I was delighted to be asked to present a keynote at the FIDO Authenticate Summit and chose to focus on digital identity governance, which is something of a hot topic at the moment. Little did I know that the day before my session was recorded the European Commission would propose a monumental change to eIDAS, the Europe Union’s digital identity framework – one of the main examples I was planning to refer to. I hastily skimmed the proposed new regulation before the recording but have since had the time to take a more detailed look.
When consumers install software on their devices, they often perform some sort of risk evaluation, even if they don’t consciously realise it. They might consider who provides the software, whether it is from an app-store, what social media says, and whether they have seen any reviews. But what if once a piece of software had been installed, the goalposts moved, and something that was a genuine software tool at the time of installation turned into a piece of malware overnight.
This is what happened to approximately 300,000 active users of Chrome ad blocking extension Nano Adblocker. You see, at the beginning of October, the developer of Nano Adblocker sold it to another developer who promptly deployed malware into it that issued likes to hundreds of Instagram posts without user interaction. There is some suspicion that it may have also been uploading session cookies.
Here at Consult Hyperion we tend to go on about the lack of a joined up thinking around government policy on digital identity and source authentication but mostly it doesn’t really affect us personally. I mean, we get this stuff, we can spot a scam a mile off. But sometimes it does get a bit close to home…
I discovered today that my frail but still mentally competent parents have been quarantining for the past week, and a bit, because they received an NHS Test and Trace text warning that they’d been in the proximity to someone diagnosed with COVID-19. As they’re in the very high risk category, you can imagine how worried they were. But here’s the thing – they never give their mobile number to anyone and they wouldn’t know how to download an app even if I spent a year explaining it to them. It was a scam – in fact the text deleted itself, but almost certainly it will have contained “more information” link, which would have downloaded malware onto their phone.
Our friends at Smartex challenged its readership to define Digital Identity the other day, with a bottle of wine on offer for the best definition. I’m pleased to say that the bottle of wine was won by Consult Hyperion, with a couple of competition entries submitted.
Coming up with a definition for digital identity is not easy. It can refer to quite a number of different things, making the task of encapsulating it in a sentence next to impossible. For my attempt I thought that rather than try to describe what it is, it would be better to describe what it does. I came up with this:
Digital identity allows us to trust each other by enabling us to share the minimum amount of verifiable information needed for the thing we want to do.
In one sentence I was trying to capture several points:
- Digital identity is a means to an end not an end in itself
- It’s bi-directional – in any transaction both parties need to have confidence in the other party
- It’s about the information you need to share, which will vary considerably between contexts.
- It protects privacy by only sharing the information (or claims) necessary.
[Dave Birch] It’s pretty obvious that RFID is going to transform a variety of retail supply chains, adding value to the services delivered to the end customers.
Izzy’s Ice Cream Café in St. Paul, Minnesota is putting to use RFID technology for giving real time updated on flavors available in its dipping cabinet. It offers more than 100 flavors but serves only 32 in its dipping cabinet at any point of time. The cabinet comes equipped with readers capturing every flavour’s corresponding labels embedded with an RFID tag. The reader captures information 22 times every second and is sent to a system which updates website of the parlour so that customers get to know what is available even before they enter the store. Coloured dots are projected on the wall of the store or TV behind the counter so that the customers get to know the flavours available.
Now this is a great use of the technology and I’m sure it’s only one of the ways in which retailers will find that RFID provides a platform for better management, better service and entirely new services. Nevertheless,iIt’s a step from this kind of use of RFID to the idea of an “Internet of things” has been around for a while.
The “Internet of things” (can’t we think of a better name? the everynet? the allnet? — what about “skynet”, or has that been used somewhere before?) has two essential components: the concept that everything is connected to everything else, and the concept that everything can distinguished from everything else. Universal connection and universal identification. If we take the former for granted and take the Electronic Product Code (EPC) as an example of the latter, we can immediately see that this will create as many problems as it solves (which is not a reason for not doing it, since it also creates many opportunities). It’s easy to see why. Suppose that your phone reads the EPC from my underpants. So what? Now your phone knows that I am wearing either Gucci underpants or a pair of Primark underpants with a Gucci chip in them to impress the ladies. If such phones and such tags were to exist, what would actually happen? What would be the impact on society of knowing what everything is and where everything is all the time.
[Dave Birch] Here at Consult Hyperion we’ve recommended to more than one non-US customer that they look at specifying PIV solutions. Why? Because PIV does almost all of what they want, and the cost and integration advantages make it a better short- to medium-term solution. But there’s another less tangible reason for being interested in it: because once the US government has chosen something as a “standard”, then that is where the energy will go, because the suppliers are rational people. The seal of approval is very, very important. Which is why I”m not the only one who has been reflecting on just how significant the US government’s support for OpenID is. When this support was announced, Bob Blakely highlighted just how important an announcement it was.
But the identity world had its own big news today; the news is that the US Government has teamed up with the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, and InCommon in creating the Open Identity Initiative.
I was involved in some discussions with a government department a few months ago — long before the US government announcement — during which I suggested opening up some public services using OpenID. My reasoning was that we could experiment with “soft” OpenIDs provided by (to consumers) familiar services. If you asked a customer to log in to the DVLC using their Facebook “Identity”, then I’m sure they would manage to do this with little training and no mention of trust infrastructures and the like. Once they are comfortable with this, then you can restrict access to “hard” OpenIDs (by which I mean 2FA OpenIDs).
The central point, though, was that the government could help to create an identity infrastructure built on a diverse selection of “private” digital identities. I think that, as Burton note, the US government’s decision signals a genuine paradigm shift in this direction, a genuine change in the mental model are identity.
after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities
Personally, I think that the government ought to be a “gold standard” identity provider as well as an identity oonsumer, but that’s another issue.
[Dave Birch] I re-read an excellent post over at Emergent Chaos. It reflected an important discussion between two people, both of whom I take very seriously. To paraphrase and simplify horribly, Bob thinks that the social structures maintain privacy, Adam thinks that technological structures maintain privacy.
In a world where some people say “I’ve got nothing to hide” and others pay for post office boxes, I don’t know how we can settle on a single societal norm. And in a world in which cheesy-looking web sites get more personal data — no really, listen to Alessandro Acquisti, or read the summary of “Online Data Present a Privacy Minefield” on All Things Considered… — I’m not sure the social frame will save us.
The lack of a “norm” is a good point here, and I have to say it made me think. We should be developing tools that allow people to construct their norms (within boundaries, obviously) but not setting out a norm so that the tools can only implement one model. For this reason, amongst others, I tend to come down on the more technological side of this argument, which is why I’m so keen to see privacy as part of customer propositions and privacy-enhancing technologies as part of the systems being built in both public and private sectors.
[Dave Birch] One of the things that I thought might happen this year is that the US government standard for ID cards might begin to spread into the commercial sector, simply because of the impact of standardisation. I wasn’t the only person who thought this, by the way.
In 2009, common access card programs will get another chance to conquer the enterprise market due to the government’s drive to implement PIV cards for all employees and contractors, the availability of standards and compatible products, the spread of standards beyond the federal government to state and local entities as well as government-linked enterprises. Most importantly, security convergence will finally receive market traction.
I should say that I thought this was a good thing. The PIV might not be an exact match with some corporate requirements, but on the other hand a standard means lower costs and an emerging ecosystem. So, if we want to improve corporate security, do we start designing our own, optimal solution, or go with the grain of what’s out there on the basis that it’s much, much better than nothing?
[Dave Birch] OK, so I know it sounds spooky and people are uncomfortable with RIFD-at-a-distance, but there would be some advantages to being “recognised” by machines. Think about the subject from a customer service perspective rather than a security, spying and generally creepy perspective. As, in fact, some people already have been.
The Financial Services Technology Consortium (FSTC) today announced the launch of a project whose goal is to help member banks adopt radio frequency identification technology (RFID).
Why would banks want to do that? Well, it is relatively easy to implement vicinity (let’s say up to a couple of metres) read-only functionality along side the proximity (let’s say up to a couple of centimetres) read-write functionality used in contactless identity cards, bank cards and NFC phones. The chip sets are readily available. Handled correctly, this is something that a great many customers would appreciate.
Imagine a world where, when you walk into your bank, messages and adverts pop up that address you by name.
While The Times might see this as something for 2020, more technologically advanced nations are already experimenting with the technology,
Now “Yes Bank” which is a commercial bank operating out of India has been piloting an RFID system so that bank employees can identify these rich fat customers and offer them personalized services. Under the pilot RFID banking cards have been offered to select customers apart from deployment of RFID interrogators and customized gate antennas at bank premises… The moment the elite customer arrives in the bank his details are flashed on the system which enables the relationship team to identify the concerned person so that they can accord him services in the best possible manner.
I can readily imagine using a Tesco Clubcard with this technology, or a BA Executive Club card or a transit card. As a consumers, I want to get better service where possible and the idea that everything from shopping cards to airport display boards might know who I am and deliver personalised service because of that is rather appealing. At least, it’s rather appealing provided that my identity is managed properly and my privacy is assured. This could be done at a physical level: you might, for example, have a Clubcard that only functions when you press a button on it.
This system creates a tiny, ultra-thin, pressure sensitive switch “which ensures that the device can only be read when the owner is pressing the switch”, said Peratech.
Well, I can see how that might work for a card, although it seems a bit of a hassle in practice. But what about other form factors, particularly form factors that might make it difficult for someone to physically reach the switch. For example:
In times where a lot of hue and cry is being raised over injecting humans with RFID tags here is a video of a guy who seems pretty cool about injecting RFID chip in his hand
Connecting things up is easy, but disconnecting them is hard! The solution, surely, is not down at the physical layer but in the logical layer above it. Extending the future digital identity management infrastructure to the Internet of things has to be the way forward and if properly designed such an infrastructure could deliver more, I think, thank many people imagine. In particular, such an infrastructure could protect privacy through the judicious use of cryptography rather than through codes of practice or goodwill.