Age old problem

The simple and prosaic case of age verification has always been a litmus test for digital identity infrastructure and it’s taken on new dimensions because of social networking. We need some clear thinking to see through the fog of moral panic, made worse by the turbocharging impact of the mobile phone, because it is such an individual and personal device. The spectre of legions of perverts luring children via their mobile phones is, indeed, disturbing. If only there were some way to know whether your new social networking friend is actually a child of your age and not an adult masquerading as such.

A mobile phone application which claims to identify adults posing as children is to be released. The team behind Child Defence says the app can analyse language to generate an age profile, identifying potential paedophiles.

[From BBC News – Researchers launch mobile device ‘to spot paedophiles’]

Of course, it ought to work the other way round as well. One of my son’s friends told me that members of his World of Warcraft Guild (all 13- and 14-year-olds) enjoy pretending to be “grown ups” online (by pretending to have jobs and wives). But this seems an odd way to move forward, as well as something that will surely be gamed by determined perverts.

Why on Earth can’t we just do this properly, at the infrastructural level? If we had a half-decent digital identity infrastructure, there would be no need for this sort of thing. Look, here’s a simple example of this, in Japan. If you want to use social networks via your mobile phone then it is the operator who verifies your age to the social network service (SNS) provider. Since the operator has the billing relationship, this makes sense.

KDDI announces age verification service for mobile SNS platforms; Gree, Mixi and MobaGa to start at the end of Jan

[From Mobile SNS Age Verification Service by Wireless Watch Japan]

Note that this has no implications for privacy. The operator could require you to come to one of their outlets and prove that you are, say, 18. Then they set a flag for service providers to tell them that you are over 18. It doesn’t tell them your age, or your name or where you are. Just that you are over 18. Note that this system hasn’t been invented for social networking: it is already used to prove age at vending machines (you can’t buy cigarettes or sake or whatever unless your phone says that you are old enough). It ought to be simple enough to do the same thing but using proper technology. Suppose that your Facebook page came with a red border if you have not provided proof of age? Then you could provide that proof of age and have your border changed to blue for under 18 or green for over 18 – then make the rule that anyone with a red border is only allowed to connect to people with green borders.

You see what I mean. Have something that is understandable at the user level and implement it using certificates, digital signatures and keys in tamper-resistant storage (in, for example, mobile phones). There would be no need to try and explain to people how PKI actually works (which killed it in the mass consumer market last time), just show them how to log in to things using their phones. There’s a waiting mass market for this sort of thing if you can be clear to consumers that it will protect their privacy and that market is adult services: porn and gambling, primarily, either of which should generate a decent income stream for the successful service provider.
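The operator-set age flag and border rule described above, as an added example (not code from the original post or from any operator): the operator signs a claim that carries only an over-18 flag, and the service verifies it and assigns the red, blue or green border. Ed25519, the JSON field names, the audience, nonce and expiry binding, and every function name are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// AgeClaim is all the operator discloses: an age band plus binding data.
// No name, date of birth, phone number or location.
type AgeClaim struct {
	Over18   bool   `json:"over_18"`
	Audience string `json:"aud"`   // service the claim was issued for
	Nonce    string `json:"nonce"` // fresh challenge chosen by the service
	Expires  int64  `json:"exp"`   // Unix seconds
}

// SignedClaim keeps the exact signed bytes so the verifier never re-serialises.
type SignedClaim struct {
	Payload, Signature []byte
}

type Border string

const (
	Red   Border = "red"   // no valid proof of age
	Blue  Border = "blue"  // proven under 18
	Green Border = "green" // proven over 18
)

// DemoOperatorKey derives a fixed key pair from a constructed seed so the
// example is repeatable. A real operator key is random and hardware-protected.
func DemoOperatorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Issue is the operator side, run after the in-person age check.
func Issue(priv ed25519.PrivateKey, c AgeClaim) (SignedClaim, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedClaim{}, err
	}
	return SignedClaim{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// BorderFor is the service side. Every failure leaves the profile red.
func BorderFor(pub ed25519.PublicKey, sc *SignedClaim, aud, nonce string, now int64) (Border, error) {
	if sc == nil {
		return Red, errors.New("no proof of age presented")
	}
	if !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return Red, errors.New("signature does not verify")
	}
	var c AgeClaim
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Red, err
	}
	switch {
	case c.Audience != aud:
		return Red, errors.New("claim issued for a different service")
	case c.Nonce != nonce:
		return Red, errors.New("nonce mismatch, possible replay")
	case now >= c.Expires:
		return Red, errors.New("claim expired")
	case c.Over18:
		return Green, nil
	}
	return Blue, nil
}

// CanConnect applies the rule from the text: a red profile may connect only
// to green profiles. The text gives no rule for blue and green, so those
// pairs are left unrestricted here (an assumption of this example).
func CanConnect(a, b Border) bool {
	if a == Red {
		return b == Green
	}
	if b == Red {
		return a == Green
	}
	return true
}

func main() {
	pub, priv := DemoOperatorKey()
	// Constructed audience, nonce and timestamps; use time.Now().Unix() live.
	sc, _ := Issue(priv, AgeClaim{Over18: false, Audience: "sns.example", Nonce: "c7f1", Expires: 2000})
	b, err := BorderFor(pub, &sc, "sns.example", "c7f1", 1000)
	fmt.Println(b, err)
	// Rewriting the payload to claim over 18 breaks the signature check.
	forged := SignedClaim{[]byte(`{"over_18":true,"aud":"sns.example","nonce":"c7f1","exp":2000}`), sc.Signature}
	b, err = BorderFor(pub, &forged, "sns.example", "c7f1", 1000)
	fmt.Println(b, err, CanConnect(b, Blue))
}
```

The service learns one bit about the user; the nonce and audience stop a claim captured at one service from being replayed at another.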

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers

Competition, not regulation, should be the focus

The cases of debit interchange in the US and cross-border interchange in Europe will, in the longer-term, serve to illustrate a general point: price controls don’t work, a fact well-known since the days of Diocletian:

Despite the fact that the death penalty applied to violations of the price controls, they were a total failure. Lactantius, a contemporary of Diocletian’s, tells us that much blood was shed over “small and cheap items” and that goods disappeared from sale. Yet, “the rise in price got much worse.” Finally, “after many had met their deaths, sheer necessity led to the repeal of the law.”

[From How Excessive Government Killed Ancient Rome]

OK, so the Durbin amendment probably won’t lead to rioting in the streets, but it’s still price control, and it will have unfortunate consequences (not for me, since I never use a debit card in the US anyway). There’s a good article in the January issue of Digital Transactions by Lauri Giesen examining the US card market. She’s specifically looking at the strategy of retailers with respect to cards. Having won lower debit card fees, retailers are going to go after the credit card business. Trixi Wexler, a spokesperson for the Washington DC-based Electronic Payments Coalition, says that retailers didn’t spend $10 million in lobbying “just to walk away with lower debit card fees”. I’m sure that’s true, but even if it isn’t, that $10 million represents pretty good value for money, since it will result in considerable savings for retailers.

The big retailers and other merchants — who are the real winners — claim they are going to help consumers from their end by passing their savings on in the form of lower prices… But those claims are spurious at best. In countries where these types of interchange rules have been adopted, like Australia, consumers have seen no benefit.

[From Bill Cheney: New Interchange Rules for Debit Cards: A Perceived ‘Win’ Is Really a Loss]

Retailers in the UK make the same claim.

The BRC claim that if charges for every payment method were as low as they are for cash, its members could pass on £480 million in cost savings to their customers.

[From Retailers concerned over ‘unjustified’ fees]

Yes, I’m sure they *could*, but they won’t. The evidence from Australia shows that the retailers managed to persuade the regulator to cap bank fees (for no real economic reason) and then simply kept the loot. That’s exactly what I’d do if I was them: it’s called “regulatory capture” by economists, because market participants are using regulation rather than competition to obtain a larger share of market rent. This all left me wondering, once again, what exactly the lobbyees (is that a word?) think that they are achieving by transferring this share of market rent from banks to retailers. Why, for example, are retailers more deserving of 0.1% of my supermarket purchase than banks? It’s not even as if it’s all retailers anyway.

Cooper said 80% of the projected debit card interchange revenues banks stand to lose will go to 1% of merchants.

[From Untitled]

This, to me, looks less and less like Durbin striking a blow for the little guy and more and more like regulatory capture by some of America’s biggest businesses, the culmination of a well-managed campaign.

Retailers have begged Congress for years, in vain, to limit the fees they must pay to banks when customers swipe credit or debit cards.

[From Debit Fee Cut Is Rare Loss for Largest U.S. Banks – NYTimes.com]

I imagine consumers have begged Congress for years, in vain, to limit the fees they must pay to retailers for food or to gas stations for fuel, so what’s the difference? Why has Congress intervened in order to transfer wealth from one group within society (consumers) to another group (retailers)? The answer, of course, is lobbying.

But retailers mounted an unusually effective yearlong campaign to frame the issue as a chance for Congress to help small business. A leading trade group for chain retailers worked with small-business groups to make sure that every time a senator held a town hall meeting back home, a local business owner showed up to ask about card fees.

[From Debit Fee Cut Is Rare Loss for Largest U.S. Banks – NYTimes.com]

Lobbying on behalf of banks is a bit of a lost cause at the moment, so you can’t blame the retailers for striking while the iron is hot, but if Congress wants to reduce the fees paid by retailers for payments, then it should create a regulatory environment that allows new entrants to come in and provide (non-bank, if necessary) solutions to the marketplace. Are they going to do this? (It’s not a rhetorical question – I genuinely don’t know, and look forward to hearing from some of our US readers to tell me.)

In short, then, if banks had gone up the hill asking regulators to cap the price of food, on the perfectly reasonable grounds that employee salaries are a big part of their costs and that employees spend a lot of their money on food, they would have got short shrift. But given the general hatred of banks, retailers spotted a good opportunity to transfer some of their costs away.

MasterCard said… This provision stands to benefit some of the largest retailers in the world and will harm not only consumers, but also community banks, credit unions, and government benefits administrators. Currently, merchants pay their fair share of debit acceptance; in the future, consumers will be responsible for bearing this cost.

[From Consumers to Pay More for Merchants’ Debit Card Benefits | MasterCard®]

I don’t want to be accused of being a MasterCard shill [full disclosure: my employer Consult Hyperion has provided paid professional services to MasterCard within the last year] but there is a valid point here: what’s best for society is to have payment systems that have the lowest total social cost. Speaking in very general terms, this means debit cards (and in particular, PIN debit). So if that’s best for society, how should society apportion the costs? Unless we think we can do better than the market, then we should leave the market alone. Since neither I, nor retailers, nor banks, nor regulators know what the interchange fee should be, they should focus on competition to set them at the right level.

There’s another point that the Digital Transactions article makes that I found interesting. Trixi says that the money from card fees goes to pay for innovation and that without the income, issuers will stop innovating. This may be correct, although innovation is more about non-banks than banks and it is not only Durbin that is hampering payment innovation.

Rich started his address with the assertion that the “Payments system is under attack,” from a regulatory barrage – the CARD ACT, NSF/OD regulation, forthcoming rulings under the Durbin Amendment and the newly formed Consumer Financial Protection Bureau (CFPB) all are paralyzing innovation in the financial services sector. At the same time, innovations from outside the financial services industry are happening at an incredible pace.

[From Payment System Under Attack? Solutions Found in Georgia! – pymnts.com]

I think that in the US case it also means that the retail payments business will slide down the priority list. The lost income from debit interchange, which should have been reduced by competition (ie, the regulators should have told the big retailers “if you don’t like cards, don’t take them” or “if you think you can do it cheaper, go right ahead”) rather than by regulation, will be replaced by fee income from consumers and the marketing, management and retention of checking accounts will surely become more of a priority than debit card activation.

If retailers think that payment systems are too expensive, then why don’t they start one? Or why don’t they invest in payment startups? Starbucks seems to have done quite well by running its own prepaid card scheme and its own mobile payment service, and has been exploiting the benefits of integrated mobile so successfully that it has now decided to go for an immediate national roll-out with barcodes, switching to NFC when the handsets are out there.

However, Starbucks Corp., one of the few stores with a mobile payments program in place, says these transactions are little different from other card purchases, and the real benefit to the merchant comes when people use its app to reload their accounts while waiting in line instead of at the register.

[From Upside For Mobile Payments Comes Before The Payment – PaymentsSource Article]

Perhaps it will be the innovative retailers, working in partnership with technology companies, who will make the breakthroughs while the biggest retailers still find it more cost-effective to spend the money on lobbying.

The technology of money

The idea of the talk is to reflect on the impact of technology on the various functions of money: that is, as a unit of account, mechanism for exchange, store of value and means of deferred payment. We tend to jumble these functions together, but if we want to understand how money might develop in the future, we need to pull them apart and then look at what technology might do to each of them. I’ll therefore look at how the evolution of technology has changed these in the past, leading to the evolution of money.

For the purposes of the talk, I will have another go at categorising money technologies, this time by dividing the evolution of the technology of money into four eras:

Money 1.0 was atoms: grain, gold, stone discs, wampum, whatever. Guildford had a mint making silver pennies (the only coin of the day) by the time of Edward the Martyr (975-979) so I like to think that at Consult Hyperion we are part of a tradition of new money technology by the River Wey!

Money 2.0 was atoms about atoms. From the tally sticks of Norman England to the private “tokens” (ie, coins worth more than their base metal content), these items were more convenient than the commodities they represented.

Money 3.0 was bits about atoms: that is, fiat currency banknotes, electronic transfers and accounts. Once these bits could move faster than a galloping horse, our relationship with money changed.

Our current era, Money 4.0, can be dated in retrospect to 1971 when Richard Nixon finally ended the gold standard and Visa introduced the Base 1 network for authenticating card payments based on the magnetic stripe. Money 4.0 is bits about bits, but we still apply the wrong mental model, and imagine it to be bits about atoms.

So what does this mean for the future? Well, we can look at three distinct sources of pressure for change:

First of all, there are the technology pressures. These are actually the easiest to understand, at least in the short to medium term. All of the technologies that will impact the world of money, payments and banking over the next generation already exist, it’s just a question of looking around the world to see which of them will have disruptive impact. We don’t need to look much beyond the mobile phone to understand the key platform, since the mobile phone (or, I suppose, more properly, the device formerly known as the mobile phone) will be the most disruptive technology across many sectors. The addition of the short range, zero configuration, medium-speed wireless Near Field Communication (NFC) interface to the mobile handset changes the handset from being the very edge of the network to a pivot between local and global environments that it can integrate in a secure uncontrolled way. A credit card replaces cash if you want to pay a shop, the mobile phone replaces cash if you want to get paid.

Next there are the business pressures. It’s interesting to reflect that within the UK, cash accounts for less than 3% of the “money” in use but still accounts for nearly 2/3 of retail transactions by volume, which makes for cost, cost, cost. And when it comes to the dynamic new channels for online business, we’ve got by shoehorning the cards and so forth into the new technology, but we haven’t yet seen the new money for the Internet emerge: perhaps Facebook Credits will take over! Over the coming generation, the payment business and the banking business will become more distinct and as a result more dynamic and efficient payment businesses will find new ways to replace cash. Cheque clearing is scheduled to end in the UK in 2018, so Internet and mobile phone-based alternatives will need to be operational fairly soon.

Finally and most importantly, there are the social pressures. Right now, the retail payments sector is a deadweight of around half a percent of GDP (in Europe). This is largely due to the continuing high use of cash and cheques rather than more efficient electronic alternatives. Clearly, replacing cash would reduce this total social cost and make the economy more efficient but this by itself won’t be enough to trigger action. However, there are growing pressures for governments to reduce the use of cash because it is used to facilitate crime and tax evasion more than because it is inefficient. If we just focus on Europe we can see that these pressures take different forms in different regions. There are streets in Amsterdam that no longer take cash because the city council has subsidised the retailers’ electronic terminals in order to reduce crime and lower the costs for smaller retailers. In Sweden, a broad alliance of retail and banking trade unions wants to see the use of cash reduced in order to protect their staff. Post-crunch, these pressures will grow as governments and citizens alike demand action. And since no-one other than tax evaders or drug dealers actually wants the stuff, perhaps change will be quicker than many people think.

I’ll be reflecting on these issues, and more, in my talk and looking forward to being put on the spot in an informed question and answer session afterwards.

Real-time serendipity

Naturally, given my obsessions, I was struck by a subset of the Real-Time Club discussions about identities on the web at their evening with Aleks Krotoski. In particular, I was struck by the discussion about multiple identities on the web, because it connects with some work we (Consult Hyperion) have been doing for the European Commission. One point that was common to a number of the discussions was the extent to which identity is needed for, or integral to, online transactions. Generally speaking, I think many people mistake the need for some knowledge about a counterparty with the need to know who they are, a misunderstanding that actually makes identity fraud worse because it leads to identities being shared more widely than they need be. There was a thread to the discussion about children using the web, as there always is in such discussions, and this led me to conclude that proving that you are over (or under) 18 online might well be the acid test of a useful identity infrastructure: if your kids can’t easily figure out a way to get round it, then it will be good enough for e-government, e-business and the like.

I think the conversation might have explored more about privacy vs. anonymity, because many transactions require the former but not the latter. But then there should be privacy rather than anonymity for a lot of things, and there should be anonymity for some things (even if this means friction in a free society, as demonstrated by the Wikileaks storm). I can see that this debate is going to be difficult to organise in the public space, simply because people don’t think about those topics in a rich enough way: they think common sense is a useful guide which, when it comes to online identity, it isn’t.

On a different subject, a key element of the evening’s discussion was whether the use of social media, and the directions of social media technology, lead to more or less serendipity. (Incidentally, did you know that the word “serendipity” was invented by Horace Walpole in 1754?) Any discussion about social media naturally revolves around Facebook.

Facebook is better understood, not as a country, but as a refugee camp for people who feel today’s lack of identity-forging social experience.

[From Facebook: the heart in a heartless world | spiked]

I don’t agree, but I can see the perspective. But I don’t see my kids fleeing into Facebook, I see them using Facebook to multiply and enrich their interpersonal interactions. Do they meet new people on Facebook? Yes, they do. Is that true for all kids, of all educational abilities, of all socio-economic classes? I don’t know (and I didn’t find out during the evening, because everyone who was discussing the issue seemed to have children at expensive private schools, so they didn’t seem like a statistically-representative cross-section of the nation).

Personally, I would come down on the side of serendipity. Because of social media I know more people than I did before, but I’ve also physically met more people than I knew before: social media means that I am connected with people who are geographically and socially more dispersed. I suppose you might argue that it’s left me less connected with the people who live across the street from me, but then I don’t have very much in common with them.

Why bother with the new $100 bill?

The US is soon to release a new $100 bill. But why? What do they do with $100 bills? They're not, as you might imagine, needed to support commerce and trade.

In 2001 the Federal Reserve estimated that 90 percent of the $100 bills ordered by the Federal Reserve (which accounts for the overwhelming majority of C-notes ordered nationwide) were paid out to foreign banks

[From Hundred-dollar bills are for criminals and sociopaths. Why do we still print them? – By Timothy Noah – Slate Magazine]

Around two-thirds of all of the US dollars in "circulation" are not in the US at all and are unlikely to be repatriated. This represents a tremendous interest-free loan from the rest of the world to Uncle Sam. But is this income sufficient to outweigh the negative effects of cash?

So why do we keep printing $100 bills? As with any valuable export, we worry that if the C-note ceased to be available to foreign criminals and dictators, another paper currency would take its place. The leading candidate would be the 500 euro note,

[From Hundred-dollar bills are for criminals and sociopaths. Why do we still print them? – By Timothy Noah – Slate Magazine]

Well, that's true, and the conspiracy theory that the European Central Bank (ECB) only had the 500 euro note printed in order to replace the $100 bill in the stashes of drug dealers and tax evaders is widely recirculated. But that's a reason to scrap 500 euro notes, not to print more $100 bills, especially when the $100 bills have to be completely re-designed anyway.

But the biggest upgrade is a blue "3D Security Ribbon"… The strip contains a series of images of bells and digits; tip the note, and the images come into 3D relief. "It only takes a few seconds to check the new $100 note and know it's real," says Larry R. Felix, Director of the Treasury's Bureau of Engraving and Printing.

[From US Treasury: New 100 dollar bill needs 3D tech – CSMonitor.com]

Sounds exciting. But why bother? Why not just forget about the $100 (and, for that matter, the $50 bill)? After all, high-denomination notes have been withdrawn before, and for much the same reason. We have to weigh up the overall impact on society and try to make the right decision, and sometimes that decision might mean a radical change.

In 1969, the Treasury stopped issuing $500, $1,000, $5,000 and $10,000 bills specifically to impede crime syndicates — the only entities that were still using such large bills after the introduction of electronic money transfers.

[From Turn In Your Bin Ladens – NYTimes.com]

And before I get deluged with e-mails calling me a New World Order stooge intent on introducing the Mark of the Beast across the USA, let me merely point out that if the public were to desire anonymity for payments (they don't, by the way) then it's possible to create anonymous electronic money: this is an implementation choice, not any sort of technological constraint. Of course, the fact that the US government stops producing high-denomination notes doesn't necessarily mean that they will disappear…

Malaysian police have arrested a Lebanese man allegedly carrying fake currency with a face value of $66 million after he tipped a hotel staff with a $500 note, an official said Friday.

The largest U.S. note currently in wide circulation is a $100 bill. But police found bundles of $1 million, $100,000 and $500 notes in the man's hotel room in Kuala Lumpur on Sunday, said Izany Abdul Ghany, head of the city's commercial crime unit.

[From $500 Tip Leads Police to $66 Million in Fake Bills – ABC News]

If only all counterfeiters were that good!

The US administration is creating a new sector of the economy: the identity business

Last year I said that I thought that the US National Strategy for Trusted Identities in Cyberspace (NSTIC) was heading in the right direction. I'm very much in favour of the private sector providing multiple identities into a framework that is used by the public sector and vice versa. I'm in favour of choice: if I choose to use my Barclays identity to access the DVLA or my DWP identity to access O2 it shouldn't matter to the effective and efficient use of online transactions. There was one area where I felt it could have presented a slightly different vision, and that's in the use of pseudonyms, which I think should be the norm rather than the exception.

People should consider it normal to get a virtual identity from their bank or their mobile phone operator in a pseudonymous name so that they can browse, transact and comment without revealing anything about themselves other than the facts relevant to a transaction.

[From Digital Identity: USTIC]

James Van Dyke, when discussing NSTIC (which seems to have become known unofficially as "Obama's Internet Identity System") warned about

Apocalyptic fear-mongers. Yes I’m ending with the crazies here, but hear me out. The extreme cable networks and televangelists will surely jump on this as the digital incarnation of the Mark of either the Beast or “(gasp!) Obama liberals. Historians will recall that social security numbers were supposed to be an apocalyptic conspiracy.

[From Obama’s Internet Identity System: Could This Change Everything? – Javelin Strategy & Research Blog]

I don't think the danger is the crazies — although I feel a little sheepish writing this a couple of days after a crazy did, in fact, murder several people and seriously injure a congresswoman — but the journalists, politicians, commentators and observers who don't really understand the rather complex topic of digital identity. Or, as "Identity Woman" Kaliya Hamlin (who some of you may remember from the first European Internet Identity Workshop that Consult Hyperion sponsored with our friends from Innopay and Mydex back in October) said about NSTIC:

I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative

[From National! Identity! Cyberspace!: Why we shouldn't freak out about NSTIC. | Fast Company]

She's bang on with this. Here's a couple of typical examples from the blogosphere:

CNET reported on January 7, 2011 that Obama has signed authority over to U.S. Commerce Department to create new privacy laws that require American citizens to hold an Internet ID card.

[From Internet Anonymity: Obama Pushes for an American Internet ID]

And

President Obama has signaled that he will give the United States Commerce Department the authority over a proposed national cybersecurity measure that would involve giving each American a unique online identity

[From Obama administration moves forward with unique internet ID for all Americans, Commerce Department to head system up — Engadget]

As far as I can see, NSTIC being managed by the Commerce Department has nothing to do with "privacy laws" and the idea that it will require Americans to have an "Internet ID" is a journalistic invention. The actual situation is that NSTIC is to go from being an idea to an actual system:

The Obama administration plans to announce today plans for an Internet identity system that will limit fraud and streamline online transactions, leading to a surge in Web commerce, officials said. While the White House has spearheaded development of the framework for secure online identities, the system led by the U.S. Commerce Department will be voluntary and maintained by private companies,

[From Internet Identity System Said Readied by Obama Administration – BusinessWeek]

What this means is not that Americans will get an "Internet Driver's License" but that they will be able to log in to their bank, the Veteran's Administration, the DMV and their favourite blogs using a variety of IDs provided by their bank, their mobile phone operators and others.

[White House Cybersecurity Coordinator] Howard Schmidt stressed today that anonymity and pseudonymity will remain possible on the Internet. "I don't have to get a credential, if I don't want to," he said.

[From Obama to hand Commerce Dept. authority over cybersecurity ID | Privacy Inc. – CNET News]

As long as it's a matter of choice, I really don't see a problem with this. The idea of NSTIC is that it is the infrastructure that is standardised, and this is good. We need standards for credentials and such like so that I can use my Woking Council ID to log in to central government services and my Barclays Bank ID so that I can log in to do my taxes online: but I might pay Barclays for an additional ID that has some key credentials (IS_A_PERSON, IS_OVER_18, IS_NOT_BANKRUPT, that sort of thing) but does not reveal my identity. This sort of Joe Bloggs (or, for our cousins over the water, John Doe) identity would be more than adequate for the vast majority of web browsing and if other people want to wander the highways and byways of the interweb with a Manchester United, Prince or BBC ID, then it's up to them. Let a thousand flowers bloom, as they say (well, as Chairman Mao said).

If the crazies want to be concerned about a single ID mark of the e-beast infocalypse, they're perfectly entitled to, but I don't understand why they are convinced it will come from the government in general or Obama in particular – there are half-a-billion people out there (including me) who have already handed over their personal information to a single unaccountable entity.

Facebook Login lets any website on the planet use its identity infrastructure—and underlying security safeguards. It's easy to implement Facebook Login, simply by adding a few lines of code to a web server. Once that change is made, the site's users will see a "Connect with Facebook" button. If they're already logged into Facebook (having recently visited the site), they can just click on it and they're in. If they haven't logged in recently, they are prompted for their Facebook user name and password.

[From Facebook Wants to Supply Your Internet Driver's License – Technology Review]

Now, at the moment Facebook Connect just uses a password, so it's no more secure than banks or government agencies, but it could move to a 2FA implementation in the future. Widespread 2FA access to online services really should have become a business for banks or mobile operators already (think how long Identrus has been around) but it just hasn't happened: I can't use my Barclays PINSentry to log on to Barclaycard, let alone the government or an insurance company. But suppose my Facebook login required access to my mobile phone so it was much more secure: you know the sort of thing, enter e-mail address, wait for code to arrive on mobile phone, enter code (a proper UICC-based digital signature solution would be much better, but that's another topic). Then I could use Facebook Connect for serious business. This would have an interesting side-effect: Facebook would know where I go on the web, which seems to me to be much more like the mark of the e-beast.

An interesting side benefit for website operators is that Facebook Login provides the site with users' real names (in most cases) and optionally a variety of other information, such as the users' "friends" and "likes."

[From Facebook Wants to Supply Your Internet Driver's License – Technology Review]

Which is, of course, why I don't use it. On the other hand, if Facebook decided to use cryptography to secure and protect this sort of information, they could at a stroke create a desirable internet passport: by "blinding" the passport to prevent service providers from tracking the identity across web sites, Facebook could significantly improve both convenience and privacy for the average user.
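One way to realise the identity-free credential and the "blinded" passport described above, as an added example (not code from this post or from Facebook): the issuer derives a different pseudonym for each site and releases only yes/no flags, protected by a MAC key shared with that site. The class, function, site and key names are hypothetical, and per-site pseudonyms are a substitute technique here rather than a true blind signature, so the issuer still sees which sites are visited.

```python
import base64, hashlib, hmac, json, time

RELEASABLE = {"IS_A_PERSON", "IS_OVER_18", "IS_NOT_BANKRUPT"}  # flags only

class IdentityProvider:
    """Hypothetical issuer: holds the real account, releases only flags."""

    def __init__(self, pairwise_key):
        self._pairwise_key = pairwise_key  # never leaves the issuer
        self._accounts = {}                # user_id -> verified attributes
        self._site_keys = {}               # site -> MAC key shared with it

    def enrol(self, user_id, attributes):
        self._accounts[user_id] = dict(attributes)

    def register_site(self, site, key):
        self._site_keys[site] = key

    def pseudonym(self, user_id, site):
        # Stable per (user, site); two sites cannot link their values
        # without the issuer's key.
        msg = f"{site}\x00{user_id}".encode()
        return hmac.new(self._pairwise_key, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, user_id, site, requested, ttl=300, now=None):
        now = int(time.time()) if now is None else now
        attrs = self._accounts[user_id]
        body = {"aud": site, "sub": self.pseudonym(user_id, site),
                "exp": now + ttl,
                "claims": {k: attrs[k] for k in requested
                           if k in RELEASABLE and k in attrs}}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._site_keys[site], payload, hashlib.sha256).digest()
        return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, tag))

def verify(token, site, site_key, now=None):
    """Relying-party check: the assertion body, or None if unusable."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except ValueError:  # wrong part count or bad base64
        return None
    expected = hmac.new(site_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    body = json.loads(payload)
    if body.get("aud") != site or body.get("exp", 0) <= now:
        return None
    return body

# Constructed demo data: the account, sites and keys are made up.
SHOP_KEY, FORUM_KEY = b"shop-demo-key", b"forum-demo-key"
idp = IdentityProvider(b"issuer-demo-pairwise-key")
idp.enrol("dave@example.org", {"name": "Dave", "IS_OVER_18": True})
idp.register_site("shop.example", SHOP_KEY)
idp.register_site("forum.example", FORUM_KEY)
```

A site that asks for `name` gets nothing back for it, and a token issued for one site fails verification at another because both the audience and the MAC key differ.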

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Who needs cash?

[Dave Birch] Cash has some unpleasant side-effects and these really ought to be factored into the big picture when it comes to examining the transition to digital money.

In terms of public safety and national security, the sooner the world moves to a digital cashless economy, the better.

[From Turn In Your Bin Ladens – NYTimes.com]

Most of the cash “in circulation” (I use the quotes because it is not, of course, actually in circulation at all but being hoarded in various places) is used only for criminal purposes: tax evasion, money laundering, drug dealing and so forth.

Somali pirates are reported to have received a total of $12.3m (£7.6m) in ransom money to release two ships. They are believed to have been paid a record $9.5m (£5.8m) for Samho Dream, a South Korean oil tanker, and nearly $2.8m (£1.7m) for the Golden Blessing, a Singaporean flagged ship.

“We are now counting our cash,” a pirate who gave his name as Hussein told Reuters news agency.

[From BBC News – Somali pirates receive record ransom for ships’ release]

Once again, these miscreants aren’t looking for prepaid mobile phones, gift cards or PayPal accounts: they are after cash, and I’ll lay a pound to a penny that they didn’t want Yuan or Roubles or Kenyan Shillings and an M-PESA account in a false name: they wanted dollars, and in $100 bills. The cash was dropped from a helicopter on to the ship. Now, I’ve heard some people — including some people from banks — say that this is fair enough, because the seigniorage on the cash represents a tax on criminal activity and it’s better to collect this stealth tax from the bad guys than impose more taxation on honest, hard-pressed taxpayers. But I have two objections to this line of thinking:

  1. First of all, it is not at all clear to me that the state should live off of criminal earnings. If something is legal and taxed, fine. But if it’s illegal, it’s illegal.
  2. Secondly, the revenues that accrue to the central bank from this enterprise are small compared to the revenues denied to other parts of government. So in the central bank books, life looks good. But over at the treasury, there’s a black hole where the revenues from honest enterprise should be.

Perhaps the non-central bank parts of government might look to the central bank to use some of the seigniorage revenues to subsidise the introduction of electronic payments to parts of the economy dominated by cash. But what kind of electronic payments? I suppose the government could start developing its own form of e-cash, but I’m not sure that’s the best way forward. Maybe there’s another way. Perhaps we need a new form of e-cash (that we haven’t seen yet) for the new economy because we are trapped using money developed in a previous age for the commerce of the next. In his excellent book “The Birmingham Button Makers”, Professor George Selgin explains how the British economy faced that same problem during the industrial revolution.

Today, the big problem of small change is no longer such a big problem, although shortages of wanted coin continue to occur sporadically around the world (e.g. here and here) as well as surpluses of unwanted coin. Nevertheless, the basic problems of private coinage were trust and credibility. Modern issuers of digital cash face the same problems and thus Selgin’s history is a valuable reminder about the scope and potential of alternative monetary institutions.

[From Marginal Revolution: Good Money]

Indeed, and apart from a general interest in the history of money, this is precisely why I found George’s work so interesting. Could we see a similar trajectory in the post-industrial economy? This would suggest that private operators might step in to the market to fill the void and then when the competition had run its course and the “best” coinage had been established, then the government would step in and provide it as a public good. Perhaps the Bank of England should run its own version of PayPal and the government should insist that everyone has an account if they want to receive state payments of any kind: welfare, pensions, wages and so on! Once all of money is digital, as opposed to the current 96.3% (in the UK), who knows where that will take us.

As money becomes completely digitized, infinitely transferable, and friction-free, it will again revolutionize how we think about our economy.

[From The Future of Money: It’s Flexible, Frictionless and (Almost) Free | Magazine]

I think this is true. You’ll have a chance to kick around these kinds of ideas if you come along to the 14th annual Consult Hyperion Digital Money Forum in London on 2nd/3rd March 2011, where George Selgin will be along in person to give a keynote talk.


Facebook and things

Facebook itself has been playing with this kind of thing – personal location – for a while. We’re all familiar with the various “check in” services, but the internet of things is something much more.

All attendees of the f8 developer conference are receiving special RFID tags that enable them to check-in to various locations throughout the conference venue. The service lets you tag yourself in photos, become a fan of various Facebook Pages, and share activity to your Facebook profile. While it’s still a concept service, it’s interesting to see some of the things that Facebook developers are currently testing

[From Facebook Tests Location Through RFID AT f8]

Is this just the same as messing about with FourSquare or Facebook Places? I think not. Bernhard Warner, editor of Social Media Influencer, puts it very nicely.

Location-based services take either a lot of time — you have to manually check in everywhere you go — or take a lot of liberties — you open up your personal information to businesses.

If RFID checks you in and out automatically, then the web will certainly “take a lot of liberties” (although this may well be what people want). But this is just about the location of people. What will happen when the location of things becomes part of the natural order?

I happened to be chairing a panel at IIR’s M2M Business Exchange event in London recently, and I have to say that I was surprised by the range of organisations that came along. I’d assumed that it would be mainly hardware guys and telcos, but the sessions that they had on smart metering, remote healthcare, retail and so forth were actually discussing some quite diverse applications. Naturally, I was on the lookout for things that might make a business for our customers, so I was focused on the applications that demand more security, such as payments.

ETSI, the telecoms standards body, has been working on what they call SES, which stands for “Service Enablement Services” to form a standard layer between the internet of things and the value-added services to sit above them. Joachim Koss, the TC M2M Vice Chairman said that the standard would include security “tools”, which obviously I would like to see as including fully-functional digital money and digital identity elements because this connects to my somewhat simplistic definition: smart pipe = dumb pipe + digital identity + digital money.

I think this is the right approach, provided that the SES layer contains rich enough services to provide for a proper spectrum of identity types (that is, it does not require the full disclosure of “real identity” or allow uncontrolled anonymity). Another advantage that I can see is that if mobile operators were to get their act together, they might be able to use the SES in combination with a secure token (in the UICC) to make a business from it: for example, I might want to choose an option on my phone which means that my location is visible to anyone on LinkedIn provided they work for Consult Hyperion, and then temporarily extend this to a client for a month in connection with a project, but allow my wife to see it via Facebook at all times, that sort of thing. It would be another example of a value-added service that could, when built in to the infrastructure of other more sophisticated value-added services, generate much more income than raw data.


Where will Wikileaks take us?

[Dave Birch] Oh no! According to tonight's news reports, the UK is bracing itself for cyberattack from the "hackers" supporting Julian Assange and Wikileaks. Apparently vital government services are at risk from the group called "Anonymous" launching distributed denial-of-service (DDOS) attacks. A bit like this guy, from the group "Not Anonymous At All":

A 17-year-old from Manchester has been arrested by the Metropolitan Police's e-crime unit (PCeU) on suspicion of being behind a denial of service attack against the online game Call of Duty.

[From Call of Duty DDoS attack police arrest teen • The Register]

He was, of course, traced from his IP address. I thought it was funny, in a way, that journalists and politicians refer to the LOIC kids as "hackers" when they are anything but. What's more, as I said when Charles Arthur was kind enough to invite me on to The Guardian's Technology Podcast, they have chosen a particularly funny way to join the Anonymous group of internet vigilantes: software that isn't anonymous in the least and that delivers their IP addresses to their intended victims, thus making it easy for them to be traced and arrested. This is, in fact, precisely what has happened.

A 16-year-old boy was arrested in the Netherlands in connection with a series of cyber attacks on Visa, MasterCard

[From Dutch teen arrested over cyber attacks on Visa, MasterCard]

My personal views about Wikileaks and the "Cable Gate" DDOS attacks are irrelevant. (I will say this: that if you don't like MasterCard then cancel your card and leave mine out of it). But they will certainly have an impact on thinking and the calls for "something to be done" mean change. Since there's no way to stop people from copying data (as the music industry has discovered), that's probably not a fruitful line of thinking. So what will happen?

What technology may lead to are "red" and "blue" internets. (Note that "blue and red" are here allusions to the military labelling of secure and insecure networks, they are nothing to do with blue and red pills in The Matrix.) Essentially, there will be secure and insecure internets both running over the same IP networks.

On the red, open, internet people and organisations will exchange encrypted data across an untrusted network. Some people may choose not to connect to the red internet at all and only crazy people (and organisations) will send unencrypted data to unauthenticated counterparties.

On the blue, closed, internet you will need to authenticate yourself before you are allowed to access anything and a digital identity infrastructure will deliver privacy (and in some cases anonymity) through cryptography, not through data protection registrars or privacy ombudsmen. In order to connect to the government, or Facebook, or Amazon, you will have to use the blue internet: they simply won't be connected to the red internet any more. At home, I will probably set my internet connection to blue only.

Now, some of you may be concerned that, as The Daily Telegraph told us, the Chinese government have a master key that can decrypt everything on the Internet, in which case the entire Internet will be — very literally indeed — red forever.

While sensitive data such as emails are generally encrypted before being transmitted, the Chinese government holds a copy of an encryption master key which could be used to break into redirected traffic.

[From China 'hijacks' 15 per cent of world's internet traffic – Telegraph]

But look on the bright side: since the Chinese have "a copy" of this mythical master key, someone else must have the original, and they will be able to read all of the Chinese government's e-mail and put that on Wikileaks too.

