — seems wholly plausible. The social graph might be a better predictor of future activity (and future financial services requirements) than past credit scores. The social graph can tell things about you — like you’re going on holiday or getting married or moving to Hong Kong — that an intelligent and customer-centric organisation can act on in a supportive win-win framework. In Christophe Langlois’ “A practical guide to social media in financial services” he talks about “Know Your Followers” (KYF) as the social media equivalent of “Know Your Customer” (KYC) in compliance. Obviously, KYF isn’t yet a legal requirement, but you get the idea. If organisations develop tools, algorithms and techniques for exploring the social graph then they might find that social media identity, or some kind of social media-based financial services identity, is far better than traditional KYC, credit agencies and old utility bills at predicting which customers they do or do not want.


Real names, real problems

[Dave Birch] There is an assumption, which is reasonably well-founded I think, that many social media companies want to develop “Real Names” policies of one form or another not to prevent trolling or to protect the kiddies in one way or another, but to help with the commercialisation of their services and the monetization of the identities that they hold. Whereas the identity “Dave Birch of Consult Hyperion” may be worth something to commercial organisations (debt collectors, payday loan sharks and so forth) — according to real names thinking — the identity “Leadbelly Gutbucket, mightiest of the Dwarven heroes of Ravenscrag Pass” may not. Hence the drive to find out who people really are.

Real Names is slithering into the whole fabric of the company’s offerings, whether specific sites benefit from what will often be “over-identification” or not.

[From IdentityBlog – Digital Identity, Privacy, and the Internet’s Missing Identity Layer]

One of the smokescreen reasons for wanting real names is trolling. I might think that it is my right as an Englishman to post abuse about the Chancellor of the Exchequer on The Telegraph web site, but others think that if I were forced to use my real name to log in then I would be more polite. I say smokescreen, because we don’t even have to guess whether a rigorously-enforced real names policy will make any difference to civility in online discourse, because we already know it won’t. What’s more, we know something else too: if you make people smear their “real” identities all over the internet because of such a policy, thus delivering the “over–identification” noted above, then that will make identity theft worse.

Korean sites were also inundated by hackers, presumably after valuable identities.

[From Surprisingly Good Evidence That Real Name Policies Fail To Improve Comments | TechCrunch]

The Korean case study shows clearly that a real names policy does not reduce trolling because the morons who troll are, well, morons. Someone who posts racist abuse on Twitter, such as the noted association footballer Mr. Rio Ferdinand, really ought to understand that other people will read it and take offence since Twitter is a public communications channel (it’s not confined to football: look at the athletes sent home from the Olympics for sending racist tweets). What’s more, the real names policy does more harm than good, because it provides even more sources for the bad guys to obtain the real names that they need to commit other crimes. I read in the minutes of the recent Eurim meeting on the European Commission’s proposal for a regulation on electronic identification and trust services for electronic transactions in the internal market that

Identity fraud is the top enabler for all aspects of crime in Europe, and a major contributor to the Euro-crisis. The level of fraud in Europe last year was estimated at €500 billion, with an estimated €2 trillion for 2011-12. Europol have announced that unless this is addressed, they will be unable to contain crime.

I absolutely guarantee that a misplaced real names policy will make this worse. If you collect real names, things will always end up going wrong. You simply cannot assume that any information you give to organisations will remain private, no matter how well-intentioned.

Witnesses who complained about anti-social behaviour on a crime-hit estate were given police protection after a council error led to their personal details handed to troublemakers… Police are now patrolling a housing estate around the clock to protect the residents involved.

[From Council handed names of residents who complained about anti-social behaviour to trouble-makers – Telegraph]

Oh dear. Doesn’t sound like “real names” are working out too well in that case. Especially since there was no reason for the council to obtain the “real names” of the complainants. This is a case where “real attributes” are the key. The council needed to know that the complainants were council tenants living in a particular area. If we had an identity infrastructure befitting a modern economy (we don’t) then the tenants would have been able to submit their complaint by smartphone and have the text followed by a blinded cryptographic token attesting to their status but from which it would be mathematically infeasible to determine their identity. So no matter what the berks at the council do, the identities remain secret.
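To make the blinded-token idea concrete, here is an added worked example (it is not code from the original post, from Consult Hyperion, or from any council system). It uses an RSA blind signature in the Chaum style: the tenant picks a random token, blinds a hash of it, and hands the blinded value to the council, which checks tenancy status against a constructed, hypothetical tenant registry and signs the blinded value without ever seeing the token. The tenant unblinds the result and later attaches the token and signature to the complaint; anyone holding the council’s public key can verify that a real tenant of that estate vouched for it, but the council cannot match the token back to the tenant who requested it. Key sizes, the registry contents and all names are demo assumptions, and the 512-bit keys are far too small for real use.

```python
import hashlib
import math
import random
import secrets

# Constructed sample data for the demo: which tenant ids belong to which estate.
# A real issuer would consult its own tenancy records instead.
TENANT_REGISTRY = {
    "tenant-0042": "Ravenscrag Estate",
    "tenant-0077": "Ravenscrag Estate",
    "tenant-0101": "Gutbucket Row",
}


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin primality test (enough for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def keygen(bits=512, seed=None):
    """Issuer key pair (n, e, d). Seeded only so the demo is repeatable; demo-sized keys."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def _h(token):
    """Map the token to an integer; a 256-bit SHA-256 value is always below the 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big")


def blind(token, n, e):
    """Tenant side: hide H(token) behind a random factor r^e. Returns (blinded, r)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return (_h(token) * pow(r, e, n)) % n, r


def issuer_sign_blinded(blinded, tenant_id, estate, n, d):
    """Council side: verify the claimed attribute, then sign the opaque blinded value."""
    if TENANT_REGISTRY.get(tenant_id) != estate:
        raise PermissionError("not a registered tenant of that estate")
    return pow(blinded, d, n)  # the council never learns the token inside


def unblind(blinded_sig, r, n):
    """Tenant side: strip r to obtain a plain signature on H(token)."""
    return (blinded_sig * pow(r, -1, n)) % n


def verify_token(token, sig, n, e):
    """Anyone with the public key: does this signature attest to this token?"""
    return pow(sig, e, n) == _h(token)


def tenant_complaint_flow(seed=1):
    """Run the whole exchange and return what each party ends up holding."""
    n, e, d = keygen(seed=seed)
    token = secrets.token_bytes(32)
    blinded, r = blind(token, n, e)
    blinded_sig = issuer_sign_blinded(blinded, "tenant-0042", "Ravenscrag Estate", n, d)
    sig = unblind(blinded_sig, r, n)
    return {"n": n, "e": e, "token": token, "sig": sig, "seen_by_issuer": blinded}


if __name__ == "__main__":
    result = tenant_complaint_flow()
    print("complaint token verifies:", verify_token(result["token"], result["sig"], result["n"], result["e"]))
```

The point of the flow is which party sees what: the council sees only `blinded` and the tenant id, the complaint carries only `token` and `sig`, and the two cannot be linked without `r`, which never leaves the tenant’s phone. One token per complaint also stops a leaked token being replayed as a second attestation, provided the council keeps a list of tokens already spent.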

One thing that might really help the real names nutters, by the way, is making it easier to spot what are actually real names. If I create a Facebook profile as Theogenes de Montford, for example, how do you know whether that’s a real name or not? It would help if there were a relatively short list of real names, so I suggest that Facebook puts some lobbying money into Sweden.

Activists are lobbying for parents to be able to choose any name for their children (there are currently just 170 legally recognized unisex names in Sweden).

[From Hen: Sweden’s new gender neutral pronoun causes controversy. – Slate Magazine]

This seems like an odd story until you realise that in Sweden you can only choose a legally-approved name for your child. Sensible policies for a better interweb: Facebook should make a list of allowable real names and make you choose a combination of them. That way, any disloyal subject of Her Majesty trying to post abuse about the Chancellor of the Exchequer using a made up name could be instantly spotted and blocked.

P.S. In case you’re interested, Theogenes de Montford is indeed a real name.


Friendly fire

[Dave Birch] Some time ago, in the early days of Twitter, I happened to be involved in some work concerning a financial institution’s social media strategy. I was rather rude about the idea of setting up a Facebook page, because I couldn’t see the point, but it was nothing to do with me or any of the other technical persons. I was reminded of this episode this morning, when I read about another organisation’s Facebook-related travails.

It wasn’t long before Barclays’ Facebook page devolved into a minefield of jokes lambasting the company, which only served to highlight the socioeconomic rift between the banking institution and its customers.

[From Epic Fail: Barclays’ Facebook Debacle Highlighted the Chasm Between the Bank and Its Customers]

Well, given current circumstances this is hardly unexpected. As a naturally curious person, I thought I’d go and look at a few bank Facebook pages to see what sort of things they did. But I gave up almost immediately, since I realised that I’d have no way of knowing which of them might be real or not. Here’s what I got when I searched for Lloyds, for example. Real? Who knows. It’s certainly boring enough to have come from a bank, but that’s not much of a clue. Still, given Facebook’s noted “real names” policy, it probably is true and I’m sure it’s safe, just like the NatWest page that I found. I went to the Barclays Online Banking Facebook page and I couldn’t even work out what it was. This Barclays page looks quite plausible, but as a security-conscious consumer I wasn’t sure whether to click on anything or not. Perhaps the British Bankers’ Association has some list of the real Facebook pages. I’ll check.

In the meantime, I expect that if I call NatWest they can point me to their public key certificate that I can use to check the digital signature on the Facebook page so that… no, just joking. But all of this begs a more general question. What was the Facebook page for? What could customers do? Open accounts? Send money? Pay bills? No. As is generally true of Facebook pages for financial institutions, it was all about communications. There’d be no point a bank e-mailing my kids since they never read e-mail, so I suppose if you could persuade them to “friend” your bank you might be able to get the odd status update into their field of vision.

At the Credit Suisse Research Institute 2012 meeting, experts discussed the benefits of social media over traditional communication tools, as well as the constraints – the most significant of which regards the current regulatory environment.

[From Credit Suisse – Banking on Social Media]

In fact, all of this potentially interesting discussion was actually about marketing. I’m no expert on marketing or social media, but I would imagine that the key to social media strategy is interaction and the whole web 2.0 thang about user-generated content and such like. For any organisation to just use a Facebook page to broadcast marketing messages seems like a missed opportunity for a richer connection with customers. If this is the right line of thinking, then the strategy ought to consider what customers might actually want to do in that context. For banks, I suspect that what they want to do is transact. What about the benefits of social media over traditional transaction tools? As I’ve said before (many times)

I’m naturally more interested in social media for transactions: social commerce.

[From Friends and relations]

I’ve bored some of our clients about this enough over the last couple of years, and I won’t rehearse the arguments here, but I will say that I think there’s evidence that the social commerce approach for financial institutions is sound. Customers want to do banking in their context and given that their context is increasingly within social media, it makes sense to move banking there.

Facebook announced that it is testing an online-banking service with Australia’s Commonwealth Bank expected to debut this year. The new system lets people make payments to other Facebook users, and will become a test of how well Facebook can handle the deep-science realities of financial privacy and security.

[From Facebook Announces Online-Banking Test – Forbes]

If Facebook do crack the privacy and security side of things, then they will become the route to banking for a great many consumers, frankly, and I don’t know whether financial organisations of all kinds have yet developed an effective strategy to deal with social media gatekeepers other than to pay them. Perhaps if their products and services could develop a direct relationship with the customer using social media channels (rather than simply provide those products and services inside the social media context) then they can become valued by customers.

I don’t want to be friends with my bank—after all, I’m a typical consumer so I hate banks—but I do want to be friends with my bank account.

[From Friends and relations]

My Barclays mobile banking app works really well and I can’t imagine any circumstance under which I’d bother going to their Facebook page, even if I could work out which one it is, but I might be tempted to venture outside the app for richer social media interaction. At the moment Barclays’ interaction with me is basically limited to alerts by text message, which is fine, but does waste their money as well as limiting the amount of information. I’d rather have richer data sent through Twitter or as Facebook updates or whatever. Why can’t I have every transaction on any of my accounts sent through to me?
