The future is another (virtual) country

[Dave Birch] In many countries the banks have begun to issue 2FA tokens of one form or another. In some places, such as Singapore, 2FA is already mandatory for home banking, and everyone is used to carrying around their token. In many companies, people use 2FA tokens of one form or another for intranet and VPN access. Authentication is improved tremendously, hurrah. But the “necklace problem” looms. The necklace problem is that if you need half-a-dozen different tokens to log in to your different bank accounts and corporate systems, not to mention government services, then you will have to carry them around your neck or risk not having the right one by your side when you need to do something. Oddly, despite the existence of (for the sake of argument) SAML or OpenID, none of the tokens that I have in my possession are in the least bit interoperable. My Barclays token doesn’t even help me log in to another U.K. bank, let alone the U.K. government or a corporate site.

More data hilarity

[Dave Birch] Last week it was PA Consulting who were on the front page for losing masses of personal data, partly because the newspapers love stories about government data getting lost (I’m surprised they’re not bored with it, since it happens absolutely all the time) and partly because PA Consulting are designing Britain’s new ID card. The Home Office said back in March that the first cards will be issued by “day 330 of 2008”, which I think is their way of saying 1st December. Since that’s only two months away, I’m sure that the first-class design is all squared away and the media are making a mountain out of a molehill over PA Consulting losing a USB memory stick full of data — this has nothing to do with the ID card scheme, as far as I know.

PA Consulting – which on Tuesday told ministers it had misplaced the unencrypted names, dates of birth and expected release dates of the inmates, as well as the addresses of 33,000 prolific criminals – has won £240m of government contracts since 2004, including one as the Home Office’s “development partner” to “work on the design, feasibility testing, business case and procurement elements of the identity cards programme”.

[From Consultants who lost data are working on ID cards – UK Politics, UK – The Independent]

Today, however, PA Consulting have vanished from the papers, having been swept away by the hilarious blunder by one of RBS’ suppliers, who sold a disk drive on eBay without erasing it first.

The computer hard drive was sold for a paltry £35 but the information on it was priceless, as it contained highly sensitive documentation on American Express, NatWest and Royal Bank of Scotland customers.

[From Customers’ bank data sold through eBay | News | TechRadar UK]

Now, while the newspaper anger is, to my mind, slightly misplaced — while RBS losing people’s personal details including mother’s maiden name is bad, what’s worse is that you can use personal details including mother’s maiden name to execute transactions because RBS (like many other banks) have no consistent two- or three-factor security across channels, so the paper should be angry at banks for not implementing digital identity rather than losing hard drives — it must at some level lead to even further erosion of trust in banks.

Technology lessons

[Dave Birch] It must make me sound like some sort of snob, but I genuinely feel that one of the problems with the discussion of identity, privacy and related issues in the public sphere is that, ultimately, the policymakers, regulators and politicians just do not understand either technology as part of the problem or technology as part of the solution. Ian Brown’s review of the Thomas/Walport report about data sharing touches on this:

While it makes a brief mention of credentials (r. 5), the report is extremely backward-looking on technology,

[From Blogzilla: Thomas/Walport data sharing review published]

The problem, I think, is more insidious than it seems at first. It isn’t just that the people writing the report don’t understand the technology, it’s that they don’t even appear to think that the technology is important. As I noted at the time of the review…

Pete Bramhall from HP sagely noted that the consultation document began with the statement that it assumed a familiarity with the Data Protection Act and other relevant legislation. How come, he pointed out, it did not assume a familiarity with rudimentary information technology, basic data security, elementary cryptography or, indeed, anything else that might help to develop a privacy-enhancing infrastructure for the modern world. Quite.

[From Digital Identity Forum: Another thing invented by lawyers]

How are we going to get a genuine breakthrough in identity management when the gap between the “two cultures” appears to be widening? No, not those two cultures but the cultures of information and communications technology on the one hand and lawyers (particularly the ones that end up in the government) on the other.

UK Confidential

[Dave Birch] The excellent DEMOS report on privacy “UK Confidential” contains contributions from many of the people I regard as thought leaders in the field and has ideas aplenty. It was supported by BT “in the interests of furthering public debate”, which it certainly does. I’m curious about the extent to which the “tag line” on the report is true or not. It says “an open society depends on individuals rediscovering the social value of privacy”. Is it really for individuals? It seems to me that it is something that needs to be woven into the fabric of society — partly through the technological implementation of identity, the kind of thing that interests me greatly — because it’s a social good.

Anyway, in the introduction, Charlie Edwards and Catherine Fieschi say that “We lack the language to discuss privacy holistically. We use outdated frames of reference that are no longer adequate to discuss the contemporary landscape of privacy concerns or re-frame complex issues about data protection and vulnerability in other terms”. I couldn’t agree more — I’ve been writing a magazine article arguing, similarly, that both the government and its critics on identity management share this outdated frame of reference (which I’ve labelled “Orwellian”) — and there’s no doubt that it is a major impediment, a contributing factor to the privacy logjam we’re now stuck in, where privacy and security are seen as opposites that we have to balance in some way. I don’t want to dip into the “what is privacy” discussion here, except to note that it is important not to make the mistake of conflating a brief period of essentially urban anonymity with privacy and therefore make privacy something we can return to or get back in some way: Most people, throughout most of history, have had no privacy whatsoever.

The essential core of privacy in a modern context, I think, must be built around choice and consent (this is why I’m looking forward to our participation in a couple of Technology Strategy Board projects on Privacy & Consent later in the year). I tend to see these as important components of future consumer propositions and therefore viable if chosen carefully — there’s no point coming up with great privacy plans that business will never implement. They call the privacy component of an exchange an “invisible transaction”, which is a nice way of putting it. If companies can find privacy-enhancing processes that go with the grain of business, then surely they will promote them (much as they have begun to promote “green” elements of their operations).

In the conclusion Charlie and Catherine say that “our collective ignorance means that we get the privacy we deserve” but I’m not sure I’d be so negative. People are ignorant about lots of things, but they expect professionals (e.g., us, I hope) to make good decisions for them. I’m happy to contribute to that debate.

Meet the people

[Dave Birch] Preparing my notes for RUSI, I was thinking about what it would take to get the public to have confidence in a national identity management scheme, and it reminded me that I took part in a very good public debate about privacy and surveillance recently. I was on a panel that included the assistant Information Commissioner Jonathan Bamford and Tom Ilube of Garlik as well as fellow Royal Academy of Engineering Working Group member Martin Thomas. It was a little unusual (for me) in that many of the audience were genuine members of the public rather than technology or sector specialists, so I thought it might be a useful service to bring some of their questions to your attention. They were a timely reminder to me about the kind of concerns that our customers will have to address to formulate successful consumer propositions with an identity component. For example, there were a couple of questions about vehicle tracking. I’m certainly guilty of spending most of my time thinking about personal data in too few dimensions: vehicle tracking was as much a concern to the audience as people tracking. But the subtext should be noted: many of the anecdotes were about how wrong the DVLA database is, which clearly informed opinions about the people database (aka national identity register): there’s a clear distinction, as far as I can see, between the small number of people who are against government identity management because it’s just plain wrong and the much larger number of people (I might go so far as to venture, the majority) who are against it because they think the government will lose, delete, corrupt or spy on their data if they ever get the system working in the first place.

NFC, privacy and identity infrastructure

[Dave Birch] I’ve had a few e-mails from people about this paper by Collin Mulliner. This paper describes vulnerabilities in NFC implementations using "smart posters". It’s the nature of the attacks, rather than exposure levels, that is worth looking at since, as Collin says,

 

The attacks demonstrated are trivial due to the manufacturer time to market (TTM) obsession, thereby shipping devices with trivial vulnerabilities. In Mulliner’s research they orbit around passive tags, which are mostly abused as vectors for any of the attacks demonstrated.

[From Attacks on NFC mobile phones demonstrated | Zero Day | ZDNet.com]

The attacks fall, broadly, into two categories. There are attacks on the implementation of the NFC tag standard in a current handset — these remind us of a useful lesson about implementing new standards, but are not that significant in the long run — and attacks on the way that tags work in the current NFC standards. The problem that Collin has focussed on here is that there is no way of knowing whether a tag is "real" or not: you wave your phone at a Royal Bank of Scotland advert at the train station, but the tag has been tampered with (shielded by a bogus tag, for example) so that your phone is redirected to a web site in the Ukraine which looks like RBS but is just going to use your entered username/password to log in to your account for nefarious purposes. Unfortunately, that’s the way tags work: there is no way of preventing this and Collin is right to highlight both modifying original tags and replacing them with malicious tags as interesting security questions.

These questions relate to the better understood issue of product vs. provenance in the RFID world and, as we know, one way to solve that problem is by using digital identity: it’s just that it’s the identity of stuff in question, not the identity of people.
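
The tampered-tag scenario above, as an added example (not from the original post or from Mulliner's paper): a handset-side check that decodes the URI record a smart poster tag carries and refuses to open it unless the host is one the app already expects. The expected-host list, the `bank.example` names and the helper functions are assumptions for illustration; the tag itself still cannot prove it is genuine.

```python
from urllib.parse import urlsplit

# URI identifier codes from the NFC Forum URI record type (subset).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

def parse_uri_record(record: bytes) -> str:
    """Decode one short NDEF record of well-known type 'U' into a URI."""
    if len(record) < 4:
        raise ValueError("record too short")
    header, type_len, payload_len = record[0], record[1], record[2]
    short_record = bool(header & 0x10)   # SR: 1-byte payload length
    has_id = bool(header & 0x08)         # IL: ID length field present
    tnf = header & 0x07                  # 0x01 = NFC Forum well-known type
    if not short_record or has_id or tnf != 0x01:
        raise ValueError("only short well-known records without ID handled")
    rtype = record[3:3 + type_len]
    payload = record[3 + type_len:3 + type_len + payload_len]
    if rtype != b"U" or len(payload) != payload_len or payload_len < 1:
        raise ValueError("not a complete URI record")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unsupported URI identifier code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def check_tag_uri(uri: str, expected_hosts: set) -> tuple:
    """Return (allowed, reason); the tag's content alone is never trusted."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False, "not https"
    if host not in expected_hosts:   # exact match, so look-alike hosts fail
        return False, "host %r not expected for this poster" % host
    return True, "ok"

def make_uri_record(code: int, rest: str) -> bytes:
    """Build a constructed sample record (MB=1, ME=1, SR=1, TNF=1)."""
    payload = bytes([code]) + rest.encode("utf-8")
    return bytes([0xD1, 1, len(payload)]) + b"U" + payload

# Constructed samples: an original tag and a replacement look-alike.
EXPECTED = {"www.bank.example"}   # assumed to reach the app out of band
GENUINE = make_uri_record(0x02, "bank.example/offers")
REPLACED = make_uri_record(0x04, "www.bank.example.login.invalid/offers")
```

The check only narrows where a tag can send the phone; it relies on the expected hosts being known to the handset independently of the tag.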

From paradise? No, Luton South

[Dave Birch] What a guru I am! It’s almost uncanny! On 11th May 2008, I wrote (in an unpublished draft for this blog) that “It’s only a matter of time before some M.P. suggests that one of the many benefits of the government’s splendid new identity card scheme is that it will help with identifying kids on the web to protect them or stop them from buying knives or something”. Well, today I read that

If you can’t prove how old you are, your days of shopping on the internet may be numbered. Fears that young people could be getting hold of knives, adult DVDs and alcohol are all fuelling a campaign by Margaret Moran, MP for Luton South, to make online age verification compulsory in the UK.

[From Online ID checks to limit teen booze and knife purchases | The Register]

I assumed that selling alcohol to someone under 18 was illegal whether you do it in a shop or on the web and so merchants would want to carry out age verification to avoid prosecution. As the reporter says, “Does anyone feel yet another justification for compulsory ID coming on?”

Fasten your seat belt

[Dave Birch] I was so bored in my hotel room while I was waiting for Microsoft Office to re-build my mail database that I picked up a copy of Newsweek and started leafing through it. To my surprise, I came across an interesting piece about privacy.

The economics of privacy is, like anything else, a matter of trade-offs… The problem is that people can’t make informed decisions if they don’t know exactly what the trade-offs are. And they’ve proven that they don’t.

[From Protect the Willfully Ignorant | Newsweek International Edition | Newsweek.com]

I couldn’t agree more. As it happens, Consult Hyperion is part of a consortium that has just been chosen by the U.K.’s Technology Strategy Board to carry out a research project in this field, trying to find better ways to describe and display privacy so that the consumers and citizens can make informed choices, can negotiate around privacy in a constructive way and can deal more effectively with both corporate and government organisations. The article goes on to make a comparison that I’m not sure is entirely valid: the comparison is between privacy and safety, and the reason I’m unsure about it is because it uses the example of cars, seat belts and accidents — all of which are things that consumers understand and can experience in a way that they cannot with privacy (at least, they cannot until our research project bears fruit!). Anyway, the article says

Car manufacturers let consumers pick engine sizes, color and the fabric on the seats, but not the design of the seat belt. “Consumers lack expertise about seat-belt design and don’t want to invest time learning about it,”… Rather than let people figure out the optimal seat belt for themselves, experts pick a standard.

[From Protect the Willfully Ignorant | Newsweek International Edition | Newsweek.com]

Ok, so let’s pick a standard. I vote for… er… hmmm… wait, I’ll get back to you on this.
