Fintech South 2020 – Maintaining trust and safety in a digital world

At the (sadly, virtual) Fintech South event this year, I was asked to chair a discussion on identity and privacy with three extremely well-qualified experts who had informed perspectives on the state of, and trends in, those important pillars of a digital society. These were Adam Gunther (SVP, Digital Identity for Equifax), Andrew Gowasack (Co-Founder and President at TrustStamp) and Megan Heinze (President, Financial Institutions, North America for IDEMIA). It was great to talk to a group of people who were not only well-informed on these topics but had some passion for them too.

I won’t go over everything that was discussed, but I do want to pick up on a comment that was made in passing when I was chatting to the panelists: someone said that a guiding principle should be “no scary systems”. Hear hear! But what is a scary system? It is, in my opinion, a system that privileges security over privacy. This is not how we should be designing the identity systems for the 21st century!

The best definition of Digital Identity


Our friends at Smartex challenged their readership to define Digital Identity the other day, with a bottle of wine on offer for the best definition. I’m pleased to say that the bottle of wine was won by Consult Hyperion, with a couple of competition entries submitted.

Coming up with a definition for digital identity is not easy. It can refer to quite a number of different things, making the task of encapsulating it in a sentence next to impossible. For my attempt I thought that rather than try to describe what it is, it would be better to describe what it does. I came up with this:

Digital identity allows us to trust each other by enabling us to share the minimum amount of verifiable information needed for the thing we want to do.

In one sentence I was trying to capture several points:

  • Digital identity is a means to an end, not an end in itself
  • It’s bi-directional – in any transaction both parties need to have confidence in the other party
  • It’s about the information you need to share, which will vary considerably between contexts.
  • It protects privacy by only sharing the information (or claims) necessary.

Sorting out sorting

Another waste of money is around the corner for the UK banking sector.

“Almost 1 million UK bank customers will be forced to have to use new six-digit sort codes… The change has been caused by the Vickers rules, which force banks to ringfence their high street operations from other banking activities.”

Almost 1m UK bank customers will be forced to use new sort codes | Business | The Guardian

It’s time to put a stop to this yonks old nonsense about sort codes and account numbers and I think I know just the woman to do it: Andrea Leadsom, now Leader of the House of Commons, but formerly City Minister. In her evidence to Parliament in 2012, she said that:

“Full bank account portability would be good for the consumer and good for challenger banks. It would also be good for established banks—they should have nothing to fear from it being easier for customers to switch”

via House of Commons – Banking Standards: Written evidence from Andrea Leadsom MP

I have to admit to having had a very soft spot for her when she was Minister. In a letter to The Daily Telegraph back in September 2013, she noted that — just as I had predicted — the Current Account Switching Service (CASS) which launched that month was (I paraphrase) a bit of a waste of time and money. In fact earlier this year, BACS promised to “remedy the system” because so few people have used it. The then Minister went on to say that customers should have account number portability and be able to switch banks as easily as they can switch mobile phone operators.

This was not new thinking. Six years ago the Independent Commission on Banking published an interim report on their Consultation on Reform Options. This report raised the subject of bank account number portability. Section 5.17, to be specific, says that:

Beyond improvements to the existing system, full account number portability would enable customers to change banking service providers without changing their bank account number. This would remove the need to transfer direct debits and standing orders, which remains the main area where problems may arise. In the past, portability has been rejected as overly costly, but if no other solutions appear effective and practicable, it should be reconsidered to see if this remains the case given improvements in IT and the payments system infrastructure.

It seemed reasonable for the Commission to wonder why customers cannot port their account number from one bank to another the way that they can port their mobile phone number from one network to another. That seemed a plausible request back in 2011, but the truth is that phone numbers and account numbers aren’t quite the same thing. A phone number is an indirect reference to your phone (well, your SIM card actually) whereas the account number is the “target”. Thus, we shouldn’t really compare the account number to the phone number, but think of it more as the SIM.

Hence a diversion into how mobile phones work. Each SIM card has a unique identifier, just as each bank account has an international bank account number (IBAN). When you turn on your phone, essentially, your SIM tells your mobile operator which phone it is in and then “registers” with a network. I am writing this in Copenhagen, where I just turned on my iPhone, so now my O2 SIM card is registered with a Danish operator. When you call my number, O2 will route the call to the Danish operator, who will then route it to my phone. But how does the call get to O2 in the first place?

In most developed nations there is what is called an “All Call Query” or ACQ system: there is a big database of mobile phone numbers that tells the operators which mobile network each number is routed by. In order to make call connections as fast as possible, each operator has their own copy of this database that is regularly updated. Note that for reasons that are too complicated (and boring) to go into here, in the UK there is a different scheme, known as indirect routing, whereby when you dial my phone number 07973 XXXXXX it is routed to Orange (because that’s where all 07973 numbers originated from) and then Orange looks the XXXXXX number up in its own database to see where to route the call to (in this case to O2). This is why calls to ported numbers in the UK take longer to connect than they do in other countries.

So, back to the point. I am not against the principle that the Minister espoused. On the contrary, I am very much in favour of making it easier for customers to move accounts. It’s the implementation that is the problem. She formulated the problem as:

Ever since I was first elected I have been campaigning to ensure customers can change their bank accounts as easily as a customer can change their mobile phone provider.

Andrea Leadsom | Home

If we treat the bank account number as the SIM number then we need to find something else to be the equivalent of the mobile phone number. It’s entirely possible to envisage a similar system working for banks, whereby we separate the equivalent of the mobile phone number — let’s call it the International Current Account Number (iCAN) — from the underlying bank account and have an industry database that maps iCANs to IBANs. This database would be the equivalent of the ACQ database. So the bank sends your salary via FPS to the iCAN, and the database tells FPS which actual IBAN to route it to. No matter which bank accounts you use or change to throughout your employment, the employer always sends the salary to the iCAN, reducing their own costs and your own hassle.

But what, in the UK, would be the actual iCAN? A good option is to have virtual account numbers. I’ve previously put forward the “7-0” solution around this.

The 70 code is unused, so we can issue people with [numbers] of the form 70-XX-XX 99999999. These would be compatible with all existing systems and with the IBAN scheme.

A suggestion for doing something about account switching in the UK

The idea here is that the customer gives billers, employers, counterparties the “70” account number that never changes but then chooses which bank account to map it to. They can change this at any time, there’s no need to go back to the billers, employers, counterparties and get them to change anything. This is a simple and inexpensive solution: allow anyone with a bank account to apply online for an iCAN and then let them change the account it maps to whenever they want to in the future. Bank customers could use the iCAN immediately. And because of this strange quirk of British sort code allocation, it would mean that just as all mobile phone numbers begin 07, so all mobile account numbers would begin 70 and form the “unique identifier – in essence, a portable account number that would be retained by an individual/business on an ongoing basis” that the Minister referred to in her evidence.

The other way to approach the problem, and the better way in the long run, is to stop messing about with 1960s sort codes and account numbers and just use names instead. I used to have a CompuServe number (100017,3342 if memory serves) but now I have a Facebook id, a Twitter id and a LinkedIn id. Why can’t I have a Money id? As I said at the Payment Innovation conference a couple of years ago…

This all links to the discussions about the idea of a financial service passport (or a “payname”) at techUK last year. I really think that the idea of pseudonymous, strongly-authenticated CDD-inside identities is an idea whose time has come. 

Payment system regulation as barrier to payment system innovation

In this concept, we just want a simple, portable, pointer to a person that can be used to index into their KYC (“know your customer”) persona. The easiest way to do this would be to assign a unique financial services identifier to a person or other legal entity the first time that they go through a KYC process. This would be a money identifier (£ID) that could be a target for payments.

I might have the identifier “citizendave!barclays.co.uk”, for example. Once someone has one of these IDs, there would be no need to drag them through KYC again. This would greatly reduce industry costs and make the process of obtaining a new financial service — a new bank account, a new credit card, a new insurance policy, a new accountant — much simpler. Imagine the simplicity of applying for in-store credit for that new sofa by just giving them your ID and watching the application form magically populate by itself on screen.

Now, each of these £IDs would be associated with a payment account (a bank account, a prepaid account, an electronic money account or whatever else) that is “reachable” in EU banking parlance. That is, a Payment Initiation Service Provider (PISP) can work out from the £ID which account it is linked to and make a credit transfer to that account. Then someone could send you money by giving your £ID: no need to type in names, sort codes, account numbers. Anyone could pay anyone by entering the ID into the ATM, or their internet banking screen, or (most likely) their mobile app.

Even better, of course, would be to make the £ID point to an iCAN rather than a bank account number. That way, we obtain the benefits of both approaches. It doesn’t matter if a person has many of these £IDs, because each £ID will have been obtained as the result of a KYC process. If the Directory ends up with two “Dave Birch” entries, so what? It’s not an ID card scheme, it’s a “save money for the financial services sector and make life easier for consumers” scheme. And it wouldn’t matter either if both of my £IDs point to different bank accounts: I might, for example, have a personal persona and a small business persona—let’s say citizendave!barclays.co.uk and citizendave!rbs.co.uk, which point to my personal and my small business accounts respectively—and I want to use them for different purposes. No problem.

Picture this new world of fintech and regtech in harmony. You are fed up with the appalling service you get from your bank, so you walk into a branch of New Bank. You ask to open an account, and are directed to the ATM in the lobby and asked to request a balance from your existing current account. You put in the card and enter the PIN. While the ATM is carrying out the balance enquiry, the £ID (obtained from your bank) is sent to the Directory and within a couple of seconds both your account balance (from your bank) and your picture (from the Directory) are on the screen. The New Bank agent presses a button and a pre-filled application form is presented for you to sign and, once you have, you are given the option of pointing your iCAN associated with the ID to the new account. No fuss, no effort, done. And if your employer sends your salary to your ID one second later, it will correctly route into the new account.

Thus, I can make Andrea’s dream come true and in a cost effective manner. Stage 1: create the “70” virtual account number directory and make sure that credit transfers to iCANs work properly. Stage 2: mandate that all banks give account holders the means to obtain an iCAN for each of their accounts. Stage 3: introduce financial services identifiers and allow holders of identifiers to map a default iCAN to that identifier.
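The two-level directory described above, with the “70” iCAN that billers and employers keep using while the customer remaps it to whichever IBAN they like, and the £ID that resolves to a default iCAN, sketched as a small Go program. This is an added example, not code from the original post or from Consult Hyperion: the Directory type, its method names, the format check on the iCAN, the stage numbering in the comments and the sample IBAN strings are all assumptions and constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// iCANs in this example follow the "70-XX-XX 99999999" layout from the post: a
// sort code in the unused 70 range followed by an eight-digit account number.
var icanPattern = regexp.MustCompile(`^70-[0-9]{2}-[0-9]{2} [0-9]{8}$`)

// Directory stands in for the industry database (the banking equivalent of the
// mobile networks' ACQ database). Type and method names are assumptions.
type Directory struct {
	icanToIBAN map[string]string // Stage 1: iCAN -> IBAN it currently points at
	idToICAN   map[string]string // Stage 3: financial services identifier -> default iCAN
}

func NewDirectory() *Directory {
	return &Directory{icanToIBAN: map[string]string{}, idToICAN: map[string]string{}}
}

// IssueICAN registers a virtual account number for an existing account.
func (d *Directory) IssueICAN(ican, iban string) error {
	if !icanPattern.MatchString(ican) {
		return fmt.Errorf("iCAN %q is not of the form 70-XX-XX 99999999", ican)
	}
	if _, taken := d.icanToIBAN[ican]; taken {
		return fmt.Errorf("iCAN %q already issued", ican)
	}
	d.icanToIBAN[ican] = iban
	return nil
}

// Remap is the customer switching banks: only the directory entry changes, so
// employers and billers keep paying the same iCAN.
func (d *Directory) Remap(ican, newIBAN string) error {
	if _, ok := d.icanToIBAN[ican]; !ok {
		return errors.New("unknown iCAN")
	}
	d.icanToIBAN[ican] = newIBAN
	return nil
}

// Bind links an identifier obtained through KYC to a default iCAN.
func (d *Directory) Bind(id, ican string) error {
	if _, ok := d.icanToIBAN[ican]; !ok {
		return errors.New("cannot bind an identifier to an unissued iCAN")
	}
	d.idToICAN[id] = ican
	return nil
}

// Resolve is the lookup a payment system would make when a credit transfer is
// addressed to either an identifier or an iCAN: it returns the IBAN to route to.
func (d *Directory) Resolve(target string) (string, error) {
	if ican, ok := d.idToICAN[target]; ok {
		target = ican
	}
	iban, ok := d.icanToIBAN[target]
	if !ok {
		return "", fmt.Errorf("no route for %q", target)
	}
	return iban, nil
}

func main() {
	d := NewDirectory()
	// Constructed sample values; the IBANs are placeholders, not real accounts.
	if err := d.IssueICAN("70-00-01 12345678", "GB00OLDB00000000000001"); err != nil {
		panic(err)
	}
	if err := d.Bind("citizendave!barclays.co.uk", "70-00-01 12345678"); err != nil {
		panic(err)
	}
	before, _ := d.Resolve("citizendave!barclays.co.uk")
	// The customer moves to New Bank: one directory update, nothing for the employer to change.
	if err := d.Remap("70-00-01 12345678", "GB00NEWB00000000000002"); err != nil {
		panic(err)
	}
	after, _ := d.Resolve("citizendave!barclays.co.uk")
	fmt.Printf("salary routed to %s before the switch, %s after\n", before, after)
}
```

The directory is the single point that has to be right: whoever can change a Remap entry can redirect every payment addressed to that iCAN, so in a real deployment the Remap and Bind operations are the ones that need the strong authentication the later sections of this page argue for, not the Resolve lookup.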

Together with my colleagues at Consult Hyperion, I stand ready to answer the nation’s call. If they really want portable account numbers, we know what to do.

The social cost of identity

The police are apparently fed up with Walmart. They cut staff, introduced automated checkout and saw a big increase in shoplifting, which they pass on to the police.

“The constant calls from Walmart are just draining,” says Bill Ferguson, a police captain in Port Richey, Fla. “They recognize the problem and refuse to do anything about it.”

From Walmart’s Out-of-Control Crime Problem Is Driving Police Crazy

You can see the logic from the company’s point of view. They pay for staff but they don’t pay for the police, so they may as well externalise the costs of managing bad behaviour. To some extent, of course, we all do this. We expect the authorities to stop people from hurting us in a variety of ways. But there has to be a balance. It would be crazy for car companies to save money by not fitting car alarms and instead fit a cheaper device to alert the police when the car is stolen. But never mind Walmart and Ford. Isn’t this what Twitter and Facebook have done?

Scotland Yard will spend £1.7million on a ‘Twitter squad’ to hunt trolls

From Scotland Yard invests £2m into new ‘thought police’ unit to hunt down trolls | Daily Mail Online

The problem of bad behaviour online appears to be out of control. I’m sure that police have considerably better things to do with their time than track down lunatics posting threats on Twitter or bullying bereaved people on Facebook. I’m particularly annoyed about the problem on Twitter because I love it so much. Personally, when someone posts abuse at me (and this – astonishingly – does happen from time to time) then I just mute them and carry on. But for some people, especially those more in the public eye, the abuse makes Twitter unusable. 

I posted a screenshot of the email, and a few lines about how I would not be using Twitter until they figured out how to stop making incidents like this one (gross, but comparatively benign) a less constant component of my Twitter experience.

From Twitter Has Become a Park Filled With Bats — Following: How We Live Online

Over time, this is becoming a very serious problem. The “trolls” are not only annoying to individuals they are undermining the medium.

But its biggest problem are those trolls. They’re winning. Too often Twitter’s users are subject to pernicious streams of abuse and harassment. This dissuades new users from wanting to sign up, drives formerly loyal tweeters to close their accounts, and gives advertisers pause as they consider where to place their brand dollars.

From Stopping Trolls Is Now Life and Death for Twitter — Backchannel

Twitter has responded to this well-known and widespread problem in the past. But it is really not clear to me how they can do this in an automated fashion. If you call me names on Twitter, is that trolling? If I tell you – repeatedly – that your idea for a database of transaction hashes is not a blockchain, is that harassment? And if you get me banned for it, what’s to stop me from just creating another account and carrying on? It is undeniably a very difficult problem, made worse by the absence of any suitable identity infrastructure.

Twitter has long come under criticism for not doing enough to police abusive behavior on the often-freewheeling messaging service.

From Twitter announces crackdown after online abuse of ‘Ghostbusters’ actor | Reuters

So. There has been a huge amount of discussion about the problems of Twitter and falling usage as people abandon the platform because of bullying and trolling. Here’s the big question then. How can we align the social costs of policing anti-social media more effectively so that we can deal with trolls without having to spend gazillions on the police, courts and jails? My argument has always been that it is more cost-effective to support the industry in developing an identity infrastructure that may be used for this purpose (amongst others). And I’ve come around to thinking that banks are probably the right people to get it going. We need to get Twitter to let people create accounts using a Bank Identity (for want of a better word). But not much has happened. Naturally, I’ve written about this before. And as well as moaning about it I’ve made some positive suggestions for things to do about it, largely based on developing strong pseudonymity as the key infrastructure. Other people have put forward similar practical ideas, but they all rest on the ability to authenticate against a “real” identity.

Allow users to not show their tweets to unauthenticated users. 

From Putting out the Twitter trashfire — Medium

Some people think that instead of fixing the problem properly as suggested, we should instead rely on “real” name policies, but I disagree profoundly. There are many issues that people might want to comment on but not use their real names. Again, something I’ve written about extensively. So the basic knee-jerk reaction about names, while understandable, does not work for me. I want people to post their honest opinions and comments about difficult subjects and they need privacy to do this (note, for the one-thousandth time, that privacy is not anonymity).

Social media users should be forced to reveal their real names so police can track down jilted lovers who post “revenge porn”, a peer has said.

[From Revenge porn: Peer says Twitter users must reveal real names – Telegraph]

The police do not need people to post their real names to do this. What they need is a route to the real names, which is why the idea of strong pseudonymity (pseudonyms managed by regulated institutions) is so appealing. If Barclays know who I am, then the police can ask Barclays and Barclays will tell them. But Barclays won’t tell anyone else, so I can post in privacy. Why banks do not get together to provide such obviously beneficial identity services is beyond me. It’s all very well providing a bank identity to let me do my taxes, but I do this once every year, whereas I post abuse on social media almost hourly.

The WEF blueprint for digital identity – the middle way

The World Economic Forum (WEF) has just published their report on “A Blueprint for Digital Identity”. It begins with a disclaimer from “Deloitte”* saying that “This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business”. But what’s the point of reading a report that isn’t going to change any decision or action that you make? I think quite the opposite: you should read the document and make the decision to have a strategy towards digital identity and start to explore different scenarios covering how it will affect your business right away.

First, let me admit that I was excited to see that WEF/Deloitte* have finally caught up with Consult Hyperion’s thinking on this kind of thing. Back in 2008, I wrote that:

Banks ought to be looking at both providing and consuming identity services and developing better identity and authentication services not merely for their internal use to reduce phishing and pharming but as a line of business in an online society. They are the obvious category of institution to provide credentials, manage personal information and deliver identity into the marketplace.

From Digital Identity: I’m sure banks have a strategy for this kind of thing

The WEF report says that “There is a strong business case for Financial Institutions to lead the development of digital identity systems” and goes on to categorise these as cost reduction, new revenue opportunities and transformational new models (i.e., outside core banking). I agree that it’s important to look at the saving money and making money opportunities in this way because in any bank that I’ve spoken to about this sort of thing, it’s been clear that the saving money business case has to stack up before there will be any investment.

As for the blueprint, the report suggests three approaches – the institution, the consortium, the industry – which I paraphrase here:

  • A single institution could create its own system, focusing on cost saving but with limited potential for further adoption (but I think “ChaseID” would struggle against “AppleID”);

  • A consortium could create a co-opetition infrastructure along the lines of the payment networks (some sort of financial services passport);

  • The financial services sector as a whole could create some form of industry identity utility that could be used to deliver “wholesale” identity services (I could get gas, electricity and identity all from the same retailer);

I’m rather in favour of the middle option as I think it delivers immediate improvements to the day-to-day transactions of modern life and it is, above all, feasible. But what exactly would it implement? The model of identity transactions that the WEF present (page 43), which divides identity transactions into authorisation, attributes and authentication is I think a little too narrow. The model we use at Consult Hyperion (“Three Domain Identity”, or 3DID) provides a better platform for discussion and exploration (but then I would say that wouldn’t I) because it makes the relationships between identities, attributes, credentials and so on more explicit.

3D Domain ID with FIDO

When it comes to discussing archetypes (or “marketectures”) that will make sense (page 62), the 3DID model makes it easier to understand the different options by considering who will control each of the domains. If, as WEF recommend, it is the financial institutions who control the Digital Identity and they link this to a variety of Mundane Identities from different sources as well as to a potentially large number of Virtual Identities (where credentials are held, essentially), it gives them a pivotal role. This might be in a federated structure, where each bank holds its own KYC and makes it available to other banks, or some other option. However it’s done, the authentication (proving you control the digital identity) is another matter.

One of the reasons why I have such an interest in the “middle way” WEF blueprint is that I’ve been part of a techUK working group looking at this since 2014.

A ‘financial services passport’ refers to an aspirational digital identity, issued by UK financial services providers, and mutually recognised across the financial services industry.

From Workshop: Towards a Financial Services Passport

Such a passport would not only be used for financial services and for the benefit of financial institutions. It could be used to improve all sorts of services that desperately need a proper identity infrastructure. It could help with internet dating, protecting people on twitter from trolls, access to adult services and other “sharp end” applications of digital identity that would be transformational not only for bank revenues but also for consumers in the mass market. The solutions to the big, immediate problems in these areas come not from the digital identity itself but from the virtual identities built on top of it, because the virtual identities are a way to communicate attributes rather than identity.

So what might banks do with your identity once they’ve got it safely locked away in their vaults? Well, one idea, particularly popular with me, is that they might give you a safe, pseudonymous virtual identity to go out and about with.

From Tired: Banks that store money. Wired: Banks that store identity | Consult Hyperion

The idea of strong pseudonymity is particularly appealing: a pseudonymous virtual identity with a bundle of credentials attested to by regulated financial institutions should be more than enough for almost all day-to-day transactions. This would allow for a new tranche of what economists call “incentive functions” to be created by banks, encouraging transactions where none would have taken place otherwise.

But back to the WEF report. In conclusion, despite my preference for our model (!), when it comes down to it, I think that the middle way (the consortium approach) is the place to start and I strongly agree with the principal recommendation of the report, which is that (page 101) “Implementation of a digital identity system should follow a bottom-up approach”. What the WEF calls “natural identity networks” I might be very tempted to label “communities”. So let’s create identity solutions for communities (starting with the financial services passport for the retail financial community of customers, providers and regulators) and find ways to interconnect them rather than trying to think up some kind of top-down “World ID” for the communities to implement.

* “Deloitte” refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients.

Facing the facts

I always have a lovely time in Sydney, one of my favourite places in the whole world, and I had a particularly lovely time down there last month at the Biometrics Institute Asia-Pacific conference at their invitation.

Biometrics Institute Asia Pacific

I was asked there to talk about biometric authentication for digital identities, but most of the other talks were about biometric identification. These included a superb talk by Patrick Nemeth, Director of the Identity Operations Division, Office of Biometric Identity Management (OBIM) at the Department of Homeland Security (DHS), who was talking about the practicalities of their work and their plans for the future. 

Patrick mentioned in passing that in future they will start storing DNA, not for identification but for the purpose of “familial matching”. So if somebody turns up at an airport with a child and claims to be a parent or sibling, the new technology means that it will only take around two hours to determine whether there is a familial match, which I thought was pretty cool. I could not, however, resist the mischief of pointing out that in the UK, around one in 25 children are not related to their presumed biological father. In the US it is approximately one in 20 and according to some web reports that I found, in some parts of Florida it is supposedly a third!

You can just imagine the embarrassment at JFK, can’t you? When you filled in that customs form?

“How many members in your family group?”

“Three.”

“Please guess again”…

Oh well. Interestingly, and more relevantly, Patrick said that OBIM would not be going any further with fingerprint technology but would be exploring voice recognition for immigration services and face recognition at points of entry. This technology used to be absolutely hopeless, but I am sure that it has improved considerably.

A system installed a Keflavik airport in Iceland — not primarily aimed at terrorists but at drug dealers, missing children and so on — never matched a single wanted person

From Home biometric fun | Consult Hyperion

Actually, I know that it has, because one of our recent projects involved due diligence on a face recognition system installed in Latin America. Patrick went on to say that he expected the private sector rather than the government to make the next technological breakthrough in face recognition. I wondered if he was referring to recent Russian breakthroughs in automated stalking:

FindFace, an app launched by a Russian startup two months ago, lets its users identify strangers from pictures of their faces. It does so by matching the photos against profile pictures from VK—also known as VKontakte—a Russian social networking website similar to Facebook.

From How Russia’s New Facial Recognition App Could End Anonymity – The Atlantic

The genie is well and truly out of this bottle and I can only see two long-term outcomes. Either we become socially attuned to tracking at all times in all non-private spaces or we become socially attuned to hiding our faces using some form of burkha. In fact, burkhas might become the norm in public places because the biometrics guys are not just trying to do face recognition, they are also looking at body recognition (there was a very good presentation about this as well, by the way).

How life will change! It will be a quasi religious experience I suppose when you only take off the burkha and reveal your face when at home and in the company of family or close friends. It looks as if my plan to make my fortune by manufacturing Facebook-blue burkhas in a variety of sizes is looking better all the time.

Putting “identity” on the “blockchain”. Part 2: Create an identity model

I’m continuing my week of thinking out loud about identity on the blockchain. In Part 1, we came up with a real problem that needs fixing and explored the idea of a financial services passport. In Part 2, we’re going to put forward an identity model that could form part of a solution to that real problem. The starting point for the thinking here is that as part of some recent work for a client, we at Consult Hyperion needed to create a simple digital identity model to facilitate discussion around the provision of digital identity services to support financial services. In order to do this we revisited three basic concepts of identity infrastructure. These are the mundane identity (the “real world” physical entity that the digital identity is connected to), the digital identity itself and the virtual identities that are used to interact online (all transactions, in this model, are between virtual identities).

The reason for this three part model for identity is that it is a fundamental rule of systems analysis, going back to the earliest days of data modelling, that you cannot have many-to-many entity relationships. Since there may be multiple physical entities relating to multiple virtual identities (an obvious example is a company, where a number of people have executive control over a number of virtual identities that are used to transact with other companies, government, regulators and so forth), we introduce digital identity as the linking entity to enable a workable identity management infrastructure.

This part of the model should be familiar. You probably read about it a few years ago in “A Model for Digital Identity” by Neil McEvoy and me in that indispensable tome “Digital Identity Management: Technological, Business and Social Implications”, edited by yours truly. (It’s on pages 95-104, for ready reference.) In that chapter, Neil and I put forward this idea of digital identity as the bridge between mundane and virtual identities for a variety of reasons anchored in the entity-linking structure, one of them being that the use of multiple pseudonymous virtual identities is a great way to move forward past some of the apparent paradoxes of identity and a great way to think about identity in an online world.

Anyway, I wanted to use this model to explore the issue of biometric authentication. This was because Isabelle Moeller from the Biometrics Institute (below centre) had kindly invited me to give a talk on the topic of biometrics and digital identity at their 2016 Asia-Pacific Conference in Sydney and then take part in a panel discussion with Victoria Richardson from APCA (who was unfortunately caught up in other things on the day but the excellent Nick Cliff stood in for her) and Mandy Smith from ANZ (below left). Since the audience would be mainly people with experience and interest in biometrics, I thought (correctly, as it turned out) that a simple model of digital identity would be needed to anchor my talk and give context to the central part of the presentation, which was about biometrics as a convenience technology when combined with mobile as an authentication platform.

Asia Pac Biometrics Institute

To make that simple model, I chose to map the three identity entities to three different domains where a binding is required (hence three domain digital identity, or “3D-ID”). You can see the three domains and the three bindings in the picture below. In the identification domain we do the complex and expensive binding of the person or organisation or thing to the digital identity. In the authentication domain we bind the digital identity to a person or organisation or thing that is entitled to use it. In the authorisation domain we bind the digital identity to the virtual identities that interact online to execute transactions. For the purposes of simplicity, think about the digital identity as a private-public key pair and think about the virtual identities as public key certificates that take the public key from the digital identity and link it to attributes to form credentials.

3D Digital ID Model

So who might be a provider of digital identity, given that the binding of digital identities to mundane identities is complex and expensive? Well, here’s what Neil and I wrote in the book nearly a decade ago: 

One could certainly imagine niche identity issuers springing up across both horizontal and vertical sectors (the government, from this perspective, becomes a special case of a niche identity issuer) where economics or other pressures dictate.

An obvious case would be that of banks. Since they are already covered by “know your customer” (KYC) and other legislation, they are perfectly capable of issuing digital IDs that might be widely accepted. These and other digital IDs would then be used to create one or more virtual identities (eg, an employer creating an employee identity), most likely through brand-based businesses using white-label services.

To illustrate what we meant by this, think of the example of a dating site. The dating site needs to know that I am a real person, but it doesn’t need to know who I am. If it knows who I am, then it has a responsibility to look after my identity, which I’m sure it doesn’t want. I don’t want it either, because when the dating site is inevitably hacked I don’t want my identity smeared all over the web. So when I go to create my account at the dating site (in other words, when I go to create my dating virtual identity) I can present my bank virtual identity. The dating site forces an authentication (using, for example, FIDO) and once it gets the positive response it can then take the public key from the bank virtual identity, add attributes that it can attest to (e.g., date joined, name chosen, etc) and sign that with its own private key. This creates a new dating virtual identity at minimal cost. (We’ll return to the point about correlating public keys across virtual identities when we come back to think more about implementations.) Take it from me, it all works, provided you have somewhere to store the private key. Sound familiar? Well, we’ll talk about digital identity and the blockchain in another post soon.

The focus of my talk was that the arrival of biometrics as a convenience technology in the authentication domain transforms the usefulness of this model in the mass market. There’s a world of difference between creating a new account at the dating site and then being asked to look at your phone (face biometrics are especially popular amongst older people, for example) and being asked to get out a dongle, insert your EMV card, enter your PIN, read a code and then type it into a web page. And, as an aside, one of the most interesting presentations I saw at the event was about the use of the phone and the touch screen to perform continuous background authentication so that when a service provider forces an authentication on the device, the customer may well have to do absolutely nothing at all!

One more thing about the model. On re-reading that chapter (which was first drafted a decade ago), I couldn’t help but notice that Neil and I had already had an inkling that the paths of the Internet of Things and digital identity would cross. We wrote:

People will account for only a fraction of the digital IDs associated with stuff, and a lot of stuff will be interacting with virtual identities: after all, a vending machine dispensing chocolate may not need to know anything about a person, but one dispensing cigarettes certainly does. Since it would be ludicrous (and an open invitation to identity theft) to insist that people present their real identity to a vending machine, it is the attribute (eg, “is_over_18” or something similar) bound into the virtual identity that is the critical element in enabling the transaction.

Rather forward thinking, if you ask me, especially since on my last trip to Frankfurt I discovered that there are cigarette vending machines in the street that require customers to present their actual identity cards (well, someone’s identity card, anyway) in order to purchase!

Cigarette Machine in Frankfurt

What the machine should do, of course, is require you to present your “adult identity” (that contains no identifying information and merely testifies that you are over 18) and then force an authentication against that (via Bluetooth or whatever). As we all know, in a commercial transaction of this nature, your “real” identity is your least important attribute.
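To make the three bindings concrete, here is an added worked example in Go (my own code, not from the book chapter or the original post) that models the digital identity as an Ed25519 key pair and a virtual identity as a JSON-encoded bundle of attributes signed by its issuer. It walks through both the dating-site enrolment above (present the bank virtual identity, force a challenge-response authentication, derive a new virtual identity) and the “adult identity” for the vending machine; the Credential structure, the function names and the attribute values other than is_over_18 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Credential is a virtual identity in the 3D-ID model: the public key of a
// digital identity bound to attributes and signed by the issuer.
type Credential struct {
	Subject    ed25519.PublicKey `json:"subject"`
	Issuer     ed25519.PublicKey `json:"issuer"`
	Attributes map[string]string `json:"attributes"`
	Signature  []byte            `json:"signature,omitempty"`
}

// payload is the canonical byte string the issuer signs (signature omitted;
// encoding/json sorts map keys, so the encoding is deterministic).
func (c Credential) payload() []byte {
	b, _ := json.Marshal(Credential{Subject: c.Subject, Issuer: c.Issuer, Attributes: c.Attributes})
	return b
}

// Issue binds a subject public key to attributes (authorisation domain).
func Issue(issuerPriv ed25519.PrivateKey, subject ed25519.PublicKey, attrs map[string]string) Credential {
	c := Credential{Subject: subject, Issuer: issuerPriv.Public().(ed25519.PublicKey), Attributes: attrs}
	c.Signature = ed25519.Sign(issuerPriv, c.payload())
	return c
}

// Verify checks that the credential was signed by the issuer the relying party trusts.
func Verify(c Credential, trustedIssuer ed25519.PublicKey) bool {
	return c.Issuer.Equal(trustedIssuer) && ed25519.Verify(c.Issuer, c.payload(), c.Signature)
}

// Authenticate is the relying party "forcing an authentication" (authentication domain):
// a fresh nonce is signed with the digital identity's private key and checked against the key in the credential.
func Authenticate(c Credential, holderPriv ed25519.PrivateKey) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	proof := ed25519.Sign(holderPriv, nonce) // this step happens on the holder's device
	return ed25519.Verify(c.Subject, nonce, proof)
}

// Enrol is the dating-site flow: accept a bank credential, force an authentication, derive a new virtual identity.
func Enrol(bank Credential, trustedBank ed25519.PublicKey, holderPriv, sitePriv ed25519.PrivateKey, attrs map[string]string) (Credential, error) {
	if !Verify(bank, trustedBank) || !Authenticate(bank, holderPriv) {
		return Credential{}, errors.New("bank credential rejected: untrusted issuer or failed authentication")
	}
	return Issue(sitePriv, bank.Subject, attrs), nil
}
```

The new dating credential carries the same public key as the bank one, which is exactly the cross-site correlation point the text promises to return to.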

We must stop solicitors from using e-mail as soon as possible

I was watching Panorama on the BBC on Monday. It was about hacking, ID theft, the usual stuff. The main takeaway for the general public was, I think, that everyone’s personal details have already been stolen and are common currency amongst criminals.

Hackers have stolen the personal details of millions of customers from companies like Talk Talk. So how do cybercriminals get hold of our data? Reporter Daniel Foggo meets the hackers who can break into any website and finds out how criminals profit from our information.

[From BBC One – Panorama, How Hackers Steal Your ID]

It featured one sad case of a woman who had been misled by fraudsters. She was buying a house and got an e-mail from (she thought) her solicitor asking her to transfer the funds for the house purchase (some £50,000) to a particular bank account. She did. The e-mail was, of course, from crooks and they transferred the money out and were never seen again (so much for the KYC/AML checks we spend so much money on). With so much money at stake, I couldn’t help but wonder, wouldn’t some form of security seem appropriate?

According to the American Bar Association (ABA), only a third of lawyers use encryption to communicate with their clients and of the lawyers who claim that they do use encryption, fully a third cannot say what kind of encryption they use. Of those who could say what type of encryption they use, the most commonly identified type was general purpose software with encryption features that required the recipient to be sent a separate password. Which is perfectly acceptable: I do the same all the time, using some zip utility to encrypt with a password then texting the password to the recipient. But I can’t help but wonder: why it is that Facebook can send me e-mail that is encrypted and digitally-signed and lawyers cannot? It’s not as if there isn’t a threat model!

Mrs d’Adhemar engaged a solicitor to handle the transaction and sent all correspondence through her secure work email address, but used her personal email account for everything else, including contact with the estate agent, Chestertons.

But 10 days after the sale was completed they received a call from their solicitor, who said NatWest had flagged up a problem with their account. Alarm bells immediately rang. The couple didn’t have a NatWest account, they banked with HSBC.

[From Email hacking: another home-seller robbed of £270,000 – Telegraph]

Just in case you are thinking that I’m highlighting odd or exceptional cases in order to make a point, I can assure you that I am not. This sort of thing goes on all the time in the UK.

Mr Lupton’s solicitor, Perry Hay & Co in Richmond, Surrey, emailed him requesting his bank account details for the sale proceeds to be paid into.

As millions of people do regularly and without thought, he duly replied, sending his Barclays bank account number and sort code.

The email was intercepted by fraudsters. Posing as Mr Lupton, the fraudsters swiftly emailed Perry Hay & Co again – from the same email account – and told it to disregard the previous details and send the money to a different account instead.

[From ‘Fraudsters hacked emails to my solicitor and stole £340,000 from my property sale’ – Telegraph]

After all these years, we still can’t make e-mail security work. Imagine the hassle that the average solicitor would face in trying to get an average customer to install GPG or something. It’s never going to happen. The solution, as Ian Grigg pointed out seven years ago when I was going on about the security of e-mail another time, is to stop trying to fix e-mail and (as my teenagers did) move somewhere else. Why not use messaging systems that are secure, like Facetime? Yes they aren’t interoperable (so you would need to know whether the customer had Skype or Yahoo or WeChat or WhatsApp or whatever) but I don’t think it would be hard to set up a few accounts. Then the fraudsters would have to take over the solicitor’s account rather than just send an e-mail. This would have two immediate benefits: first, the security of the account would be specifically the problem of the solicitor and they would fix it by using strong authentication and, second, all communications could be encrypted (I remember that we worked on a pilot system like this – for financial services rather than for solicitors – a few years ago and even then the overheads associated with encrypting and signing were negligible).

We need solicitors to stop using e-mail as soon as possible, but we need to provide a viable alternative. If not social media or messaging, then why can’t we have something like they have in Denmark, where everyone has a sort of secure government postbox?

P.S. It’s a rhetorical question. I know perfectly well why we can’t: it’s because Denmark has a national digital identity infrastructure and we don’t. But why not have it as a bank service, like the Barclays Cloud thingy? Since the solicitor knows your bank account, they would automatically know which bank cloud to send the documents to. And if you wanted to tell your solicitor to send money somewhere else or some other instruction, you would have to do it from inside your bank cloud. Surely, with a nuclear-powered robot on Mars, it ought to be possible to send documents from a postbox in one bank cloud to a postbox in another?

“Personal” computers weren’t

Kicking off the session on “Old vs. New P2P” at Mobile Banking & Payments in New York, Steve Kirsch (the CEO of Token) made the strong point that somehow the era of the PC and the Internet left the basic payment “rails” unchanged. For a long time we’ve papered over the cracks — using 3D Secure, PCI-DSS and so on — but with the arrival of the smartphone we could all see that it was time for change. What we may have underestimated is just how big that change will be.

it can still feel natural to talk of the PC as the most fully-featured version of the internet, and mobile as the place where you have to make lots of allowances for limitations of various kinds… I’d suggest that we should think about inverting this – it’s actually the PC that has the limited, basic, cut-down version of the internet.

[From Mobile first — Benedict Evans]

I couldn’t agree more. And in my framing, it’s all to do with identity. The PC was never personal: it didn’t have a SIM. My laptop isn’t mine in the same sense that my smartphone is and, as a consequence, will never be able to deliver as personal a service. Now, I suppose you could argue that it’s silly to talk about smartphones as PCs because they are, after all, phones.

The study also showed that four in ten users could manage without the call-making capability on their handset.

[From Soft cell: 40% of Brits don’t make calls on smartphones – report — RT UK]

I rarely make calls on my smartphone and I rarely answer them either. Unless it’s the police, my CEO or my wife then I’ll let it go to voicemail or hit the “please text me if it’s anything important” button. Calling it a phone is just a figure of speech, like when you say you are going to dial a number to someone who has never seen a phone dial and has no idea why the word “dial” is used in that context.

So what is the smartphone for?

We’ve all seen a thousand conference slides that show the smartphone as a Swiss army knife: calendar, watch, contact book, diary, games console, social media gateway, radio and so on. But if we go back to Benedict’s point, then we can answer the question in a different way. My smartphone is… me. Well, as good as. It’s sort of proxy me.

a smartphone knows much more than a PC did… It can see who your friends are, where you spend your time, what photos you’ve taken, whether you’re walking or running and what your credit card is.

[From Mobile first — Benedict Evans]

We can all see what the consequences are in payments and banking. The practical result of the identity-less PC vs. the proxy-identity smartphone is that when I want to transfer some money or pay a bill, I use my excellent Barclays mobile app. I’ll only use my laptop if I absolutely have to because I have to type stuff in (like setting up a new payee). Conversely, it seems bizarre that when I phone up my bank, or my insurance company, or my airline or whatever else, I’m asked to demonstrate my identity by getting involved in (as I heard someone describe it recently) an episode of Jeopardy hosted by Kafka — OK, Franz, let’s go with “places I have lived” — when they could just ask the other me. The mini-me. The mobile-me.

Similarly, when I go into a bank branch or a retail outlet or a government office, why do they ask me for bits of paper that cannot possibly be verified when they could just ping mobile-me? App pops up on the phone, you put your finger on the sensor, job done. And just as the crucial role of the smartphone in disrupting the payments industry is to take payments, not make them, so the crucial role of the smartphone in disrupting the payments industry is to validate credentials, not present them. Since my mobile-me can check that your mobile-me is real, our mobile world ought to be much safer than our internet world.
