In our Live 5 for 2021, we said that governance would be a major topic for digital identity this year. Nowhere has this been more true than in the UK, where the government has been diligently working with a wide set of stakeholders to develop its digital identity and attribute trust framework – the rules of road for digital identity in the UK. The work continues but with the publication of the second iteration of the framework I thought it would be helpful to focus on one particular aspect – how might the framework apply to decentralised identity, given that is the direction of travel in the industry.
Tag: identity authentication verification
The best definition of Digital Identity
Our friends at Smartex challenged its readership to define Digital Identity the other day, with a bottle of wine on offer for the best definition. I’m pleased to say that the bottle of wine was won by Consult Hyperion, with a couple of competition entries submitted.
Coming up with a definition for digital identity is not easy. It can refer to quite a number of different things, making the task of encapsulating it in a sentence next to impossible. For my attempt I thought that rather than try to describe what it is, it would be better to describe what it does. I came up with this:
Digital identity allows us to trust each other by enabling us to share the minimum amount of verifiable information needed for the thing we want to do.
In one sentence I was trying to capture several points:
- Digital identity is a means to an end not an end in itself
- It’s bi-directional – in any transaction both parties need to have confidence in the other party
- It’s about the information you need to share, which will vary considerably between contexts.
- It protects privacy by only sharing the information (or claims) necessary.
NSTICy questions
I’ve been reading through the final version of the US government’s National Strategy on Trusted Identities in Cyberspace (NSTIC). This is roughly what journalists think about:
What’s envisioned by the White House is an end to passwords, a system in which a consumer will have a piece of software on a smartsphone or some kind of card or token, which they can swipe on their computers to log on to a website.
[From White House Proposes A Universal Credential For Web : The Two-Way : NPR]
And this is roughly what the public think about it
Why don’t they just put a chip in all of us and get it over with? What part of being a free people do these socialists not understand?
[From White House Proposes A Universal Credential For Web : The Two-Way : NPR]
And this is roughly what I think about it: I think that NSTIC isn’t bad at all. As I’ve noted before I’m pretty warm to it. The “identity ecosystem” it envisages is infinitely better than the current ecosystem and it embodies many of the principles that I regard a crucial to the online future. It explicitly says that “the identity ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers (presumably including government bodies) to link an individual’s transactions and says that by default only the minimum necessary information will be shared in transactions. They have a set of what they term the Fair Information Practice Principles (FIPPs) that share, shall we say, a common heritage with Forum friend Kim Cameron’s laws (for the record, the FIPPs cover transparency, individual participation, purpose specification, data minimisation, use limitation, data quality and integrity, security and accountability and audit).
It also, somewhat strangely, I think, says the this proposed ecosystem “will preserve online anonymity”, including “anonymous browsing”. I think this is strange because there is no online anonymity. If the government, or the police, or an organisation really want to track someone, they can. There are numerous examples which show this to be the case. There may be some practical limitations as to what they can do with this information, but that’s a slightly different matter: if I hunt through the inter web tubes to determine that that the person posting “Dave Birch fancies goats” on our blog comes from a particular house in Minsk, there’s not much I can do about it. But that doesn’t make them anonymous, it makes the economically anonymous, and that’s not the same thing, especially to people who don’t care about economics (eg, the security services). It’s not clear to me whether we as a society actually want an internet that allows anonymity or not, but we certainly don’t have one now.
The strategy says that the identity ecosystem must develop in parallel with ongoing “national efforts” to improve platform, network and software security, and I guess that no-one would argue against them, but if we were ever to begin to design an EUSTIC (ie, an EU Strategy for Trusted Identities in Cyberspace) I think I would like it to render platform, network and software security less important. That is, I want my identity to work properly in an untrusted cyberspace, one where ne’erdowells have put viruses on my phone and ever PC is part of a sinister botnet (in other words, the real world).
I rather liked the “envision” boxes that are used to illustrate some of the principles with specific examples to help politicians and journalists to understand what this all means. I have to say that it didn’t help in all cases…
The “power utility” example serves as a good focus for discussion. It expects secure authentication between the utility and the domestic meter, trusted hardware modules to ensure that the software configuration on the meter is correct and to ensure that commands and software upgrades do indeed come from the utility. All well and good (and I should declare an interest a disclose that Consult Hyperion has provided paid professional services in this area in the last year). There’s an incredible amount of work to be done, though, to translate these relatively modest requirements into a national-scale, multi-supplier roll-out.
Naturally I will claim the credit for the chat room “envision it”! I’ve used this for many years to illustrate a number of the key concepts in one simple example. But again, we have to acknowledge there’s a big step from the strategy to any realistic tactics. Right now, I can’t pay my kids school online (last Thursday saw yet another chaotic morning trying to find a cheque book to pay for a school outing) so the chance of them providing a zero-knowledge proof digital credential that the kids can use to access (say) BBC chatrooms is absolutely nil to any horizon I can envisage. In the UK, we’re going to have to start somewhere else, and I really think that that place should be with the mobile operators.
What is the government’s role in this then? The strategy expect policy and technology interoperability, and there’s an obvious role for government — given its purchasing power — to drive interoperability. The government must, however, at some point make some firm choices about its own systems, and this will mean choosing a specific set of standards and fixing a standards profile. They are creating a US National Project Office (NPO) within the Department of Commerce to co-ordinate the public and private sectors along the Implementation Roadmap that is being developed, so let’s wish them all the best and look forward to some early results from these efforts.
As an aside, I gave one of the keynote talks at the Smart Card Alliance conference in Chicago a few weeks ago, and I suggested, as a bit of an afterthought, after having sat through some interesting talks about the nascent NSTIC, that a properly implemented infrastructure could provide a viable alternative to the existing mass market payment schemes. But it occurs to me that it might also provide an avenue for EMV in the USA, because the DDA EMV cards that would be issued (were the USA to decide to go ahead and migrate to EMV) could easily be first-class implementations of identity credentials (since DDA cards have the onboard cryptography needed for encryption and digital signatures). What’s more, when the EMV cards migrate their way into phones, the PKI applications could follow them on the Secure Element (SE) and deliver an implementation of NSTIC that could succeed in the mass market with the mobile phone as a kind of “personal identity commander”.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
Confronting the issue
There’s an interesting choice of words in the O’Reilly Radar publication on “ePayments 2010“. The report’s subtitle is “Emerging Platforms, Embracing Mobile and Confronting Identity”. I thought that this is expressive: the payments industry is “confronting” identity.
…even as consumers come to expect online systems to know more about them in order to facilitate transactions and reduce friction in accomplishing tasks, they are likely to want to maintain control over which online services have access to distinct aspects of their identity.
Very well put. It illustrates a point that I find myself making in more and more discussions these days: that if the players in the payments industry don’t deal with the identity problem, then someone else will.
Identity is critical in many ways: It ensures the right degree of user personalization, enables the reliable billing of services used across a platform, and provides a strong foundation of trust for any transaction occurring on the platform.
Patrick is right to highlight the key role of identity in constructing the future payments infrastructure, although I would draw a slightly different diagram to illustrate the relationship. He has drawn identity on top of payment services, whereas as I would draw them side-by-side to show that some commerce applications will use identity and some will not, some commerce applications will use payments and some will not. This isn’t just a payments issue, of course. It’s rapidly becoming a major block on the development of the online economy. There’s a Chernobyl coming, and the recent fuss about Sony and Sega will appear utterly trivial in comparison. I’m not smart enough to know where or when it will happen, but it will happen. If I had to take a wild guess, I might be tempted to predict the epicentre if not the cause or symptoms.
I trust Facebook to give the messages that I type to my ‘friends’. I trust Facebook with the login details to my Yahoo email account… Even in the last week at least four of my friends have been link-jacked in Facebook – whereby their accounts start spewing malicious links onto the walls of their friends.
[From Trust co-opetition is the key to avoiding disintermediation « in2payments]
It’s the interlinking via social networking that is precisely the danger, because that means when something goes wrong is goes connectedly wrong and gets out of control in unpredictable ways. Something has got to be done to make identity mischief substantially more difficult. But how?
We need online identities anchored in hardware cryptography. Everybody who does financial cryptography understands that for anything of value, you can’t store the keys in software. You need hardware protected keys, with a cryptoprocessor to operate on them, and very importantly, a trusted UI to the human that doesn’t involve hackable software. EMV is a good basis for this
[From The Case for EMV Chip Cards in the US? — Payments Views from Glenbrook Partners]
Hear hear. I’d say that it was the chip with a crypto co-processor that is the basis (EMV is just an application running on such a chip) but the point holds. So where are these chips today? Well, they exist in your chip and PIN card is a sort of autistic form, with limited communication and narrow bandwidth through which we can reach the smart core. And they exist in your mobile phone, in the form of the UICC, where they have high bandwidth, constant connectivity, a UI, huge memory and an ecosystem beyond the device. And they will soon exist in your mobile phone, set-top box and elsewhere in the Secure Element (SE). (As an aside, in some models the SE will be resident in the UICC, so there may only be one physical chip.)
Therefore, there is an opportunity to roll-out an SE-based infrastructure, perhaps in the NSTIC architecture, that sets us down the path to identity security. I’m surprised that, in Europe at least, the mobile operators haven’t already got together to develop their joint response to NSTIC and begun work on the business models that it spawns. The mobile operator is a naturally identity and attribute provider and they already have the tamper-resistant hardware (ie, UICCs) out in the market. They know the customer, they know the network, they know the device. I should be logging on to everything using my handset already, not messing about with passwords and secret phrases and mother’s maiden name.
From the point of view of the UK, where the national identity card scheme has just been scrapped and there is no alternative identity infrastructure in place, there is much to be admired in the US approach.
[From Digital Identity: USTIC]
This may be another area where the ease of use afforded by NFC makes for a big difference in the shape of the marketplace and the trajectory of the stakeholders. There were some early experiments in SIM-based secure PKI, but they were very, very clunky because they needed SMS or Bluetooth to connect the handset to the target device, like a PC or a kiosk (or a POS). But in the new world of NFC, what could be simpler: use menu on phone to select identity, tap and go online. And since the SE can handle the proper cryptography, my phone can tell whether it is talking to the real Barclays as well as Barclays working out whether it is talking to my phone. The NSTIC framework, when combined with the security and ease-of-use of NFC in mobile phones, may not be whole solution, but it’s certainly a plausible hypothesis about what that solution may grow from.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
It all comes back to liability
I posted about the silo-style identity and authentication schemes we have in place at the moment and complained that we are making no progress on federation. Steve Wilson posted a thoughtful reply and picked me up on a few points, such as my “idea” (that’s a bit strong – more of a notion, really) of developing an equivalent of creative commons licences, a sort of open source framework. He says
CC licenses wouldn’t ever be enough. Absent new laws to make this kind of grand identity federation happen, we will still need new contracts — brand new contracts of an unusual form — struck between all the parties.
[From comment on Digital Identity: The sorry state of id and authentication]
But isn’t that what CC licences solve?
It’s complicated by the fact that banks & telcos don’t naturally see themselves as “identity providers”, not in the open anyway
[From comment on Digital Identity: The sorry state of id and authentication]
Well, I’m doing what I can to change that (see, for example, the Visa/CSFI Research Fellowship), but on the main point I happened to be reading the notes from the EURIM Identity Governance Subgroup meeting on 23 February 2011, talking about business cases for population scale identity management systems. The notes say that
It is alleged that the only body with the remit, power and capability needed for assuring and recording a root identity through a secure and reliable registration process is Government.
The notes then go on to talk about case studies such as the Nordic bank-issued eIDs though. These arguments are to some extent circular, of course, because the e-government applications in the Nordics are using bank-issued eIDs, but the only reason that the banks can issue these eIDs is because they are using government ID as the basis for KYC. In the discussion about this at a recent roundtable in that Visa/CSFI “Identity and Financial Services” series, someone made a comment in passing (and I’m embarrassed to say that I can’t remember who said this, because I noted the comment but forgot the commenter) that all of this takes places in a model absent liability. That is, as far as I understand what was said, the government accepts no liability from the banks, and vice versa. So if the bank opens an account for me Sven Birch, using a government “Sven Birch” identity, but it subsequently transpires that I am actually Theogenes de Montford, then the bank cannot claim against the government. Similarly, if I used my bank eID “Sven Birch” to access government services, but it subsequently transpires that I am actually Theogenes, then the government has no claim against the bank. (If this isn’t true, by the way, I would appreciate clarification from a knowledgeable correspondent.)
So what is the situation? Must we have a liability model, or can we all agree to get along without one. Or do you have to a have a more consensual society, or perhaps one with fewer lawyers per head of population?
And I’ve got my bronze swimming certificate
When I’m talking about identity, I sometimes joke that our ill-thought out perspectives on the topic have led to the bizarre situation that in the UK it is much easier to get a job with a bank than an account. In The Daily Telegraph for 29th January 2011, I read under the headline “False CV Fooled Bank” that:
A fraudster used a false CV [claiming degrees from Oxford and Harvard] to gain a £165,000 per annum job at a City investment bank.
I assumed that everybody made up stuff on their resumes, but it turns out that it’s against the law, so the culprit, Mr. Peter Gwinnell, was prosecuted and given a suspended sentence (I assume he’ll skip over this on his next CV). We keep being told that employers use Facebook profiles nowdays (I hope they use mine: it says that I am the most intelligent person alive today and that Nelson Mandela queued for my autograph) so perhaps CVs will soon be a thing of the past. Just out of curiosity I googled Mr. Gwinnell and found that as well as his empty LinkedIn profile, the bald fact of his departure is there on the web.
PETER GWINNELL Appointment terminated as director on 15 Feb 2010 (Document)
[From AHLI UNITED BANK (UK) PLC of W1H 6LR in LONDON UNITED KINGDOM]
To be honest, if an employer wanted proof of my A-Level in Mathematics or O-Level in British Constitution or the Degree I scraped through with in 1980, I’d be hard pressed to provide it. I don’t have the faintest idea where the relevant certificates are. I suppose I could ring the University and ask them to send me a letter, but how would the employer know I hadn’t forged the letter. And how would Southampton University know that it is me calling? Or, for that matter, how would they know that I hadn’t forged the O-Level in British Constitution certificate?
When I started my first job after university, I don’t remember being asked to provide any such proof. Come to that, I don’t remember being asked to prove who I was either. In those days, all you needed was a national insurance number. But if employers are going want proof, like the actual certificates, then there will be a bit of a premium on the certificates. Once the certificates are worth something, they will be stolen. This is what happens in China.
Local officials said the files were lost when state workers moved them from the first to the second floor of a government building. But the graduates say they believe officials stole the files and sold them to underachievers seeking new identities and better job prospects — a claim bolstered by a string of similar cases across China.
[From Files Vanished, Young Chinese Lose the Future – NYTimes.com]
How are we going to deal with this digitally? It shouldn’t be that complicated for Harvard to create a digital certificate to attest to the fact that the owner of a particular identity did, in fact, graduate. If there were some sort of device or token, perhaps some form of card, that contained my educational identity (ie, key pair) then Harvard could simply sign the public key with their private key and the whole problem is fixed (glossing over, of course, where this device or token might come from, and so on).
Something does have to be done though. The current system is simply a joke. It’s quite funny when someone cons a bank into giving them a senior position despite knowing nothing about banking (imagine!) but one of the areas that really bothers me, and probably should bother you too, is the ease with which medical credentials are forged.
A conman from Lancashire who posed as a vet and nearly killed a pony by botching its castration has been jailed for two years. Russell Oakes also masqueraded as a doctor, carried out an intimate examination and charged for false diagnoses, Liverpool Crown Court heard. The 43-year-old, of Hesketh Bank, admitted 41 charges of fraud, forgery and perverting the course of justice.
[From BBC News – Bogus Lancashire vet jailed after botched castration]
How did he do this? Was he a master forger, capable of producing an authentic-looking medical school diploma using specially-aged paper, his engraving skills and authentic ink procured from the correct German manufacturer? No, of course not: this is a post-modern crime.
He bought a fake university certificate off the internet, the court heard.
[From BBC News – Bogus Lancashire vet jailed after botched castration]
Now imagine an alternative infrastructure. I am asked to prove that I have a degree from Southampton University. I log on to the university using my OpenID id.dave.com and answer some questions, provide some data, to satisfy the university that I am, indeed, the relevant dave. My OpenID profile includes a public key, so the university creates a public key certificates, signing that key and some standard data that they provide. I can now give this certificate to anyone, and they can check it by verifying the signature using the published Southampton University public key, resolving the certificate chain in the usual way.
the BBC suffered another embarrassment today after a man interviewed on Radio 4’s World at One who claimed to be a Liberal Democrat MP was revealed to be an imposter.
[From Radio 4 follows Jeremy Hunt gaffe by interviewing fake MP | Media | guardian.co.uk]
How would the proposed infrastructure help here? The system has to be so easy to use that a harassed BBC researcher can use it. Come to that it has to be so easy that military installations, the police and other can use it too.
During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area
[From Schneier on Security: The Security Threat of Forged Law-Enforcement Credentials]
Step forward the mobile phone. Every single one of the people who were “verifying” IDs in these stories has a mobile phone, so there’s no need to look any further. The military policeman’s mobile phone should be able to check your ID. And your mobile phone should be able to check his ID. And if you’re both using mobile phones, both IDs can be checked simultaneously. We already know that symmetry is an important property of an identity infrastructure: the bank needs to be able to check it’s me, but I need to be able check it’s the bank. And the mobile phone can do both. So next time Peter shows up for an interview, the interviewer can simply tap Peter’s NFC phone against their NFC phone and see a full list of his credentials.
(Law enforcement has special additional issue though: sometimes, the policeman doesn’t want to reveal that he’s a policeman, but that’s a topic for another day.)
Ageing problem
The simple and prosaic case of age verification has always been a litmus test for digital identity infrastructure and it’s taken on new dimensions because of social networking. We need some clear thinking to see through fog of moral panic, made worse by the turbocharging impact of the mobile phone, because it is such an individual and personal device. The spectre of legions of perverts luring children via their mobile phones is, indeed, disturbing. If only there were some way to know whether your new social networking friend is actually a child of your age and not an adult masquerading as such.
A mobile phone application which claims to identify adults posing as children is to be released. The team behind Child Defence says the app can analyse language to generate an age profile, identifying potential paedophiles.
[From BBC News – Researchers launch mobile device ‘to spot paedophiles’]
Of course, it ought to work the other way round as well. One of my son’s friends told me that members of his World of Warcraft Guild (all 13- and 14-year olds) enjoy pretending to be “grown ups” online (by pretending to have jobs and wives). But this seems an odd way to move forward, as well as something that will surely be gamed by determined perverts.
Why on Earth can’t we just do this properly, at the infrastructural level. If we had a half-decent digital identity infrastructure, there would be no need for this sort of thing. Look, here’s a simple of example of this, in Japan. If you want to use social networks via your mobile phone then it is the operator who verifies your age to the social network service (SNS) provider. Since the operator has the billing relationship, this makes sense.
KDDI announces age verification service for mobile SNS platforms; Gree, Mixi and MobaGa to start at the end of Jan
[From Mobile SNS Age Verification Service by Wireless Watch Japan]
Note that this has no implications for privacy. The operator could require you to come to one of their outlets and prove that you are, say, 18. Then they set a flag for service providers to tell them that you are over 18. It doesn’t tell them your age, or your name or where you are. Just that you are over 18. Note that this system hasn’t been invented for social networking: it is already used to prove age at vending machines (you can’t buy cigarettes or sake or whatever unless your phone says that you are old enough). It ought to be simple enough to do the same thing but using proper technology. Suppose that your Facebook page came with a red border if you have not provided proof of age? Then you could provide that proof of age and have your border changed to blue for under 18 or green for over 18 – then make the rule that anyone with a red border is only allowed to connect to people with green borders.
You see what I mean. Have something that is understandable at the user level and implement it using certificates, digital signatures and keys in tamper-resistant storage (in, for example, mobile phones). There would be no need to try and explain to people how PKI actually works (which killed it in the mass consumer market last time), just show them how to log in to things using their phones. There’s a waiting mass market for this sort of thing if you can be clear to consumers that it will protect their privacy and that market is adult services: porn and gambling, primarily, either of which should generate a decent income stream for the successful service provider. Simple. As a complete aside, there’s another connection between the adult world and social networking.
The surprise relationship between social networking and adult-themed sites came last September, when total page visits for social networking sites for the first time eclipsed that of adult sites.
[From BBC NEWS | Technology | Porn putting on its Sunday best]
So the internet isn’t all about porn after all!
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]