Fintech South 2020 – Maintaining trust and safety in a digital world

At the (sadly, virtual) Fintech South event the year, I was asked to chair a discussion on identity and privacy with three extremely well-qualified experts who had informed perspectives on the state of, and trends in, those important pillars of a digital society. These were Adam Gunther (SVP, Digital Identity for Equifax), Andrew Gowasack (Co-Founder and President at TrustStamp) and Megan Heinze (President, Financial Institutions, North America for IDEMIA). It was great to talk to a group of people who were not only well-informed on these topics but had some passion for them too.

I won’t go over everything that was discussed, but I do want to pick up on a comment that was made in passing when I was chatting to the panelists: someone said that a guiding principle should be “no scary systems”. Hear hear! But what is a scary system? It is, in my opinion, a system that privileges security over privacy. This is not how we should be designing the identity systems for the 21st century!

Anywhere, anyone

I’ve been reading Emily Nagel’s book “Anywhere“. She’s the CEO of Yankee Group and the book is about global connectivity revolutionising business. I hope she won’t be offended if I say that it’s an “airport book”, but it’s an accurate description, at least for me, because I read it on the plane. There’s something that bothers me about it, though. It has lots of stories and examples and narrative about ways in which business is transformed as it goes online, but it doesn’t have “identity” or “authentication” in the index and says nothing about the identity problems that will need to be solved in order to realise the full potential of connectivity. As I’ve often observed before, using my favourite Kevin Kelly classification, connection isn’t the problem: it’s the disconnection technologies that will shape the medium-term roadmap for transforming new technology into business models: once everything is connected to everything else, the business model shifts to the creation and management of subgroups within that single, giant internet of everything.

Here, things aren’t going so well. By coincidence, the Saturday newspaper that I picked up after putting down Emily’s book had a technology advice column, and there was a letter from a typical consumer in it. I paraphrase:

I have a long list of passwords for home banking, shopping, social networks, magazines and so on. I’ve put them all in a Word document. How can I encrypt it?

This is, in a nutshell, the state of the mass market today. We all have masses of passwords, we’ve been complaining about it since 1994, and nothing much seems to happen, largely (I think) because the costs of our time don’t factor into business models. And yet… we don’t seem to be evolving any better business models and we don’t seem any closer to better identity infrastructure. Should we give up? No! I say we should remember William Samuel Henson.

It is sad that the name of William Samuel Henson is largely unknown today. A man of great vision, he petitioned Parliament for permission to set up an airline — with a business model largely based on post — flying to Egypt, India and China. Parliament turned his proposal down on the grounds that it was 1843 and no-one had invented airplanes yet. Henson knew this, obviously, but could see which way technology was evolving and correctly reasoned that just because he didn’t know how to get an airplane off the ground (he had been involved in numerous experiments around powered flight), that didn’t mean that no-one else would. And when they did, there would be a new business to build on aviation technology. So he started thinking about the businesses that would make sense and, since the post had just been invented in the UK, he looked at how that might work in the future.

This is a parable of our identity space now. We can’t get the technology to work, but we know that someone will, so we’re trying to think of business models (I should be clear in our case: we’re trying to think of business models for our clients) that will make sense when the technology works. But we’re thinking about web browsing and e-mail because these have just been invented and they’re our equivalent of the post service. Maybe we should challenge ourselves harder to look at wider possibilities, start from the perspective of social networking, virtual worlds and Twitter rather than Alice sending her credit card details to Bob.

Facebook is better understood, not as a country, but as a refugee camp for people who feel today’s lack of identity-forging social experience.

[From Facebook: the heart in a heartless world | spiked]

I think many organisations should be focusing on the next phase of evolution of online business, and phase that will be fundamentally shaped by the emerging identity infrastructure. But we must be careful not to take what has just been invented (in this case, say, Facebook) and project it into the future as the key to new business models. We have to think more broadly to develop strategic roadmaps for business that can react to the general trends to exploit the technology downstream. An example? Well, it doesn’t matter which social network we’ll be using in five years time, we’ll still need to authenticate ourselves in a more effective way that a Word file full of passwords. It isn’t only me that thinks this.

The president wants consumers to use strong authentication, something more than user name and password, which will most likely add another security factor, say officials familiar with the project.

For example, user name and password is one-factor security, something you know. But additional factors can be added. A token or digital certificate can be a second factor, something you have, resulting in stronger two-factor authentication. If you add a fingerprint or other biometric, something you are, it’s increased to three-factor security.

[From NFCNews | Potential technologies that consumers may use for online ID]

There follows an interesting, but confused, list of options. I’d like to suggest a more straightforward taxonomy, based on a digital identity infrastructure (which doesn’t exist, of course). The article, to my mind, confuses the distinct bindings between the virtual identities that exist in the Net and the real identities that are connected to. This is why it is useful to introduce the notion of digital identity in the middle. So then we get the two categories of things that might be used to solve the

  • Linking virtual identities to digital identities. The article suggests that digital certificates and PKI might be a good way to do this and I agree. Think of a digital identity as a private-public key pair … tamper-resistance… smart cards, tokens, smart phones.
  • Linking digital identities to real-world entities. The article suggests that passwords will be supplanted by biometrics.

Each of these will be a separate business that operates according to difference scale factors (scale in the first case, scope in the second). I don’t know how to make them work, but someone will.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

NSTICy questions

I’ve been reading through the final version of the US government’s National Strategy on Trusted Identities in Cyberspace (NSTIC). This is roughly what journalists think about:

What’s envisioned by the White House is an end to passwords, a system in which a consumer will have a piece of software on a smartsphone or some kind of card or token, which they can swipe on their computers to log on to a website.

[From White House Proposes A Universal Credential For Web : The Two-Way : NPR]

And this is roughly what the public think about it

Why don’t they just put a chip in all of us and get it over with? What part of being a free people do these socialists not understand?

[From White House Proposes A Universal Credential For Web : The Two-Way : NPR]

And this is roughly what I think about it: I think that NSTIC isn’t bad at all. As I’ve noted before I’m pretty warm to it. The “identity ecosystem” it envisages is infinitely better than the current ecosystem and it embodies many of the principles that I regard a crucial to the online future. It explicitly says that “the identity ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers (presumably including government bodies) to link an individual’s transactions and says that by default only the minimum necessary information will be shared in transactions. They have a set of what they term the Fair Information Practice Principles (FIPPs) that share, shall we say, a common heritage with Forum friend Kim Cameron’s laws (for the record, the FIPPs cover transparency, individual participation, purpose specification, data minimisation, use limitation, data quality and integrity, security and accountability and audit).

It also, somewhat strangely, I think, says the this proposed ecosystem “will preserve online anonymity”, including “anonymous browsing”. I think this is strange because there is no online anonymity. If the government, or the police, or an organisation really want to track someone, they can. There are numerous examples which show this to be the case. There may be some practical limitations as to what they can do with this information, but that’s a slightly different matter: if I hunt through the inter web tubes to determine that that the person posting “Dave Birch fancies goats” on our blog comes from a particular house in Minsk, there’s not much I can do about it. But that doesn’t make them anonymous, it makes the economically anonymous, and that’s not the same thing, especially to people who don’t care about economics (eg, the security services). It’s not clear to me whether we as a society actually want an internet that allows anonymity or not, but we certainly don’t have one now.

The strategy says that the identity ecosystem must develop in parallel with ongoing “national efforts” to improve platform, network and software security, and I guess that no-one would argue against them, but if we were ever to begin to design an EUSTIC (ie, an EU Strategy for Trusted Identities in Cyberspace) I think I would like it to render platform, network and software security less important. That is, I want my identity to work properly in an untrusted cyberspace, one where ne’erdowells have put viruses on my phone and ever PC is part of a sinister botnet (in other words, the real world).

I rather liked the “envision” boxes that are used to illustrate some of the principles with specific examples to help politicians and journalists to understand what this all means. I have to say that it didn’t help in all cases…

The “power utility” example serves as a good focus for discussion. It expects secure authentication between the utility and the domestic meter, trusted hardware modules to ensure that the software configuration on the meter is correct and to ensure that commands and software upgrades do indeed come from the utility. All well and good (and I should declare an interest a disclose that Consult Hyperion has provided paid professional services in this area in the last year). There’s an incredible amount of work to be done, though, to translate these relatively modest requirements into a national-scale, multi-supplier roll-out.

Naturally I will claim the credit for the chat room “envision it”! I’ve used this for many years to illustrate a number of the key concepts in one simple example. But again, we have to acknowledge there’s a big step from the strategy to any realistic tactics. Right now, I can’t pay my kids school online (last Thursday saw yet another chaotic morning trying to find a cheque book to pay for a school outing) so the chance of them providing a zero-knowledge proof digital credential that the kids can use to access (say) BBC chatrooms is absolutely nil to any horizon I can envisage. In the UK, we’re going to have to start somewhere else, and I really think that that place should be with the mobile operators.

What is the government’s role in this then? The strategy expect policy and technology interoperability, and there’s an obvious role for government — given its purchasing power — to drive interoperability. The government must, however, at some point make some firm choices about its own systems, and this will mean choosing a specific set of standards and fixing a standards profile. They are creating a US National Project Office (NPO) within the Department of Commerce to co-ordinate the public and private sectors along the Implementation Roadmap that is being developed, so let’s wish them all the best and look forward to some early results from these efforts.

As an aside, I gave one of the keynote talks at the Smart Card Alliance conference in Chicago a few weeks ago, and I suggested, as a bit of an afterthought, after having sat through some interesting talks about the nascent NSTIC, that a properly implemented infrastructure could provide a viable alternative to the existing mass market payment schemes. But it occurs to me that it might also provide an avenue for EMV in the USA, because the DDA EMV cards that would be issued (were the USA to decide to go ahead and migrate to EMV) could easily be first-class implementations of identity credentials (since DDA cards have the onboard cryptography needed for encryption and digital signatures). What’s more, when the EMV cards migrate their way into phones, the PKI applications could follow them on the Secure Element (SE) and deliver an implementation of NSTIC that could succeed in the mass market with the mobile phone as a kind of “personal identity commander”.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

It’s all fun and games, until… no, wait, it is all fun and games

Consult Hyperion has been working on a project called VOME with the UK Technology Strategy Board. The idea of the project is to help people who are specifying and designing new, mass-market products and services (eg, Consult Hyperion’s clients) to understand privacy issues and make better decisions on architecture.

VOME, a research project that will reveal and utilise end users’ ideas and concepts regarding privacy and consent, facilitating a clearer requirement of the hardware and software required to meet end users’ expectations.

[From Technology Strategy Board | News | Latest News | New research projects help to ensure privacy of data]

Part of the project is about finding different ways to communicate with the public about privacy and factor their concerns into the requirements and design processes. Some of these ways involve various kinds of artistic experiments and it’s been fun to be involved with these. We’ve already taken part in a couple of unusual experiments, such as getting amateur writers to produce work about privacy from different perspectives.

More recently we have been working with Woking Writers’ Circle on the production of a collection of short stories and poems entitled ‘Privacy Perspectives’.

[From Media – Consult Hyperion]

As one of the technical team, I have to say that it’s very useful to be forced to try to think about things like privacy-enhanced technology, data protection and risk in these different contexts. One the artistic experiments underway at the moment, primarily aimed at educating teenagers and young people about the value of their personal data, is the development of a card game that explores the concept. The card game experiment, lead by Dr. David Barnard-Wills from Cranfield University, has reached the point where the game needs playtesting. So… we all met up in London to play a couple of games of it.

Turned out that not only had the chaps developed the game way further than I had imagined, but they’ve invented a pretty good game. Think the constant trading of “Settlers of Catan” with the power structures of “Illuminati” mixed with game play of “Crunch”. I liked it.

You get cards representing personal data of different kinds. Depending on who you are (each player is a different kind of business: bank, dating agency, insurance company etc) you want different datasets and you want to link them together into your corporate database. A dataset is a line of three or more data items of the same kind. Here’s a corporate database with two datasets in it: the green biographical data 2-2-3 and the orange financial data 3-3-3, these will score at the end of the game.

There are event cards, that pop up each round to affect the play, and some special cards that the players get from time to time. Check out the database I ended up with in the game that my colleague and I won! I was the bank, so I was trying to collect financial data in my database but I was also trying to collect social data (purple) in my hand.

We had great fun, and we all contributed a ton of ideas. The game is being refined for a new version in a month or two, so we’ll try it again then and I’ll let you know how it’s going! I don’t know if the guys are actually going to turn it into a commercial product (that isn’t really the point of it) but I’d say they are on to a winner. My tip: instead of calling it “Privacy”, call it “Super Injunction”.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

An idea for the Independent Commission on Banking

The Independent Commission on Banking recently published an interim report on their Consultation on Reform Options. This interim report raises the subject of bank account number portability. Section 5.17, to be specific, says that:

Beyond improvements to the existing system, full account number portability would enable customers to change banking service providers without changing their bank account number. This would remove the need to transfer direct debits and standing orders, which remains the main area where problems may arise. In the past, portability has been rejected as overly costly, but if no other solutions appear effective and practicable, it should be reconsidered to see if this remains the case given improvements in IT and the payments system infrastructure.

It seems reasonable for the Commission to wonder why customers cannot port their account number from one bank to another the way that they can port their mobile phone number from one network to another. That seems a plausible request for 2011, but phone numbers and account numbers aren’t quite the same thing. A phone number is an indirect reference to your phone (well, your SIM card actually) whereas the account number is the “target”. Thus, we shouldn’t really compare the account number to the phone number, but think of it more as the SIM. Each SIM card has a unique identifier, just as each bank account has an international bank account number (IBAN). When you turn on your phone, essentially, your SIM tells your mobile operator which phone it is in and then “registers” with a network. I am writing this in Singapore, where I just turned on my iPhone, so now my O2 SIM card is registered with Singtel. When you call my number, O2 will route the call to Singtel, who will then route it to my phone. But how does the call get to O2 in the first place?

In most developed nations there is what is called an “All Call Query” or ACQ system: there is a big database of mobile phone numbers that tells the operators which mobile network each number is routed by. In order to make call connections as fast as possible, each operator has their own copy of this database that is regularly updated. Note that for reasons that are too complicated (and boring) to go into there, in the UK there is a different scheme, known as indirect routing, whereby when you dial my phone number 07973 XXXXXX it is routed to Orange (because that’s where all 07973 numbers originated from) and then Orange looks XXXXXX number up in its own database to see where to route the call to (in this case to O2). This is why calls to ported numbers in the UK take longer to connect than they do in other countries.

It’s entirely possible to envisage a similar system working for banks, whereby we separate the equivalent of the mobile phone number — let’s call it the Current Account Number (CAN) — from the underlying bank account and have an industy database that maps CANs to IBANs. This database would be the equivalent of the ACQ database. (I rather like the branding too: if the banks decided to operate this cross-border, they could label it the international current account number, or iCan.) So the bank sends your salary via FPS to the iCan, and the database tells FPS which actual IBAN to route it to. No matter which bank accounts you use or change to throughout your employment, the employer always sends the salary to the iCan and thus reduces their own costs.

There is an analogy to this is in the way that some of the new contactless payment cards work. In the US, American Express credit cards give up what is called an “alias PAN”. The PAN, or primary account number, is the 16-digit number on your credit card. When you use your Amex card via contactless, the 16-digit number it gives up is not the actual plan but an alias PAN. Only Amex know which actual PAN this alias PAN refers to. The advantage of doing this is that if criminals get hold of the alias PAN, they can’t use it to make a counterfeit magnetic stripe card, because the alias PANs are only valid for the contactless cards (which they can’t counterfeit, because the contactless cards have computer chips in them).

In the UK, we route by sort codes. Any account number beginning 20- is known to be Barclays, so a payment switch will send the payment through to Barclays. We might decide, say, that sort codes beginning with 00 are iCans. When you get your first bank account, the bank sets up the IBAN and iCan. For your salary, direct debits, standing orders and so forth, you give the iCan. BACS and FPS will be told about iCans, so when a payment to an IBAN beginning “UK00-” enters one of those systems, they go to a shared database and look up the IBAN to route the payment to.

The advantages of this are that banks would not have to do anything with their existing systems, because the iCans will always be translated into IBANs by the time they reach their systems.

The disadvantages are that the public might not understand what is going on and, since they don’t change bank accounts that often, they might not bother to find their iCan and tell their employers, utility companies and others. It doesn’t deliver enough value to them, so we need to find some way of bundling the iCan to find more ways to use it to the benefit of stakeholders. One idea might be to create some kind of Financial Services Identifier, or FSI, which is an index not only to the iCan but to other data as well. If this meant an increase in consumer convenience, then it would spread by itself and take the iCan with it.

To see how it might work, consider my household. I rather belatedly decided to remortgage in order to abandon my outrageous fixed rate and obtain a base rate plus variable rate mortgage just in time for interest rates to rise again (I know nothing about personal finance). I went along to Barclays, my bank of 33 years, to apply and they sent me a multi-page form to complete. I was unable to uncover a single question on this form that they didn’t already know the answer to. Yet I had to fill it out and they had to type it in. What a waste of time and money.

Similarly, when I applied for the most middle-class of all financial instruments, the John Lewis MasterCard with cashback in the form of Waitrose vouchers, I went off to their web site and filled some stuff out and it said something like “congratulations, you’re accepted”. My happiness was short lived, as it soon became apparent that they weren’t going to send me a card at all, but a form to fill out and sign. Whatever. When it turned up I signed it, my wife signed it and I sent it back, then went away on business.

My wife phoned me after a few days wondering where her new card was. When I got back, I discovered that my card had arrived but hers had not. So I gallantly gave her mine (one of the great advantages of PIN cards over signature or biometric cards), and started going through the rest of the backlog of mail. Eventually I came across a letter to me explaining that John Lewis could not send my wife her card without further proof of identity because of know-your-customer and anti-money laundering regulations. My wife has only lived in the UK since 1986 and has only had a Barclays account for 20 years, so you can see why they might be suspicious. She follows a pattern well-known to FATF investigators of international organised crime: live at the same address for the last 15 years, use your Barclaycard to buy food at the same Waitrose every week and work for Surrey County Council, presumably a known hot-bed for narco-terrorism.

In order to prove her identity, and therefore get her card, she had to (in hommage to the founding of the John Lewis partnership in 1929) post them her council tax bill and last month’s bank statement, a handy identity theft kit all in one. Coincidentally, she also had to post off her driving licence because of a speed camera ticket, and it never came back. Foreign readers might be puzzled at this Victorian process, but it’s because British driving licences have a paper supplement on which (I’m not making this up) the police write your speeding points. Such is the state of our identity infrastructure in 2011.

All of this is ridiculous in this day and age. Once someone is “known” to the British, or perhaps even European, financial services industry then there should be no need to go through all of this nonsense every single time they come into contact with the industry again.

In the world of payments, a related discussion has sprung up. This is the discussion about Legal Entity Identifiers (LEIs) that have been going on recently. Many interbank payment messages have account identifiers only and the some law enforcement agencies want to stop this and have banks validate the names as well (it will help to track funds to and from suspects I guess).

A global standardized Legal Entity Identifier (LEI) will help enable organizations to more effectively measure and manage counterparty exposure, while providing substantial operational efficiencies and customer service improvements to the industry … The LEI Solution is a capability that will help global regulators and supervisors better measure and monitor systemic risk.

[From Legal Entity Identifiers: An Emerging Risk Management System]

I’m sure I’d heard somewhere before, possibly at the International Payment Summit, that the plan was to use the SWIFT business identifier codes (BICs), but apparently that’s no longer the case. Fabian Vandenreydt, the new Head of Securities and Treasury Markets at SWFIT, recently said that the International Standardization Organization’s Technical Committee 68 (ISO TC68) has concluded that developing a new code would help avoid ambiguities that might be involved if existing codes are used. The BIC is made up of eight to 11 alphanumeric characters with four letters for the bank, two letters for the country, two digits for the location, and three digits for the specific branch but ISO TC68 want we we nerds call an MBUN (a “meaningless but unique number”).

I don’t think this is way forward for people, though. LEIs are unique corporate identifiers: a corporate identity has one, and only one, LEI. Fortunately, or unfortunately, depending on your view, there is no unique identifier for British persons (and nor is there likely to be under the present administration), nor Europeans, nor citzens of the world. And I don’t think we would want the financial services industry to develop its own sort-of-identity card scheme. We just want a simple, portable, pointer to a person that can be used to index into their KYC’d persona.

The easiest way to do this would be to assign a unique financial services identifier (FSI) to a person or other legal entity the first time that they go through a KYC process. I might have the FSI “citizendave!barclays.co.uk”, for example. One someone has one of these FSIs, then there would be no need to drag them through “know your customer” (KYC) again. This would greatly reduce industry costs and make the process of obtaining a new financial service — a new bank account, a new credit card, a new insurance policy, a new accountant — much simpler. Imagine the simplicity of applying for in-store credit for that new sofa by just giving them your FSI and watching the application form magically populate by itself on screen.

It doesn’t matter if a person has multiple FSIs, because each FSI will have been obtained as the result of a KYC process. If the FSI Directory ends up with two “Dave Birch” entries, so what? It’s not an ID card scheme, it’s a “save money for the financial services sector and make life easier for consumers” scheme. And it wouldn’t matter either if both of my FSIs point to different iCans: I might, for example, have a personal persona and a small business persona — lets say citizendave!barclays.co.uk and citizendave!rbs.co.uk and that point to my personal and my small business accounts — and I want to use them for different purposes.

Picture this. You are fed up with the appalling service you get from your bank, so you walk into a branch of New Bank. You ask to open an account, and are directed to the ATM in the lobby and asked to request a balance from your existing current account. You put in the card and enter the PIN. While the ATM is carrying out the balance enquiry, the FSI (obtained from your card) is sent to the Directory and within a couple of seconds both your account balance (from your bank) and your picture (from the FSI Directory) are on the screen. The New Bank agent presses a button and a pre-filled application form is printed out for you to sign and, once you have, the existing system for transferring accounts is triggered.

There might be another useful spin-off from the FSI as well. Suppose you could designate a default account against the FSI: generally speaking, your iCan, but it could also be a prepaid account somewhere, or your PayPal account or whatever. Then someone could send you money by giving your FSI: no need to type in names, sort codes, account numbers. Anyone could pay anyone by entering the FSI into the ATM, or their internet banking screen, or (most likely) their mobile. You might get used to storing FSIs in address books. There’s nothing secret about them, and because every use of an FSI would require two-factor authentication, no-one can do anything with your FSI just by knowing it (except send you money).

For this to work, then, there needs to be some way for a customer to prove that they are, indeed, the person referenced by the FSI. There’s no need to invent anything new for this: banks could use CAP/DPA, some third-party service (which in a rational world would be provided by mobile operators) or their own app to do the authorisation. We have everything we need to deliver the results that the Commission wants: step 1 create the iCan, step 2 create the FSI, step 3 operate a more efficient, more effective and more convenient banking system.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

News from the bunker

The government is battening down the hatches and repelling all boarders, even if they have e-tickets. And not before time!

Foreign intelligence agencies are carrying out sustained cyberattacks on the UK Treasury, targeting it with malicious emails and programs designed to steal information, the Chancellor, George Osborne, has revealed. He said that government systems are the target of up to 20,000 malicious emails every month

[From Osborne: Treasury under sustained cyberattack | Technology | guardian.co.uk]

And that’s not counting the ones from taxpayers, I imagine. Setting aside how ludicrous and meaningless this figure is, there is nonetheless a serious point. If Son-of-Stuxnet crashes the Treasury, that might well be a net benefit to the economy, but if it crashes the electricity distribution network, even I won’t be laughing. We need effective cyberdefences. So what should the authorities do to bolster these defences? I would have thought that have some kind of working identity infrastructure might be a first step, and in that respect things haven’t been going to well in the UK.

The Home Office slipped out the final report of the Independent Scheme Advisory Panel (ISAP) this week, more than a year after it was written. The ostensibly independent report, which reveals how the ID system had been compromised by poor design and management, was submitted to the Home Office in December 2009.

[From Henry Porter – Home Office suppressed embarrassing ID cards report]

The report says that there were no specifications for usage or verification (which we knew – this was one of my constant complaints at the time) and, revealingly, that (in section 3.3) that “it is likely that European travel” will emerge as the key consumer benefit. This, I think, is an interesting comment. As I have pointed, what the Identity & Passport Service (IPS) delivered was, well, a passport. It had no other functionality and, given the heritage, was never going to have. Hence my idea of renaming it “Passport Plus” and selling it to frequent travellers (eg, me) as a convenience, and idea that really should have been taken more seriously by the coalition administration.

As an aside, the report also says (in section 5.5) that the “significant” number of change requests after the contracts had been awarded would likely increase risk, cost and timescale. Again, while this is a predictable comment, it is a reflection on the outdated consultation, specification and procurement processes used. Instead of a flagship government project heralding a new economy, we ended up with the usual fare: incomplete specifications, huge management consultant bills, massive and inflexible supply contracts.

The report repeated the same warnings ISAP had given the Home Office every year since the system blueprint was published in December 2006 by Liam Byrne and Joan Ryan, then Home Office Ministers, and James Hall, then head of the Identity and Passport Service (IPS).

[From Home Office suppressed embarrassing ID cards report – 1/7/2011 – Computer Weekly]

How did it all go do wrong? Liam Byrne was supposed something about IT as he used to work for Accenture, as did the James Hall (Joan Ryan was a sociology teacher who later became famous for claiming more than £170k/annum in expenses). All in all, it was a pretty disastrous period for those of us who think that identity infrastructure is crucial to the future of UK plc, let alone the UK government. This is not to say that, despite all of the evidence (including today’s fascinating FT piece on the UK government’s equally disastrous NHS infrastructure project), that the UK is uniquely hopeless at developing identity infrastructure for the 21st century.

Thai citizens who applied for their first national identity card or who applied to have their ID card renewed, have been issued with a yellow slip instead of the new microchip-embedded “smart” cards. The reason behind the problem is that the Interior Ministry refused to accept the new “smart” cards which were supplied by the Ministry of Information and Communications Technology, claiming that they did not meet the prescribed specifications stipulated in the ministerial regulation.

[From Bangkok Post : The silly saga of ‘smart’ cards]

Now, this may seem funny, but I ought to point out in the interests of international balance that there are, right now, in 2011, many people walking around branches of the British government with printed pictures of smart cards hanging around their necks. Yes, that’s right: pictures of smart cards, rather than actual smart cards. I’m afraid our cyberdefences are more a cyber home guard at the moment.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

25% increase in authentication

I had an annoying problem with my PayPal account that ended up with me being posted a password, all quite tedious and strangely manual. As I observed at the time, it seemed odd that in 2011 we hadn’t got anything figured out when it comes to authentication. Why couldn’t I use my Barclays 2FA PINSentry to prove who I was to PayPal? In fact, why couldn’t I use it for 2FA in general, since moving from passwords to 2FA involving tamper-resistant hardware would be a simple way to improve security across a range of services. We don’t use 2FA, and we should.

But that might be changing [recently] Google launched two-factor authentication for Google Accounts—the credentials you use to log in to all Google services, including Gmail.

[From Two-factor authentication: Gmail’s new system offers more security than just a password. – By Farhad Manjoo – Slate Magazine]

This is a good step. I use gmail, and I’d actually prefer to use it with 2FA than without, provided that the 2FA is based on something I already have, such as my phone, because I don’t want to carry another dongle. Unfortunately, my mobile operator doesn’t provide any sort of identity management or authentication services, so I can’t use my phone. I do already have a tamper-resistant chip that I have with me most of the time, and that’s in my bank card. Why not use that in some way?

Alternatively, you could slide your credit card through your phone’s card reader—or simply wave your credit card so that it can be recognized by the “near-field communication” chip in your phone.
Are these things too far out?

[From Two-factor authentication: Gmail’s new system offers more security than just a password. – By Farhad Manjoo – Slate Magazine]

I’d say not really, especially since I’ve seen SecureKey‘s system for doing just this work perfectly with Google, using a USB key NFC reader and the customer’s contactless bank card to provide the second factor. Today I read about someone pitching iris recognition via USB device as a potential third factor as well. But are three factors enough?

I saw a discussion over at the Identity Management Specialists Group on LinkedIn that set me wondering about authentication factors. Traditionally, us experts have referred to three authentication factors: something you know, something you have and something you are (or, as Ben Laurie once told me, something you’ve forgotten, something you’ve lost and something you were). The LinkedIn discussion was about whether location might be a fourth authentication factor, because it is independent of the other three and can be determined in isolation.

So does this make sense? Is location an alternative third factor, another kind of “something you are” or is it genuinely something new that adds an additional degree of authentication power. The conclusion in the group discussion was (I think!) that location isn’t an authentication factor because where you are doesn’t change who you are, but that it is an authorisation factor because you may wish to assign different capabilities to an identity depending on where the physical person is (ie, are they in the office or at home?). I’m not so sure about this: it seems to me that corroborating your location obtained from your mobile phone with, say, a password, does indeed strengthen authentication. There are plenty of options, so a workable strong authentication scheme must be getting closer. right?

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Mexican standoff

At last year’s conference on The Macroeconomics of Mobile Money held at Columbia University in April 2010, Carol van Cleef (a partner at Paton Boggs LLP in Washington) gave a presentation on the “Opportunities and Dangers of E-Payments”, in which she noted that the Mumbai terrorists used mobile phones and “showed themselves to be part of the mobile phone generation” (as, I imagine, they showed themselves to be part of the mass transit generation and the automatic weapons generation). She notes that the attackers were using their own phones (so the IMEIs could be tracked, making the life of law enforcement easier) and that they had purchased more than 37 SIMs in different names using false identification (so the compulsory SIM registration was shown to be pointless — although some of the SIM card sellers were arrested). She also says that the most critical tool for drug traffickers in Canada is the prepaid phone (I’m sure she’s wrong: I’ll bet it’s either cash or cars).

I remember thinking when I read this at the time that this continued law enforcement focus on the prepaid phone and the prepaid card, both of which are critical tools for financial inclusion, would end up with restrictions on both that would make no difference to criminals but would make life much harder for the financially excluded, because of the strong link between identity and money.

Why do I think that? Well it is just not clear to me that demanding strong proof of identity for prepaid products will help. In Mexico there is a national registry for prepaid phones and all purchasers are recorded and fingerprinted, the operators keep calls logs, texts and voice mail for a year (in a database only accessible with a court order — or by criminals, I’d wager). All prepaid phones not in the registry were supposed to be turned off this month, although a quick round of googling and searching couldn’t tell me whether this is actually happening or not. As I wrote a couple of weeks ago, in the context of the Mexican government’s reward scheme for people who call in reports of money laundering:

Good luck to anyone who decides to report in person, or by telephone. SIM registration is mandatory in Mexico, which means that the money launderers will find you before the police do

[From Reputation does not depend on “real” identity]

If we focus on phones, for a moment, is it reasonable to assume that demanding identity in the purchase of phones (prepaid or otherwise) will do anything to reduce crime (or will it simply shift the crime to acquiring identities and actually raise the criminal premium on those identities?).

Eight men and one woman have been arrested on suspicion of conspiracy to defraud… calling expensive premium-rate numbers owned by the fraudsters that charge up to £10 a minute… O2 had a total of £1.2m stolen through premium phone lines throughout July, with police claiming that a West African gang bought the phones from high street stores using false identities.

[From British police arrest iPhone scam gang | News | TechRadar UK]

Like many similar scams, this isn’t a mobile fraud or a payment fraud or any other kind of fraud: it’s basic identity fraud, yet again. To some extent, therefore, one has to be a tiny bit unsympathetic to O2. Clearly, if they make everyone jump through hoops to get an iPhone then they won’t sell very many of them. On the other hand, allowing people to take out contracts without really proving who they are or (and this is the commercial arrangement that is lacking) providing an identity that is underwritten by someone who will take liability for it being wrong, means accepting risk. Remember, it’s not the mobile operators, handset manufacturers or criminals who pay for the police raids, the court system, the prison time: it’s us, the taxpayer. So the distribution of risks is not aligned with the distribution of liabilities, as is so often the case in the world of identity fraud. This isn’t a UK-only problem. It is very clear that in countries without secure national identity registers (ie, almost all countries), requiring mobile operators to determine the identity of subscribers (contract or prepaid) will solve nothing. This does not, by the way, mean that it is impossible to catch criminals. Far from it.

Deputy District Attorney Mena Guirguis said that after Manunga and her former boyfriend stopped dating in 2008, she took out a pre-paid cell phone in his sister-in-law’s name, and started sending the threatening text messages to her regular cell phone… Her scheme was uncovered when the victims went to the phone store, talked with the salesman and learned that Manunga had bought the pre-paid phone under the sister-in-law’s name, Guirguis said.

They reported that information to a Costa Mesa police detective, but by then a third arrest warrant had been issued for the sister-in-law. During a follow-up investigation, the detective discovered that most of the threatening text messages were sent when the pre-paid cell phone was in close proximity to Manjunga’s home or work.

[From Woman jailed for making threats – to herself | sister, law, manunga – News – The Orange County Register]

What this story shows is that actual police work is helped by the perps using mobile phones, even if you don’t know the identity of the person using the phone, because phones mean tracking and tracing and location. We read today that iPhones keep a complete record of everywhere they’ve been…

Apple iPhone users’ movements are being tracked and stored without their knowledge in a file that could easily be accessed by a snooping employer or jealous spouse, security researchers have found.

[From Apple iPhone tracks users’ location in hidden file – Telegraph]

Surely it would be better to have criminals running around with iPhones, sending money to each other using mobile networks and generally becoming data points in the internet of things than to set rigorous, quite pointless identity barriers to keep them hidden.

Who thinks pseudonymity isn’t important?

OK, at the extreme risk of boring everyone to tears, let’s ask the same old question again: should you be allowed to do things on the Internet without giving away your “real” identity? Remember this was something that was discussed here a little while back, using the simple case of newspaper comments as an example. Someone has come up with an interesting way of solving for two problems simultaneously: paying for news online and making people responsible for their comments…

However, he recently went back and was surprised that, in order to comment you need to hand over your credit card, and the paper will charge you $0.99. Obviously, this is more to prove that you are who you say you are, but it does seem a bit distorted when the newspaper wants to charge people just to comment. Also, once charged, your name and hometown are automatically associated with your comments.

[From Newspaper Wants You To Pay To Comment | Techdirt]

Interesting. I think the idea of paying to comment is very interesting. I might be tempted to do that in some cases. But paying to give up your real name? I’m not so sure. I might well want to comment on something without that kind of disclosure. Back to “real names” again. The discussion goes on and on.

Why does a comment with a real name have so much more value?

[From The Real “Authenticity Killer” (and an aside about how bad the Yahoo brand has gotten) — Scobleizer]

This isn’t always true. A nurse at a hospital, forced to comment with her real name, is highly unlikely to post anything critical of a doctor. There’s a difference between an authenticated persona (so that the web site can be sure she really is a nurse at the hospital) that may be based on a pseduonym (or even a cryptographically strong unconditionally unlinkable anonym) and an authenticated identity. There may be many reasons why the latter is undesirable.

Mexico announced a plan Monday to reward people who report suspected money laundering, under a program that will allow them to get up to one-quarter of any illicit funds or property seized. Under the new plan, people can file reports in person, by telephone or by e-mail. The exact percentage of individual rewards will be determined case by case by a special committee.

[From Mexico sets rewards for reporting money laundering | ajc.com]

Would you e-mail in a tip about a suspected money launderer and expect to pick up the reward? It seems to me that this is a good example of system that demands real names for integrity but real names mean it can never work. (Although, and it’s outside the scope of this piece, it is entirely cryptographically possible to enable the payment of rewards to anonymous people).

Public servants, law enforcement and banking system employees will not be eligible for the rewards, in part because it is already their duty to report suspicious transactions.

[From Mexico sets rewards for reporting money laundering | ajc.com]

Good luck to anyone who decides to report in person, or by telephone. SIM registration is mandatory in Mexico, which means that the money launderers will find you before the police do — don’t forget, they have more money than the police do. Come to that, they have more money than anyone does.

More shocking, and more important, the bank was sanctioned for failing to apply the proper anti-laundering strictures to the transfer of $378.4bn – a sum equivalent to one-third of Mexico’s gross national product – into dollar accounts from so-called casas de cambio (CDCs) in Mexico, currency exchange houses with which the bank did business.

[From How a big US bank laundered billions from Mexico’s murderous drug gangs | World news | The Observer]

Given the stringent anti-money laundering (AML) regulations in place around the globe — which meant it took me 15 minutes to put a few quid on my Travelex prepaid card at Heathrow, something I will never do again — I’m surprised that this could have happened, but there you go. Perhaps instead of hassling people trying to load low-value prepaid payment accounts, the authorities could focus on the counterparties in larger electronic transfers. Hence the discussions about Legal Entity Identifiers (LEIs) that have been going on recently. Many interbank payment messages have account identifiers only — you could send money to my account with the name Carlos Tevez and it would still get to me because it’s only the account stuff that matters — and the some law enforcement agencies want to stop this and have banks validate the names as well (it will help to track funds to and from suspects I guess).

LEI will be assigned at the over all corporate entity level and also at subsidiary levels. Its usage will be standardized Internationally. My immediate thought was, never mind systemic risk, this is the perfect means to route B2B transactions across a myriad of financial systems and payment schemes worldwide!

[From Reflections on NACHA Payments 2011 — Payments Views from Glenbrook Partners]

I’m sure I’d heard somewhere before, possibly at IPS 2010, that the plan was to use the SWIFT business identifier codes (BICs), but apparently that’s no longer the case.

Vandenreydt said SWIFT is changing its tune due to a recent meeting of the International Standardization Organization’s Technical Committee 68, where SWIFT has a seat. At the meeting, participants concluded that developing a new code would help avoid ambiguities that might be involved if existing codes are used. “[The committee] wants a pure number without country or other information,” Vandenreydt added. The BIC is made up of eight to 11 alphanumeric characters with four letters for the bank, two letters for the country, two digits for the location, and three digits for the specific branch.

The utility is still working with ISO on what the identifier would look like. Vandenreydt said that process could take up to three months, though he expects a decision to be made sooner. He noted the proposal also depends on other details about the initiative that haven’t been specified by OFR, such as how long the registration authority would have to ramp up the system, whether IDs will be assigned or requested, and how many codes are expected.

[From SWIFT Retools Legal Entity Identifier Proposal]

So here’s a positive suggestion. Forget about the 1960s notion of an identifier as a unique alphanumeric code and instead make the identifier a pseudonym attested by a bank. So we become consult.hyperion!barclays.co.uk or something similar. It doesn’t matter whether the sender, or anyone else, knows who Consult Hyperon is, because the identifier tells them that Barclays does. And for 99% of real-world transactions, that’s enough. What’s important is that we are always consult.hyperion!barclays.co.uk in all relevant linked transactions. Then, if consult.hyperion!barclays.co.uk is found to be sending money to Osama bin Laden on a regular basis, the appropriate law enforcement agencies can provide Barclays with a warrant and Barclays will disclose. For general commerce, the persistence is the critical foundation. The always-accurate Eve Maler pointed this out a while back:

The neat thing is, we do this all the time already. When you meet someone face-to-face and they say their Skype handle is KoolDood, and later a KoolDood asks to connect with you on Skype and describes the circumstances of your meeting, you have a reasonable expectation it’s the right guy ever after. And it’s precisely the way persistent pseudonyms work in federated identity: as I’ve pointed out before, a relying-party website might not know you’re a dog, but it usually needs to know you’re the same dog as last time.

[From Tofu, online trust, and spiritual wisdom | Pushing String]

Quite. But there’s another point. You don’t need to be a “real” persistent identity to have a reputation, as should be obvious. A useful reminder of this came at the end of 2010, when an anonymous critic was named the Village Voice’s “Music Critic of the Year”.

Twitter spokesperson Matt Graves called it a “milestone”; whether he’s serious or not, (“dead serious,” he later said) @discographies certainly carries a certain seriousness throughout today’s interview in the Village Voice. “Twitter,” the account holder says, “may be the first mass communications system that also functions as a meritocracy: it actively promotes good ideas and good content, regardless of where they come from.”

[From Anonymous Twitter Account Named Music Critic of Year by Village Voice]

I’m not sure that meritocracy is the right word, but I think the sentiment is accurate: you have to earn reputation to attach to your identifier, and once it’s been earned it’s hard to replicate (unlike intellectual property). So I might want to send money to @discographies without knowing or caring whether @discographies is a roomful of students or an internationally-known music critic. (And, over on Digital Money, I will point out that I want to send money to @dgwbirch — which is an entirely unique Twitter identifier — by MasterCard, PayPal, WebMoney, M-PESA or anything else, but that’s another point entirely.) Why can’t @discographies be mutated into discographics!wellsfargo.com or whatever?

It’s an entirely plausible model: banks managing reputation, because it’s more important than money. The presence of banks legitimises the market, so knowing that a bank has carried out some KYC on @discographies means that other players can treat the reputation attached to it seriously without being concerned about the “real” identity.

Tough choices

The relationship between identity and privacy is deep: privacy (in the sense of control over data associated with an identity) ought to be facilitated by the identity infrastructure. But that control cannot be absolute: society needs a balance in order to function, so the infrastructure ought to include a mechanism for making that balance explicit. It is very easy to set the balance in the wrong place even with the best of intentions. And once the balance is set in the wrong place, it may have most undesirable consequences.

An obsession with child protection in the UK and throughout the EU is encouraging a cavalier approach to law-making, which less democratic regimes are using to justify much broader repression on any speech seen as extreme or dangerous…. “The UK and EU are supporting measures that allow for websites to be censored on the basis of purely administrative processes, without need for judicial oversight.”

[From Net censors use UK’s kid-safety frenzy to justify clampdown • The Register]

So a politician in one country decides, say, that we should all be able to read out neighbour’s emails just in case our neighbour is a pervert or serial killer or terrorist and the next thing we know is that Iranian government supporters in the UK are reading their neighbours emails and passing on their details to a hit squad if the emails contain any anti-regime comments.

By requiring law enforcement backdoors, we open ourselves to surveillance by hackers and foreign intelligence agencies

[From slight paranoia: Web 2.0 FBI backdoors are bad for national security]

This is, of course, absolutely correct, and it was shown in relief today when I read that…

Some day soon, when pro-democracy campaigners have their cellphones confiscated by police, they’ll be able to hit the “panic button” — a special app that will both wipe out the phone’s address book and emit emergency alerts to other activists… one of the new technologies the U.S. State Department is promoting to equip pro-democracy activists in countries ranging from the Middle East to China with the tools to fight back against repressive governments.

[From U.S. develops panic button for democracy activists | Reuters]

Surely this also means that terrorists about to execute a dastardly plot in the US will be able to wipe their mobile phones and alert their co-conspirators when the FBI knock on the door and, to use the emotive example, that child pornographers will be able to wipe their phones and alert fellow abusers when the police come calling. Tough choices indeed. We want to protect individual freedom so we must create private space. And yet we still need some kind of “smash the glass” option, because criminals do use the interweb tubes and there are legitimate law enforcement and national security interests here. Perhaps, however, the way forward to move away from the idea of balance completely.

In my own area of study, the familiar trope of “balancing privacy and security” is a source of constant frustration to privacy advocates, because while there are clearly sometimes tradeoffs between the two, it often seems that the zero-sum rhetoric of “balancing” leads people to view them as always in conflict. This is, I suspect, the source of much of the psychological appeal of “security theater”: If we implicitly think of privacy and security as balanced on a scale, a loss of privacy is ipso facto a gain in security. It sounds silly when stated explicitly, but the power of frames is precisely that they shape our thinking without being stated explicitly.

[From The Trouble With “Balance” Metaphors]

This is a great point, and when I read it it immediately helped me to think more clearly. There is no evidence that taking away privacy improves security, so it’s purely a matter of security theatre.

Retaining telecommunications data is no help in fighting crime, according to a study of German police statistics, released Thursday. Indeed, it could even make matters worse… This is because users began to employ avoidance techniques, says AK Vorrat.

[From Retaining Data Does Not Help Fight Crime, Says Group – PCWorld]

This is precisely the trajectory that we will all be following. The twin pressures from Big Content and law enforcement mean that the monitoring, recording and analysis of internet traffic is inevitable. But it will also be largely pointless, as my own recent experiences have proven. When I was in China, I wanted to use Twitter but it was blocked. So I logged in to a VPN back in the UK and twittered away. When I wanted to listen to the football on Radio 5 while in Spain, the BBC told me that I couldn’t, so I logged back in to my VPN and cheered the Blues. When I want to watch “The Daily Show” from the UK or when I want to watch “The Killing” via iPlayer in the US, I just go via VPN.

I’m surprised more ISPs don’t offer this as value-added service themselves. I already pay £100 per month for my Virgin triple-play (50Mb/s broadband, digital TV and telephone, so another £5 per month for OpenVPN would suit me fine).


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.