Engineering principles

[Dave Birch] Privacy and security aren’t additional extras, costly options for new systems. They are (or should be) part of the fabric. You can choose how to implement systems in either a privacy-enhancing or privacy-reducing way. Take, for example, congestion charging. There are a couple of ways to do this: you could do it the way they do in Singapore, where you have a prepaid card that communicates via RF with an overhead gantry. When you go through a gantry, the system attempts to take a fee from the card. If the transaction goes through (it’s an offline purse transaction) then you’re on your way. If you borrow a mate’s car, you can take your card and put it in his car, no problem. But if you don’t have a card, or you don’t have any money on your card, then you get photographed. Alternatively, you can do it the British way. In London, all cars get photographed and then automatic numberplate recognition is used to try and work out who to charge. In many cases, it works and the correct account of a poor person is charged. I say poor person, because rich people register their Lamborghinis as taxis and avoid the charge:


Cleangreencars has discovered that there are an unusually high number of luxury cars that have been granted the private hire designation, including two Maserati Quattroportes, three Maybach 62 and eight Rolls Royce Phantoms.

[From Taxi!? London luxury car owners register Maseratis, Rolls Royces as C-charge-free private hire vehicles – AutoblogGreen]

Incidentally, if you can’t be bothered to send your chauffeur round to register the Porsche as a private hire, you can always just leave the Belgian plates on it, because the supercomputer running the system is not connected to other supercomputers in other European countries…


I drove for 4 years in London with a German plate, many times in the zone (once it was introduced), never paying and my ex never got a ticket sent to her place in HH where the car was registered.

[From London congestion charge for foreign cars]

In fact, as that tax-avoiders’ handbook The Independent notes,


there are a number of ways to exploit the loopholes in this system as a private, law-abiding motorist if you are willing to be a little inventive.

[From Congestion charge loopholes: Now just learn the Knowledge… – Features, Motoring – The Independent]

But I digress. My point is that we have choices, and not building privacy-enhancing technology into a system is making a positive choice to have a data catastrophe at some point downstream.
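To make the design choice concrete, here is an added example (mine, not from the original post) that runs the same constructed stream of gantry passages through both designs described above: an offline prepaid purse that only photographs a plate when no fee can be taken, and blanket ANPR that photographs every plate and then tries to bill the registered keeper. The fee, the purses, the plates and the keeper registry are all constructed sample data; the point is to count how many plate-linked records each design has to retain to collect the same charges.

```python
"""Two congestion-charging designs run over the same constructed stream of
gantry passages: an offline prepaid purse (Singapore-style) and blanket ANPR
(London-style).  The comparison is how many plate-linked records each design
must retain, and who ends up being charged."""
from collections import Counter

FEE = 2  # constructed per-gantry charge

# Constructed sample data.  Purses live with cards, not cars, so a card can
# travel in a borrowed car and a foreign-plated car can carry one.
PURSES = {"card-A": 5, "card-D": 10}
REGISTRY = {"AB12 CDE": "alice", "FG34 HIJ": "bob"}  # plate -> keeper (domestic plates only)
PASSAGES = [  # (gantry, plate, card present in the vehicle or None)
    ("G1", "AB12 CDE", "card-A"),   # alice, pays from purse
    ("G2", "AB12 CDE", "card-A"),   # alice, pays again
    ("G1", "AB12 CDE", "card-A"),   # alice, purse now too low: photographed
    ("G1", "FG34 HIJ", None),       # bob, no card: photographed
    ("G2", "FG34 HIJ", "card-D"),   # dave driving bob's car with his own card
    ("G1", "BE-1234", "card-D"),    # foreign-plated car carrying a card
    ("G1", "BE-5678", None),        # foreign-plated car, no card
]


def purse_scheme(passages, purses):
    """Offline purse: debit the card at the gantry; photograph the plate only on failure."""
    balances = dict(purses)
    settlement = []    # anonymous debit records (gantry, amount): no plate, no card id
    photographs = []   # plate-linked records, created only when no fee could be taken
    for gantry, plate, card in passages:
        if card is not None and balances[card] >= FEE:
            balances[card] -= FEE
            settlement.append((gantry, FEE))
        else:
            photographs.append((gantry, plate))
    return {
        "revenue": sum(amount for _, amount in settlement),
        "plate_records": len(photographs),
        "anonymous_records": len(settlement),
    }


def anpr_scheme(passages, registry):
    """ANPR: photograph every plate, then try to bill the registered keeper."""
    plate_records = [(gantry, plate) for gantry, plate, _ in passages]
    charged = Counter()   # keeper -> number of passages billed (dave's trip lands on bob)
    uncharged = 0         # passages whose plate is not in the domestic registry
    for _, plate in plate_records:
        keeper = registry.get(plate)
        if keeper is None:
            uncharged += 1
        else:
            charged[keeper] += 1
    return {
        "revenue": FEE * sum(charged.values()),
        "plate_records": len(plate_records),
        "charged": dict(charged),
        "uncharged_passages": uncharged,
    }


if __name__ == "__main__":
    print("purse:", purse_scheme(PASSAGES, PURSES))
    print("anpr :", anpr_scheme(PASSAGES, REGISTRY))
```

On this sample the purse design retains three plate-linked records (the three failed passages) against seven for ANPR, and it charges the card holder rather than the keeper, so the borrowed-car trip is paid by the driver and the foreign-plated car carrying a card pays like anyone else. ANPR has to keep every plate and still cannot bill the two foreign plates it has no registry entry for.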

Now, who’s smart and who’s dumb?

[Dave Birch] There are a great many advantages to smart cards as a platform for digital identity — they’re smart (ie, they have a microprocessor in them) for one thing — but there’s one huge drawback. They need readers. Now you might reasonably assume that no-one would countenance launching a smart card scheme with no readers, but that’s precisely what has just happened in the U.K.


Eleven million free travel smart cards have been issued but many buses are not equipped to read them, a report by MPs claims. The report, by the House of Commons Transport Committee, entitled Ticketing and Concessionary Travel on Public Transport, said the situation was "daft". Ten years after committing to integrated bus ticketing, the Government has "achieved too little of practical value", the report said.

[From The Press Association: £1bn bus pass scheme ‘stalling’]

When they say "not many" buses have been equipped to use the cards, what they actually mean is "virtually no" buses have been equipped to read the cards. The cards are simply being used as "flash passes" so as long as you wave something that looks like a valid card then the bus driver will let you on board since he/she has no way of verifying that the card is valid. Since the cards have a two-year lifetime, and since the readers won’t be in place for two years, it’s hard to see what the use of them is. It seems like a huge waste of money to me, but then I am not well-versed in government smart card policy…


The first nationwide smartcard-based travel scheme launches next month, but the majority of passengers outside London will not be able to use the advanced functions.

[From Free smartcard travel arrives – 20 Mar 2008 – Computing]

Nor will the majority — in fact, all — of the passengers in London since (as the article makes clear) Transport for London won’t even begin trialing the readers for these cards until mid-2009 and won’t be installing them until 2010.

Addressing a real problem

[Dave Birch] There’s a general class of problem whereby one party to a transaction needs the other party’s address to proceed, but the other party doesn’t want to proceed with the transaction if they have to give up their address. Here are a couple of examples.

Over on the Digital Money Blog we decided to mark the launch of the Single European Payments Area (SEPA) by making a celebratory SEPA Credit Transfer (SCT) to a friend in the Netherlands. In order to do this, we had to obtain his bank account details: his IBAN. Now I think that in many circumstances, people will be reluctant to give this sort of information out, lest they suffer a Jeremy Clarkson-style incursion. So why can’t the bank give me a pseudonym to use in transactions: if someone wants to send me money, they can send it to, or whatever. I don’t mind giving out this pseudonym, since only the bank knows that it’s me. So when an SCT for leadbelly arrives, the money can be routed to my account. I can publish the pseudonym on my web page if I want, just as I can happily give out my PayPal address, since only I know that it’s mine (well, PayPal know as well, of course).

Another example comes from the retail space. A retailer wants me to give him my mobile phone number so that he can let me know when a relevant special offer is on. I want to know that the relevant special offer is on. But I’m not giving my mobile phone number to a retailer: I don’t want them ringing me up until Kingdom Come. I want control over the link between the retailer and me. Once again, why doesn’t the phone company allow me to create arbitrary pseudonyms, so I can tell the retailer that I’m leadbelly@O2: the retailer (and anyone else) can text to leadbelly@O2 and the O2 SMS centre will route it to the correct phone number. If I don’t want to do business any more, I can just junk the pseudonym.

Hey presto, an addressing scheme that provides both convenience and privacy.
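The addressing scheme sketched above, as an added example (mine, not anything the post or the banks and operators it mentions have built): a routing party that alone holds the mapping from a published pseudonym to the real address, delivers whatever arrives for the pseudonym, and lets the owner junk one pseudonym without touching the real address or any other pseudonym. The bank domain, the IBAN and the phone number are constructed placeholders; the "leadbelly" and "O2" names come from the post.

```python
"""Pseudonymous addressing: the routing party (a bank for IBANs, a mobile
operator for phone numbers) alone holds the alias -> real-address mapping.
Correspondents only ever see the alias, and the owner can revoke it without
changing the real address behind it."""
from dataclasses import dataclass, field


@dataclass
class PseudonymRouter:
    domain: str                                    # "O2" from the post, or a constructed bank domain
    _aliases: dict = field(default_factory=dict)   # alias -> real address; never leaves the router
    delivered: list = field(default_factory=list)  # (real address, payload) items that reached an owner

    def register(self, local_part: str, real_address: str) -> str:
        """Mint "<local_part>@<domain>" for the owner of real_address; local parts are unique."""
        alias = f"{local_part}@{self.domain}"
        if alias in self._aliases:
            raise ValueError(f"alias already taken: {alias}")
        self._aliases[alias] = real_address
        return alias

    def revoke(self, alias: str) -> None:
        """Junk the pseudonym: senders keep a dead address, the real one was never exposed."""
        self._aliases.pop(alias, None)

    def route(self, alias: str, payload: str) -> bool:
        """Deliver payload to whoever owns alias; False if the alias is unknown or revoked."""
        real = self._aliases.get(alias)
        if real is None:
            return False
        self.delivered.append((real, payload))
        return True


def demo():
    """Both scenarios from the post: an SCT to a bank alias, then SMS to per-retailer aliases."""
    bank = PseudonymRouter("bank.example")        # constructed domain
    iban = "IBAN-OF-THE-AUTHOR"                   # constructed placeholder, never shown to a payer
    pay_to = bank.register("leadbelly", iban)     # publishable, like a PayPal address
    sct_ok = bank.route(pay_to, "SCT 10.00 EUR")

    o2 = PseudonymRouter("O2")
    msisdn = "+44-CONSTRUCTED-NUMBER"             # constructed placeholder, never shown to a retailer
    shop1 = o2.register("leadbelly", msisdn)      # one alias per relationship ...
    shop2 = o2.register("leadbelly-2", msisdn)    # ... so junking one leaves the other working
    before_revoke = o2.route(shop1, "Special offer on today")
    o2.revoke(shop1)                              # no more business with the first retailer
    after_revoke = o2.route(shop1, "Another offer")
    other_still_ok = o2.route(shop2, "Offer from the second retailer")

    # Everything a correspondent ever held is an alias string; check nothing real leaked.
    sender_view = [pay_to, shop1, shop2]
    leaked = any(iban in s or msisdn in s for s in sender_view)
    return {
        "sct_routed": sct_ok,
        "sms_before_revoke": before_revoke,
        "sms_after_revoke": after_revoke,
        "other_alias_still_routes": other_still_ok,
        "bank_delivered_to_real_iban": bank.delivered[0][0] == iban,
        "real_address_leaked_to_senders": leaked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the mapping table is the only place the real address and the alias meet, so the routing party is the single point of trust; issuing a distinct alias per retailer also means a leaked alias can be traced to the relationship it was issued for and revoked on its own.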

Privacy TV

[Dave Birch] I’ve been watching ever since the BBC launched its new drama series about the surveillance state. It’s called The Last Enemy, and I was quite looking forward to watching it, as were others, since it touches on a lot of the issues that I spend a lot of time thinking about. Given my conviction that sometimes you need to turn to art to help you to understand change, I thought it might deliver some insight into the balance between privacy and security in the modern world. Actually, it’s turned out to be a bit dull, and I’ve been a little disappointed.

It’s just occurred to me why.

It’s because the BBC, like the Government, is a vast hierarchical bureaucracy that is essentially backward-looking, group-thinking and inward-focused. Just as the government can only envisage things like ID cards in a kind of 1960s frame of reference, of centralised databases and giant computers, so the BBC can only construct a discussion around them in that same frame of reference, a cross between George Orwell and Groundhog Day, endlessly retreading the same tired version of the future.

Hence the event stream seems a bit ridiculous: why on earth would people be lurking around looking for anyone in a world where there appears to be a camera in every room? In one episode there’s a bit of road rage and one motorist shoots two others, but nothing happens. I guess the cameras are only looking out for dangerous double-parkers or congestion charge-evaders. As far as I can see, the scriptwriters are just producing a standard cowboys-and-indians story with ID technology as a plot backdrop, not even a MacGuffin to keep things moving (although I’m sure that, at some point, there will be a chase involving a CD containing important data that could just as easily be e-mailed). And as in all TV shows that involve computers, it was rife with stereotypes:


People type furiously on a keyboard to open up a new window – check
People have multiple screens open with photos on, but never seem to pick a screen to put stuff onto – check
Fonts are big enough to be seen from miles away – check
Interface is in its own basement room – check.

[From Tech & Gadgets Editor’s Blog]

And, of course, the computer spoke, which in "real life" would drive you mad. What was funniest of all was the central icon of the near-future state, the pillar of the technologically omnipotent surveillance state: the ID card that the characters had to use to get into buildings and so forth. It was a trivially-counterfeitable magnetic stripe card, circa 1971.


[Dave Birch] In any discussion about identity in the U.K. recently, the big unknown has been the government’s proposed national identity card scheme. There was a lot of uncertainty about how exactly the scheme might work, what the timetable might be, what the vision for the scheme was. I was therefore very excited to have been invited to come along in person to the think tank DEMOS this morning to hear the Home Secretary, Jacqui Smith, set out the government’s plan. I was thinking that I don’t often get the chance to talk to someone like Jacqui (ie, an incumbent in one of the great offices of state) and that she probably doesn’t often get the chance to talk to someone like me (ie, someone who knows about national ID card schemes), so it would be an interesting exchange. The government published both a plan to deliver the ID scheme (well, most of it) by 2017 and the Crosby report.

When I took my seat, it turned out I was next to Meg Hillier, the Minister for ID Cards, who was kind enough to introduce herself. She turned out to be a good sport…

Meg Hillier: Pleased to meet you, I’m Meg Hillier.

Me: Hello, I’m Dave Birch from the Digital Identity Forum, pleased to meet you. Oh, was it you who said that ID cards were a bit like internal passports?

Meg Hillier: Yes, it was an unfortunate turn of phrase. They’re not, of course. There’ll be no legal requirement to produce them.

Me: What, not even if you’re buying a second home?

She was polite enough not to have me thrown out, so I was able to stay and listen to Jacqui. Anyway, the event was being recorded and broadcast so I thought I would add to the sum total of understanding by doing the same. I’ve taken Jacqui’s speech as well as the question and answer session and made them into a special edition of the Digital Identity podcast that will be posted on our feed shortly. Have a listen to what she says and make up your own mind about it (alternatively, you can read the speech online).

By the way, it wasn’t an idle boast inserted above (about knowing about national identity card schemes). Consult Hyperion is currently advising on its fourth national identity card scheme (for a European government) so I’d like to think that our opinions might count for something.

Just how much is your data worth (reprise)

[Dave Birch] I’ve uncovered some more fascinating data points in my quest to establish the value of personal data, in different circumstances, to feed into some of our risk analysis work for clients in both the private and the public sectors.

HM Revenue & Customs paid £100,000 for data that it is using to launch investigations of up to 100 British citizens who have accounts at Liechtenstein’s biggest bank… The bank informant has already provoked a storm in Germany by selling data on 750 wealthy Germans’ accounts to the country’s intelligence service for £3.2m in January last year.

[From Tax authorities pay for Britons’ bank details – Times Online]

Bearing in mind the errors in my calculations last time, this time I was careful to double check. My conclusion is that details of your bank account are worth £1,000 to the tax authorities in the U.K. but £4,000 to the tax authorities in Germany. I’m not sure what to conclude from this: either Germans evade more tax, HMRC overpays for information (whether from criminals or management consultants) or the story has been made up by journalists, but nevertheless it gives another useful data point for the collection. Criminals will pay £10 for your bank account details, governments £1,000.

Bringing privacy into the equation

[Dave Birch] The equation, in this case, being sum(security+privacy)=rand(). Now, while you might argue that it is at least possible that there is some more complicated mathematical expression that may relate the two in some way, I think I’m coming round to the opinion that we should treat security and privacy as entirely uncorrelated from the point of view of system specification and design. Apart from anything else, it’s why I think we should decouple the concept of the national identity register (which is about security) from the concept of the national identity card (which ought to be, but isn’t, about privacy). It’s also the reason why any statement (in particular, government statements) about giving up some privacy in order to obtain security seems so empty and why technology could deliver so much more than many people imagine.

Still practising

[Dave Birch] I went to a European Commission “epractice” seminar to share best practice about electronic identity — and in particular the interoperability thereof — in Europe. Consult Hyperion have been doing a lot of work in this area — we were commissioned by the EU to study identity interoperability last year — and so I thought it would be very useful to come along and exchange ideas. It was gratifying to discover that the conclusion of our work for the Commission was congruent with the findings of all of the other studies for the Commission: not only is there no interoperability whatsoever at a European level, there’s precious little of it at the local level either (ie, you can’t use your HMRC login to log on to DVLA and so on). There were some studies that have gone down another level, and they discovered that one of the reasons for the lack of interoperability is that none of the European identity schemes are using a standards-based approach (with the exception of SAML, which is being used in a small number of schemes).

It was quite well-attended (there must have been more than 40 people there) and while there were a few familiar faces, I enjoyed the opportunity to listen to some new (to me) perspectives. One of the points made at the beginning was, I think, key not only at the international level but at the national level too. It was that the focus should be on interoperability rather than harmonisation. There is no need for everyone to use the same identity management scheme, identity cards, identifiers and all the rest of it. Hence one of the ways forward is to imagine a set of technology-neutral national gateways and interconnect through those gateways.

In the afternoon I went into the breakout to discuss mobile e-identity, which I’m becoming increasingly enthusiastic about. The reasoning is that in order to make some form of electronic identity useful to citizens, it has to do some interesting things. But a card can’t do any interesting things, whereas mobile phones can and — and I think this is central to the discussion looking forward two or three years — what’s the point in issuing another smart card when the entire population has a mobile phone already?

Some best practices

[Dave Birch] The European Commission is hosting a free workshop on electronic identity in Brussels on February 14th. I’ll be going along to hear three best practice presentations — from Spain, Belgium and Estonia — and to join in the discussion about how to learn from and build on them. See below for more details if you want to come along too.
