It doesn’t have to be “The Handmaid’s Tale”

Once again I’ve been involved in a series of Twitter exchanges about the relationship between cash and anonymity. Many in the Bitcoin community see Bitcoin’s sort-of-anonymity as an important characteristic because it defends the individual against state power and they berate me for wanting to replace cash “in circulation” with a digital alternative. Cash, they claim, is freedom. One odd aspect of this argument is that the cash is, of course, a byproduct of the leviathan they affect to despise.

Narayana Kocherlakota, formerly the head of the Federal Reserve Bank of Minneapolis and now a prolific economics blogger, penned a recent article on the abolition of cash. Kocherlakota makes the point that if you don’t like government meddling in the proper functioning of free markets, then you shouldn’t be a big fan of central bank-issued banknotes.

From Moneyness: Kocherlakota on cash

I’m not, as it happens. In fact, I think we should start to consign them to the dustbin of history, beginning with the $100 bill, the £50 note and that affront to law-abiding people everywhere, the Swiss 1,000 franc note. There are an increasing number of people coming around to my way of thinking, including the former chief economist to the International Monetary Fund (IMF) Kenneth Rogoff, who recently published a book entitled “The Curse of Cash” in which he argues that banknotes should be withdrawn not only because of their use in criminal endeavours but because they prevent central banks from using their full range of monetary policy tools.

Kocherlakota doesn’t mention it explicitly, but should cash be abolished in order to remove the lower bound to interest rates, a potential replacement would be a new central bank-issued emoney, either Fedcoin or what Dave Birch has dubbed FedPesa.

From Moneyness: Kocherlakota on cash

But without wishing to be accused of pedantry, what does he mean by “central bank-issued electronic money”? In his presentation on ’The Zero Lower Bound and Anonymity”, Kocherlakota tends toward some form of cryptocurrency to replace fiat currency rather than a central bank digital currency and one of the reasons for this is his (entirely reasonable) concern about anonymity. This point is illustrated by literary reference.

In Atwood’s dystopian Handmaid’s Tale, a theocratic government named the Republic of Gilead has taken away many of the rights that women currently enjoy. One of the tools the Republic uses to control women is a ban on cash, all transactions now being routed digitally through something called the Compubank

From Moneyness: Kocherlakota on cash

It’s been many, many years since I read “The Handmaid’s Tale” so I went to my bookshelf to dig it out and re-read that part. The narrator talks about how the evil junta in charge of future America took over and says that it would have been harder if there had still been paper money. I don’t see how. North Korea has everyone using paper money and virtually no cards. Denmark has virtually no paper money and everyone uses cards (and phones). To be frank, in the modern world, I don’t think cash is that closely related to dictatorship.

 The Handmaid's Tale

The point I wanted to make here, though, is that it is wrong to present the alternatives as total surveillance and anonymity. I simply do not accept that the alternative to the unconditional anonymity of cash and the crime that goes with it is a dystopian, totalitarian nightmare. That’s only one way to design a circulating medium of exchange and it’s not the way that I would design it. I would opt for something along the lines of a universal pseudonymous mechanism capable of supporting an arbitrary number of currencies, a Mondex de nos jours, an M-PESA with go-faster stripes. In a world where there are completely, unconditionally anonymous payment mechanisms in widespread use there’s no way to stop very bad people from using them to do very bad things, so I’d prefer a world in which there are pseudonymous mechanisms that defend against routine surveillance and petty intrusion but allow societies legitimate interests to protect against crime.

Does this mean that anonymous mechanisms should be banned? Probably not, for the good reason that it would be impossible to do so. More likely would be a situation shown in the diagram below where there is an anonymous layer that has a pseudonymous layer on top of it and a absonymous (I made this word up) on top of that. People, governments and businesses would use this pseudonymous layer: the anonymous money would be useless for almost all transactions for almost all people since no-one would accept it. I would love to give this kind of anonymous money the generic name ZeroCash, after the William Gibson novel (“Count Zero”) in which one of my all-time favourite quotes about the future of money appears:

‘He had his cash money, but you couldn’t pay for food with that. It wasn’t actually illegal to have the stuff, it was just that no- body ever did anything legitimate with it.’

Unfortunately, someone else has already beaten me to it and not as a generic name! [See E. Ben-Sasson, A. Chiesa, C. Garman, M. Green,I. Miers, E. Tromer, and M. Virza, “Zerocash: Decentralized anonymous payments from bitcoin” in IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, May 18-21, 2014. IEEE Computer Society, pp.459–474 (2014)]. Well, I’m fighting back by starting use zerocash (with the lower case initial) to mean generic unconditionally anonymous electronic cash. The wallet that this electronic cash is stored in is an anonymous digital identity. It’s just a string of bits.

Now, you could imagine some form of zerocash in circulation as a cash alternative but not accepted in polite society (i.e., any attempt to spend it would be regarded as prima facie evidence of money laundering and exchanges would be barred from handling it). Polite society instead decides to protect privacy through managed conditional anonymity, or pseudonymity. A pseudonymous currency that is managed by a central bank but where transactions take place on a distributed ledger is much more like “RSCoin”, the cryptocurrency proposed by George Danezis and Sarah Meiklejohn at UCL [Danzis, G. and S. Meiklejohn. “Centrally Banked Cryptocurrencies”, NDSS ’16, 21-24 February 2016, San Diego, CA, USA] using Ben Laurie’s “mintettes” concept. By creating a pseudonym that is bound to the zerocash digital identity, we make it useful (provided that the binding is done by someone who trusted in the relevant transactional use cases).

Why bind it in this way? Well, there is the usual privacy paradox to be dealt with here: I want my transactions to be anonymous, but everyone else’s to be not anonymous in case they turn out to be criminals. I cannot see any way round this other than pseudonymity. There are people out there (e.g., my colleagues at Consult Hyperion) that know how to design systems that work like this, so there’s nothing stop the FATF, Bank of England, or Barclays or anyone else from starting to design the future, privacy-enhancing electronic money system that we need.

Let’s  move on. For certain purposes, pseudonymity might be deemed insufficient (e.g., KYC) and so that nym layer is needed too. This means we need to bind the pseudonym to real-world legal entity. A bank is a good place to form this binding, since they’ve already done the KYC and know who I am. So I give present my pseudonym to them and they can bind it to my “real” name to form a nym. In the example below, Barclays know who I really am, and I can present my Barclays nym where needed, but most transactions with counterparties take place at the pseudonymous layer and I can present my Vodafone pseudonym “Neuromancer” there if I want to. My counterparty doesn’t know that I am Dave Birch, only that Vodafone know who (and presumably, where) I am. For the overwhelming majority of day-to-day transactions, this is more than adequate. This layered approach (show below) seems to me a viable vision of a working infrastructure. Few transactions in the top layer (for privacy), most transactions in the middle layer, few transactions at the lower layer.

Anonymity and Levels


So in this made-up example, Barclays know my “real” identity and Vodafone knows a persistent pseudonym tied to my phone number. (Of course, I could go to Barclays and choose to bind my Vodafone identity to my Barclays identity, but we don’t need to think about this sort of thing here.) I’m going to reflect on how these bindings might work in practice more in the future, but for now I want to circle back to that opening concern about losing the anonymity of cash. Here’s another version of that meme that I read I day or two ago.

Cash—the familiar, anonymous paper money and metallic coins that most of us grew up using—isn’t just convenient, it’s also a powerful shield for our autonomy and our privacy.

From Cash Means Freedom, Which Is Why So Many Officials Hate It –

It really isn’t. Your privacy is being taken away because of Facebook, people wearing Snapchat shades and drones, not because of debit cards. And none of this has anything to do with dictatorship. I wouldn’t want to live in the America of the “The Handmaid’s Tale” whether it had anonymous payments or not.  I understand the concerns of those concerned with privacy (as I am) that there might be an inevitable tendency for a government to want to trespass on the pseudonymous infrastructure in the name of money laundering or terrorism, but that’s a problem that needs to be dealt with by society, not by technology. I don’t know what the answer to that is, but I do know that we need to get the conversation started in a more sophisticated way.

The social cost of identity

The police are apparently fed up with Walmart. They cut staff, introduced automated checkout and saw a big increase in shoplifting, which they pass on to the police.

“The constant calls from Walmart are just draining,” says Bill Ferguson, a police captain in Port Richey, Fla. “They recognize the problem and refuse to do anything about it.”

From Walmart’s Out-of-Control Crime Problem Is Driving Police Crazy

You can see the logic from the company’s point of view. They pay for staff but they don’t pay for the police, so they may as well externalise the costs of managing bad behaviour. To some extent, of course, we all do this. We expect the authorities to stop people from hurting us in a variety of ways. But there has to be a balance. It would be crazy for car companies to save money by not fitting car alarms and instead fit a cheaper device to alert the police when the car is stolen.  But never mind Walmart and Ford. Isn’t this what Twitter and Facebook have done?

Scotland Yard will spend £1.7million on a ‘Twitter squad’ to hunt trolls

From Scotland Yard invests £2m into new ‘thought police’ unit to hunt down trolls | Daily Mail Online

The problem of bad behaviour online appears to be out of control. I’m sure that police have considerably better things to do with their time than track down lunatics posting threats on Twitter or bullying bereaved people on Facebook. I’m particularly annoyed about the problem on Twitter because I love it so much. Personally, when someone posts abuse at me (and this – astonishingly – does happen from time to time) then I just mute them and carry on. But for some people, especially those more in the public eye, the abuse makes Twitter unusable. 

I posted a screenshot of the email, and a few lines about how I would not be using Twitter until they figured out how to stop making incidents like this one (gross, but comparatively benign) a less constant component of my Twitter experience.

From Twitter Has Become a Park Filled With Bats — Following: How We Live Online

Over time, this is becoming a very serious problem. The “trolls” are not only annoying to individuals they are undermining the medium.

But it’s biggest problem are those trolls. They’re winning. Too often Twitter’s users are subject to pernicious streams of abuse and harassment. This dissuades new users from wanting to sign up, drives formerly loyal tweeters to close their accounts, and gives advertisers pause as they consider where to place their brand dollars.

From Stopping Trolls Is Now Life and Death for Twitter — Backchannel

Twitter has responded to this well-known and widespread problem in the past. But it is really not clear to me how they can do this in an automated fashion. If you call me names on Twitter, is that trolling? If you tell you – repeatedly – that your idea for a database of transactions hashes is not a blockchain, is that harassment? And if you get me banned for it, what’s to stop me from just creating another account and carrying on? It is undeniably a very difficult problem, made worse by the absence of any suitable identity infrastructure.

Twitter has long come under criticism for not doing enough to police abusive behavior on the often-freewheeling messaging service.

From Twitter announces crackdown after online abuse of ‘Ghostbusters’ actor | Reuters

So. There has been a huge amount of discussion  about the problems of Twitter and falling usage as people abandon the platform because of bullying and trolling. Here’s the big question then. How can we align the social costs of policing anti-social media more effectively so that we can deal with trolls without having to spend gazillions on the police, courts and jails? My argument has always been that it is more cost-effective to support the industry in developing a identity infrastructure that may be used for this purpose (amongst others). And I’ve come around to thinking that banks are probably the right people to get it going. We need to get Twitter to let people create accounts using a Bank Identity (for want of a better word). But not much has happened. Naturally, I’ve written about this before. And as well as moaning about it I’ve made some positive suggestions for things to do about it, largely based on developing strong pseudonymity as the key infrastructure. Other people have put forward similar practical ideas, but they all rest on the ability to authenticate against a “real” identity.

Allow users to not show their tweets to unauthenticated users. 

From Putting out the Twitter trashfire — Medium

Some people think that instead of fixing the problem properly as suggested, we should instead rely on “real” name policies, but I disagree profoundly. There are many issues that people might want to comment on but not use their real names. Again, something I’ve written about extensively. So the basic knee-jerk reaction about names, while understandable, does not work for me. I want people to post their honest opinions and comments about difficult subjects and they need privacy to do this (note, for the one-thousandth time) privacy is not anonymity.

Social media users should be forced to reveal their real names so police can track down jilted lovers who post “revenge porn”, a peer has said.

[From Revenge porn: Peer says Twitter users must reveal real names – Telegraph]

The police do not need people to post their real names to do this. What they need is a route to the real names, which is why the idea of strong pseudonymity (pseudonyms managed by regulated institutions) is so appealing. If Barclays know who I am, then the police can ask Barclays and Barclays will tell them. But Barclays won’t tell anyone else, so I can post in privacy. Why banks do not get together to provide such an obviously beneficial identity services is beyond me. It’s all very well providing a bank identity to let me do my taxes, but I do this once every year, whereas I post abuse on social media almost hourly.

The WEF blueprint for digital identity – the middle way

The World Economic Forum (WEF) has just published their report on “A Blueprint for Digital Identity”. It begins with a disclaimer from “Deloitte”* saying that “This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business”. But what’s the point of reading a report that isn’t going change any decision or action that you make? I think quite the opposite: you should read the document and make the decision to have a strategy towards digital identity and start to explore different scenarios covering how it will affect your business right away.

First, let me admit that I was excited to see that WEF/Deloitte* have finally caught up with Consult Hyperion’s thinking on this kind of thing. Back in 2008, I wrote that:

Banks ought to be looking at both providing and consuming identity services and developing better identity and authentication services not merely for their internal use to reduce phishing and pharming but as a line of business in an online society. They are the obvious category of institution to provide credentials, manage personal information and deliver identity into the marketplace.

From Digital Identity: I’m sure banks have a strategy for this kind of thing

The WEF report says that “There is a strong business case for Financial Institutions to lead the development of digital identity systems” and goes out to categorise these are cost reduction, new revenue opportunities and transformational new models (i.e., outside core banking). I agree that it’s important to look at the saving money and making money opportunities in this way because in any bank that I’ve spoken to about this sort of thing, it’s been clear that the saving money business case has to stack up before there will be any investment.

As for the blueprint, the report suggests three approaches, – the institution, the consortium, the industry – which I paraphrase here:

  • A single institution could create its own system, focusing on cost saving but with limited potential for further adoption (but I think ”ChaseID” would struggle against “AppleID”);

  • A consortium could create a co-opetition infrastructure along the lines of the payment networks (some sort of financial services passport);

  • The financial services sector as a whole could create some form of industry identity utility that could be used to deliver “wholesale” identity services (I could get gas, electricity and identity all from the same retailer);

I’m rather in favour of the middle option as I think it delivers immediate improvements to the day-to-day transactions of modern life and it is, above all, feasible. But what exactly would it implement? The model of identity transactions that the WEF present (page 43), which divides identity transactions into authorisation, attributes and authentication is I think a little too narrow. The model we use at Consult Hyperion (“Three Domain Identity”, or 3DID) provides a better platform for discussion and exploration (but then I would say that wouldn’t I) because it makes the relationships between identities, attributes, credentials and so on more explicit.

3D Domain ID with FIDO

When it comes to discussing archetypes (or “marketectures”)  that will make sense (page 62), the use of the 3DID model makes it easier to understand the different options but considering who will control each of the domains. If, as WEF recommend, it is the financial institutions who control the Digital Identity and they link this to a variety of Mundane Identities from different sources and well as to a potentially large numbers of Virtual Identities (where credentials are held, essentially) it gives them a pivotal role. This might be in a federated structure, where each banks holds its own KYC and makes it available to other banks, or some other options. However it’s done, the authentication (proving you control the digital identity) is another matter.

One of the reason why I have such an interest in the “middle way” WEF blueprint is that I’ve been part of a techUK working group looking at this since 2014.

A ‘financial services passport’ refers to an aspirational digital identity, issued by UK financial services providers, and mutually recognised across the financial services industry.

From Workshop: Towards a Financial Services Passport

Such a passport would not only be used for financial services and for the benefit of financial institutions. It could be used to improve all sorts of services that desperately need a proper identity infrastructure. It could with internet dating, protecting people on twitter from trolls, access to adult services and other “sharp end” applications of digital identity that would be transformational not only for bank revenues but also for consumers in the mass market. The solutions to the big, immediate problems in these areas come not from the digital identity itself but from the virtual identities built on top of it, because the virtual identities are a way to communicate attributes rather than identity.

So what might banks do with your identity once they’ve got it safely locked away in their vaults? Well, one idea, particularly popular with me, is that they might give you a safe, pseudonymous virtual identity to go out an about with.

From Tired: Banks that store money. Wired: Banks that store identity | Consult Hyperion

The idea of strong pseudonymity is particularly appealing: a pseudonymous virtual identity with a bundle of credentials attested to by regulated financial institutions should be more than enough for almost all day-to-day transactions. This would allow for a new tranche of what economists call “incentive functions” to be created by banks, encouraging transactions where none would have taken place otherwise.

But back to the WEF report. In conclusion, despite my preference for our model (!), when it comes down to it, I think that the middle way (the consortium approach) is the place to start and I strongly agree with the principal recommendation of the report, which is that (page 101) “Implementation of a digital identity system should follow a bottom-up approach”. What the WEF calls “natural identity networks” I might be very tempted to label”communities”. So let’s create identity solutions for communities (starting with the financial services passport for the retail financial community of customers, providers and regulators) and find ways to interconnect them rather than trying to think up some kind of top-down “World ID” for the communities to implement.

* “Deloitte” refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients.

Taking the cash out of a pop festival (literally)

A lovely story of Caledonian crime dropped in through the interweb tubes this weekend. It must have taken some balls to do it, so I have sneaking admiration for the ne’erdowells behind this one.

A cash machine has been stolen from the main arena area at the T in the Park festival.

From Cash machine stolen from main arena of T in the Park site

My son went to this pop festival, as I believe they are known, last year. I armed him with Barclaycard bPay wristband to pay for essentials whilst bopping along to the variety of popular beat combos on show. This turned out to be completely pointless because a) no-one of the stall look cards, let along contactless and b) he lost the wristband on the first day. I’ve written before about cashlessnees in these environments (e.g., my expedition to the Roskilde Festival in Denmark) and I don’t want to go over old ground again, but the advantages of getting cash out of these environments are many and varied.



I have been to many of these “festivals” myself

How the braveheart burglars got away with this one I don’t know. You can hardly stick an ATM under your trench coat and I imagine ATMs have some sort of GPS tracing device on board so it’s hard to know how you can make off with one, but there you go. It’s time for action. They should ban cash completely from this sort of event. It is nothing but trouble. From tax-evading criminal gangs running some of the pitches to thefts and losses, to massive queues for ATMs, it is a hassle from beginning to end. The only reason to take cash to pop festivals, at least as far as I can recall from my time at such happenings, was to buy drugs.

Glasonbury when it used to be cool


We didn’t have mobile payments in my day

Nowadays the kids have Venmo and PingIt and debit cards and Bitcoin and iZettle and what not so there’s no need to put them in the vulnerable position of carrying cash. The market seems unable to provide a suitable payment mechanism, like Pop-PESA or something, so perhaps the Scottish authorities should step in and follow the trail blazed in Ohio. Since banks and card companies won’t provide a convenient and safe alternative to cash for the purchase of mind-altering chemicals other than alcohol and Night Nurse, the state should.

Ohio’s new medical marijuana law proposes a new way around the bank problem. The law allows state officials to set up a “closed loop” payment processing system, similar to prepaid debit and gift cards.

From Cashless payment system proposed for Ohio medical marijuana program |

Why not provide prepaid pseudonymous debit cards so that they could be used for the purchase of both legitimate and illegitimate goods (not only at festivals) with a cryptographically protected link to real identity that would be revealed by the issuer only under appropriate legal circumstances (i.e., a warrant). Why is it a byproduct of buying anything at all that your identity is provided to your counterparty when it has nothing to do with the transaction? It’s for a new kind of blank debit card – no name, no number on the front, no CVV, no stripe – that can only be issued to adults.

 Knebworth 1979

We didn’t have mobile phones, so we had to talk to each other at festivals

There was a very good edition of “In Business” on the BBC recently where Peter Day visited Colorado and noted the problems associate with the use of cash (“armoured cars full of cash a common sight”). This is all because of the bizarre situation in the US where marijuana is legal in some states but you can’t use electronic payments to buy it.

But despite the legality of at least medical marijuana in many states, and the Department of Justice’s mostly hands-off approach to state-legal businesses, the federal ban still means that every financial institution serving marijuana businesses is theoretically violating anti-money laundering laws

From Pot Banking 2016: More State Ballots But Continued Unease | Bank Think

This isn’t only about marijuana and pop festivals, of course. There is a general problem around the tension between social and financial inclusion, law enforcement and regulatory environments. John Vardaman, until recently with the Department of Justice, summed this up nicely in American Banker back in April, noting that “We’ve seen large financial institutions exiting what have been deemed high-risk areas categorically. The effect is that whole swaths of legitimate businesses have been frozen out of banking”. If we are going to take the risk-based approach to all of this seriously, it means making low-value, pseudonymous payment accounts available to all.

Fixing the “Twitter problem” isn’t that hard

There’s a problem with social media generally and Twitter in particular. The problem is abuse. 

I posted a screenshot of the email, and a few lines about how I would not be using Twitter until they figured out how to stop making incidents like this one (gross, but comparatively benign) a less constant component of my Twitter experience.

From Twitter Has Become a Park Filled With Bats — Following: How We Live Online

What can be done about it? A British example of this was in the press recently when the MP Jess Phillips reported hundreds of Twitter messages containing the depressingly usual sort of rape threats that are sent to women in the public sphere. Twitter said, essentially, tough.

“We reviewed the content and determined that it was not in violation of the Twitter rules.”

From By ignoring the thousands of rape threats sent to me, Twitter is colluding with my abusers

I don’t want to get into the free speech vs. hate speech debate but I will note that a variety of social media platforms have signed up to rules (in Europe) to try to cut down on hate speech.

Google, Facebook, Twitter and Microsoft have signed up to new EU rules on taking down illegal hate speech as lawmakers and internet giants try to cope with violent racist abuse and technically savvy terrorists online. The “code of conduct” will require companies to “review the majority” of flagged hate speech within 24 hours — and remove it, if necessary

From Web giants sign up to EU hate speech rules –

I couldn’t tell from the article what hate speech is, or what illegal hate speech is, but I imagine it is going to be pretty difficult to automate this. I mean we all know hate speech when we see it, but I don’t know if we’d be able to explain it to a computer and I don’t think it is realistic to expect Twitter or anyone else to have to sort through thousands, millions of boring, derivative and repellent messages in order to determine whether to ban of these pseudonyms (at which point they will simply log in under another pseudonym and continue). The solution is, as I set out a while back, is to give users the option to automatically block messages that do not come from an authenticated account. An authenticated account is an account that is pseudonymous but has been attested to by an acceptable third-party. By attested to, I mean that someone acceptable to the second party has attested that they know the real identity associated with the account.

What we need is a working identity infrastructure that allows for strongly-authenticated pseudonyms so that bullies can be blocked and revealed but public space can remain open for discussion and debate. Then you can default Facebook and Twitter and whatever to block unauthenticated pseudonyms

From We can contribute to childhood e-safety | Consult Hyperion

Here’s an example as to how this might work. I go to Twitter to create an account, @angrywhitemale or whatever. Twitter asks me if would like to authenticate my account. I say yes. Twitter asks me who will attest to my identity. I say Waitrose. Twitter says that Waitrose is not on its list of acceptable authenticators. I say Barclays. Twitter bounces me off to Barclays. At Barclays I use two-factor authentication to strongly authenticate myself and log in. Barclays then send a unique number back to Twitter. Twitter now know that Barclays knows who I am. The account is authenticated.

Jess Phillips has set her account to ignore all but authenticated accounts.

I tweet illegal hate speech to Jess Phillips. She passes it to the police. The police get the unique number from Twitter and go to Barclays with a warrant (all of these processes can be automated) and Barclays tell them that @angrywhitemale is actually Dave Birch and the police come round and arrest me.

Now, of course, I can delete the account @angrywhitemail and create a new identity @victimofsociety. But when I attempt to authenticate it, Barclays will notice that they had a warrant issued against my account and so will refuse to authenticate me until I get out of jail (or maybe never). So now I have to go and get another bank account in order to create another Twitter account in order to create another hate speech outrage in order to be arrested.

Most people in the public eye would, I’m sure, set their accounts to receive tweets from authenticated users only. Tweets from unauthenticated users to authenticated-only accounts would simply be discarded. The bullies could post away as much as they liked. Perhaps it is therapeutic for them

From Anonymity – privilege or right? | Consult Hyperion

Now, none of this infrastructure exists, of course. But suppose one group of authenticators — let’s say the banks, for example — came together to create it. It would generate immediate benefit for relatively little expenditure, since the Strong Customer Authentication (SCA) is already mandated (well, sort of, in the UK) and the kind of APIs that would be need to make this work are going to be in place shortly because of PSD2 (well, sort of, as PSD2 does not mandate any non-payments APIs). And while the infrastructure might become familiar to people because of social media, they might find many other places to use it. Dating web sites, for example. These are good example of meeting places that benefit from strongly-authenticated pseudonymity. When I interact with you on a dating website, I don’t need to know your real name, but I do need to know that you exist and are over 18, and these are both facts about me that are known by my bank.

Would Twitter or Ashley Madison or whoever be prepared to pay the bank 10p for every authentication? I think this might be a reasonable price to pay for maintaining civilised spaces where people come to meet and mingle (and look at advertisements).

A mix-up around what is new in identity

Quite a few people tweeted or posted about the announcement of IBM’s “new” technology in the identity space, now available to developers on its Bluemix cloud platform. Here’s a typical example.

Back in January — on Data Privacy Day, no less — IBM announced Identity Mixer, a new technology for protecting users’ personal data during authentication.

[From New IBM tech lets apps authenticate you without personal data | Computerworld]

If this new “Identity Mixer” technology sounds familiar to you, it may be because five years ago it won a well-deserved prize.

Munich, Germany, 5 May 2010—IBM Research was honored with the Best Innovation European Identity Award 2010 from Kuppinger Cole, an analyst firm focused on information security, identity, and IT governance. IBM’s Identity Mixer technology was recognized for its pioneering work that offers simultaneously both strong authentication and privacy.

[From IBM Research – Zurich | News]

Now, don’t get me wrong. I think Identity Mixer is a great technology, and IBM’s Zurich research laboratory has done some great work in this space, and I wholeheartedly agree with the idea of using pseudonymity as a means to deliver both security and privacy into the mass market in an effective way.

In its simplest form, Identity Mixer works similar to traditional attribute-based credentials with a few crucial differences. Each user has a single secret key but can have multiple public keys that correspond to it. In a way, this secret key is the user’s secret identity, and users can derive as many public identities from it as necessary.

[From Identity Security and Privacy for Electronic User Authentication]

This is a good model for identity. If it sounds familiar, it’s because you will have read something similar in “A Model for Digital Identity” by Neil McEvoy and me in that seminal tome “Digital Identity Management: Technological, Business and Social Implications“, edited by yours truly (Gower: 2007). It’s on pages 95-104, for ready reference. In that chapter, Neil and I put forward the idea that digital identity as a bridge between mundane and virtual identities makes sense in many different ways, one of them being that the use of multiple pseudonymous virtual identities (what the above article means by “many public identities”) is a great way to move forward and a great way to think about identity in an online world. Now, back in 2007, we weren’t the only people thinking this way, because IBM announced a great new technology that was built on the same lines. 

Armonk, NY, and Zurich, Switzerland, 26 Jan 2007—IBM (NYSE:IBM) today announced software that allows people to hide or anonymize their personal information on the Web, ensuring protection from identity theft and other misuse. Developed by researchers at IBM’s research laboratory in Zurich, Switzerland, the software—called Identity Mixer—will enable consumers to purchase goods and services on the Internet without disclosing personal information.

[From IBM Research – Zurich | News]

Note that when this announcement was made in 2007 the IBM version of the concept was already more than five years old. You can read about it in Camenisch, J. and E. V. Herreweghen (IBM Research, Zurich), “Design and implementation of the idemix anonymous credential system” in the Proceedings of the 9th ACM conference on Computer and communications security (Washington DC, 2002). The new technology that people were telling me about this week has been around for at least 14 years and probably longer.

So, whatever Identity Mixer is, the one thing it is not is new. Hence one is forced to ask the question that if it is such a good idea, how come we’re not using it? Why doesn’t my iPhone allow me to log in to apps and services while selecting dynamically between Dave Birch (my personal ID), David G.W. Birch (my work ID), Leadbelly Gutbucket (my games ID) and Lord Tantamount Horseposture (my ID for arguing with people in newspaper comment sections)? Is the concept of multiple identities and pseudonymity just too difficult for the mass market? I’m genuinely curious to hear what you think!

Trusted tryst tokens

Well. I can’t not write something about the Ashley Madison hack. Massive data breaches that spew people’s credit card information all over the Internet are one thing and I’d sort of given up paying any attention to them. After all, if someone gets hold of my credit card information and uses it to make unauthorised charges against my account, then it’s the bank’s problem and not mine so I don’t really care. That’s the whole point of using credit cards, that it’s not your problem.

But this is different. We’ve all had fun with the story on Twitter, but it’s really no laughing matter. Some people’s lives are going to be made a misery because of this. It’s all very well to take the moral high ground and say that people shouldn’t have registered for the site in the first place but that misses the point. The 28 million men and five million women who registered their sensitive personal details at the site were acting legally and I imagine that they thought they had a reasonable expectation of privacy. It doesn’t seem to be hyperbole to say that someone might well die because of this personal data Chernobyl.

So what should be done? There are really two quite distinct problems here. There is the problem of online payment and then there is the problem of online identity. I haven’t actually registered for Ashley Madison (although somebody else did, using my email address, which is why I periodically get emails asking me if I’m interested in women in Birmingham – see below) but I imagine that they use the credit card information for two purposes: one of which is to establish who you are and that you are over 18, and the other of which is to collect money from you. Note the pernicious interrelationship between the two use cases: using the credit card information to prove who you are means that you are giving Ashley Madison your name and address, which is really none of their business, and that if anything happens to breach their undoubtedly impressive security procedures, your real name and address could be disclosed.


Is there some insurmountable technological barrier to delivering security and privacy to people? I don’t think so. Emma Lindley, who knows what she is talking about (you can hear my podcast with her here) says that we know what the solution to this problem is, and she is right.

We’re finding that cryptography enabled personal digital identities will increasingly become the answer to this endemic data breach problem

[From Hacked Off? | Emma Lindley | LinkedIn]

You can do things with digital identities that you can’t do with physical identities. One such thing is to partially-disclose: you can prove that you are over 18, for example, without disclosing your age. There are well-known and well-understood techniques that mean that I can prove to Ashley Madison that I am male, resident in the UK, over 18, solvent and known to the authorities without having to give Ashley Madison my name and address. So why don’t we use them? This is a really interesting case of a problem that we know how to fix but don’t because the co-ordination problems are too great. Other than the Apple sheepdog coming along to corrall the stakeholders, I’m out of ideas.

I did see a tweet from Marc Andressen, who you have to take pretty seriously on this stuff, saying that the Ashley Madison hack would stimulate the use of Bitcoin in order to reduce the privacy consequences of such a hack, but I disagree. You could pay Ashley Madison using Bitcoin but you would still have to give them your credit card details in order to prove that you are a real person and over 18. Or give them a photo of your driver’s license or whatever. Solving the payment problem doesn’t solve the identity problem.

Wait. Maybe the Apple sheepdog is going to fix it.

Now, think what will happen at Ashley Madison in an Apple Pay world. You pay online at Ashley Madison using Apple Pay on the web. So you enter your pseudonymous Apple e-mail address and your Apple Wallet pops up on the phone and you put your thumb on the scanner and… done. Instead of getting your real credit card number, Ashley Madison get a token. The bank has implicitly tokenised certain of your personal details in the same way that they tokenised your credit card details. So, Barclaycard can give me a token that says I have a Barclaycard in the UK, and therefore must be over 18, and therefore Barclaycard know who I am, and therefore Ashley Madison don’t need to know who I am, and therefore provided that I can strongly authenticate to prove ownership of the token, there is no need for any of my personal details to be stored at Ashley Madison. All they need is pseudonymous email address and that’s that.


Well, sort of. I happened to be leafing through the new MasterCard “Card on File Tokenisation Specification Enhancement” details and I was reminded that the EMV tokenisation standard is being amended to include a unique ID that will be the same for all of the tokens relating to a particular account. So I may not know who you are from your token details saved at Ashley Madison, but if I can see that same Payment Account Reference (PAR) is used at another retailer where it is matched against your name (or something that could lead to your name) then you could still be compromised.


A clever solution (and value-added service) for banks to offer would be a Stealth Token as an Apple Pay option so that I can load a token that only the bank can connect to my actual credit card. A Stealth Token could be issued for debit cards too, but only for over-18s. The Stealth Token would zero out the last four digits of the actual PAN and also zero out the PAR. With a Stealth Token, consumers could use Apple Pay or Samsung Pay or Google Pay to purchase adult services (or any other services that they would not want to be linked with – a subscription to the Daily Mail, for example, or online Bingo) safely and securely, in the knowledge that even the merchant would have no idea of their “real” identity (i.e., the account behind the Stealth Token).


Most importantly, the legal liability for non-disclosure of the the account behind the Stealth Token (except under presentation of a valid warrant) would rest fairly and squarely with the regulated entity actually able to actually protect the data: the bank. Would I pay a little extra for a Stealth Token? I certainly would, and I bet a lot of other people would too.
The Ashley Madison example shows how interrelated innovation in money and identity could be (but currently isn’t) used to deliver both more security and more privacy online.

Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
Verified by MonsterInsights