I was delighted to be asked to present a keynote at the FIDO Authenticate Summit and chose to focus on digital identity governance, which is something of a hot topic at the moment. Little did I know that the day before my session was recorded the European Commission would propose a monumental change to eIDAS, the European Union’s digital identity framework – one of the main examples I was planning to refer to. I hastily skimmed the proposed new regulation before the recording but have since had the time to take a more detailed look.
[Dave Birch] When we think about electronic identity, we tend to think in terms of the identity structures that we are familiar with from the physical world, so we talk about passports and borders. But the current system of passports, visas and border controls doesn’t work terribly well — see the discussions ad infinitum about the recent Dubai death squad’s comedy disguises and simple faked passports — so I’m not sure it’s much of a basis for exploration. Why do I say this? Well, because I’ve been to a few presentations about the various systems involved recently and have been trying to understand some of the dynamics to help our customers develop some longer-term strategies around identity.
One of the problems is that there is so much going on. Start with moving on from SIS. The SIS2 (Schengen Information System 2) will store biometrics to prevent visa fraud. After a three-year transitional period, SIS2 must check with the new Visa Information System (VIS). VIS will require fingerprints and these will be matched via AFIS (so that if, say, a Moroccan person applies for visas in both French and German consulates then this will be known). The fingerprints are currently kept for five years. The Central VIS will connect via a new secure network (S-TESTA) to the national VIS systems and these national systems are connected in turn to the national consulates overseas. Are you with me so far?
What’s the point? Well, it’s so that when a non-EU person applies for a visa in a Schengen country, the details will be passed up to the central system and then they will be checked when the passport is presented at Schengen border control. The purpose of all this is to defeat a common immigration fraud, which is that a bona-fide Chinese businessman (say) gets a visa to come to a Schengen country, and gives it to someone else. That person enters Schengen and then sends the passport and visa back to China by DHL. The next Chinese person enters Schengen, and then posts it back again… Will SIS2 fix this? Surely the problem will shift to the feeder documents. It’s impossible to imagine that an EU consulate somewhere can accurately verify and validate passports from 196 countries, but let’s put that to one side for a moment. There are plenty of people who think that SIS will end up causing more problems than it is solving.
The number of computers with access to the Schengen Information System has doubled to 500,000 thanks to the extension of the EU.
Since half a million PCs around Europe can access the system, that means that to all intents and purposes everything on the system is public.
Statewatch, a group that monitors civil liberties in Europe, said it was aware of a case in Belgium where personal information extracted from the system by an official was sold to an organised criminal gang.
There’s another system coming online as well, the Euro Border Surveillance System, or Eurosur. This aims to reduce the number of illegal migrants entering the EU by sea (particularly across the Mediterranean). Good luck on that one. Spain has had some positive results from using satellite tracking (positive in the sense that the immigrants go to Italy instead) but I’m sure Eurosur will help further.
Then there’s the new e-passport. As has been discussed many times before, the current e-passport is a complement to the physical passport: that’s why it’s a chip inside the passport, not a chip instead of a passport. Almost everywhere you go in the world, the chip is not used, but in the future it may be. There’s security, naturally. The e-passports have Basic Access Control (BAC), which we’ve also discussed before. BAC locks the passport so that you have to physically read the passport MRZ in order to read the data from the chip (this is not strictly true, by the way, because the MRZ data isn’t random, but that’s a detail). Extended Access Control (EAC) is the next step: for one thing, it stops people from cloning the chips. But it adds additional functionality as well so, from 28th June 2009, member states have been required to issue EAC e-passports only.
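To make the BAC point concrete, here is an added example in Go (not code from the original post) that derives the BAC access keys from the three MRZ fields exactly as ICAO 9303 specifies; the input values are the standard’s own worked example. Everything that goes into the hash is printed on the data page, which is why the chip is “locked” only to whoever can read the MRZ, and why the strength of that lock is bounded by how predictable those fields are.

```go
package main

import (
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// mrzCheckDigit is the ICAO 9303 check digit: weights 7,3,1 repeating;
// digits count as themselves, letters A..Z as 10..35, the '<' filler as 0.
func mrzCheckDigit(field string) int {
	weights := [3]int{7, 3, 1}
	sum := 0
	for i, ch := range field {
		v := 0
		switch {
		case ch >= '0' && ch <= '9':
			v = int(ch - '0')
		case ch >= 'A' && ch <= 'Z':
			v = int(ch-'A') + 10
		}
		sum += v * weights[i%3]
	}
	return sum % 10
}

// MRZInformation is the BAC input: document number, date of birth and date
// of expiry, each followed by its check digit. All of it is printed on the
// data page, so nothing in the key derivation is secret.
func MRZInformation(docNo, dob, expiry string) string {
	return fmt.Sprintf("%s%d%s%d%s%d", docNo, mrzCheckDigit(docNo),
		dob, mrzCheckDigit(dob), expiry, mrzCheckDigit(expiry))
}

// adjustParity forces odd parity on every byte, as DES keys require.
func adjustParity(k []byte) []byte {
	out := make([]byte, len(k))
	for i, b := range k {
		if bits.OnesCount8(b)%2 == 0 {
			b ^= 1
		}
		out[i] = b
	}
	return out
}

// deriveKey is the 9303 key derivation: SHA-1(K_seed || 32-bit counter)[:16],
// with counter 1 for the encryption key and 2 for the MAC key.
func deriveKey(seed []byte, counter uint32) []byte {
	h := sha1.New()
	h.Write(seed)
	binary.Write(h, binary.BigEndian, counter)
	return adjustParity(h.Sum(nil)[:16])
}

// BACKeys returns K_seed, K_enc and K_mac as hex for the given MRZ fields.
func BACKeys(docNo, dob, expiry string) (seed, kenc, kmac string) {
	sum := sha1.Sum([]byte(MRZInformation(docNo, dob, expiry)))
	s := sum[:16]
	return hex.EncodeToString(s), hex.EncodeToString(deriveKey(s, 1)),
		hex.EncodeToString(deriveKey(s, 2))
}

func main() {
	// Field values are the ICAO 9303 Part 11 worked example.
	fmt.Println(BACKeys("L898902C<", "690806", "940623"))
}
```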
Back to the difference between the chip and the book. If the e-passport is going to store data that isn’t on the passport (e.g. your fingerprints) then these must be encrypted so that they can only be read by authorised authorities. An EAC passport will therefore only give up data to readers that it can authorise through the use of asymmetric cryptography (the reader must present a certificate signed by a recognised authority) and the passport can then encrypt and sign its own data. There’s something called Active Authentication as well, so the e-passport contains a key pair: the secret private key and the non-secret public key (which appears in Data Group 14, DG14, in the data).
Unfortunately, shifting to EAC adds complexity because there are now two trust chains: the data trust chain (so that the readers can verify the passport data) and the terminal trust chain (so that the passport can verify the reader data). You can imagine that co-ordinating both of these chains across the globe has turned out to be something of a problem: every reader has to have every valid certificate from every country in it. The Brussels Interoperability Group (BIG) is responsible for harmonising the e-passport specification throughout the EU and has also been responsible for the certificate policies, protection profiles, conformance tests and interoperability tests. At ID World, Bob Carter from IPS said that the most difficult job was trying to work out how to exchange certificates between countries and he is, of course, right. One thing that is not yet in place is the protection profile for readers (a lesson from chip and PIN deployment in the UK: there’s no point having secure chips and wholly insecure readers).
It would be nice to be able to set a date when we might move to a wholly e-passport world, but to get there we have to get rid of visa stickers. There’s a name for this too: ESTA (Electronic System for Travel Authorisation). If this could be achieved, then there is no need to have manned border control, since introducing people into the loop could not improve the system in any way. This is a very appealing prospect to governments, but I think there is a real concern here: if a criminal is able to get legitimate visa certificates, a smart card, an e-stamp or whatever else and is never questioned by a human security official, then once they are inside the perimeter they can operate with impunity.
[Dave Birch] Should people be allowed to have “anonymous” prepaid mobile phones (well, SIMs) or not? It’s a simple question, but a complicated subject. And it’s worth exploring because it helps us to have a real, focused discussion about practical privacy and security issues. The subject came up because of one of the current hot topics in the UK, which is the government’s proposed “crackdown” (although “crackup” might be a better description) on the unauthorised copying of copyright material. Once the government has disconnected most broadband users in Britain through the “three accusations and you’re out” policy, many desperate internet addicts will be driven to using mobile connections to continue online banking, reading about “I’m a celebrity get me out of here” behind the Murdoch paywall and playing World of Warcraft. At which point, the mobile operators will come under pressure to start disconnecting people as well. But as the always spot-on mobile industry analyst and Forum friend Dean Bubley notes
“On one hand, the government’s trying to encourage internet connectivity — bridging the digital divide — but a lot of people in lower socioeconomic groups are on prepay, and the vast majority are anonymous,” Bubley said
So the mobile operator won’t be able to turn over the name and address of the supposed copyright pyrate. When the letter from Apple Corporation arrives at Vodafone asking them to turn over the name and address of the person who downloaded “Love Me Do”, Vodafone won’t be able to tell them (so presumably Vodafone will then be found in contempt of court or something and their internet access will be turned off).
So what to do? Well, one approach (followed in many countries) is simply to force all prepaid phones to be registered with the authorities. In the UK, the government might use its splendid new national identity register, for example, to ensure that all prepaid phones have a passport or national identity card connected to them. And, as in Spain, take immediate action against those terrorists, money launderers, child pornographers and criminals who refuse to do so.
Spanish mobile operators last night cut off an estimated three to four million pre-pay mobile phones whose owners had not followed government instructions to register their devices.
I can see exactly why law enforcement and government agencies object so strongly to anonymous mobile phones (although they still allow people to post letters anonymously) but I think they are wrong to react in this way. The truth is, the criminals will just use other people’s phones and will be even harder to track and trace than they were before.
Consider the most prosaic of examples. Where I live, in a deprived part of Europe called “Surrey”, a window in the house opposite to ours was smashed by a gang of feral youths. Sadly, we didn’t see this happen so we were unable to assist the local constabulary. But suppose I had seen it happen? I have, currently, four prepaid mobile phones about my person (they are used for various demos and experiments for work) so I would have just picked up one of these phones and called the police with the details of the incident and a description of the yobs.
But now suppose that my prepaid phones were connected to me through the national identity register? Now there’s no chance that I will pick up one of them and report the crime, because I’d be worried that my name and address would get (via the police or the database) to the gang in question.
This may be a silly example, but from battered women to corporate whistleblowers there are plenty of good reasons for allowing anonymity. We need this to be part of the infrastructure.
All this does prove, though, that there is a legitimate place for digital anonymity, and I hope that any identity management system required by the US government and others will allow anonymity and not prevent it.
Note the important qualification here: there is a legitimate place for “digital anonymity”. I would go further than that and say that without digital anonymity, we are creating the wrong kind of infrastructure for a successful and prosperous society. Now, your web site may choose to allow or decline access by digitally known, pseudonymous or anonymous identities. If you are a web site discussing Iranian democracy, you may well insist on the latter. If you are a government department, you may insist on the former. The infrastructure must cope with both.
[Dave Birch] The whole business of air travel is a laboratory for experimenting at the boundary between public and private identities, where national and international agreements interact with corporate alliances, outsourcing and value chains to produce a complex environment that needs and benefits from change. Speaking as a frequent traveller, and happy near-weekly user of Heathrow’s Terminal 5, it seems to me that air travel has got considerably quicker, more efficient and simpler in the last couple of years. I print my boarding pass out at home, jump in a cab or on the train, nip through T5 to the lounge and then on to the plane — the only hold-up in the whole process is the queue for security on the way out (sometimes this can be 10-15 minutes even at T5) and the queue for passport control on the way in.
However, the need to print a physical boarding pass, even using 2D barcodes rather than a magnetic stripe, and the lack of an efficient bag drop system mean that despite the universal electronic ticket for air travel, more than two-thirds of passengers still went to a check-in desk. Where to look for the next improvement? Well, I’m sure like most people I think that the key technology that will change this is the mobile phone. If the mobile phone allows you to check in and obtain a boarding pass, and a kiosk at the airport allows you to self-tag (clearly there are some security issues around this) then the flow through airports would increase significantly and the costs would reduce accordingly.
In fact I saw a presentation from one of the companies that supplies infrastructure to airports recently and they were talking about their experiences with the mBCBP (mobile bar code boarding pass) — they said that “we only care about Blackberry, iPhone and high-end smartphones”, which means we can assume big, clear screens — but still the current 2D barcode solutions don’t carry enough data for the airlines to store more than three legs plus frequent-flier and other data.
So why am I looking at this space? One of the biggest players in the industry, IER, is advocating the “pass & fly” sticker solution and I saw them present on the Air New Zealand and Air France case studies which, I have to say, was rather impressive.
[Dave Birch] I’m going to provide a case study on the use of multi-application smart cards with EMV “chip and PIN” software on them that I think contains some useful nuggets for us in the UK to ponder over, because the case study is about combining payment (EMV) and digital signature (PKI) applications on the same card.
Identity folks will have to understand a little about the payment folks’ EMV standard to understand the dynamics. There are actually three flavours of EMV, the international card scheme standard for chip transactions. These are Static Data Authentication (SDA), Dynamic Data Authentication (DDA) and Combined Data and Application Cryptogram (CDA). Most of the cards out on the streets in the UK are SDA cards without enciphered PIN (the PIN is not encrypted from the PIN pad into the card).
SDA cards are the cheapest, which is why our banks issue them, but they can be cloned and used in terminals that are offline, so they are a security risk. DDA cards are not vulnerable in this way, but they are more expensive, both because the cards themselves are more sophisticated (they have a cryptographic co-processor to handle asymmetric cryptography) and because they take longer to “personalise”. Nevertheless, UK banks will have to replace SDA with DDA by the end of 2010 (indeed, Consult Hyperion work with banks to help them to migrate in a cost-effective way). CDA cards cost the same as DDA, but still need to be planned for.
For technical reasons, CDA cards are more secure than DDA cards. Why? Because CDA protects against the “wedge attack”. It is possible to insert a device that would let a genuine DDA card generate a legitimate digital signature but then intercept the request for an application cryptogram and return a bogus one for a different amount to the terminal. The terminal would carry on regardless. This is not possible with CDA since both the DDA signature and cryptogram are delivered by the card at the same time.
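As an added illustration (not code from the original post), this Go model shows why the terminal check differs between DDA and CDA. Ed25519 stands in for the card’s asymmetric signature and an HMAC for the issuer cryptogram (the real EMV algorithms differ, and every key and value here is constructed); `Wedge` reports which of the two terminal checks accepts a response whose cryptogram was produced for a different amount from the one the terminal requested.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// Card models an EMV card: a signing key for DDA/CDA (the terminal holds the
// certified public key) and an issuer-shared key for the application cryptogram.
type Card struct {
	priv      ed25519.PrivateKey
	issuerKey []byte
}

// cryptogram stands in for the ARQC: a MAC over the amount under the issuer
// key, which only the issuer can check; the terminal just forwards it.
func (c *Card) cryptogram(amount uint32) []byte {
	m := hmac.New(sha256.New, c.issuerKey)
	m.Write(binary.BigEndian.AppendUint32(nil, amount))
	return m.Sum(nil)
}

// cdaPayload is what a CDA card signs: challenge || amount || cryptogram.
func cdaPayload(challenge []byte, amount uint32, ac []byte) []byte {
	p := binary.BigEndian.AppendUint32(append([]byte{}, challenge...), amount)
	return append(p, ac...)
}

// DDA: the signature covers only the challenge; the cryptogram comes back
// separately and unsigned, so nothing ties it to the amount the terminal used.
func (c *Card) DDA(challenge []byte, amount uint32) (sig, ac []byte) {
	return ed25519.Sign(c.priv, challenge), c.cryptogram(amount)
}

// CDA: one signature binds challenge, amount and cryptogram together.
func (c *Card) CDA(challenge []byte, amount uint32) (sig, ac []byte) {
	ac = c.cryptogram(amount)
	return ed25519.Sign(c.priv, cdaPayload(challenge, amount, ac)), ac
}

// TerminalDDA can only check the challenge signature; it has no way to tell
// whether ac was computed for its own amount (the issuer finds out later).
func TerminalDDA(pub ed25519.PublicKey, challenge, sig, ac []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

// TerminalCDA rebuilds the payload with the amount it asked for; a cryptogram
// produced for any other amount makes the signature check fail.
func TerminalCDA(pub ed25519.PublicKey, challenge []byte, amount uint32, sig, ac []byte) bool {
	return ed25519.Verify(pub, cdaPayload(challenge, amount, ac), sig)
}

// Wedge plays the scenario in the text: the terminal asks for terminalAmount
// while the card answers for cardAmount. Reports which terminal accepts it.
func Wedge(terminalAmount, cardAmount uint32) (ddaOK, cdaOK bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	card := &Card{priv: priv, issuerKey: []byte("constructed issuer key")}
	challenge := []byte("constructed unpredictable number")
	sig, ac := card.DDA(challenge, cardAmount)
	ddaOK = TerminalDDA(pub, challenge, sig, ac)
	sig, ac = card.CDA(challenge, cardAmount)
	cdaOK = TerminalCDA(pub, challenge, terminalAmount, sig, ac)
	return ddaOK, cdaOK
}
```

With the terminal asking for 10000 and the card answering for 100, the DDA terminal accepts and the CDA terminal rejects; when both amounts agree, both accept.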
OK, so all this is well-known, but why does it matter to the digital ID world? Well, if a bank goes to the expense of issuing DDA or CDA cards, then the presence of re-usable cryptographic software and the cryptographic co-processor mean that it is a minimum of cost and complexity for the card to carry an additional PKI application as well as the EMV application. Almost all of the PKI application’s “guts” are already on the card because they are used by the EMV application. What’s more, the card can generate its own key pairs (which is very good for security) and then, provided you have the infrastructure, third parties can sign the card’s public key(s) to create a wide variety of public key certificates to deliver interesting services. The card can store these certificates if it has enough memory or store pointers to the certificates online somewhere if it doesn’t.
Here’s a real example.
[Dave Birch] Well, this is interesting. One of my mobile phone operators (I currently have three: my iPhone, my dongle and my son’s phone) has sent me someone else’s bill. I now have someone’s name, address (why it came through our door I have no idea: the address isn’t even in the same town, let alone the same street), mobile number and an itemised bill. I’m sure I could get up to some mischief with this. I don’t want to pick on mobile operators in particular, but I do want to point out that this sort of thing will always happen. In a bizarre way, we’ve come to expect them. It’s even vaguely comforting to read about the usual colossal cock-ups with computers, because it reassures you that all is right with the world…
Zamora said the pump at the By-Pass Deli and Conoco service station at Stevens Drive and the Highway 240 Richland bypass registered only $26 for the fuel. But somehow the transaction was recorded on his debit card as totaling $81,400,836,908… After learning that afternoon by e-mail that his debit card was maxed out (no kidding! ed.) he called customer service… “Somebody from a foreign country who spoke in broken English argued with me for 10 to 15 minutes,” Zamora said. ” ‘Did you get the gas?’ he asked. Like I had to prove that I didn’t pump $81,400,836,908 in gas!”
I am literally astonished that a charge for $81 billion could go through the debit card system at all. Wouldn’t you have thought that the settlement system had some limit checking in it that would trigger if a transaction for more than, oh I don’t know, let’s say A BILLION DOLLARS came through on a debit PAN? Clearly, whoever built the system never imagined that this could happen, so they never put in any logic to watch out for it.
It’s crazy to build systems on the assumption that nothing will go wrong. Amusingly, in a tragic and depressing kind of way, this was reinforced by the news that public employees have already been snooping around in the proto-national identity register to look up friends, family and presumably other “interesting” people even though it’s not even been built yet. Still, not to worry. So far it’s only 30 local authorities that have noticed a problem.
Staff at 30 local authorities have been responsible for “serious security breaches” in the government database that will form the core of the national ID cards programme. Local authority staff have viewed sensitive personal records on the Customer Information System (CIS) run by the Department for Work and Pensions (DWP), it emerged today. The £72m Customer Information System is an Oracle database being built by Accenture for the Department for Work and Pensions. It will hold a wide variety of data on nearly all UK citizens.
Why on earth would anyone have imagined that there would be any other outcome? And by the way, if I was one of these public employees snooping around for the purposes of amusement, I’d have been using someone else’s username and password, so there’s no real chance of catching them.
[Dave Birch] There’s been another rash of stories about fingerprinting and the linking of identity and authentication and I thought I’d take a look at a few of them after my afternoon at the Social Market Foundation. Let’s begin by looking at a mass market use of biometrics…
Under a new law published Monday, Mexico will start a national register of mobile phone users by fingerprinting all customers in an effort to catch criminals who use mobile phones to extort money and negotiate kidnapping ransoms. The new law, which will be in force this April, will give mobile phone companies a year to build the database of their clients – complete with fingerprints and any other personally identifiable information.
Fingerprinting mobile phone users could never happen here, of course. Well, not for a while. But fingerprinting by mobile providers might…
Vodafone dealership DigitalMobile is the latest employer to introduce fingerprint scanning for staff. DigitalMobile spokesman Will Allan says the scanners have been installed in the company’s 22 stores around the country and most of its 190 staff are using them to clock in and out.
This seems pretty reasonable: using biometrics to make life easier for more people is a much more convincing business case and, as far as I can see, a much more effective use of the technology than biometrics for security (outside nuclear missile launch codes and that kind of thing).
[Dave Birch] I went to the Social Market Foundation chat about biometrics sponsored by the Identity and Passport Service (IPS). The speakers — Jim Wayman from San Jose State University, Peter Hawks and Hugh Carr Archer (Aurora) from our friends at IAFB, Farzin Deravi from the University of Kent and forum friend Toby Stevens from EPG — got a good discussion going although personally I thought it was a little too short. I was very interested in some of the points being raised from the floor and would have appreciated more time for expert reflection from the panel.
Jim started his talk by referring to the “colourful” history of the future of biometrics, which appealed to my current obsession with paleo-futures at the CSFI, and made a couple of points that I think are worth opening up for discussion here. First of all, he made the key point that biometrics doesn’t solve the problem of identification but once you have identified someone then you can use biometrics to link them to that identity. Biometrics is easy, identification isn’t, and biometrics do not guarantee the validity of non-biometric data in the database (this is why I keep promoting the “biometric only” plan for the UK National Identity Register). Secondly, he made me reflect on the difference between schemes where the “users” care about multiple uses or not. So, if I have a season ticket for the London underground, I don’t care about my brother using it on the days that I’m not. But I don’t want him using my credit cards on days that I do not. So why would you need a biometric for a bank card? Good point. I think that the answer is that if we want to use cards for larger transactions then we can’t use PINs because PINs are too easily snaffled, but I’m going to think some more about this and post in the future.
[Dave Birch] Well well. Now here is an interesting story that hasn’t got anything like the attention that it demands:
A South Korean woman barred from entering Japan last year has reportedly passed through its immigration screening system by using tape on her fingers to fool a fingerprint reading machine… A South Korean broker is believed to have supplied her with the tapes and a fake passport, the Yomiuri said, adding that officials believe many more foreigners might have entered Japan using the same technique.
Now, I wonder if the Japanese ministry of immigration (or whatever) chose that particular system on the basis that it was (according to the vendor) foolproof? That is certainly the perception of biometrics, particularly amongst politicians, but who can say? I suppose the risk analysis they carried out — I’m sure they must have carried out a risk analysis — would have put impersonation as a theoretical probability with a low likelihood and low chance of success. Ooops.