Facebook, APIs and cardmageddon

The wonderful people at Payments NZ invited me around the globe to their conference “The Point” in Auckland this year and flattered me by asking me to

    1. give a keynote talk on the topic of “Cardmageddon” (the day when cards are no longer more than half of non-cash payments) and

    2. be the prize in their raffle.

Naturally, I accepted both offers.

Getting The Point (yuk yuk)


It was a terrific event (you can download the presentations from the event here) and I thoroughly enjoyed both roles. I made a big deal about APIs and XS2A in my presentation because I wanted the audience to understand just what a range of organisations consumers are likely to give access to their bank accounts to. In particular, I said that I thought that retailers would be quick to take advantage of the possibilities here, but I also mentioned messaging and social networks. This latter case is one that I have discussed a couple of times before. Here’s where I came back to it a couple of years ago:

I can remember discussing with some clients at the time what sort of services they might be able to offer to Facebook or other social networks that were empowered through an Electronic Money Issuing (ELMI) licence and Payments Institution (PI) licence.

From Facebook money is overdue | Consult Hyperion

In work for one of our clients around about the same time, I firmly predicted that Facebook would do just this because the advantage of being able to instruct transfers without having the regulatory overhead of being a bank was so great. These were hardly Nostradamus-style prognostications, merely rather obvious interpolations of technology and regulatory trends. And, frankly, the cost of obtaining and maintaining these licences is so trivial to a Facebook or a Google or an Apple that it was a no-brainer to assume that they would apply. Well, guess what…

The Sunday Business Post reports that Facebook has received a licence from the Central Bank to operate a financial payments service, two years after applying for authorisation. A subsidiary of the social media giant can now act as a payments provider and electronic money issuer, as well as provide credit transfers and remittance services across the EU, as a result of the regulatory approval.

From Seen and Heard: Facebook secures payments services licence

Interesting phrasing. They can “provide credit transfers”. So the day when my teenage son’s dreams will at last come true is not far off. I’ll be able to send you a tenner in WhatsApp just as easily as I can send you my location and neither of us will need a bank account to do this. This means real, and really serious, competition coming into the payments space. This is great, because competition will drive new services for consumers. But it does make me wonder whether some more regulatory intervention is on the horizon.

To see why I think this, reflect on the Second Payment Services Directive (PSD2) — the home of the aforementioned XS2A — and why it is going to have a major impact on banks. This has been clear for some time and, indeed, I have been droning on about it for years. Let’s just recap on the principle for a moment. The point is that because banks occupy a privileged place in society they are required to provide some services that are for society’s good rather than for their own good. XS2A is an example. In return for their privileges, banks have to deliver on certain responsibilities. So the regulator’s argument is that banks have to open up their APIs to third parties in order to allow those third parties to create new products and services that otherwise would not exist. The result of all of this is that society as a whole is better off.

Note that the banks themselves are not prevented from creating new products or services using these APIs either. I have written before about the “Amazonisation of banking” and, on a number of different engagements for financial services clients, my colleagues at Consult Hyperion have looked at the possibilities of opening up in this field. But back to The Point, where the very clear-thinking Victoria Richardson, General Manager Payments Direction at the Australian Payments and Clearing Association (APCA), set the meme of the event when she talked about banks having to shift their perspective from “API horror” to “API opportunity”, and I genuinely think that, in the UK at least, some banks have started to do this.

Victoria from APCA

So now the dust has settled, the banks are opening up their APIs and are seeing new opportunities from accessing data. This is not because banks wanted to do this, but because they were given no choice. But if this argument applies to banks, that they are required to open up their APIs because they have a special responsibility to society, then why shouldn’t this principle also apply to Facebook? You may be aware that Facebook recently blocked an insurance company from having access to customers’ Facebook data, which the insurance company wanted in order to provide better quotes and special offers and so on.

Facebook will allow people to use their accounts to log in to the Admiral app, and for verification purposes, but will not allow the insurer to view users’ posts to work out discounts.

From Facebook blocks Admiral’s car insurance discount plan – BBC News

It seems to me that these issues are equivalent. On the one hand we are saying that banks cannot stop other regulated institutions from having access to customers’ accounts provided that they obtain the customers’ permission first and use strong authentication and so on and so forth, so why on the other hand shouldn’t the same apply to Facebook? Why shouldn’t a regulated institution such as an insurance company obtain access to customers’ data provided those customers give consent for them to do so? If I want to give GEICO access to my LinkedIn account on the grounds that I think it will get me a better deal on car insurance, why shouldn’t I? If an insurer decides to up my life insurance premium because they see me in a hot dog-eating competition on Facebook, why shouldn’t they? After all, the more information insurers have, the more accurately they can price the risks. And if I don’t want to pay a higher premium, then I should stop smoking, bungee-jumping and eating Scotch eggs before breakfast. This is, by the way, hardly a new idea.

Startup Lenddo has launched a ‘social network’ credit card in Colombia that will see applicants approved or declined based on their reputations on Facebook and Twitter.

From Finextra: Lenddo delves into credit card applicants’ social media data

You can see the obvious benefits for financial services organisations if they can have access to social media accounts, almost as great as the benefits that social media platforms will obtain from having access to bank accounts. Come to that, why shouldn’t all regulated institutions have access to LinkedIn or Twitter or whatever else, given the informed consent of customers? These platforms are crucial to the way that society functions nowadays, so why should they not be required to be open platforms just as banks are? That would be a level playing field, wouldn’t it?


It’s really hard to be James Bond these days. Apart from health & safety restrictions on the use of poison umbrellas and the legal restrictions on the murder of henchmen (even foreign ones), and all the paperwork around the expenses and what is VATable and what isn’t, you’ll be rumbled in an instant by your Facebook account. Because you don’t have one.

It is not simply a question of keeping details offline, either, but the opposite: individuals or identities without deep, broad online presences are precisely those likely to raise suspicion. “The challenge of having a credible digital footprint is significant,” Mr Inkster said. Fake Twitter or Facebook accounts alone do not make the grade.

From The spy who liked me: Britain’s changing secret service – FT.com

If I come across someone in a work context, and they are not on LinkedIn, then I assume that they are either in the witness protection programme or have been in prison. Unfair, possibly, but that’s where we are. And of course if you are not yourself on Facebook, then it’s only a matter of time before some schmuck snaps you and you’re in the system whether you like it or not. You could be out and about with an important business contact having a very important business discussion about important business issues, for example, but because of the camera angle and the perspective a snapshot of this event might be entirely misconstrued.

Blue Hat Red Hat


And once you’re in the system, you are no longer anonymous whatever you might think about being off the grid. Wherever you are and whatever you are doing, you’re in someone’s SnapChat or Instagram feed.

Give Facebook two pictures, and it can tell you with 97 percent accuracy whether they’re the same person, roughly the same accuracy as a human being in the same spot.

From Why Facebook is beating the FBI at facial recognition | The Verge

In the good old days, the good old spies had to stake you out and track you down and stalk you and then murder you in a dastardly and complex fashion, often involving laser beams. Now they just run the face recognition software until you pop up somewhere and then… it’s radioactive sushi time. Until my plan for Facebook-blue burkhas for all is accepted by the mainstream, I’m afraid I can see no way round this. The Bond villain of the future isn’t Mr. Big on an island with a pet cheetah and anti-aircraft missiles but a kid in his underwear eating pizza and running face matching algorithms.

By the way, I noticed in the newspapers that while it may be increasingly difficult for spies to convince people that they are not spies, it is apparently much easier for people to convince other people that they are spies.

Mark Acklom convinced her he was a spy and defrauded her of £850,000 

From Gloucestershire woman fell for ‘charismatic’ fraudster who claimed he worked for MI6 | Daily Mail Online

I don’t want to pick on this poor woman, and I know only too well how easily women can fall under the spell of handsome Englishmen, but honestly had she never heard of LinkedIn? If a match.com counterparty was trying to convince me that they are from MI6, I would fully expect to open up their LinkedIn profile and see a convincing employment narrative going back many years. And if they didn’t have a Facebook profile, then I’d naturally assume them to be a fraudster not an undercover agent.

Spies are an interesting use case: when you start to think about the serious business of population-scale identity, they present a problem. If the purpose of a national identity system is to uniquely identify someone, then you don’t want it to ping back “James Bond” when 007 has to use the biometric identification system at the casino entrance. Which means that, in the general case, people must be able to have multiple identities. When Bond presents an ID with the alias Dave Birch on it, then the casino system should ping the government (or whoever) to ask “is this Dave Birch?” and get back a “yes”, rather than ping them with “who is this?” and get back “James Bond”. As I wrote many years ago,

As was well-put on Ideal Government recently, multiple identities are part of the solution, not part of the problem of information age identity.

From Age vs. identities | Consult Hyperion

Population-scale solutions should start with multiple identities, not add them as a special case. The very specific case where the pseudonym and the absonym coincide should be seen as nothing more than one of a spectrum of identity mappings.

The social cost of identity

The police are apparently fed up with Walmart. They cut staff, introduced automated checkout and saw a big increase in shoplifting, which they pass on to the police.

“The constant calls from Walmart are just draining,” says Bill Ferguson, a police captain in Port Richey, Fla. “They recognize the problem and refuse to do anything about it.”

From Walmart’s Out-of-Control Crime Problem Is Driving Police Crazy

You can see the logic from the company’s point of view. They pay for staff but they don’t pay for the police, so they may as well externalise the costs of managing bad behaviour. To some extent, of course, we all do this. We expect the authorities to stop people from hurting us in a variety of ways. But there has to be a balance. It would be crazy for car companies to save money by not fitting car alarms and instead fit a cheaper device to alert the police when the car is stolen. But never mind Walmart and Ford. Isn’t this what Twitter and Facebook have done?

Scotland Yard will spend £1.7million on a ‘Twitter squad’ to hunt trolls

From Scotland Yard invests £2m into new ‘thought police’ unit to hunt down trolls | Daily Mail Online

The problem of bad behaviour online appears to be out of control. I’m sure that police have considerably better things to do with their time than track down lunatics posting threats on Twitter or bullying bereaved people on Facebook. I’m particularly annoyed about the problem on Twitter because I love it so much. Personally, when someone posts abuse at me (and this – astonishingly – does happen from time to time) then I just mute them and carry on. But for some people, especially those more in the public eye, the abuse makes Twitter unusable. 

I posted a screenshot of the email, and a few lines about how I would not be using Twitter until they figured out how to stop making incidents like this one (gross, but comparatively benign) a less constant component of my Twitter experience.

From Twitter Has Become a Park Filled With Bats — Following: How We Live Online

Over time, this is becoming a very serious problem. The “trolls” are not only annoying to individuals they are undermining the medium.

But it’s biggest problem are those trolls. They’re winning. Too often Twitter’s users are subject to pernicious streams of abuse and harassment. This dissuades new users from wanting to sign up, drives formerly loyal tweeters to close their accounts, and gives advertisers pause as they consider where to place their brand dollars.

From Stopping Trolls Is Now Life and Death for Twitter — Backchannel

Twitter has responded to this well-known and widespread problem in the past. But it is really not clear to me how they can do this in an automated fashion. If you call me names on Twitter, is that trolling? If I tell you – repeatedly – that your idea for a database of transaction hashes is not a blockchain, is that harassment? And if you get me banned for it, what’s to stop me from just creating another account and carrying on? It is undeniably a very difficult problem, made worse by the absence of any suitable identity infrastructure.

Twitter has long come under criticism for not doing enough to police abusive behavior on the often-freewheeling messaging service.

From Twitter announces crackdown after online abuse of ‘Ghostbusters’ actor | Reuters

So. There has been a huge amount of discussion about the problems of Twitter and falling usage as people abandon the platform because of bullying and trolling. Here’s the big question then. How can we align the social costs of policing anti-social media more effectively so that we can deal with trolls without having to spend gazillions on the police, courts and jails? My argument has always been that it is more cost-effective to support the industry in developing an identity infrastructure that may be used for this purpose (amongst others). And I’ve come around to thinking that banks are probably the right people to get it going. We need to get Twitter to let people create accounts using a Bank Identity (for want of a better word). But not much has happened. Naturally, I’ve written about this before. And as well as moaning about it I’ve made some positive suggestions for things to do about it, largely based on developing strong pseudonymity as the key infrastructure. Other people have put forward similar practical ideas, but they all rest on the ability to authenticate against a “real” identity.

Allow users to not show their tweets to unauthenticated users. 

From Putting out the Twitter trashfire — Medium

Some people think that instead of fixing the problem properly as suggested, we should instead rely on “real” name policies, but I disagree profoundly. There are many issues that people might want to comment on but not use their real names. Again, something I’ve written about extensively. So the basic knee-jerk reaction about names, while understandable, does not work for me. I want people to post their honest opinions and comments about difficult subjects and they need privacy to do this (note, for the one-thousandth time, that privacy is not anonymity).

Social media users should be forced to reveal their real names so police can track down jilted lovers who post “revenge porn”, a peer has said.

From Revenge porn: Peer says Twitter users must reveal real names – Telegraph

The police do not need people to post their real names to do this. What they need is a route to the real names, which is why the idea of strong pseudonymity (pseudonyms managed by regulated institutions) is so appealing. If Barclays know who I am, then the police can ask Barclays and Barclays will tell them. But Barclays won’t tell anyone else, so I can post in privacy. Why banks do not get together to provide such an obviously beneficial identity service is beyond me. It’s all very well providing a bank identity to let me do my taxes, but I do this once every year, whereas I post abuse on social media almost hourly.

Fixing the “Twitter problem” isn’t that hard

There’s a problem with social media generally and Twitter in particular. The problem is abuse. 

I posted a screenshot of the email, and a few lines about how I would not be using Twitter until they figured out how to stop making incidents like this one (gross, but comparatively benign) a less constant component of my Twitter experience.

From Twitter Has Become a Park Filled With Bats — Following: How We Live Online

What can be done about it? A British example of this was in the press recently when the MP Jess Phillips reported hundreds of Twitter messages containing the depressingly usual sort of rape threats that are sent to women in the public sphere. Twitter said, essentially, tough.

“We reviewed the content and determined that it was not in violation of the Twitter rules.”

From By ignoring the thousands of rape threats sent to me, Twitter is colluding with my abusers

I don’t want to get into the free speech vs. hate speech debate but I will note that a variety of social media platforms have signed up to rules (in Europe) to try to cut down on hate speech.

Google, Facebook, Twitter and Microsoft have signed up to new EU rules on taking down illegal hate speech as lawmakers and internet giants try to cope with violent racist abuse and technically savvy terrorists online. The “code of conduct” will require companies to “review the majority” of flagged hate speech within 24 hours — and remove it, if necessary

From Web giants sign up to EU hate speech rules – FT.com

I couldn’t tell from the article what hate speech is, or what illegal hate speech is, but I imagine it is going to be pretty difficult to automate this. I mean, we all know hate speech when we see it, but I don’t know if we’d be able to explain it to a computer, and I don’t think it is realistic to expect Twitter or anyone else to have to sort through thousands, millions of boring, derivative and repellent messages in order to determine whether to ban each of these pseudonyms (at which point they will simply log in under another pseudonym and continue). The solution, as I set out a while back, is to give users the option to automatically block messages that do not come from an authenticated account. An authenticated account is an account that is pseudonymous but has been attested to by an acceptable third party. By attested to, I mean that someone acceptable to the second party has attested that they know the real identity associated with the account.

What we need is a working identity infrastructure that allows for strongly-authenticated pseudonyms so that bullies can be blocked and revealed but public space can remain open for discussion and debate. Then you can default Facebook and Twitter and whatever to block unauthenticated pseudonyms.

From We can contribute to childhood e-safety | Consult Hyperion

Here’s an example as to how this might work. I go to Twitter to create an account, @angrywhitemale or whatever. Twitter asks me if I would like to authenticate my account. I say yes. Twitter asks me who will attest to my identity. I say Waitrose. Twitter says that Waitrose is not on its list of acceptable authenticators. I say Barclays. Twitter bounces me off to Barclays. At Barclays I use two-factor authentication to strongly authenticate myself and log in. Barclays then sends a unique number back to Twitter. Twitter now knows that Barclays knows who I am. The account is authenticated.

Jess Phillips has set her account to ignore all but authenticated accounts.

I tweet illegal hate speech to Jess Phillips. She passes it to the police. The police get the unique number from Twitter and go to Barclays with a warrant (all of these processes can be automated) and Barclays tell them that @angrywhitemale is actually Dave Birch and the police come round and arrest me.

Now, of course, I can delete the account @angrywhitemale and create a new identity @victimofsociety. But when I attempt to authenticate it, Barclays will notice that they had a warrant issued against my account and so will refuse to authenticate me until I get out of jail (or maybe never). So now I have to go and get another bank account in order to create another Twitter account in order to create another hate speech outrage in order to be arrested.

Most people in the public eye would, I’m sure, set their accounts to receive tweets from authenticated users only. Tweets from unauthenticated users to authenticated-only accounts would simply be discarded. The bullies could post away as much as they liked. Perhaps it is therapeutic for them.

From Anonymity – privilege or right? | Consult Hyperion

Now, none of this infrastructure exists, of course. But suppose one group of authenticators — let’s say the banks, for example — came together to create it. It would generate immediate benefit for relatively little expenditure, since Strong Customer Authentication (SCA) is already mandated (well, sort of, in the UK) and the kind of APIs that would be needed to make this work are going to be in place shortly because of PSD2 (well, sort of, as PSD2 does not mandate any non-payments APIs). And while the infrastructure might become familiar to people because of social media, they might find many other places to use it. Dating web sites, for example. These are good examples of meeting places that benefit from strongly-authenticated pseudonymity. When I interact with you on a dating website, I don’t need to know your real name, but I do need to know that you exist and are over 18, and these are both facts about a person that are known by their bank.
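The attestation flow set out above (Waitrose refused, Barclays attests after two-factor login, the platform keeps only an opaque number, the police resolve that number against a warrant, and the bank then refuses to attest for a new handle), together with the earlier point that a relying party should ask “is this Dave Birch?” rather than “who is this?”, as an added Python simulation. This is not code from the post, from Twitter or from any bank; the `Bank`, `Platform` and `Warrant` objects and every method name are assumptions made for illustration, and the customer record is constructed sample data.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Warrant:
    """Constructed stand-in for a court order (assumption: the bank checks only a flag)."""
    number: str          # the attestation number the police obtained from the platform
    signed: bool


class Bank:
    """Authenticator that knows who its customers are. It issues opaque attestation
    numbers and reveals the name behind one only when a warrant is presented."""

    def __init__(self, name: str):
        self.name = name
        self._customers = {}      # customer_id -> real name
        self._attestations = {}   # attestation number -> customer_id
        self._blocked = set()     # customers a warrant has been served on

    def enrol(self, customer_id: str, real_name: str) -> None:
        self._customers[customer_id] = real_name

    def attest(self, customer_id: str, second_factor_ok: bool) -> Optional[str]:
        """Strong customer authentication, then a fresh random number. A new number
        per attestation means two platforms cannot link the same person."""
        if customer_id not in self._customers or not second_factor_ok:
            raise PermissionError("strong customer authentication failed")
        if customer_id in self._blocked:
            return None                      # refuse until the matter is resolved
        number = secrets.token_hex(16)
        self._attestations[number] = customer_id
        return number

    def resolve(self, warrant: Warrant) -> str:
        """Answer 'who is this?' for the police only, and block re-attestation."""
        if not warrant.signed:
            raise PermissionError("no valid warrant")
        customer_id = self._attestations[warrant.number]
        self._blocked.add(customer_id)
        return self._customers[customer_id]


@dataclass
class Account:
    handle: str
    attestation: Optional[tuple] = None      # (bank name, opaque number) once attested
    authenticated_only: bool = False
    inbox: list = field(default_factory=list)


class Platform:
    """The social network. It never learns a real name, only that some acceptable
    authenticator says 'yes, I know who this is'."""

    def __init__(self, acceptable_authenticators):
        self.acceptable = set(acceptable_authenticators)
        self.accounts = {}

    def create_account(self, handle: str) -> None:
        self.accounts[handle] = Account(handle)

    def authenticate(self, handle, bank, customer_id, second_factor_ok) -> str:
        if bank.name not in self.acceptable:
            return "authenticator not acceptable"
        number = bank.attest(customer_id, second_factor_ok)
        if number is None:
            return "authenticator refused"
        self.accounts[handle].attestation = (bank.name, number)
        return "authenticated"

    def set_authenticated_only(self, handle: str) -> None:
        self.accounts[handle].authenticated_only = True

    def send(self, sender: str, recipient: str, text: str) -> bool:
        """Deliver unless the recipient ignores unauthenticated senders; dropped
        messages are simply discarded, as the post proposes."""
        src, dst = self.accounts[sender], self.accounts[recipient]
        if dst.authenticated_only and src.attestation is None:
            return False
        dst.inbox.append((sender, text, src.attestation))
        return True


def run_scenario() -> dict:
    """Walk through the post's worked example and return what each step yielded."""
    barclays = Bank("Barclays")
    barclays.enrol("cust-001", "Dave Birch")           # constructed sample customer
    waitrose = Bank("Waitrose")                         # not an acceptable authenticator
    twitter = Platform(acceptable_authenticators=["Barclays"])
    r = {}
    for handle in ("@angrywhitemale", "@jessphillips"):
        twitter.create_account(handle)
    twitter.set_authenticated_only("@jessphillips")
    r["unauth_delivered"] = twitter.send("@angrywhitemale", "@jessphillips", "abuse")
    r["waitrose"] = twitter.authenticate("@angrywhitemale", waitrose, "cust-001", True)
    r["barclays"] = twitter.authenticate("@angrywhitemale", barclays, "cust-001", True)
    r["auth_delivered"] = twitter.send("@angrywhitemale", "@jessphillips", "hate speech")
    # The recipient reports the message; police take the opaque number to the bank.
    _, _, (bank_name, number) = twitter.accounts["@jessphillips"].inbox[-1]
    r["platform_sees_real_name"] = "Dave Birch" in str(twitter.accounts["@angrywhitemale"])
    r["resolved"] = barclays.resolve(Warrant(number=number, signed=True))
    # Same person, new handle: the bank will not attest again.
    del twitter.accounts["@angrywhitemale"]
    twitter.create_account("@victimofsociety")
    r["reattest"] = twitter.authenticate("@victimofsociety", barclays, "cust-001", True)
    return r
```

Two design choices carry the privacy argument in the post. The platform stores only the bank's name and a random per-attestation number, so a breach of the platform's database leaks nothing that identifies the person, and the same customer attesting to two platforms gets two unrelated numbers. The bank, for its part, answers “who is this?” only against a warrant, and the act of answering is what flips the customer into the blocked set, so the refusal to re-attest in the last step follows automatically from the resolution rather than needing a separate police notification.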

Would Twitter or Ashley Madison or whoever be prepared to pay the bank 10p for every authentication? I think this might be a reasonable price to pay for maintaining civilised spaces where people come to meet and mingle (and look at advertisements).
