The Identity of Things: Products and Provenance

If we think about the idea of digital identity in the internet of things then luxury goods such as watches make for an interesting example. How would you tell a fake Rolex from a real one in an always-on, interconnected world? You might say just put a hologram in it, or a chip that can’t be forged or something. And these might be good starting points but it’s a much more complicated problem than it seems at first.

Let’s think about secure microchips. Suppose contactless technology is used to implement some kinds of ID for the Internet of Things (IDIoT) for luxury goods. If I see a Gucci handbag on sale in a shop, I will be able to wave my mobile phone over it and read the IDIoT. My mobile phone can decode the IDIoT and then tell me that the handbag is Gucci product 999, serial number 888. This information is, by itself, of little use to me. I could go onto the Gucci-lovers website and find out that product 999 is a particular kind of handbag, but nothing more: I may know that the chip in the handbag label is ‘valid’, but that doesn’t tell me much about the bag. For all I know, a bunch of tags might have been taken off real products and attached to fake products.

To know if something is real or not, I need more data. If I wanted to know if the handbag were real or fake, then I would need to know about the provenance as well as the product. The provenance might be distributed quite widely between different organisations with different drivers (this is why many people are keen on using the blockchain as a means to co-ordinate and obtain consensus in such an environment). The retailer’s system would know from which distributor the bag came; the distributor’s system would know from which factory the bag came; Gucci’s system would know who stitched it and where the components came from; and a supplier system would know that the material came from sustainable hippos or whatever else it is they make handbags from. I would need access to these data to decide whether the bag is real or fake. (Of course, I might want access to other data to give me more information to support my purchase decisions too, such as ethical data: who guarantees that my new jeans were not made by children, and so on?)

This is a critical point. The key to all of this is not the product itself but the provenance. A secure system of provenance (for example) is the core of a system to tell real from fake at scale.

Provenance

Who should control the provenance of a product, and who should have access to all or part of that provenance, is rather complicated. Even if I could read some identifier from the product, why would the retailer, the distributor or Gucci tell me anything about the provenance? How would they know whether I am a retailer, one of their best customers, one of their own ‘brand police’, a counterfeiter (who would love to know which tags are in which shops and so on) or a law enforcement officer with a warrant?

This is where the need for a digital identity comes into the picture. A Gucci brand policeman might wave their phone over a bag and fire off a query: the query would have a digital signature attached (from secure hardware in the mobile phone, as in iPhones, for example) and the provenance system could check that signature before processing the query. It could then send a digitally signed and encrypted query to the distributor’s system which would then send back a digitally signed and encrypted response to be passed back to the brand policeman: ‘No we’ve never heard of this bag’ or ‘We shipped this bag to retailer X on this date’ or ‘We’ve just been queried on this bag in Australia’ or something similar.

(And, of course, each time an IDIoT is created, interrogated, amended or removed from the system, the event will be recorded on a shared ledger to guarantee the integrity.)
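The signed query and the ledger record described in the two paragraphs above, as an added example that is not code from the original post. HMAC-SHA256 with a per-device key stands in for the phone's hardware-backed signature, and the device names, roles, disclosure policy and provenance record are constructed for illustration.

```python
import hashlib, hmac, json

# Constructed sample data. HMAC-SHA256 with a per-device key stands in for the
# phone's hardware-backed signature; roles and field policy are hypothetical.
DEVICES = {"brand-police-01": (b"k1-constructed", "brand_police"),
           "shopper-42": (b"k2-constructed", "customer")}
PROVENANCE = {("999", "888"): {"factory": "Factory A", "distributor": "Distributor B",
                               "retailer": "Retailer X", "shipped": "2015-10-01"}}
POLICY = {"brand_police": {"factory", "distributor", "retailer", "shipped"},
          "customer": set()}  # a shopper learns only whether the item is known

def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_query(device_id, key, product, serial, nonce):
    q = {"device": device_id, "product": product, "serial": serial, "nonce": nonce}
    q["sig"] = hmac.new(key, canonical(q), hashlib.sha256).hexdigest()
    return q

class Ledger:
    """Append-only log; each entry commits to the hash of the one before it."""
    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = hashlib.sha256(prev.encode() + canonical(event)).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            good = hashlib.sha256(prev.encode() + canonical(e["event"])).hexdigest()
            if e["prev"] != prev or e["hash"] != good:
                return False
            prev = e["hash"]
        return True

class ProvenanceService:
    def __init__(self):
        self.ledger, self.seen = Ledger(), set()
    def handle(self, query):
        q = dict(query)
        sig = str(q.pop("sig", ""))
        key, role = DEVICES.get(q.get("device"), (None, None))
        if key is None:
            return self._log(q, "rejected: unknown device")
        good = hmac.new(key, canonical(q), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good.encode(), sig.encode()):
            return self._log(q, "rejected: bad signature")
        if (q["device"], q.get("nonce")) in self.seen:  # same signed query sent twice
            return self._log(q, "rejected: replay")
        self.seen.add((q["device"], q.get("nonce")))
        record = PROVENANCE.get((q.get("product"), q.get("serial")))
        if record is None:
            return self._log(q, "unknown item")
        return self._log(q, "known item",
                         {k: v for k, v in record.items() if k in POLICY[role]})

    def _log(self, q, status, fields=None):  # every query, accepted or not, is recorded
        self.ledger.append({"device": q.get("device"), "status": status,
                            "item": [q.get("product"), q.get("serial")]})
        return {"status": status, "fields": fields or {}}
```

The same tag read gives a different answer depending on who signed the query, and rejected queries are logged too, so a burst of lookups against one serial number is itself visible in the ledger.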

The central security issue for brand protection is therefore the protection of (and access to) the provenance data. Who exactly is allowed to scan my pants and under what circumstances? If I give my designer shirt to a charity shop, what information should they learn about it? An approach to these issues that uses the right combination of tools (i.e., using secure chips to link the provenance on a shared ledger to the physical objects) will deliver a powerful new platform for a wide variety of potential services.

What might these services be? I don’t know, because I’m only a consultant and can’t afford luxury goods but perhaps if such a system adds £20 to the price of a Rolex to implement this infrastructure, so what? The kind of people who pay £5,000 for a Rolex wouldn’t hesitate to pay £5,020 for a Rolex that can prove that it is real.

In fact, such a provenance premium might be rather popular with people who like brands. Imagine the horror of being the host of a dinner party when one of the guests glances at their phone and says “you know those jeans aren’t real Calvin Klein, don’t you?”. Wouldn’t you pay an extra £5 for the satisfaction of knowing that your snooping guest’s app is steadfastly attesting to all concerned that your jeans, watch and sunglasses are all real? Of course you would.

This international identity day, remember that identity is not just for people. It is for droogs and droids, pants and pets. The digital identity infrastructure that we need for the future is for everything. Everything.

#IDIoT, Part 97: Wearables again

In the July 2000 edition of Harper’s Magazine, Dennis Cass wrote about Silicon Valley:

Let’s go Silicon Valley! Wherein the author stalks the flighty, green-backed webhead in his natural habitat

From Let’s go | Harper’s Magazine

He wrote about “the kinds of things you’ve heard bores like Nicholas Negroponte drone on about in Wired magazine, like shoes that can send e–mail to other shoes”. I wrote this down at the time, because I remember thinking it was an interesting perspective from a non-technologist looking at what technologists were doing. And it was a funny example. Shoes that can send e-mail to other shoes!

Yesterday, through the miracle of Twitter, I noticed that this dystopia is almost upon us.

Smart Shoes You Can Control With Your Smartphone.

From Smart Shoes You Can Control With Your Smartphone

It’s only taken a couple of decades to get to this point, but it’s something to celebrate. Even our shoes will be getting hacked from now on.

The internet of blockchains, or something

I’ve said a few times that I think the Internet of Things is where mobile was a couple of decades back. Some of us had mobile phones, and we loved them, but we really didn’t see what they were going to turn into. I mean, I was always bullish about mobile payments, but even so… the iPhone 6s that’s next to me right now playing “Get Out Of Denver” by Eddie & the Hot Rods out through a Bluetooth speaker is far beyond anything that I might have imagined when dreaming of texting a Coke machine to get a drink. We’re in the same position now: some of us have rudimentary Internet of Things bits and bobs, but the Internet of Things itself will be utterly beyond current comprehension.

Specialized elements of hardware and software, connected by wires, radio waves and infrared, will be so ubiquitous that no one will notice their presence

From The Computer for the 21st Century – Scientific American

That was Mark Weiser’s prediction of the Internet of Things from 1991. It seems pretty accurate, and a pretty good description of where we are headed, with computers and communications vanishing from view, embedded in the warp and weft of everyday life. What I’m not sure Mark would have spent much time thinking about is what a total mess it is. Whether it’s wireless kettles or children’s toys, it’s all being hacked. This is a point that was made by Ken Munro during his epic presentation of smart TVs that spy on you, doorbells that give access to your home network and connected vibrators with the default password of “0000” at Consult Hyperion’s 19th annual Tomorrow’s Transactions Forum back in April. I’d listen to Ken about this sort of thing if I were you.

Speaking during a Q&A session for the upcoming CRN Security Summit, Ken Munro, founder of Pen Test Partners, claimed that security standards are being forgotten in the stampede to get IoT devices to market.

From Security standards being forgotten in IoT stampede, says expert | CRN

We’ve gone mad connecting stuff up, just because we can, and we don’t seem concerned about the nightmare in the making. I gave a talk about this at Cards & Payments Australia. The point of my talk was that I’m not sure how financial services can begin to exploit the new technology properly until something gets done about security. There’s no security infrastructure there for us to build on, and until there is I can’t see how financial services organisations can do real business in this new space: allowing my car to buy its own fuel seems a long way away when hackers can p0wn cars through the interweb tubes. I finished my talk with some optimism about new solutions by touching on the world of shared ledgers. I’m not the only one who thinks that there may be a connection between these two categories of new, unexplored and yet to be fully understood technology.

Although I’m a little skeptical of the oft-cited connection between blockchains and the Internet of Things, I think this might be where a strong such synergy lies.

From Four genuine blockchain use cases | MultiChain

The reason for the suspicion that there may be a relationship here is that one of the characteristics of shared ledger technology is that in an interesting way it makes the virtual world more like the mundane world. In the mundane world, there is only one of something. There’s only one of the laptops that I’m writing this post on and there’s only one of the chairs that I’m sitting on and there is only one of the hotel rooms that I’m sitting in. In the mundane world you can’t clone things. But in the virtual world, you can. If you have a virtual object, it’s just some data and you can make as many copies of it as you want. A shared ledger technology, however, can emulate the mundane in the sense that if there is a ledger entry recording that I have some data, then if I transfer the data to you, it’s now yours and no longer mine. The obvious example of this in practice is of course bitcoin where this issue of replication is the “double spending problem” well known to electronic money mavens.

The idea of applying the blockchain technology to the IoT domain has been around for a while. In fact, blockchain seems to be a suitable solution in at least three aspects of the IoT: Big Data management, security and transparency, as well as facilitation of micro-transactions based on the exchange of services between interconnected smart devices.  

From IoT and blockchain: a match made in heaven? | Coinfox

The idea of shared ledgers as a mechanism to manage the data associated with the thingternet, provide a security infrastructure for the thingternet and to provide “translucent” access for auditing, regulation, control and inspection of the thingternet strikes me as an idea worth exploring. That’s not to say that I know which shared ledger technology might be best for this job, nor that I have any brilliant insight into the attendant business models. It’s just to say that shared ledgers might prove to be a solution to a class of problems a long way away from uncensorable value transfer.

On the internet, no-one knows you’re a fridge

Remember all those years ago (about 20 in fact) when there was that cartoon in the New Yorker “no one knows you’re a dog”? I got so sick of seeing that cartoon lazily reproduced by anyone who wanted to make a point about identity in the virtual world and the relationship between virtual and mundane identities, which to my mind remains poorly understood (even by me) and in desperate need of exploration. Well, on Twitter a couple of days ago I laughed out loud when someone posted the updated version: on the Internet, no one knows you’re a fridge. Maybe I’ll steal it to use for my talk at the University of Surrey Centre for the Digital Economy “ID for the Internet of Things” workshop this afternoon. You’ll remember that ID for the Internet of Things (with the hashtag #IDIoT) was one of Consult Hyperion’s “live five” transaction technology trends for 2015. At the start of the year, when we were talking to clients about what to keep an eye on this year, we said that the thingternet (as I prefer to call it) lacked security infrastructure and that this would be a natural focus for activity. As it turned out, this was correct.

ARM’s acquisition of Dutch company Offspark shows how chip vendors intend to integrate more security features in their software and hardware to help keep the Internet of Things safe. There are a few things vendors have to get right for IoT to take off on a larger scale, and security is one of them.

[From ARM acquisition highlights quest to embed IoT security | PCWorld]

Of course, ARM wasn’t the only chip company looking to evolve IoT security. While they announced they would add their trusted execution environment “Trustzone” to their newest designs, others were doing the same, which is of course good news for those of us concerned about security on the thingternet. 

Intel is going down the same route with features such as Enhanced Privacy ID, which Intel made available for other chip makers to implement in December.

[From ARM acquisition highlights quest to embed IoT security | PCWorld]

You can have security without privacy, as they say, but you can’t have privacy without security. Anyway, the fridge thing caught my eye because I happened to be reading the Economist Intelligence Unit’s recent report on “The Economics of Digital Identity”, in which Stephen Bonner, former head of Information Risk Management of Barclays, makes the important observation that while most of the focus today is on individuals and their personal data, increasingly digital identity will need to be closely tied to the use and ownership of smart products. Since I’d read Jerry Kaplan’s “Humans Need Not Apply” on my last plane ride, I’d been thinking about the issue of personhood (including the ability to own assets) for synthetic intelligence, and about issues around reputation management (and management of reputation in the context of punishing synthetic intellects). And then I saw a tweet from my former colleague and ethical thinker, Vic:

So. Should what Jerry Kaplan calls “forged labourers” need digital identities through legal personhood, or are they the property (in some way I can’t think through, because I’m not a lawyer) of governments, companies, individuals with an identity that is derived from their owner? I rather think that they will have to have some kind of digital identity and my reasoning is that interactions in the virtual world are interactions between virtual identities and in my specific worldview, virtual identities need underlying digital identities. Whether the underlying digital identities of robots need to be bound to real-world legal entities, as in the case of digital identities as we understand them today, is a different issue so let’s put it to one side for the time being. Let’s for a moment focus on security.

When my fridge negotiates with Waitrose to buy some more milk, what is really happening is that the virtual identity of my fridge is interacting with the virtual identity of Waitrose. That seems perfectly reasonable to me, and working out ways for these virtual identities to transact is going to be part of the business strategy for a fair few of our clients over the next couple of years. The virtual identity of the fridge may have a number of attributes associated with its identifier, such as a credit limit or a delivery address or whatever, but the one attribute that it will not have is “IS_A_PERSON”. As I have claimed many times before, this might well turn out to be the most valuable attribute of all. More on this soon.

#IDIoT is a serious business

The Gartner hype cycle is jolly bullish on autonomous vehicles, which I’m really looking forward to. According to Jerry Kaplan’s fascinating “Humans need not apply”, switching to autonomous vehicles in the US will save thousands of lives and billions of dollars every year. Personally, I couldn’t care less if I never drive a car for myself ever again, and I hope that Woking will become an autonomous vehicle only zone as soon as possible. Sadly, this won’t be for a while.

While autonomous vehicles are still embryonic, this movement still represents a significant advancement, with all major automotive companies putting autonomous vehicles on their near-term roadmaps.

[From Gartner’s 2015 Hype Cycle for Emerging Technologies Identifies the Computing Innovations That Organizations Should Monitor]

Gartner are even more bullish on what they call autonomous field vehicles (which I think means drones, combine harvesters and such like) and predict that these will be around in 2-5 years time, just like enterprise 3D printing and cryptocurrency exchanges. I couldn’t help but notice, though, that their very same hype cycle puts digital security at least 5-10 years out. So they are forecasting that there will be vehicles running around for some years before we are able to secure them, 3D printers inside organisations printing things for years before we are able to protect them and people trading money years before we can stop hackers from looting them. Actually, I agree with Gartner’s prediction, as it’s entirely congruent with my own #IDIoT line of thinking, which is that our developments in connection technologies are accelerating past our developments in disconnection technologies. And if you don’t care what I think about it, you probably do care what Vint Cerf thinks about it.

“Sometimes I’m terrified by it,” he said in a news briefing Monday at the Heidelberg Laureate Forum in Germany. “It’s a combination of appliances and software, and I’m always nervous about software — software has bugs.”

[From Vint Cerf: ‘Sometimes I’m terrified’ by the IoT | ITworld]

We’re busy going round connecting vehicles, equipment and money to the internet without having any sort of strategy in place for disconnecting them, which is much more difficult (doors are easy, locks are hard, basically). And with chips that we don’t even understand being built into everyday devices, the complexity of managing security is escalating daily. Look at the recently-launched “21” idea.

Its core business plan it turns out will be embedding ASIC bitcoin mining chips into everyday devices like USB battery chargers, routers, printers, gaming consoles, set-top boxes and — the piece de resistance — chipsets to be used by internet of things devices.

[From Meet the company that wants to put a bitcoin miner in your toaster | FT Alphaville]

Really? Chips in everything? What could possibly go wrong? Oh wait, it already has. There’s something missing here: an identity layer. Hardly a new idea and I’m not the only person going on about it.

Everyone and everything will have an identity… We can’t scale a world that we can’t talk to, can’t control and can’t secure. Everything, including your toaster, your fridge and your car, will have an identity.

[From Facing the new Big Bang: The IoT’s identity onslaught — Tech News and Analysis]

Yet nothing much is getting done, despite the fact that we already have plenty of case studies as to how bad the situation is already. Never mind smart fridges that give away your personal details or televisions that spy on you, there are issues about the maintenance and upkeep of things in the field that create an identity management environment utterly different to anything we are used to dealing with in the worlds of OIX, Mobile Connect, SAML and so on.

Did you buy a smart TV or set-top box or tablet any time before January 2013? Do you watch YouTube on it, perhaps through an app? Bad news: Google has shut down the feed that pushed content into the app.

[From You buy the TV, Google ‘upgrades’ its software and then YouTube doesn’t work … | Technology | The Guardian]

It’s issues like this that make me want to focus on identity in the internet of things (or #IDIoT, as I call it) in the near term, so I was really flattered to be asked along by the good people at ForgeRock to talk about this at their London Identity Summit tomorrow. Really looking forward to exploring some of these ideas and getting feedback from people who know what they’re talking about. What’s more, Consult Hyperion and the Surrey Centre for the Digital Economy (CoDE) will be delivering a highly interactive workshop session designed specifically for the University of Surrey’s 5G Innovation Centre SME Technology Pioneer Members on 30th November 2015. This will include “business lab sessions” interleaved with presentations and discussion. We’ll be putting forward the #IDIoT structure to explore identity, privacy and security issues using our ‘3 Rs’ of Recognition, Relationship and Reputation. The event will be an opportunity to establish contacts with companies interested in the IoT space, as well as connecting with the broader University community and a select group of large enterprises so I’m really looking forward to it and, as you might imagine, you’ll read all about it here!

