What a cunning stunt

[Dave Birch] I am, very literally, green with envy. I count myself as a reasonably good speaker, and I try to use narrative and historical examples to explain key principles. But nothing beats a good demo, and I saw an excellent one today, one that I wish I'd thought of!

At the Intellect conference on Identity & Information in London today, Edgar Whitely from the LSE gave a terrific presentation. He was pointing out that the principle of data minimisation in identity systems is important, but he did it in a particularly arresting way.

Here's what he did.

He showed this recent newspaper photograph of the British Home Secretary, Alan Johnson, showing off his new ID card and holding it up to the camera. This version comes from The Guardian….


Alan Johnson reveals the design of the British national identity card. Photograph: Stefan Rousseau/PA

As you can see in the picture, for reasons that will be explained in a moment, the UK ID card has the holder's full name, date of birth and place of birth on it. These three data points are sufficient to uniquely identify the overwhelming majority of the population. So Edgar went to the Identity & Passport Service birth certificate ordering service and put in the details from the Home Secretary's card. He then paid his £10 and… with a suitably theatrical flourish, Edgar produced the copy of the Home Secretary's birth certificate that he had been sent in the post. Note that Edgar hadn't done anything wrong. As James Hall, the head of IPS who was on the same panel, pointed out, in the UK anyone can order a copy of anyone's birth certificate. He said that if you are a celebrity then hundreds of people will order copies of your birth certificate every year, which had never occurred to me. I'm sure James is right, but it does seem a little odd that people who want to commit identity theft will simply have to look at their mark's ID card to get started.

Edgar hadn't used the birth certificate to open a bank account or get a driving licence or anything, he was just making the point that if we don't adopt the right principles (eg, data minimisation) for identity systems, then we run the risk of making identity theft worse. It was a great presentation and a super stunt. Well done.

Anyone familiar with my deranged rantings about psychic ID (ie, virtually nobody) will be familiar with the general point: a characteristic of a 21st-century ID scheme is that it should only give up the information necessary to enable a transaction, nothing more and nothing less. So, if you are authorised to ask my ID card whether I am over 18 or not, that's all it should tell you. Not my name, not my address, not my age or date of birth. Just whether I am over 18 or not, and that's it.

The current ID card scheme does not have this key characteristic, not for any functional reason but because the ID card and passport were jumbled up together for a political purpose (as far as I know, to make it harder for an incoming administration to scrap the scheme), and that jumbling constrains the design and implementation. Since the government wants the ID card to be used as a travel document within the EU, it has to carry certain human-readable information. That's why it gives away the key data points that make it tempting for criminals to kick-start their identity theft antics.

What is a “suitable” ID for banking?

[Dave Birch] There was a really interesting letter in The Daily Telegraph "Money" section (2nd October). I can't find it online to link to, so I hope they don't mind me quoting a couple of chunks here. The letter comes from someone who tried to open a bank account with HSBC, but who didn't have a current passport or driving licence.

When I explained this at a branch, it was suggested that I ask the police station for proof of identity. The police officers said they had never heard of such a thing unless I had a criminal record.

[From The Daily Telegraph "Jessica Investigates", 2nd October 2009]

That can't be right: you can only have a bank account at HSBC if you have a criminal record? The disappointed would-be bank account holder went back to their branch to ask for alternatives.

The counter person showed me a list of possible documents, but, as I am not a pensioner, nor in receipt of benefits, the only item on the list she could suggest I try was to get a letter from HMRC. I duly went to the local tax office, where the assistant said she wished banks would stop sending people there… they would not waste public money providing such letters for banks.

[From The Daily Telegraph "Jessica Investigates", 2nd October 2009]

The letter goes on to list the documents that the wannabe-HSBCer had presented, and had had rejected by the bank: an out-of-date passport, a birth certificate, a current payslip from an employer (the local council, for whom the person had worked for more than two decades), a work ID card (complete with microchip), utility bills, statements from another bank, house deeds and a voting card. Any one of these would have got you a job with the bank, but not, it seems, an account. Identity is broken, and the Conservative plan to scrap the national ID card scheme is as bad as the government's plan to keep it. What this country needs is a working national identity infrastructure.

The ten minute version

[Dave Birch] A diversion. I filled in a questionnaire about digital identity (for reasons not germane to this post) so I thought it might be mildly interesting to post my answers and see if they attract any comment.

  • Who are you? (Name, job role and organisation)
  • Dave Birch, Director, Consult Hyperion
  • What does the term ‘digital identity’ mean to you?
  • It's the bridge between virtual identities that exist only inside computers and things in the real world.
  • Is your digital identity ‘you’? Why? You may also want to comment on whether your ‘digital identity’ is an individual understanding or composed of group, community and organisational identities?
  • My digital identity isn't me, although it may be created by me. In general use, I imagine that people will have a small number of digital identities, just as they have 3 or 4 credit and debit cards, but each of these may support a large number of virtual identities. These virtual identities will, by and large, embody relationships.
  • What skills and competencies do we need to manage our digital identity?
  • We need to implement the "front end" in familiar ways while hiding the OpenID, PKI and all the rest of it. It should be a simple matter of "who do you want to be today" and choosing from a menu on your mobile phone screen. I do not believe that the average person has either the competencies or, frankly, the inclination to manage their identities (and privacy) properly, so we (ie, responsible professionals) need to construct an infrastructure that will do it for them.
  • What do you see as the current issue/s of concern surrounding digital identity?
  • The tension between the unlimited possibilities of technology and the limited vision of politicians, regulators, designers. Since virtual identities do not behave as mere electronic simulations of "real" identities, but can in fact do far more, we need people with vision who can understand what technology can deliver.
  • What do you see as future issue/s of concern in the area of digital identity?
  • Managing multiple digital identities in ways that make sense, so that there's a narrative around identity and privacy that can underpin future social, commercial and government relationships.
  • Which tools and services do you use to manage your digital identity? For example do you separate personal and professional identities?
  • I do separate personal and professional identities. I have different e-mail addresses, different blogs and now different OpenIDs. Sometimes I even comment on things anonymously. Personally, I think this is a natural way to work — my kids do it implicitly when they IM me, e-mail their grandma and Facebook their friends.

I expect my responses were a little different from most people's, partly because I spend a lot of time thinking about this sort of thing but also partly because I have quite a strong model of the relationship between real and virtual identities and I locate digital identity there.

Touch and gone

[Dave Birch] I ran a workshop on mobile proximity security today, and one of the things we touched on in the group was the EU’s publication of its recommendations on the “identity of stuff” last week. They’ve published a 14-point action plan.

The European Commission has announced plans for Europe to play a leading part in developing and managing interconnected networks formed from everyday objects with radio frequency identity (RFID) tags embedded in them – the so-called “internet of things”.

[From EU lays out plans for the “internet of things” – V3.co.uk – formerly vnunet.com]

These are real issues, and although I’m not making any comment on the value or otherwise of the specific recommendations, there’s no doubt that the subject deserves more attention. There’s an “identity of things” problem that came up (again) in a meeting I was in last week that I think is worth sharing. It comes from the world of NFC, where the problem revolves around contactless stickers, tags, posters and that kind of thing. It’s the same problem that we looked at before, and it’s worth reviewing because there’s been no industry progress toward a solution.

A little background. The NFC Forum have announced their “N mark” which is a standard symbol to be applied to adverts, magazines, posters and such like. The idea is to show consumers (none of whom have ever even heard of NFC, let alone seen an NFC phone) where they can “tap” their phones to get some kind of service.

The NFC Forum has developed the “N-Mark” trademark so that consumers can easily identify where their NFC-enabled devices can be used. It is a stylized “N” and indicates the spot where an NFC-enabled device can read an NFC tag to establish the connection.

[From NFC Forum : N-Mark]

If you haven’t seen it, it looks like this. A simple ecosystem in the offing: you put the N-mark on things, consumers come along and touch them with other things.

What’s the use case?

[Dave Birch] Suppose you did have a virtual identity that did something for you that was so useful that you would actually pay for it. What kind of thing should it do? At the Forum Oxford Future Technologies seminar I heard Mark Curtis of Flirtomatic say something along the lines of "we would happily use mobile operator age verification services if they worked". This struck me as a very simple, prosaic example. Just as in the physical world there are a couple of age verification schemes where teenagers can buy cards that show them to be over 18, perhaps the online equivalent would be the place to begin.

Now that people like Facebook are getting on board with OpenID, perhaps one idea might be to create an OpenID source that supplies IDs with a single credential, IS_OVER_18, and two-factor authentication. This would be, effectively, one of Bob's LLPs. Where would you use this? Well, one of the long-standing mass-market problem areas is social networking. There have been attempts to deal with this piecemeal.

Mobile social networking service Funky Sexy Cool is offering identity verification to all its members at no additional cost, says Tim O’Connor, CEO of the New York-based company. But members have to choose to go through the process. Funky Sexy Cool enables members to find other like-minded individuals in the same geographic area to hang out with. For example, a member can send out a message to his friends saying he’ll be at a certain club or bar… Funky Sexy Cool is using ID verification technology from IDology Inc., Atlanta. IDology searches public databases to confirm an identity [and] charges about 37 cents per ID verification.

[From Social networking sites have little to no identity verification : CR80 News]

Now teenagers would, naturally, want to obtain the 2FA "device" of an older sibling or friend in order to gain access to sites, but it's not like using fake ID to buy a beer, because they'd end up logged in not as themselves but as their sibling or friend, which isn't much use in social networking.
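The credential that both "What a cunning stunt" and the post above ask for (a card or ID source that answers "over 18?" and nothing else) can be built from an ordinary signature plus salted-hash commitments. The Go example below is added here and is not code from either post: the issuer signs a list of commitments to the holder's attributes, the holder opens only the over_18 one, and the relying party checks the issuer's signature without ever seeing name, date or place of birth. The attribute names, the constructed sample holder, the 16-byte salts and the use of the standard library's Ed25519 are all assumptions of the example; OpenID and the second factor mentioned above are out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Over18 runs on the issuer's side: the date of birth is reduced to a single
// bit before anything that a relying party will see is created.
func Over18(dob string, on time.Time) (bool, error) {
	d, err := time.Parse("2006-01-02", dob)
	if err != nil {
		return false, err
	}
	return !on.Before(d.AddDate(18, 0, 0)), nil
}

// commit hides one attribute behind a salted hash. With a 16-byte random salt
// the verifier cannot recover an undisclosed value by guess-and-check.
func commit(salt []byte, name, value string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(name + "=" + value))
	return hex.EncodeToString(h.Sum(nil))
}

func signedPayload(commitments []string) []byte {
	return []byte(strings.Join(commitments, "\n"))
}

// Credential is what the issuer hands the holder. Only the commitment list is
// signed; the salts and clear values stay with the holder.
type Credential struct {
	Commitments []string
	Signature   []byte
	salts       map[string][]byte
	attrs       map[string]string
}

func IssueCredential(issuer ed25519.PrivateKey, attrs map[string]string) (*Credential, error) {
	c := &Credential{salts: map[string][]byte{}, attrs: attrs}
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return nil, err
		}
		c.salts[name] = salt
		c.Commitments = append(c.Commitments, commit(salt, name, value))
	}
	sort.Strings(c.Commitments) // position in the list says nothing about which attribute it is
	c.Signature = ed25519.Sign(issuer, signedPayload(c.Commitments))
	return c, nil
}

// Presentation is all the relying party receives: the signed commitment list
// plus the opening of exactly one attribute.
type Presentation struct {
	Commitments []string
	Signature   []byte
	Name, Value string
	Salt        []byte
}

func (c *Credential) Present(name string) Presentation {
	return Presentation{c.Commitments, c.Signature, name, c.attrs[name], c.salts[name]}
}

// VerifyPresentation checks that the issuer signed the commitment list and
// that the disclosed (name, value, salt) opens one of the commitments in it.
func VerifyPresentation(issuerPub ed25519.PublicKey, p Presentation) bool {
	if !ed25519.Verify(issuerPub, signedPayload(p.Commitments), p.Signature) {
		return false
	}
	want := commit(p.Salt, p.Name, p.Value)
	for _, c := range p.Commitments {
		if c == want {
			return true
		}
	}
	return false
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil)
	dob := "1971-03-04" // constructed sample holder; never reaches the verifier
	over, _ := Over18(dob, time.Date(2009, 10, 1, 0, 0, 0, 0, time.UTC))
	cred, _ := IssueCredential(issuerPriv, map[string]string{
		"name": "A. N. Other", "dob": dob, "pob": "Hull", "over_18": fmt.Sprint(over),
	})
	p := cred.Present("over_18")
	fmt.Printf("verifier sees %s=%s, accepted=%v\n", p.Name, p.Value, VerifyPresentation(issuerPub, p))
	p.Value = "false" // a tampered claim opens none of the signed commitments
	fmt.Println("tampered accepted:", VerifyPresentation(issuerPub, p))
}
```

The verifier does learn how many attributes the credential carries, which is the usual trade-off with this construction; what it cannot do is read or brute-force the ones that were not opened, and it cannot be fooled by a holder who edits the disclosed value.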

Virtual identities and LLPs

[Dave Birch] Over at the Burton Group, Bob Blakely has been developing a line of thinking around a particular kind of virtual identity that he has called the Limited Liability Persona, or LLP, and he recently posted some ideas for more specific characteristics of such a thing that I think deserve reflection. Bob's thinking is that since the invention of the limited liability company as a distinct legal entity the economy has grown and benefited, so there might be economic advantages to recognising some form of virtual identity as a distinct legal entity.

Well, since LLPs don't really exist yet, it's hard to be too specific. But in principle an LLP is a legal entity with a name:

  1. Created by an action of a court.
  2. Owned by one or more individuals.
  3. With its own resources distinct from those of its owners.
  4. In which owners can invest new resources.
  5. With its own "identity attributes" distinct from those of its owners.
  6. Whose actions are legally distinct from those of the owners (though the owners may be held accountable for those actions).
  7. Whose resources may be transferred to its owners.
  8. Which can be sold by the owners to new owners.
  9. Whose existence can be terminated by its owners.
[From Burton Group Identity Blog: The Limited Liability Persona]

This is very close to the idea of the virtual identity bound to a digital identity that we have discussed here before, but with much firmer purpose. In Europe, as in many other jurisdictions, the relevant digital signature legislation already exists, so legally-binding digital signatures can be used and, by inference, legally-valid digital identities created. It's easy to see how Bob's ideas can be implemented, except for the transfers part. If an LLP is a virtual identity that is, in essence, a public key certificate, then it cannot be transferred. It must be deleted and a new virtual identity created. So let's say there is a virtual identity "Chair of Manchester City Fan Club" that is my public key signed by Manchester City Fan Club's private key. When a new Chair is elected, my certificate has to be revoked and a new certificate created (ie, the new Chair's public key signed by Manchester City Fan Club's private key). So the particular attribute "Chair of Manchester City Fan Club" ends up bound to a new digital identity (key pair).
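The revoke-and-reissue step described above, as an added Go example that is not part of Bob's proposal or of the original post. It shows why the attribute cannot simply be handed over: the club's signature covers the subject's public key, so editing the subject breaks it, and the old holder keeps failing after revocation because the verifier checks a revocation list and demands a fresh proof of possession of the subject key. The certificate layout (serial, subject key, attribute string), the use of Ed25519, the club's key pair and the challenge nonce are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// AttributeCert binds one attribute to one subject key pair under the
// signature of the party that controls the attribute (the club).
type AttributeCert struct {
	Serial    uint64
	Subject   ed25519.PublicKey
	Attribute string
	Sig       []byte
}

// tbs is the to-be-signed encoding: every field except the signature.
func tbs(c AttributeCert) []byte {
	b, err := json.Marshal(struct {
		Serial    uint64
		Subject   []byte
		Attribute string
	}{c.Serial, c.Subject, c.Attribute})
	if err != nil {
		panic(err) // cannot happen for these field types
	}
	return b
}

// Club is the attribute authority. It holds the signing key and the set of
// revoked serials that it publishes to verifiers.
type Club struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	next    uint64
	revoked map[uint64]bool
}

func NewClub() (*Club, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Club{Pub: pub, priv: priv, next: 1, revoked: map[uint64]bool{}}, nil
}

func (c *Club) Issue(subject ed25519.PublicKey, attribute string) AttributeCert {
	cert := AttributeCert{Serial: c.next, Subject: subject, Attribute: attribute}
	c.next++
	cert.Sig = ed25519.Sign(c.priv, tbs(cert))
	return cert
}

func (c *Club) Revoke(serial uint64) { c.revoked[serial] = true }

// CRL is the snapshot of revoked serials a verifier works from.
func (c *Club) CRL() map[uint64]bool {
	out := map[uint64]bool{}
	for s := range c.revoked {
		out[s] = true
	}
	return out
}

// Prove shows control of the subject key by signing the verifier's nonce.
func Prove(holder ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(holder, nonce)
}

// VerifyAttribute accepts only if the club signed this exact triple, the
// serial is not revoked, and the presenter controls the subject key.
func VerifyAttribute(clubPub ed25519.PublicKey, crl map[uint64]bool, cert AttributeCert, nonce, proof []byte) bool {
	if len(cert.Subject) != ed25519.PublicKeySize {
		return false
	}
	if !ed25519.Verify(clubPub, tbs(cert), cert.Sig) {
		return false
	}
	if crl[cert.Serial] {
		return false
	}
	return ed25519.Verify(cert.Subject, nonce, proof)
}

func main() {
	club, err := NewClub()
	if err != nil {
		panic(err)
	}
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := []byte("verifier challenge 0001") // constructed; use random bytes in practice
	attr := "Chair of Manchester City Fan Club"

	chair := club.Issue(oldPub, attr)
	fmt.Println("old chair:", VerifyAttribute(club.Pub, club.CRL(), chair, nonce, Prove(oldPriv, nonce)))
	handedOver := chair // "transferring" by editing the subject breaks the club's signature
	handedOver.Subject = newPub
	fmt.Println("edited subject:", VerifyAttribute(club.Pub, club.CRL(), handedOver, nonce, Prove(newPriv, nonce)))
	club.Revoke(chair.Serial) // the real procedure: revoke, then issue to the new key
	successor := club.Issue(newPub, attr)
	fmt.Println("old chair after election:", VerifyAttribute(club.Pub, club.CRL(), chair, nonce, Prove(oldPriv, nonce)))
	fmt.Println("new chair:", VerifyAttribute(club.Pub, club.CRL(), successor, nonce, Prove(newPriv, nonce)))
}
```

In a deployed system the revocation list would itself be signed and dated by the club so that a verifier cannot be served a stale copy; the example passes a plain map to keep the binding-and-revocation logic in view.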

How do these ideas make it through to implementation?

[Dave Birch] In the US, there is something called the Enhanced Drivers Licence (EDL) which is used not primarily as a means to demonstrate someone's entitlement to drive a motor vehicle but as a proxy identity card.

The Smart Card Alliance says it recommends an immediate review of the decision to use EPC Gen 2 RFID technology in US travel documents. “The Alliance is prepared to endorse the correct use of any technology that provides adequate protection of privacy and identity information. However, as the US Passport Card and EDL programmes were being defined, the Smart Card Alliance went on record advising against using an insecure EPC Gen 2 RFID solution that puts the privacy and security of US citizens’ personal information at risk.”

[From Security Document World – Biometrics, Passports, ID Cards and Visas]

Who cares? After all, what does it matter if a fraudster gets hold of your driving licence details? All they can look up is whether you have a licence or not, right?

Still, victims-rights and privacy advocates remain concerned about one important Real ID requirement, which dictates that state DMVs interlink their databases and make all their drivers' records and identity documents available. The final rule says that both an individual's "full legal name" and "true address" must be stored in the DMV database, regardless of what's displayed on the card and encoded on its bar code. It also requires that motor vehicle departments scan and store "source documents," such as birth certificates, to verify a driver's license applicant's identity.

[From Real ID worries domestic violence groups | Tech news blog – CNET News.com]

Hhhmmmm. There may be some interacting unexpected consequences around the collision between identity and entitlement here. This is what happens when you jumble together entirely different concepts under the banner of "common sense".

The China syndrome

[Dave Birch] A couple of days ago I again mentioned the government's "break the glass" plan for a national identity scheme. In other words, what is the emergency plan to be followed should the integrity of the system itself fail? The point about the "break the glass" plan is a serious one. While I have no evidence that the government has such a plan, I'm sure they must do. If hackers, mafia extortionists or opposition MPs get into the database then someone has to be able to press a button to sound the alarm, raise the drawbridge to other government systems and initiate the meltdown process of re-issuing keys (or whatever else needs to be done).

What kind of meltdown might require the government to break the glass? Well, just for amusement purposes (since it could never happen, because the Home Secretary said that the ID card system will use "military" security) let's suppose that a disgruntled member of staff steals the entire biographical database. Let's say fifty million individual records (5 x 10^7). Each individual record comprises 50 data items (in the UK Identity Cards Bill it was actually slightly more than 50), so that's 5 x 10^1 items per record. Let's say each data item is 1KB. They're not, but whatever. So now we have 5 x 10^7 x 5 x 10^1 x 1KB, which is 2.5 x 10^9 KB, or a couple of terabytes. That's it, a couple of terabytes. I can buy a 2TB USB hard drive on Amazon right now for a couple of hundred quid and by the time the database is up and running, it will be fifty quid. So I can store the entire database for next to nothing, chuck it in my car and zoom off with it.

When they come in in the morning and notice it missing, there needs to be a big red button on the wall whose glass they can smash so they can press it. Ah, you might say, it seems unlikely that a vetted civil servant will deliberately and flagrantly break the Data Protection Act or whatever. Well, I imagine that's what they thought in Chile, before a civil servant started publishing their national identity register on the Internet. We shouldn't let this kind of thing stop us from building a national identity infrastructure, but we should use it to help us build a better one, by which I mean one that depends on open peer review for its security.

Privacy invasion by design

[Dave Birch] I've been reading the excellent report on Privacy by Design that was published by the Information Commissioner's Office in December. As I'm sure many of you will know, the report was written by Forum friend Toby Stevens of EPG. As therefore might be expected, it is a thorough piece of work that makes practical recommendations. As I was reading through it, I began to wonder to what extent the implicit assumptions about what is "good" or "bad" (the report is not that simplistic, by the way) are purely cultural and therefore to what extent the idea of some kind of identity infrastructure that can deliver appropriate privacy, identity, credential, reputation and other structures on an international, web-wide basis is really plausible.

Is there a business in ID or not?

[Dave Birch] I spent the day at the seminar on the business use of ID cards at the EEMA/Digital Identity Forum seminar sponsored by Consult Hyperion at the British Computer Society. The presentations are available from the EEMA web site so there's no need to go through all of them here, but I just wanted to make a couple of points that came out of the day. The event was kicked off by the Parliamentary Under-Secretary for Identity, Meg Hiller. Meg gave an overview of where the UK national identity card scheme is now, and where it will be going. She kindly agreed to stay for an extended question and answer session, and just to show how modern we are I've posted a couple of minutes of this up on YouTube. She gave a couple of examples where businesses might want to use the cards, which was the point of the seminar. The example of video rental was once again to the fore, as well as banks. Meg also said that retailers could see the benefit of requiring an identity card to be presented for certain services, and this set me wondering what kind of retailers these might be. I can see that retailers might need to know whether you are 16 to buy glue, or 18 to buy beer or whatever, but they don't need to know who you are. The more I thought about it, the more I thought that there is a real distinction between retail transactions where the retailer needs to know who you are, retail transactions where the retailer wants to know who you are (and, conversely, in some cases you might want them to know who you are, because of warranties or something), and retail transactions where the retailer doesn't care who you are but needs to uniquely recognise you because of loyalty schemes or promotions. I have to say I was left unconvinced by the retail example. Her public sector arguments were much better, because it is a common and infuriating experience to have to keep giving your name and address and personal details to various departments over and over again.
The example that Meg gave was of going through maternity services in the NHS, where she has to keep filling out the same personal information over and over again. I didn't think that was a good example, because the current government has spent TWELVE BILLION POUNDS on the computerisation of NHS patient records. It doesn't automatically follow that another few billion on the identity scheme would make any difference to her experience interacting with her local council, hospital or schools. Meg was also right to say that it's frustrating to have to fill out forms online, and indeed it is, but we had an afternoon presentation from the chief security architect at IPS, Andy Smith, and it was not clear to me from his description quite how the scheme is going to help here. Perhaps more technically-informed delegates could explain further.

