I’m entitled to adult services

My old chum Andy Ramsden wrote a nice piece on LinkedIn the other day, pointing out the difference between transactions that need identification (almost none of them) and transactions that need credentials (most of them). He used a current British case in point, which is how to come up with a scheme for preventing “health tourism” on the National Health Service (NHS) which is largely free at the point of delivery.

The receptionist doesn’t even need to know my name, all they need to verify is whether or not I am eligible for NHS treatment.

From Proving your identity needn’t be this hard | Andy Ramsden | Pulse | LinkedIn

Indeed. Which is why a National Entitlement Scheme (NES) makes sense. Andy’s point is not a special case – quite the opposite, it is the general case. In almost all day-to-day transactions, who you are is not important. This is why, in our “Three Domain Identity” (3DID) model, transactions take place in the authorisation domain, not the identification domain.

[Figure: 3D Domain Model]

Now, in the NHS case I imagine that for most people giving out your real name is probably not a barrier to seeking treatment (although I can easily imagine cases where it is – what does James Bond’s NHS card say, for example?) but I can think of plenty of cases where giving out your real name is not only a barrier to transactions taking place, it’s downright crazy. Adult services are an obvious case and they are a case that I like to use because they are a useful example for focusing security, privacy and commercial issues that apply to a wide range of services. What do I mean by adult services? Well, to fork one of my favourite jokes from one of my all-time favourite TV shows, Greg the Bunny, I don’t mean voting. I mean services that grown up people might want to use that they do not necessarily want other people to know about: gambling, fantasy football leagues, dungeons and dragons discussion groups and so on. If we can fix the problem for adult services we can fix it for most other things.

Ofcom’s guidance on age checks for online video content suggest a range of options – from confirmation of credit card ownership to cross-checking a user’s details with information on the electoral register.

From Plan to block porn sites accessible to children – BBC News

Both of these ideas are bad and are certain to lead to disaster, because both of them require the adult service provider to know who you are. This means that when they get hacked, as they inevitably will be, the personal details of the customers will be available to all. And, as actually happened in the case of the Ashley Madison hack, people will die. It’s not funny. Whether it’s adult web sites, or counselling services, or gay dating, or drug addiction helplines or whatever, where I go online is my business. We need a better solution than some dumb mandate to accelerate identity theft and foist its consequences on everybody.

Now, we already know what to do (that is, to have a functional identity privacy-enhancing infrastructure) but as yet there’s no sign of it coming into being. Therefore in the shorter term we have to come up with some workable alternative. It seems to me that a rather obvious way forward would be for banks, who have invested zillions in tokenisation services, to issue John Doe tokens to customers over 18. So, I can load my Barclays debit card into my Apple / Samsung / Android (* delete where applicable) wallet for free, but for £5 per annum I get an additional Privacy-Enhancing Token (a PET name). This stealth token would have the name of “John Barleycorn” and the address (for AVS purposes) of “Nowhere”.

Now, I can go online to the UK Adult Gateway Service or whatever it ends up being called and use the PET name to obtain an adult passport. Then I can use this adult passport to go and log in to Lovelies in Leather Trousers (which I only read for the gardening tips). Now:

  1. Lovelies in Leather Trousers know that I am adult passport “John Barleycorn” and that they can charge to that passport (when they do, Apple Pay pops up on my phone and asks for authorisation).

  2. When Lovelies in Leather Trousers gets hacked, the hackers find the adult passport John Barleycorn but they can’t use it to find out who I am. Even if they could log in to the Adult Gateway Service, it only knows that I am John Barleycorn and that the token comes from Barclays. Since there are tens of thousands of Barclays PETs with the name John Barleycorn, who cares.

  3. If the hackers get into Barclays and discover that the particular PET name belongs to me, then Barclays have a fair amount more to worry about than the £100,000 compensation they will be paying me for breaching my privacy.

  4. Meanwhile, if the adult passport John Barleycorn is used in some criminal activity, the police can simply go to Barclays with a warrant and Barclays will tell them it is me.

Simple. Incidentally, there’s another aspect to all this, which means that the networks and the banks might want to invest in this kind of infrastructure. Since adult payments are lucrative, and since an effective privacy-enhancing age check would increase the use of such services, and since a tokenised approach would also reduce fraud and chargebacks, there are real incentives for the stakeholders to get out there and put something in place.

The Digital Economy Bill already includes measures to bring in age checks and the power to withdraw payment services from sites which do not implement the controls.

From Plan to block porn sites accessible to children – BBC News

I really don’t like the idea of using the payment system as a policeman, but it makes sense as an interim solution until such time as we actually have a working identity infrastructure with pseudonymous virtual identities that can be used for adult transactions, just as they will be used for all other transactions. Including getting hospital treatment if you are entitled to it.

And I’ve got my bronze swimming certificate

When I’m talking about identity, I sometimes joke that our ill-thought-out perspectives on the topic have led to the bizarre situation that in the UK it is much easier to get a job with a bank than an account. In The Daily Telegraph for 29th January 2011, I read under the headline “False CV Fooled Bank” that:

A fraudster used a false CV [claiming degrees from Oxford and Harvard] to gain a £165,000 per annum job at a City investment bank.

I assumed that everybody made up stuff on their resumes, but it turns out that it’s against the law, so the culprit, Mr. Peter Gwinnell, was prosecuted and given a suspended sentence (I assume he’ll skip over this on his next CV). We keep being told that employers use Facebook profiles nowadays (I hope they use mine: it says that I am the most intelligent person alive today and that Nelson Mandela queued for my autograph) so perhaps CVs will soon be a thing of the past. Just out of curiosity I googled Mr. Gwinnell and found that as well as his empty LinkedIn profile, the bald fact of his departure is there on the web.

PETER GWINNELL Appointment terminated as director on 15 Feb 2010 (Document)

[From AHLI UNITED BANK (UK) PLC of W1H 6LR in LONDON UNITED KINGDOM]

To be honest, if an employer wanted proof of my A-Level in Mathematics or O-Level in British Constitution or the Degree I scraped through with in 1980, I’d be hard pressed to provide it. I don’t have the faintest idea where the relevant certificates are. I suppose I could ring the University and ask them to send me a letter, but how would the employer know I hadn’t forged the letter? And how would Southampton University know that it is me calling? Or, for that matter, how would they know that I hadn’t forged the O-Level in British Constitution certificate?

When I started my first job after university, I don’t remember being asked to provide any such proof. Come to that, I don’t remember being asked to prove who I was either. In those days, all you needed was a national insurance number. But if employers are going to want proof, like the actual certificates, then there will be a bit of a premium on the certificates. Once the certificates are worth something, they will be stolen. This is what happens in China.

Local officials said the files were lost when state workers moved them from the first to the second floor of a government building. But the graduates say they believe officials stole the files and sold them to underachievers seeking new identities and better job prospects — a claim bolstered by a string of similar cases across China.

[From Files Vanished, Young Chinese Lose the Future – NYTimes.com]

How are we going to deal with this digitally? It shouldn’t be that complicated for Harvard to create a digital certificate to attest to the fact that the owner of a particular identity did, in fact, graduate. If there were some sort of device or token, perhaps some form of card, that contained my educational identity (ie, key pair) then Harvard could simply sign the public key with their private key and the whole problem is fixed (glossing over, of course, where this device or token might come from, and so on).

Something does have to be done though. The current system is simply a joke. It’s quite funny when someone cons a bank into giving them a senior position despite knowing nothing about banking (imagine!) but one of the areas that really bothers me, and probably should bother you too, is the ease with which medical credentials are forged.

A conman from Lancashire who posed as a vet and nearly killed a pony by botching its castration has been jailed for two years. Russell Oakes also masqueraded as a doctor, carried out an intimate examination and charged for false diagnoses, Liverpool Crown Court heard. The 43-year-old, of Hesketh Bank, admitted 41 charges of fraud, forgery and perverting the course of justice.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

How did he do this? Was he a master forger, capable of producing an authentic-looking medical school diploma using specially-aged paper, his engraving skills and authentic ink procured from the correct German manufacturer? No, of course not: this is a post-modern crime.

He bought a fake university certificate off the internet, the court heard.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

Now imagine an alternative infrastructure. I am asked to prove that I have a degree from Southampton University. I log on to the university using my OpenID id.dave.com and answer some questions, provide some data, to satisfy the university that I am, indeed, the relevant dave. My OpenID profile includes a public key, so the university creates a public key certificate, signing that key and some standard data that they provide. I can now give this certificate to anyone, and they can check it by verifying the signature using the published Southampton University public key, resolving the certificate chain in the usual way.
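
The exchange described above, and the Harvard variant mentioned earlier, sketched in Go as an added example (not code from the original post or from any university's system). The names NewKey, Issue and Verify, the choice of Ed25519, the byte encoding and the single issuer key standing in for a certificate chain are all assumptions; the challenge-response step goes slightly beyond the text to show why a copied certificate is useless without the holder's key.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Credential is the issuer's signed statement binding a claim to a holder key.
type Credential struct {
	Issuer, Claim string
	HolderKey     ed25519.PublicKey
	Sig           []byte
}

// signedBytes length-prefixes the text fields so distinct credentials never collide.
func (c Credential) signedBytes() []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s%x", len(c.Issuer), c.Issuer, len(c.Claim), c.Claim, c.HolderKey))
}

// NewKey returns a public key and a sign function standing in for the device that holds the private half.
func NewKey() (ed25519.PublicKey, func([]byte) []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader: crypto/rand is used
	return pub, func(msg []byte) []byte { return ed25519.Sign(priv, msg) }
}

// Issue is run by the university once it is satisfied who the holder is.
func Issue(sign func([]byte) []byte, issuer, claim string, holder ed25519.PublicKey) Credential {
	c := Credential{Issuer: issuer, Claim: claim, HolderKey: holder}
	c.Sig = sign(c.signedBytes())
	return c
}

// Verify is run by the employer against the university's published key.
func Verify(c Credential, issuerPub ed25519.PublicKey, challenge, response []byte) error {
	if !ed25519.Verify(issuerPub, c.signedBytes(), c.Sig) {
		return fmt.Errorf("credential not signed by %s", c.Issuer)
	}
	if !ed25519.Verify(c.HolderKey, challenge, response) {
		return fmt.Errorf("presenter does not hold the certified key")
	}
	return nil
}

func main() {
	uniPub, uniSign := NewKey() // keys, nonce and claim are constructed for the demo
	davePub, daveSign := NewKey()
	nonce := []byte("employer-nonce-0001")
	cred := Issue(uniSign, "Southampton University", "degree awarded", davePub)
	fmt.Println(Verify(cred, uniPub, nonce, daveSign(nonce)))
}
```

An edited claim, a certificate signed by anyone other than the university, and a copied certificate presented without the holder's key each make Verify return an error.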

the BBC suffered another embarrassment today after a man interviewed on Radio 4’s World at One who claimed to be a Liberal Democrat MP was revealed to be an imposter.

[From Radio 4 follows Jeremy Hunt gaffe by interviewing fake MP | Media | guardian.co.uk]

How would the proposed infrastructure help here? The system has to be so easy to use that a harassed BBC researcher can use it. Come to that, it has to be so easy that military installations, the police and others can use it too.

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area

[From Schneier on Security: The Security Threat of Forged Law-Enforcement Credentials]

Step forward the mobile phone. Every single one of the people who were “verifying” IDs in these stories has a mobile phone, so there’s no need to look any further. The military policeman’s mobile phone should be able to check your ID. And your mobile phone should be able to check his ID. And if you’re both using mobile phones, both IDs can be checked simultaneously. We already know that symmetry is an important property of an identity infrastructure: the bank needs to be able to check it’s me, but I need to be able to check it’s the bank. And the mobile phone can do both. So next time Peter shows up for an interview, the interviewer can simply tap Peter’s NFC phone against their NFC phone and see a full list of his credentials.

(Law enforcement has a special additional issue though: sometimes, the policeman doesn’t want to reveal that he’s a policeman, but that’s a topic for another day.)

