Confronting the issue

There’s an interesting choice of words in the O’Reilly Radar publication on “ePayments 2010“. The report’s subtitle is “Emerging Platforms, Embracing Mobile and Confronting Identity”. I thought that this is expressive: the payments industry is “confronting” identity.

…even as consumers come to expect online systems to know more about them in order to facilitate transactions and reduce friction in accomplishing tasks, they are likely to want to maintain control over which online services have access to distinct aspects of their identity.

Very well put. It illustrates a point that I find myself making in more and more discussions these days: that if the players in the payments industry don’t deal with the identity problem, then someone else will.

Identity is critical in many ways: It ensures the right degree of user personalization, enables the reliable billing of services used across a platform, and provides a strong foundation of trust for any transaction occurring on the platform.

[From Making Sense of Ever-Changing Payment Technologies: The Year of APIs and the Reshaping of the Payment Ecosystem – pymnts.com]

Patrick is right to highlight the key role of identity in constructing the future payments infrastructure, although I would draw a slightly different diagram to illustrate the relationship. He has drawn identity on top of payment services, whereas as I would draw them side-by-side to show that some commerce applications will use identity and some will not, some commerce applications will use payments and some will not. This isn’t just a payments issue, of course. It’s rapidly becoming a major block on the development of the online economy. There’s a Chernobyl coming, and the recent fuss about Sony and Sega will appear utterly trivial in comparison. I’m not smart enough to know where or when it will happen, but it will happen. If I had to take a wild guess, I might be tempted to predict the epicentre if not the cause or symptoms.

I trust Facebook to give the messages that I type to my ‘friends’. I trust Facebook with the login details to my Yahoo email account… Even in the last week at least four of my friends have been link-jacked in Facebook – whereby their accounts start spewing malicious links onto the walls of their friends.

[From Trust co-opetition is the key to avoiding disintermediation « in2payments]

It’s the interlinking via social networking that is precisely the danger, because that means when something goes wrong is goes connectedly wrong and gets out of control in unpredictable ways. Something has got to be done to make identity mischief substantially more difficult. But how?

We need online identities anchored in hardware cryptography. Everybody who does financial cryptography understands that for anything of value, you can’t store the keys in software. You need hardware protected keys, with a cryptoprocessor to operate on them, and very importantly, a trusted UI to the human that doesn’t involve hackable software. EMV is a good basis for this

[From The Case for EMV Chip Cards in the US? — Payments Views from Glenbrook Partners]

Hear hear. I’d say that it was the chip with a crypto co-processor that is the basis (EMV is just an application running on such a chip) but the point holds. So where are these chips today? Well, they exist in your chip and PIN card is a sort of autistic form, with limited communication and narrow bandwidth through which we can reach the smart core. And they exist in your mobile phone, in the form of the UICC, where they have high bandwidth, constant connectivity, a UI, huge memory and an ecosystem beyond the device. And they will soon exist in your mobile phone, set-top box and elsewhere in the Secure Element (SE). (As an aside, in some models the SE will be resident in the UICC, so there may only be one physical chip.)

Therefore, there is an opportunity to roll-out an SE-based infrastructure, perhaps in the NSTIC architecture, that sets us down the path to identity security. I’m surprised that, in Europe at least, the mobile operators haven’t already got together to develop their joint response to NSTIC and begun work on the business models that it spawns. The mobile operator is a naturally identity and attribute provider and they already have the tamper-resistant hardware (ie, UICCs) out in the market. They know the customer, they know the network, they know the device. I should be logging on to everything using my handset already, not messing about with passwords and secret phrases and mother’s maiden name.

From the point of view of the UK, where the national identity card scheme has just been scrapped and there is no alternative identity infrastructure in place, there is much to be admired in the US approach.

[From Digital Identity: USTIC]

This may be another area where the ease of use afforded by NFC makes for a big difference in the shape of the marketplace and the trajectory of the stakeholders. There were some early experiments in SIM-based secure PKI, but they were very, very clunky because they needed SMS or Bluetooth to connect the handset to the target device, like a PC or a kiosk (or a POS). But in the new world of NFC, what could be simpler: use menu on phone to select identity, tap and go online. And since the SE can handle the proper cryptography, my phone can tell whether it is talking to the real Barclays as well as Barclays working out whether it is talking to my phone. The NSTIC framework, when combined with the security and ease-of-use of NFC in mobile phones, may not be whole solution, but it’s certainly a plausible hypothesis about what that solution may grow from.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

It’s all fun and games, until… no, wait, it is all fun and games

Consult Hyperion has been working on a project called VOME with the UK Technology Strategy Board. The idea of the project is to help people who are specifying and designing new, mass-market products and services (eg, Consult Hyperion’s clients) to understand privacy issues and make better decisions on architecture.

VOME, a research project that will reveal and utilise end users’ ideas and concepts regarding privacy and consent, facilitating a clearer requirement of the hardware and software required to meet end users’ expectations.

[From Technology Strategy Board | News | Latest News | New research projects help to ensure privacy of data]

Part of the project is about finding different ways to communicate with the public about privacy and factor their concerns into the requirements and design processes. Some of these ways involve various kinds of artistic experiments and it’s been fun to be involved with these. We’ve already taken part in a couple of unusual experiments, such as getting amateur writers to produce work about privacy from different perspectives.

More recently we have been working with Woking Writers’ Circle on the production of a collection of short stories and poems entitled ‘Privacy Perspectives’.

[From Media – Consult Hyperion]

As one of the technical team, I have to say that it’s very useful to be forced to try to think about things like privacy-enhanced technology, data protection and risk in these different contexts. One the artistic experiments underway at the moment, primarily aimed at educating teenagers and young people about the value of their personal data, is the development of a card game that explores the concept. The card game experiment, lead by Dr. David Barnard-Wills from Cranfield University, has reached the point where the game needs playtesting. So… we all met up in London to play a couple of games of it.

Turned out that not only had the chaps developed the game way further than I had imagined, but they’ve invented a pretty good game. Think the constant trading of “Settlers of Catan” with the power structures of “Illuminati” mixed with game play of “Crunch”. I liked it.

You get cards representing personal data of different kinds. Depending on who you are (each player is a different kind of business: bank, dating agency, insurance company etc) you want different datasets and you want to link them together into your corporate database. A dataset is a line of three or more data items of the same kind. Here’s a corporate database with two datasets in it: the green biographical data 2-2-3 and the orange financial data 3-3-3, these will score at the end of the game.

There are event cards, that pop up each round to affect the play, and some special cards that the players get from time to time. Check out the database I ended up with in the game that my colleague and I won! I was the bank, so I was trying to collect financial data in my database but I was also trying to collect social data (purple) in my hand.

We had great fun, and we all contributed a ton of ideas. The game is being refined for a new version in a month or two, so we’ll try it again then and I’ll let you know how it’s going! I don’t know if the guys are actually going to turn it into a commercial product (that isn’t really the point of it) but I’d say they are on to a winner. My tip: instead of calling it “Privacy”, call it “Super Injunction”.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

It all comes back to liability

I posted about the silo-style identity and authentication schemes we have in place at the moment and complained that we are making no progress on federation. Steve Wilson posted a thoughtful reply and picked me up on a few points, such as my “idea” (that’s a bit strong – more of a notion, really) of developing an equivalent of creative commons licences, a sort of open source framework. He says

CC licenses wouldn’t ever be enough. Absent new laws to make this kind of grand identity federation happen, we will still need new contracts — brand new contracts of an unusual form — struck between all the parties.

[From comment on Digital Identity: The sorry state of id and authentication]

But isn’t that what CC licences solve?

It’s complicated by the fact that banks & telcos don’t naturally see themselves as “identity providers”, not in the open anyway

[From comment on Digital Identity: The sorry state of id and authentication]

Well, I’m doing what I can to change that (see, for example, the Visa/CSFI Research Fellowship), but on the main point I happened to be reading the notes from the EURIM Identity Governance Subgroup meeting on 23 February 2011, talking about business cases for population scale identity management systems. The notes say that

It is alleged that the only body with the remit, power and capability needed for assuring and recording a root identity through a secure and reliable registration process is Government.

The notes then go on to talk about case studies such as the Nordic bank-issued eIDs though. These arguments are to some extent circular, of course, because the e-government applications in the Nordics are using bank-issued eIDs, but the only reason that the banks can issue these eIDs is because they are using government ID as the basis for KYC. In the discussion about this at a recent roundtable in that Visa/CSFI “Identity and Financial Services” series, someone made a comment in passing (and I’m embarrassed to say that I can’t remember who said this, because I noted the comment but forgot the commenter) that all of this takes places in a model absent liability. That is, as far as I understand what was said, the government accepts no liability from the banks, and vice versa. So if the bank opens an account for me Sven Birch, using a government “Sven Birch” identity, but it subsequently transpires that I am actually Theogenes de Montford, then the bank cannot claim against the government. Similarly, if I used my bank eID “Sven Birch” to access government services, but it subsequently transpires that I am actually Theogenes, then the government has no claim against the bank. (If this isn’t true, by the way, I would appreciate clarification from a knowledgeable correspondent.)

So what is the situation? Must we have a liability model, or can we all agree to get along without one. Or do you have to a have a more consensual society, or perhaps one with fewer lawyers per head of population?

The sorry state of id and authentication

I had a problem with my PayPal account: I used it in China, and it got blocked as the result of some kind of fraud screening.

I ended up having to promise the guys at Bike Beijing that I will sort this out when I get back to the UK and then send them their money.

[From Digital Money: Holding court]

They still haven’t got their money. In order to unblock the account, you had to log in to your account and then have a code sent via your home telephone number. I clicked, the phone rang, I punched in the number and hung up. Nothing. I clicked again, the phone rang, I punched in the number and waited. Nothing. I clicked again, the phone rang, I punched in the number. After a while, I got an e-mail telling me that the authentication process had failed and so PayPal would send a letter containing some kind of code to my home address and that I could then use this code to unblock my account. It mentioned that the letter might takes six weeks to arrive.

So the nice guys at Bike Beijing still don’t have their money and I’m still embarrassed.

Now, all the time that this nonsense about codes and letters was going on, I had on my desk a Barclays’ PINSentry (which I can’t even use to log on to Barclaycard, let alone PayPal) and a O2 mobile phone (I’ve been with O2 for two decades and have a billing relationship with them – their system knew that I was in China) and a keyring OTP generator that we used for our corporate VPN. Any one of these could provide a better solution then messing about typing in code numbers, but they all sit in their own silos and don’t provide the kind of general-purpose services that they should.

What should have happened, of course, is that I should have been able to log in to PayPal using OpenID and then logged in to a 2FA OpenID using my (say) PINSentry. So now PayPal knows that I have been 2FA logged in from an “acceptable” source (ie, Barclays Bank) and we could move on. So why doesn’t this happen? Is it because OpenID has failed?

But if OpenID is a failure, it’s one of the web’s most successful failures. OpenID is available on more than 50,000 websites. There are over a billion OpenID enabled URLs on the web thanks to providers like Google, Yahoo and AOL. Yet, for most people, trying to log in to every website using OpenID remains a difficult task, which means that while thousands of websites support it, hardly anyone uses OpenID.

[From OpenID: The Web’s Most Successful Failure | Webmonkey | Wired.com]

It can’t be that. OpenID has plenty of support, and even the US government got behind it.

Who would have predicted say, 5 years ago, that you would some day be able to use commercial identities on government websites? Evidently, this raises questions about privacy and security but if these initiatives can garner enough public support, government validation of open identity frameworks could be a boon for the ecosystem of the open, distributed web. Plus, it can make dealing with the government a lot easier for you, too.

[From US Government To Embrace OpenID, Courtesy Of Google, Yahoo, PayPal Et Al.]

It’s not about the technology. I make no judgement as to whether OpenID is the best technology or not (although it does actually exist, which is a good start), but the truth is that it simply doesn’t matter whether it is or it isn’t.

The unresolved business and legal challenges implicit in federated identity are to blame for the under-delivery of OpenID

[From OpenID, Successful Failures And New Federated Identity Options | Forrester Blogs]

Indeed they are. So the problem isn’t really anything to do with OpenID, or any other framework that might come along in cyberspace, but the legal framework that it has to sit inside. This is where we need the breakthrough. We need potential identity providers (eg, Barclays, O2) to be able to set up OpenID responders for their customers inside a well-known and well-understood legal framework. Now, you can do this contractually (as IdenTrust has done), but to scale to the open web, we need something more than that, perhaps an equivalent of the “creative commons” licences that are used for content but for credentials.

Even then, would someone like PayPal rely on them? Or would it only rely on identities from regulated financial institutions in the EU? Or only such institutions that met some minimum authentication standard? We’re a long way from fixing my Chinese problem, despite having all of the technology needed to do so.

Not magic bullets, but bullets nonetheless

How do you identify people? This is a difficult problem. Let’s set aside what you need to identify people for, and just concentrate on large scale solutions.

The Indian government is trying to give all 1.2 billion Indians something like an American Social Security number, but more secure. Because each “universal identity number” (UID) will be tied to biometric markers, it will prove beyond reasonable doubt that anyone who has one is who he says he is. In a country where hundreds of millions of people lack documents, addresses or even surnames, this will be rather useful. It should also boost a wide range of businesses.

[From India: Identifying a billion Indians | The Economist]

The “but more secure” is obvious, because otherwise “something like” a US SSN will be as disastrous as a UK National Insurance number as a viable means of identifying individuals.

The study found that rather than serving as a unique identifier, more than 40 million SSNs are associated with multiple people. 6% of Americans have at least two SSNs associated with their name. More than 100,000 Americans have five or more SSNs associated with their name.

[From One In Seven Social Security Numbers Are Shared]

So what do we mean by “more secure”? How do you go about uniquely identifying people? In the case of India, it means a biometric universal ID (UID). Once the word “biometric” appears, people seem to think there is now a magic bullet against identity theft and fraud and they want to use it for everything (which is why I have previously argued that – given convenience – the market will automatically shift to demand the highest level of assurance of identity for every transaction, whether it requires it or not).

Securities and Exchange Board of India (SEBI)… has constituted an internal group with members from various departments to examine the modalities for making UID applicable for KYC norms and to formulate their views. This information was given by the Minister of State for Finance, Shri Namo Narain Meena in written reply to a question raised in Rajya Sabha today.

[From Press Information Bureau English Releases]

This kind of behaviour builds a tower on shifting sand, introducing a single point of failure into all systems. In fact, it introduces exactly the same single point of failure into all systems, which is why I like the NSTIC approach of multiple identity providers (of which the government in merely one, and a non-priviledged one at that). In India, biometrics have not had a good start. The first attempts to register people for the UID saw only a fifth of the attempts succeed.

Though the department conducted proof-of-concept (pilot project) on over 266,000 people in Mysore and Tumkur districts, only 52,238 UIDs could be generated.

[From Pilot project yielded few UIDs – The Times of India]

Is there something unusual about Indian biometrics? I suspect not. I suspect that biometrics are being used in systems designed by management consultants who have been watching Hollywood movies rather than by technologists who understand the appropriate modalities and bounds. You wouldn’t get that sort of thing here in the UK. No, wait…

Biometric face scanners at Manchester Airport have been switched off after a couple walked through one after swapping passports.

[From Aircargo Asia Pacific – Face scanners switched off at Manchester]

I’ve been through the e-passport face scanners at LHR a few times (I don’t use the IRIS scheme after it rejected me three trips in a row) and I can’t say I haven’t wondered whether it is real or not. We all know that iris scanning is more secure.

A woman from eastern Europe who was deported from the UAE re-entered weeks after her departure using a new identity… To prevent her from returning, her eyes were scanned before she left. But, according to her testimony in court this week, she returned to the UAE through Dubai International Airport using a forged passport and a different name. She said her eyes were scanned upon entry.

[From Iris scan fails to stop returning deportee – The National Newspaper]

Hhhmmm. It seems as if building big databases of biometrics may not be the way forward for the time being. Is there any other way to make biometrics more practical at a large scale? I’m sure there is. Perhaps a good place to start would be to marry some capability and convenience. One thing that we know from examples around the world is that customers like biometrics because of convenience. So what else is convenient? I know: contactless, wireless and RIFD technology.

Standard Chartered is issuing RFID chips to select customers at its newest Korean location, eliminating the need for affluent individuals to wait in lines at the branch. When a customer holding an RFID tag enters the facility, the system immediately notifies the branch manager and a relationship manager who can greet the customer personally at the door.

[From RFID Chips Spell End to Branch Lines for High-Value Customers | The Financial Brand: Marketing Insights for Banks & Credit Unions]

Ah, but when you get to the counter, how does the bank know that you are indeed the valued customer and not an imposter, intent on transferring funds off to Uzbekistan? Well, you could ask the customer to put their finger on a pad, or look at a camera, or speak into a microphone, or what ever, and then send the captured biometric to the RFID device for matching. Instead of rummaging through a giant database, the system can now do an efficient 1-1 comparison offline. If the device returns the correct, digitally-signed response, then the customer is verified. No PINs, no passwords: the combination of biometrics, contactless and tamper-resistant chips can deliver a workable solution to a lot of problems.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.