Internet driver’s license?


Last year I said that I thought that the US National Strategy for Trusted Identities in Cyberspace (NSTIC) was heading in the right direction. I’m very much in favour of the private sector providing multiple identities into a framework that is used by the public sector and vice versa. I’m in favour of choice: if I choose to use my Barclays identity to access the DVLA or my DWP identity to access O2 it shouldn’t matter to the effective and efficient use of online transactions. There was one area where I felt it could have presented a slightly different vision, and that’s in the use of pseudonyms, which I think should be the norm rather than the exception.

People should consider it normal to get a virtual identity from their bank or their mobile phone operator in a pseudonymous name so that they can browse, transact and comment without revealing anything about themselves other than the facts relevant to a transaction.

[From Digital Identity: USTIC]

James Van Dyke, when discussing NSTIC (which seems to have become known unofficially as “Obama’s Internet Identity System”) warned about

Apocalyptic fear-mongers. Yes I’m ending with the crazies here, but hear me out. The extreme cable networks and televangelists will surely jump on this as the digital incarnation of the Mark of either the Beast or (gasp!) Obama liberals. Historians will recall that social security numbers were supposed to be an apocalyptic conspiracy.

[From Obama’s Internet Identity System: Could This Change Everything? – Javelin Strategy & Research Blog]

I don’t think the danger is the crazies — although I feel a little sheepish writing this a couple of days after a crazy did, in fact, murder several people and seriously injure a congresswoman — but the journalists, politicians, commentators and observers who don’t really understand the rather complex topic of digital identity. Or, as “Identity Woman” Kaliya Hamlin (who some of you may remember from the first European Internet Identity Workshop that Consult Hyperion sponsored with our friends from Innopay and Mydex back in October) said about NSTIC:

I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative

[From National! Identity! Cyberspace!: Why we shouldn’t freak out about NSTIC. | Fast Company]

She’s bang on with this. Here’s a couple of typical examples from the blogosphere:

CNET reported on January 7, 2011 that Obama has signed authority over to U.S. Commerce Department to create new privacy laws that require American citizens to hold an Internet ID card.

[From Internet Anonymity: Obama Pushes for an American Internet ID]

And

President Obama has signaled that he will give the United States Commerce Department the authority over a proposed national cybersecurity measure that would involve giving each American a unique online identity

[From Obama administration moves forward with unique internet ID for all Americans, Commerce Department to head system up — Engadget]

As far as I can see, NSTIC being managed by the Commerce Department has nothing to do with “privacy laws” and the idea that it will require Americans to have an “Internet ID” is a journalistic invention. The actual situation is that NSTIC is to go from being an idea to an actual system:

The Obama administration plans to announce today plans for an Internet identity system that will limit fraud and streamline online transactions, leading to a surge in Web commerce, officials said. While the White House has spearheaded development of the framework for secure online identities, the system led by the U.S. Commerce Department will be voluntary and maintained by private companies,

[From Internet Identity System Said Readied by Obama Administration – BusinessWeek]

What this means is not that Americans will get an “Internet Driver’s License” but that they will be able to log in to their bank, the Veteran’s Administration, the DMV and their favourite blogs using a variety of IDs provided by their bank, their mobile phone operators and others.

[White House Cybersecurity Coordinator] Howard Schmidt stressed today that anonymity and pseudonymity will remain possible on the Internet. “I don’t have to get a credential, if I don’t want to,” he said.

[From Obama to hand Commerce Dept. authority over cybersecurity ID | Privacy Inc. – CNET News]

As long as it’s a matter of choice, I really don’t see a problem with this. The idea of NSTIC is that it is the infrastructure that is standardised, and this is good. We need standards for credentials and such like so that I can use my Woking Council ID to log in to central government services and my Barclays Bank ID so that I can log in to do my taxes online: but I might pay Barclays for an additional ID that has some key credentials (IS_A_PERSON, IS_OVER_18, IS_NOT_BANKRUPT, that sort of thing) but does not reveal my identity. This sort of Joe Bloggs (or, for our cousins over the water, John Doe) identity would be more than adequate for the vast majority of web browsing and if other people want to wander the highways and byways of the interweb with a Manchester United, Prince or BBC ID, then it’s up to them. Let a thousand flowers bloom, as they say (well, as Chairman Mao said).

If the crazies want to be concerned about a single ID mark of the e-beast infocalypse, they’re perfectly entitled to, but I don’t understand why they are convinced it will come from the government in general or Obama in particular – there are half-a-billion people out there (including me) who have already handed over their personal information to a single unaccountable entity.

Facebook Login lets any website on the planet use its identity infrastructure—and underlying security safeguards. It’s easy to implement Facebook Login, simply by adding a few lines of code to a web server. Once that change is made, the site’s users will see a “Connect with Facebook” button. If they’re already logged into Facebook (having recently visited the site), they can just click on it and they’re in. If they haven’t logged in recently, they are prompted for their Facebook user name and password.

[From Facebook Wants to Supply Your Internet Driver’s License – Technology Review]

Now, at the moment Facebook Connect just uses a password, so it’s no more secure than banks or government agencies, but it could move to a 2FA implementation in the future. Widespread 2FA access to online services really should have become a business for banks or mobile operators already (think how long Identrus has been around) but it just hasn’t happened: I can’t use my Barclays PINSentry to log on to Barclaycard, let alone the government or an insurance company. But suppose my Facebook login required access to my mobile phone so it was much more secure: you know the sort of thing, enter e-mail address, wait for code to arrive on mobile phone, enter code (a proper UICC-based digital signature solution would be much better, but that’s another topic). Then I could use Facebook Connect for serious business. This would have an interesting side-effect: Facebook would know where I go on the web, which seems to me to be much more like the mark of the e-beast.

An interesting side benefit for website operators is that Facebook Login provides the site with users’ real names (in most cases) and optionally a variety of other information, such as the users’ “friends” and “likes.”

[From Facebook Wants to Supply Your Internet Driver’s License – Technology Review]

Which is, of course, why I don’t use it. On the other hand, if Facebook decided to use cryptography to secure and protect this sort of information, they could at a stroke create a desirable internet passport: by “blinding” the passport to prevent service providers from tracking the identity across web sites Facebook could significantly improve both convenience and privacy for the average user.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Paleo-crypto


In some of the workshops that I’ve been running, I’ve mentioned that I think that transparency will be one of the key elements of new propositions in the world of electronic transactions and that clients looking to develop new businesses in that space might want to consider the opportunities for sustained advantage. Why not let me look inside my bank and see where my money is, so to speak? If I log in to my credit card issuer I can see that I spent £43 on books at Amazon: if I log in to Amazon I can see that I spent £43 but I can also see what books I bought, recommendations, reviews and so on. They have the data, so they let me look at it. If I want to buy a carpet from a carpet company, how do I know whether they will go bankrupt or not before they deliver? Can I have a look at their order book?
Transparency increases confidence and trust. I often use a story from the August 1931 edition of Popular Mechanics to illustrate this point. The article concerns the relationship between transparency and behaviour in the specific case of depression-era extra-judicial unlicensed wealth redistribution…

BANK hold-ups may soon become things of the past if the common-sense but revolutionary ideas of Francis Keally, New York architect, are put into effect. He suggests that banks be constructed with glass walls and that office partitions within the building likewise be transparent, so that a clear view of everything that is happening inside the bank will be afforded from all angles at all times.

[From Glass Banks Will Foil Hold-Ups]

I urge you to click on the link, by the way, to see the lovely drawing that goes with the article. The point is well made though: you can’t rob a glass bank. No walls, no Bernie Madoff. But you can see the problem: some of the information in the bank is confidential: my personal details, for example. Thus, it would be great if I could look through the list of bank deposits to check that the bank really has the money it says it has, but I shouldn’t be able to see who those depositors are (although I will want third-party verification that they exist!).

Why am I talking about this? Well, I read recently that Bank of America has called in management consultants to help them manage the fallout from an as-yet-nonexistent leak of corporate secrets, although why these secrets would prove embarrassing is not clear. In fact, no-one knows whether the leak will happen, or whether it will impact BofA, although Wikileaks’ Julian Assange had previously mentioned having a BofA hard disk in his possession, so the market drew its own conclusions.

Bank of America shares fell 3 percent in trading the day after Mr. Assange made his threat against a nameless bank

[From Facing WikiLeaks Threat, Bank of America Plays Defense – NYTimes.com]

Serious money. Anyway, I’m interested in what this means for the future rather than what it means now: irrespective of what Bank of America’s secrets actually are because

when WikiLeaks, a whistle-blowing website, promised to publish five gigabytes of files from an unnamed financial institution early next year, bankers everywhere started quaking in their hand-made shoes. And businesses were struck by an alarming thought: even if this threat proves empty, commercial secrets are no longer safe.

[From Business and WikiLeaks: Be afraid | The Economist]

Does technology provide any comfort here at all? I think it does. Many years ago, I had the pleasant experience of having dinner with Nicholas Negroponte, John Barlow and Eric Hughes, author of the cypherpunk manifesto, at a seminar in Palm Springs. This was in, I think, 1995. I can remember Eric talking about “encrypted open books”, a topic that now seems fantastically prescient. His idea was to develop cryptographic techniques so that you could perform certain kinds of operations on encrypted data: in other words, you could build glass organisations where anyone could run some software to check your books without actually being able to read your books. Nick Szabo later referred back to the same concepts when talking about the specific issue of auditing.

Knowing that mutually confidential auditing can be accomplished in principle may lead us to practical solutions. Eric Hughes’ “encrypted open books” was one attempt.

[From Szabo]

Things like this seem impossible when you think of books in terms of paper and index cards: how can you show me your books without giving away commercial data? But when we think in terms of bits, and cryptography, and “blinding” it is all perfectly sensible. This technology seems to me to open up a new model, where corporate data is encrypted but open to all so that no-one cares whether it is copied or distributed in any way. Instead of individuals being given the keys to the database, they will be given keys to decrypt only the data that they are allowed to see and since these keys can easily be stored in tamper-resistant hardware (whereas databases can’t) the implementation becomes cost-effective. While I was thinking about this, Bob Hettinga reminded me about Peter Wayner’s “translucent databases”, which build on Eric’s concepts.

Wayner really does end up where a lot of us think databases will be someday, particularly in finance: repositories of data accessible only by digital bearer tokens using various blind signature protocols… and, oddly enough, not because someone or other wants to strike a blow against the empire, but simply because it’s safer — and cheaper — to do that way.

[From Book Review: Peter Wayner’s “Translucent Databases”]
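The “blinding” behind such bearer tokens, and behind the blinded internet passport suggested in the earlier post, can be shown with a Chaum-style RSA blind signature. This is an added example, not code from Wayner, Hughes or any identity provider; the toy key built from two small Mersenne primes, the token wording and all function names are assumptions for illustration and are not secure parameters.

```python
import hashlib
import math
import secrets

# Toy RSA key for the issuer (assumption: two Mersenne primes chosen so the
# example runs offline with no key generation; far too small for real use).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def token_digest(token: bytes) -> int:
    """Map a token to an integer below N (hash, then reduce)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def new_blinding_factor() -> int:
    """Pick a random r that is invertible modulo N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def blind(token: bytes, r: int) -> int:
    """User side: hide the token digest as m * r^e mod N."""
    return (token_digest(token) * pow(r, E, N)) % N


def issuer_sign(blinded: int) -> int:
    """Issuer side: sign whatever arrives; it never sees the token."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """User side: strip r to leave an ordinary signature on the token."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """Relying party: check the issuer's signature with the public key."""
    return pow(sig, E, N) == token_digest(token)


def issue_unlinkable_credential(token: bytes):
    """Run the whole exchange; return (signature, what the issuer saw)."""
    r = new_blinding_factor()
    blinded = blind(token, r)
    sig = unblind(issuer_sign(blinded), r)
    return sig, blinded


if __name__ == "__main__":
    # Constructed token: one attribute claim plus a random serial number.
    token = b"IS_OVER_18|" + secrets.token_hex(16).encode()
    sig, seen_by_issuer = issue_unlinkable_credential(token)
    print("verifies at relying party:", verify(token, sig))
    print("issuer saw the token digest:", seen_by_issuer == token_digest(token))
```

Because the issuer cannot read what it signs, a scheme of this kind has to bind the claim to the signing key itself (for example one key per attribute), which this sketch does not show.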

There are other kinds of corporate data that it may at first seem need to be secret, but on reflection could be translucent (I’ll switch to Peter’s word here because it’s a much better description of practical implementations). An example might be salaries. Have the payroll encrypted but open, so anyone can access a company’s salary data and see what salaries are earned. Publish the key to decrypt the salaries, but not any other data. Now anyone who needs access to salary data (eg, the taxman, pressure groups, potential employees, customers etc) can see it and the relevant company data is transparent to them. One particular category of people who might need access to this data is staff! So, let’s say I’m working on a particular project and need access to our salary data because I need to work out the costs of a proposed new business unit. All I need to know is the distribution of salaries: I don’t need to know who they belong to. If our payroll data is open, I can get on and use it without having to have CDs of personal data sent through the post, or whatever.
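A translucent payroll along these lines, as an added example that is not from the original post or from Wayner’s book: the identifying column is replaced by a keyed one-way function (a substitution for the per-column encryption described above) while salaries stay readable, and small groups are merged or withheld so a figure cannot be pinned on one unit or person. The records, key, field names and the threshold of 3 are constructed for illustration.

```python
import hashlib
import hmac
import statistics
from collections import Counter, defaultdict

# Constructed sample payroll; names, departments and salaries are invented.
PAYROLL = [
    ("Alice Archer", "Consulting", 52000),
    ("Bob Baker", "Consulting", 48000),
    ("Carol Cooper", "Consulting", 61000),
    ("Dan Draper", "Labs", 45000),
    ("Erin Ellis", "Labs", 47000),
    ("Frank Ford", "Labs", 83000),
    ("Grace Green", "Board", 140000),
]

MIN_GROUP = 3  # assumption: smallest group that may be named or summarised


def pseudonym(name: str, key: bytes) -> str:
    """Keyed one-way function over the identifying field.

    The key matters: names are guessable, so an unkeyed hash could be
    reversed by hashing a staff list and comparing.
    """
    normalised = " ".join(name.lower().split())
    return hmac.new(key, normalised.encode(), hashlib.sha256).hexdigest()[:16]


def publish(records, key: bytes, min_group: int = MIN_GROUP):
    """Build the open table: identity hidden, salary data readable."""
    sizes = Counter(dept for _, dept, _ in records)
    rows = [
        {
            "id": pseudonym(name, key),
            # A department with very few staff would name its members.
            "dept": dept if sizes[dept] >= min_group else "Other",
            "salary": salary,
        }
        for name, dept, salary in records
    ]
    # Sort by pseudonym so row order does not mirror the HR system's order.
    return sorted(rows, key=lambda row: row["id"])


def salary_stats(rows, min_group: int = MIN_GROUP):
    """What any reader can compute; groups below min_group are withheld."""
    by_dept = defaultdict(list)
    for row in rows:
        by_dept[row["dept"]].append(row["salary"])
    stats = {}
    for dept, salaries in by_dept.items():
        if len(salaries) < min_group:
            stats[dept] = None
        else:
            stats[dept] = {
                "count": len(salaries),
                "median": statistics.median(salaries),
                "total": sum(salaries),
            }
    return stats


def lookup(rows, name: str, key: bytes):
    """Only a key holder can map a person back to a row."""
    wanted = pseudonym(name, key)
    for row in rows:
        if hmac.compare_digest(row["id"], wanted):
            return row
    return None


if __name__ == "__main__":
    hr_key = b"constructed-hr-key"  # would live in tamper-resistant hardware
    table = publish(PAYROLL, hr_key)
    print(salary_stats(table))
    print(lookup(table, "Alice Archer", hr_key))
```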

I can see that for many organisations this kind of controlled transparency (ie, translucency) will be a competitive advantage: as an investor, as a customer, as a citizen, I would trust these organisations far more than “closed” ones. Why wait for quarterly filings to see how a public company is doing when you could go on the web at any time to see their sales ledger? Why rely on management assurances of cost control when you can see how their purchase ledger is looking (without necessarily seeing what they’re buying or who they are buying it from) on their web page? Why not check staffing levels and qualifications by accessing the personnel database? Is this any crazier than Blippy?

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

Masters key

[Dave Birch] This whole internet thing is getting more and more complicated. I’m trying to work out what government policies toward the internet are, so that I can help our clients to develop sound long-term strategies with respect to digital identity. To do this, we need to understand how the security environment will evolve and what the government’s attitude to security is. Should people be allowed to send data over the internet without interference? The US government thinks so.

Since 2007, Congress has inserted a total of $50 million of earmarks into the State Department’s budget to fund organizations dedicated to fighting Internet censorship.

[From Rebecca MacKinnon: No quick Fixes for Internet Freedom – WSJ.com]

Uh oh. This cannot be popular with people in favour of internet censorship, such as U2’s boss.

U2 manager Paul McGuinness said that the only reason the music industry had tanked over recent years was not because outfits like U2 peddled the same boring crap that they did in the 1980s, but because of the introduction of broadband.

[From Comment: Broadband only useful for pirates – U2 manager screams blue murder | TechEye]

Setting aside the fact that the British music industry earned more money than ever before last year, U2 are totally wrong to expect the rest of society to pay to uphold their business model in the face of all technological change. Bono is wasting his time calling for Chinese-style internet censorship in order to maximise record company profits, or at least he is if the US government is going to continue funding the opposition.

China syndrome

[Dave Birch] What should government policy on identity be? Not specifically our government, or EU governments, or any other government, but governments in general. Or, let’s say, governments in democratic countries. OK, that’s a very big question to tackle. Let’s narrow it down to make a point: what should government policy on the internet be? No, that’s still too big and perhaps too vague. Let’s focus down further on a simple internet question: should the government be allowed to see what is going through the internet tubes? Of course! One of their jobs is to keep me safe from drug-dealing Nazi terrorist child pornographers who formulate devilish plots with the aid of the web.

According to reports, the FBI is asking for the authority to require all Internet communications platforms build in a “backdoor” allowing law enforcement easy wiretapping access

[From Should Government Mandate “Backdoors” for Snooping on the Internet? | Center for Democracy & Technology]

In parallel, the FBI is talking to technology companies about how they could be making it easier for criminals to see your credit card details and for the government to read your e-mail.

Robert S. Mueller III, the director of the Federal Bureau of Investigation, traveled to Silicon Valley on Tuesday to meet with top executives of several technology firms [including Google and Facebook] about a proposal to make it easier to wiretap Internet users.

[From F.B.I. Seeks Wider Wiretap Law for Web – NYTimes.com]

This, superficially, sounds like a good idea. Who could object? We don’t want the aforementioned Nazi drug-dealing child pornographers plotting terrorist acts using the interweb tubes with impunity. No right-thinking citizen could hold another view. But hold on…

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

[From U.S. enables Chinese hacking of Google – CNN.com]

It’s not that simple, is it? If you create a stable door, then sooner or later you will find yourself bolting it long after the horse has had its identity stolen. What I can’t help but wonder about in this context is whether the content actually matters: suppose you can’t read my e-mail, but you can see that a lot of mail addressed to Osama bin Laden is coming from my house? Surely that would be enough to put me under suspicion and trigger some other law enforcement and intelligence activity?

My multiples

[Dave Birch] I watched a strange TV show on a plane back from the US. It was about a woman with “Multiple Personality Disorder” (remember that book Sybil — not the one by Benjamin Disraeli — from years ago?). I make no comment about whether the disorder is real or not (the TV show wasn’t that interesting) but there’s no doubt in my mind that when it comes to the virtual world, multiple personalities are not only real, but desirable.

Here’s a good reason for not having your Facebook account in your real name (as I don’t):

Five interviewees who traveled to Iran in recent months said they were forced by police at Tehran’s airport to log in to their Facebook accounts. Several reported having their passports confiscated because of harsh criticism they had posted online about the way the Iranian government had handled its controversial elections earlier this year.

[From Emergent Chaos: Fingerprinted and Facebooked at the Border]

I’ve already created a new Facebook identity and posted a paean to Iran’s spiritual leaders just in case I am ever detained by revolutionary guards and forced to log in. But will this be enough? Remember what happened to film maker David Bond when he made his documentary about trying to disappear? The private detectives that he had hired to try and find him simply went through Facebook:

Pretending to be Bond, they set up a new Facebook page, using the alias Phileas Fogg, and sent messages to his friends, suggesting that this was a way to keep in touch now that he was on the run. Two thirds of them got in contact.

[From Can you disappear in surveillance Britain? – Times Online]

So even if you are careful with your Facebook personalities, your friends will blab. As far as I can tell, there’s no technological way around this: so long as someone knows which pseudonym is connected to which real identity, the link may be uncovered. Probably the best we can do is to make sure that the link is held by someone who will demand a warrant before opening the box.

Recognising the problem

[Dave Birch] An interesting series of talks at Biometrics 2010 reminded me how quickly face recognition software is improving. The current state of the art can be illustrated with some of the examples given by NIST in their presentation on testing.

  • A 1:1.6m search on a 16-core 192Gb blade (about a $40k machine) takes less than one second, and the speed of search continues to improve. So if you have a database of a million people, and you’re checking a picture against that database, you can do it in less than a second.
  • The false non-match rate (in other words, what proportion of searches return the wrong picture) best performance is accelerating: in 2002 it was 20%, by 2006 it was 3% and by 2010 it had fallen to 0.3%. This is an order of magnitude fall every four years and there’s no reason to suspect that it will not continue.
  • The results seem to degrade by the log of population size (so that a 10 times bigger database delivers only twice the miss rate). Rather fascinatingly, no-one seems to know why, but I suppose it must be some inherent property of the algorithms used.

We’re still some way from Hollywood-style biometrics where the FBI security camera can spot the assassin in the Superbowl crowd.

What is often overlooked is that biometric systems used to regulate access of one form or another do not provide binary yes/no answers like conventional data systems. Instead, by their very nature, they generate results that are “probabilistic”. That is what makes them inherently fallible. The chance of producing an error can be made small but never eliminated. Therefore, confidence in the results has to be tempered by a proper appreciation of the uncertainties in the system.

[From Biometrics: The Difference Engine: Dubious security | The Economist]

So when you put all of this together, you can see that we are heading into some new territory. Even consumer software such as iPhoto has this stuff built in to it.


It’s not perfect, but it’s pretty good. Consumers (and suppliers) do, though, have an unrealistic idea about what biometrics can do as components of a bigger system.

But Microsoft’s new gaming weapon uses “facial and biometric recognition” that creates a 3D model of a player. “It recognises a 3D model that has walked into the room and automatically logs that player in,” Mr Hinton said… “It knows when they are sneakily trying to log into their older brother’s account and trying to cheat the system… You can’t do it. Your face is the ultimate detection for the device.”

[From Game console ‘rejects’ under-age players | Herald Sun]

This sounds sort of fun. Why doesn’t my bank build this into its branches so that when I walk in?

Criminal inconvenience

[Dave Birch] It was identity theft week, or something like that, and since I’m about to start the CSFI’s 2010/2011 Research Programme into “Identity in Financial Services”, with support from Visa Europe, I’ve been thinking about the key aspects of the problem. For example: how well are current know-your-customer procedures working? After all, they are pretty stringent. To the point where the typical customer finds dealing with financial services organisations an absolute nightmare.

The ID banks require is getting beyond a joke. I’ve just been locked out of one of my online accounts, through no fault of my own, and they’re demanding I send them a certified document plus a utility/bank bill, but they won’t accept one printed online. Yet like many people, both for the environment and ease, I opt for paperless billing wherever I can, so I simply don’t get any printed statements anymore, leaving me at an ID disadvantage when banks refuse to count those as ID.

[From Martin Lewis’ Blog… | The bank ID farce: online accounts don’t accept online statements]

Still, I’m sure we’d all agree that it’s worth the massive imposition on customers, and the massive costs to companies, in order to crack down on ne’er-do-wells who are trying to defraud our banking system (at least, the ones who don’t work for banks). But since identity fraud appears to be at record levels, either these stringent controls are counter-productive (because only criminals will bother jumping through the hoops) or a total waste of money.

Drawing upon victim and impostor data now accessible because of updates to the Fair Credit Reporting Act, the data shows that identity theft impostors supply obviously erroneous information on applications that is accepted as valid by credit grantors. Thus, the problem does not necessarily lie in control nor in more availability of personal information, but rather in the risk tolerances of credit grantors. An analysis of incentives in credit granting elucidates the problem: identity theft remains so prevalent because it is less costly to tolerate fraud. Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts.

[From SSRN-Internalizing Identity Theft by Chris Hoofnagle]

Given the amount of trouble I find in accessing my own accounts — I tried to log in to my John Lewis card account this week and it asked me a password that I’d forgotten and when I followed the “forgotten password” link it asked me for a secret word or something that I didn’t even know I’d set — I can only assume that the total amount of time, effort and money wasted on this sort of thing across the financial services sector as a whole is enormous.

Share and share alike

[Dave Birch] I’m not sure if it was a good idea to have National Get Online Week at the same time as National Identity Fraud Prevention Week and at the same time as announcing record identity fraud figures!

The National Fraud Authority (NFA) said fraudsters who stole identities had gained £1.9bn in the past year. Their frauds had affected 1.8 million people, the NFA estimated.

[From BBC News – Identity fraud now costs £1.9bn, says fraud authority]

As Philip Virgo notes, there appear to be some conflicting messages here and there may be some danger of a lack of strategic co-ordination.

Just after Martha had described her plans to the “Parliament and the Internet” conference last week, those at the session on “On-line Safety” discussed the need to bring the two sets of messages together lest they cancel each other out.

[From Mixed messages: “Get Online Week” v. “National Identity Fraud Prevention Week” – When IT Meets Politics]

I’ve scoured the coverage to find out exactly what it is that the “Get Online” campaign and the “Fraud Prevention” campaign plan to do about identity infrastructure and I’ve looked through the Cabinet Office “Manifesto for a Network Nation” (which does not mention identity or authentication even once) to find out what the British equivalent of the US National Strategy for Trusted Identities in Cyberspace is but I’m afraid I’ve come up with a bit of a blank (although a search of the Get Online Week website did turn up one article that mentioned identity theft in 2008). Perhaps I’m looking in the wrong places and a correspondent can point me in the right direction.

The UK national security strategy that was released last week does at least mention identity theft as a problem (it says that “Government, the private sector and citizens are under sustained cyber attack today, from both hostile states and criminals. They are stealing our intellectual property, sensitive commercial and government information, and even our identities in order to defraud individuals, organisations and the Government”) but doesn’t actually mention identity or authentication, nor does it put forward any suggestion as to what might be done about the problem.

Tripped up

[Dave Birch] Many people have a real problem with the apparently anonymous nature of the interweb. I say “apparently” because, of course, unless you work really hard at it and really understand how the internet works, and really understand how your PC works, and really plan it carefully, you’re not really anonymous in the proper sense of the word.

Our sense of anonymity is largely an illusion. Pretty much everything we do online, down to individual keystrokes and clicks, is recorded, stored in cookies and corporate databases, and connected to our identities, either explicitly through our user names, credit-card numbers and the IP addresses assigned to our computers, or implicitly through our searching, surfing and purchasing histories.

[From The Great Privacy Debate: The Dangers of Web Tracking – WSJ.com]

I’m surprised that politicians, in particular, who keep going on about how terrible internet anonymity is, don’t understand a little more about the dynamics of the problem. If they did, they would realise that anonymity isn’t what it seems.

You might think, after enough major stories about “IP addresses” hit the news wires, everyone in political life would be aware that “anonymity” on the Internet is limited.

But someone in Sen. Saxby Chambliss’ (R-GA) office didn’t get the memo. In the aftermath of this week’s failed vote on the military’s “don’t ask, don’t tell” policy, someone named “Jimmy” registered an account at the gay news blog Joe.My.God. just to say, “All Faggots must die.”

[From Outed! Senate staffers, anti-gay slurs, and IP addresses]

In the general case, you are not anonymous on the interweb, but economically-anonymous, which I propose to label “enonymous”, and that’s not the same thing at all. If you threaten to kill the President, you will be tracked down, and the state will spend the money it takes on it. But if you call Lily Allen a hereditary celebrity and copyright hypocrite (not my own views, naturally) then it’s not worth the state’s money to track you down. If Lily wants to spend her own money on tracking you down and taking a civil action for libel, then fair enough, that’s the English way of limiting free speech. If the newspapers want to spend their own money on it, fine. For issues of great national interest, such as spurious death threats to the nation’s sweetheart, Cheryl Cole, The Sun can step in.

Yesterday The Sun traced the sender of a chilling anti-Cheryl message that blasted her over Zimbabwean Gamu’s TV exit. Wannabe rapper Sanussi Ngoy Ebonda, 20, admitted penning the sinister rant, which accused Cheryl of “da biggest mistake of your life” and included a threat to attack other girls sharing her name.

[From Cheryl Cole boosts security at mansion | The Sun |Showbiz|TV|X Factor]

So even though there’s precious little anonymity, should we allow enonymity to be the norm? There are plenty of people who think not, and they’re not all English libel lawyers. Surely common sense is on their side? Isn’t it wrong to let people hide behind pretend names?

Let’s focus on a specific and straightforward example. The comment pages on newspaper, magazine and other media web sites. Many such sites require registration but are still essentially enonymous. Is it right that enonymous commenters can say bad things about celebrities, politicians, business leaders? Would people be as horrible about public figures if they were forced to identify themselves?

Would the online debate among commenters be stifled by requiring commenters to sign their real names?

[From What did you say your name was? | Analysis & Opinion |]

The Chinese government certainly hope so.

China is considering measures to force all its 400m internet users to register their real names before making comments on the country’s myriad chat-rooms and discussion forums, in a further sign of tightening controls on freedom of speech.

[From China to force internet users to register real names – Telegraph]

We already know this doesn’t work, incidentally, because the Chinese already tried this for Internet cafes, supposedly to deal with the problem of young people spending too much time in virtual worlds. The only result was an instant, and profitable, black market in ID card numbers, whereby kids would get the ID numbers of people who weren’t going to play in cybercafes (eg, their grandparents) and use them to log in instead of using their own. There was an alignment of economic incentives here, because the cybercafes would not make money by turning people away.

Cafés that did not ask for identification often still had a registration book at the front desk, in which staff members were seen to write apparently random identification numbers and names during their free time.

[From HRIC | 中国人权]

Incidentally, another large and well-known country closely associated with our economic future (albeit a virtual one) has just abandoned plans to try and force Chinese-style real-name registration after a revolt by citizens (well, subscribers):

Blizzard has reversed a controversial decision that would have forced thousands of Starcraft and World of Warcraft (WoW) players to use their real names on the company’s online forums

[From Blizzard stands down over forum controversy | TG Daily]

I simply would not allow my kids to log in with their real names. I’m happy for them to log in using one of their multiple e-mail addresses. They’ve had pseudonymous e-mail addresses since they were old enough to go online. This isn’t just paranoia about people grooming children for sexual exploitation (the UK takes this kind of thing very seriously) and such like. There are lots of really good reasons for not wanting to use your identity in online debate and comment. I wrote once before about being shocked by some hate e-mails I received when I once posted some comments in a discussion about interest rates (“interest is the work of the devil”, “we know how you are” etc etc). Now, I still enjoy participating in online debates, but do so pseudonymously: my friends know who I am.

That, incidentally, may not be much of a protection, because the mapping of social graphs can soon locate you within a group of friends even if none of those friends disclose who you are. A determined third-party can learn very interesting things from those graphs and, unless everyone is anonymous or pseudonymous under certain conditions, figure out who you are.

Iran appears to be in two minds about whether to embrace or stymie technological progress. On the one hand, Twitter accounts helped the opposition mobilise demonstrations in the wake of last year’s contested presidential election… On the other hand, by monitoring Twitter traffic, Tehran was able to identify who was organising the protests.

[From FT.com / FT Magazine – Who controls the internet?]

As I’ve said before, in cyberspace no-one knows you’re a dog, but no-one knows you’re from the FBI either. Thus our government, the US government and many others are caught in two minds, just as the Iranians are. On the one hand, they are supposed to be in favour of free speech, but on the other hand, well, you know: Danish cartoonists, criminals, child pornographers, terrorists, enemies of the state, dissidents, apostates etc.

Now, maybe you don’t care. You’re “not doing anything wrong.” Well, Hoder wasn’t doing anything wrong when he went to Israel and blogged about it in Farsi. But he’s serving 20 years in jail in Iran.

[From Emergent Chaos » Blog Archive » AT&T, Voice Encryption and Trust]

But back to online commenting in our democracy. It’s not a simple issue, and “common sense” is not a good guide to anything in the virtual world, but it is clearly the case that in that virtual world some people behave inappropriately. You only have to read The Guardian newspaper’s online “Comment is Free” or Guido Fawkes, the UK’s top political blog, to see how appalling, disgusting, racist, misogynist, anti-semitic and just plain thick the general public can be. I am one of those old-fashioned liberals who thinks that the response to bad free speech should be more free speech, not less. I think we should be wary about limiting the anonymity of people who comment online, even if we could think of a way of doing so.

The Nazareth District Court has upheld the right of the Walla Web portal to refuse to hand over the IP addresses of commenters accused of defaming a journalist.

“The good of online anonymity outweighs the bad, and it must be seen as a byproduct of freedom of speech and the right to privacy,” Judge Avraham Avraham wrote in his ruling last week.

The court also said the critical remarks concerning Yedioth Ahronoth reporter Israel Moskovitz, posted online in 2008, were unlikely to harm his reputation since they were poorly written and appeared only once, and readers were not likely to take them seriously.

[From Uphold talkbacker’s anonymity in defamation trial, court says – Haaretz – Israel News ]

Actually, for journalists to complain about online comments, criticism and even abuse is a tiny bit worrying, since their business depends on such.

It doesn’t take long to find articles on CNN that quote anonymous officials. For them to rage against “cowards” who won’t stand behind what they say, and then to regularly quote “anonymous” sources, seems pretty damn hypocritical. Phillips claims anonymity online is “very unfair.” Phillips also attacks the media for “giving anonymous bloggers credit or credibility.” But again, CNN quotes all kinds of anonymous sources all the time.

[From CNN Claims ‘Something Must Be Done’ About Anonymous Bloggers | Techdirt]

On balance, then, I think a free society not only permits certain kinds of anonymity but actually depends on them, because we need informed and honest public debate to function properly. This was well-put in the Washington Post recently.

For every noxious comment, many more are astute and stimulating. Anonymity provides necessary protection for serious commenters whose jobs or personal circumstances preclude identifying themselves. And even belligerent anonymous comments often reflect genuine passion that should be heard.

[From Andrew Alexander – Online readers need a chance to comment, but not to abuse]

I couldn’t agree more. However, as the Post goes on to note, we have to recognise that people can be pretty horrible and we need a way to deal with that. Not banning anonymity, but managing the anonymousness (if there is such a word) in a better way.

The solution is in moderating — not limiting — comments. In a few months, The Post will implement a system that should help. It’s still being developed, but Straus said the broad outlines envision commenters being assigned to different “tiers” based on their past behavior and other factors. Those with a track record of staying within the guidelines, and those providing their real names, will likely be considered “trusted commenters.” Repeat violators or discourteous agitators will be grouped elsewhere or blocked outright. Comments of first-timers will be screened by a human being.

[From Andrew Alexander – Online readers need a chance to comment, but not to abuse]

This — in essence, baby steps toward a reputation economy — could be toughened up by using better identity infrastructure, but it’s not a bad place to start. But there are areas where the better infrastructure is more of a priority. Newspaper comments are one thing, but there are businesses that depend on online comments, and a good example is the burgeoning group review sector.

That’ll do nicely

[Dave Birch] Some time ago, I pointed out that aggressive retailers might use ID cards to cut payment schemes out of the transaction loop, by using ID cards as payment tokens and using the ACH network rather than Visa or MasterCard, and I subsequently wrote a piece on this for Electronic Finance & Payments Law & Policy. Having been thinking about this and other implications of the introduction of a national ID card scheme, I was surprised to hear from a bank that I was talking to that they had no strategy on the UK ID card (despite the fact that the first cards have already been issued) and no plans to develop a strategy. Now, on the one hand this is understandable, since the UK cards don't do much and there are no readers for them anyway, but on the other hand it may be unwise if other people are developing strategies that may impact banking.

As I have long been advising our clients in the payment space, there will be inevitable implications for retail payments businesses once a national ID card is in place.

[From Digital Identity Forum: Paying for identity]

Retailers want business change, not just lower fees, and, as has been discussed over on Digital Money, retailers may well be the key stakeholder group when it comes to developing new payment schemes for use at retail POS. Now, a barrier to their competing with existing card schemes themselves has been the cost of issuing and managing secure smart cards or other tokens. But if the government is going to do it for them, then they may as well exploit it. I can easily imagine taking my ID card and a blank cheque down to Tesco, putting them both into a machine and punching in my PIN. Then, next time I go shopping, I punch my PIN into the keypad at the checkout lane, wave my ID card over a reader and then go on my way. This kind of service has already begun to spring up in the U.S.A., in response to the issuing of “Real ID” drivers’ licences, which have machine-readable magnetic stripes that can be read at POS terminals. A company called National Payment Card (NPC) has begun to exploit the opportunity, by getting customers to register their bank details and a PIN against their licence. This means that customers can then pay for fuel by swiping their licences at petrol stations and entering a PIN. A similar national scheme has just launched in Malaysia, where one of the leading banks has begun installing kiosks where customers can use their bank chip card and the MyKad ID card (without biometric authentication) together to link the ID card with the bank account automatically:

Consumers will have to open either a savings or a current account with EON Bank, which is the only bank providing payment transactions through the MyKad at the moment.

[From Buy fuel with your MyKad]

The scheme is targeting the fuel sector in the first instance and has signed up all Caltex and BHP filling stations, so that customers can fill up and then pay at the pump with their ID card. Since the margins on fuel are thin, the sector has every incentive to cut payment schemes out of the loop and move to direct bank transfer via ACH. I wonder if they even bother to authorise the transactions: after all, if you try to cheat them by presenting the ID card when you have no money in the bank, they have your ID details and I imagine you'll be hotlisted pretty quickly.
