An independent consultancy that helps make new things happen, safely and securely, in Identity, Payments and Smart Ticketing
Our friends at Smartex challenged its readership to define Digital Identity the other day, with a bottle of wine on offer for the best definition. I’m pleased to say that the bottle of wine was won by Consult Hyperion, with a couple of competition entries submitted.
[Dave Birch] It’s pretty obvious that RFID is going to transform a variety of retail supply chains, adding value to the services delivered to the end customers.
Izzy’s Ice Cream Café in St. Paul, Minnesota is putting to use RFID technology for giving real time updated on flavors available in its dipping cabinet. It offers more than 100 flavors but serves only 32 in its dipping cabinet at any point of time. The cabinet comes equipped with readers capturing every flavour’s corresponding labels embedded with an RFID tag. The reader captures information 22 times every second and is sent to a system which updates website of the parlour so that customers get to know what is available even before they enter the store. Coloured dots are projected on the wall of the store or TV behind the counter so that the customers get to know the flavours available.
Now this is a great use of the technology and I’m sure it’s only one of the ways in which retailers will find that RFID provides a platform for better management, better service and entirely new services. Nevertheless,iIt’s a step from this kind of use of RFID to the idea of an “Internet of things” has been around for a while.
The “Internet of things” (can’t we think of a better name? the everynet? the allnet? — what about “skynet”, or has that been used somewhere before?) has two essential components: the concept that everything is connected to everything else, and the concept that everything can distinguished from everything else. Universal connection and universal identification. If we take the former for granted and take the Electronic Product Code (EPC) as an example of the latter, we can immediately see that this will create as many problems as it solves (which is not a reason for not doing it, since it also creates many opportunities). It’s easy to see why. Suppose that your phone reads the EPC from my underpants. So what? Now your phone knows that I am wearing either Gucci underpants or a pair of Primark underpants with a Gucci chip in them to impress the ladies. If such phones and such tags were to exist, what would actually happen? What would be the impact on society of knowing what everything is and where everything is all the time.
[Dave Birch] Here at Consult Hyperion we’ve recommended to more than one non-US customer that they look at specifying PIV solutions. Why? Because PIV does almost all of what they want, and the cost and integration advantages make it a better short- to medium-term solution. But there’s another less tangible reason for being interested in it: because once the US government has chosen something as a “standard”, then that is where the energy will go, because the suppliers are rational people. The seal of approval is very, very important. Which is why I”m not the only one who has been reflecting on just how significant the US government’s support for OpenID is. When this support was announced, Bob Blakely highlighted just how important an announcement it was.
But the identity world had its own big news today; the news is that the US Government has teamed up with the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, and InCommon in creating the Open Identity Initiative.
[From Burton Group Identity Blog: US Government Identity News]
I was involved in some discussions with a government department a few months ago — long before the US government announcement — during which I suggested opening up some public services using OpenID. My reasoning was that we could experiment with “soft” OpenIDs provided by (to consumers) familiar services. If you asked a customer to log in to the DVLC using their Facebook “Identity”, then I’m sure they would manage to do this with little training and no mention of trust infrastructures and the like. Once they are comfortable with this, then you can restrict access to “hard” OpenIDs (by which I mean 2FA OpenIDs).
The central point, though, was that the government could help to create an identity infrastructure built on a diverse selection of “private” digital identities. I think that, as Burton note, the US government’s decision signals a genuine paradigm shift in this direction, a genuine change in the mental model are identity.
after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities
[From Burton Group Identity Blog: US Government Identity News]
Personally, I think that the government ought to be a “gold standard” identity provider as well as an identity oonsumer, but that’s another issue.
[Dave Birch] I re-read an excellent post over at Emergent Chaos. It reflected an important discussion between two people, both of whom I take very seriously. To paraphrase and simplify horribly, Bob thinks that the social structures maintain privacy, Adam thinks that technological structures maintain privacy.
In a world where some people say “I’ve got nothing to hide” and others pay for post office boxes, I don’t know how we can settle on a single societal norm. And in a world in which cheesy-looking web sites get more personal data — no really, listen to Alessandro Acquisti, or read the summary of “Online Data Present a Privacy Minefield” on All Things Considered… — I’m not sure the social frame will save us.
[From Emergent Chaos: Bob Blakley Gets Future Shock Dead Wrong]
The lack of a “norm” is a good point here, and I have to say it made me think. We should be developing tools that allow people to construct their norms (within boundaries, obviously) but not setting out a norm so that the tools can only implement one model. For this reason, amongst others, I tend to come down on the more technological side of this argument, which is why I’m so keen to see privacy as part of customer propositions and privacy-enhancing technologies as part of the systems being built in both public and private sectors.
[Dave Birch] One of the things that I thought might happen this year is that the US government standard for ID cards might begin to spread into the commercial sector, simply because of the impact of standardisation. I wasn’t the only person who thought this, by the way.
In 2009, common access card programs will get another chance to conquer the enterprise market due to the government’s drive to implement PIV cards for all employees and contractors, the availability of standards and compatible products, the spread of standards beyond the federal government to state and local entities as well as government-linked enterprises. Most importantly, security convergence will finally receive market traction.
[From ContactlessNews | Look for renewed interest in enterprise common access card programs in 2009]
I should say that I thought this was a good thing. The PIV might not be an exact match with some corporate requirements, but on the other hand a standard means lower costs and an emerging ecosystem. So, if we want to improve corporate security, do we start designing our own, optimal solution, or go with the grain of what’s out there on the basis that it’s much, much better than nothing?
[Dave Birch] OK, so I know it sounds spooky and people are uncomfortable with RIFD-at-a-distance, but there would be some advantages to being “recognised” by machines. Think about the subject from a customer service perspective rather than a security, spying and generally creepy perspective. As, in fact, some people already have been.
The Financial Services Technology Consortium (FSTC) today announced the launch of a project whose goal is to help member banks adopt radio frequency identification technology (RFID).
[From FSTC | Financial Services Technology Consortium – Press & Articles]
Why would banks want to do that? Well, it is relatively easy to implement vicinity (let’s say up to a couple of metres) read-only functionality along side the proximity (let’s say up to a couple of centimetres) read-write functionality used in contactless identity cards, bank cards and NFC phones. The chip sets are readily available. Handled correctly, this is something that a great many customers would appreciate.
Imagine a world where, when you walk into your bank, messages and adverts pop up that address you by name.
While The Times might see this as something for 2020, more technologically advanced nations are already experimenting with the technology,
Now “Yes Bank” which is a commercial bank operating out of India has been piloting an RFID system so that bank employees can identify these rich fat customers and offer them personalized services. Under the pilot RFID banking cards have been offered to select customers apart from deployment of RFID interrogators and customized gate antennas at bank premises… The moment the elite customer arrives in the bank his details are flashed on the system which enables the relationship team to identify the concerned person so that they can accord him services in the best possible manner.
[From The RFID Weblog: RFID being used to give preferential treatment to rich clients in Indian banks]
I can readily imagine using a Tesco Clubcard with this technology, or a BA Executive Club card or a transit card. As a consumers, I want to get better service where possible and the idea that everything from shopping cards to airport display boards might know who I am and deliver personalised service because of that is rather appealing. At least, it’s rather appealing provided that my identity is managed properly and my privacy is assured. This could be done at a physical level: you might, for example, have a Clubcard that only functions when you press a button on it.
This system creates a tiny, ultra-thin, pressure sensitive switch “which ensures that the device can only be read when the owner is pressing the switch”, said Peratech.
Well, I can see how that might work for a card, although it seems a bit of a hassle in practice. But what about other form factors, particularly form factors that might make it difficult for someone to physically reach the switch. For example:
In times where a lot of hue and cry is being raised over injecting humans with RFID tags here is a video of a guy who seems pretty cool about injecting RFID chip in his hand
[From The RFID Weblog: The Do It yourself Guide to implanting RFID Chip in your hand]
Connecting things up is easy, but disconnecting them is hard! The solution, surely, is not down at the physical layer but in the logical layer above it. Extending the future digital identity management infrastructure to the Internet of things has to be the way forward and if properly designed such an infrastructure could deliver more, I think, thank many people imagine. In particular, such an infrastructure could protect privacy through the judicious use of cryptography rather than through codes of practice or goodwill.
[Dave Birch] One of the frustrating aspects of being a technologist in the identity space is that I know that the technology can deliver more than customers want. There are a number of reasons for this, but two of them will suffice to make a point. Firstly, people’s “common sense” version of identity is simply not sophisticated enough for a modern economy and, secondly, that the people who actually specify and procure systems that hinge on identity do not make privacy part of the proposition because they (incorrectly) view security and privacy as opposites. In fact, the technology can deliver both and some times it’s very easy to make it do just that. Look at the basic case study of “no fly” lists, where the problem is to check whether someone’s name appears on a list of people to be excluded…
In comparing the contents of two databases, such as an airline-passenger list and a no-fly list, for example, officials should be interested only in the names that appear on both lists. They have no need for the rest of the passengers’ names. Those mutual names can be found by first encrypting both lists using strong encryption.
Quite. And if the lists are encrypted, and don’t need to be decrypted to make them work, then privacy is automatically improved without ombudsmen, best endeavours and the rest of it. A rudimentary understanding of the issues is all that is needed to deliver vastly better solutions.
[Dave Birch] For many years I have consistently maintained that multiple identities (more specifically, multiple virtual identities bound to digital identities that can be authenticated against “real world” identities) are an integral part of the digital identity infrastructure of the future and emphatically part of the solution, not part of the problem. There is a technical caveat though: the virtual identities must be kept separate. As Robin Wilton notes, with his usual perceptiveness,
maintaining different ‘personas’ can contribute to personal privacy – and personal privacy is undermined when the barriers between those ‘personas’ are broken down.
[From Racingsnake – the blog of Future Identity: Is privacy only for the rich?]
So we need a good technology (firewalls, PKI, keys, tamper-resistant hardware blah blah blah, you know the score) to make the barriers and should not rely on guidelines or ombudsmen instead. However, I made a terrible mistake explaining this vision to group of people recently. I said that the partitioning of identity in this way was the equivalent of building a big ship with a series of waterproof compartments separated by strong bulkheads, so that if one compartment is holed, the ship is not threatened. What, someone said, you mean like the Titanic?
[Dave Birch] Over on Digital Money there’s been some discussion about the current state of, and future of, the 3D Secure (3DS) authentication schemes used by Visa and MasterCard to add security to online transactions (under the brand names Verified by Visa and SecureCode). One the problems with the deployment of these services was that customers didn’t really understand the technology and were confused by the sign-up and usage processes. Now the schemes have responded with a raft of efforts to make 3DS more effective.
The research highlighted that consumers wanted to be certain that Verified by Visa was part of the purchase process. A key feature of the new user interface is that the consumer does not leave the merchant site during the identity checking process; instead the Verified by Visa authentication window appears as an overlay on top of the merchant page.
[From Verified by Visa Europe upgraded to improve cardholder experience]
MasterCard has also come up with a way to make 3DS more palatable to consumers and merchants alike.
To date, all e-commerce purchases on Maestro cards leverage MasterCard® SecureCode™ authentication to ensure the highest security for payment card transactions. The Maestro Advance Registration Program™ enables select online merchants to accept Maestro cards for e-commerce transactions by using SecureCode™ to enroll the customer during the first transaction. Subsequent purchases the same customer makes at the merchant web site using the same Maestro account can now be processed without MasterCard SecureCode authentication, making repeat buying both convenient and fast.
I’m interested in these efforts because if banks found a way to make 3D Secure authentication effective, painless and ubiquitous then it would make sense for other organisations to pay the banks to provide that authentication services to them, rather than build their own versions. In these circumstances I could well imagine using my Barclays thingy (a.k.a. PINsentry) and debit card to log in to do my taxes or whatever.
Subscribe to our newsletter