Confronting the issue

There’s an interesting choice of words in the O’Reilly Radar publication on “ePayments 2010“. The report’s subtitle is “Emerging Platforms, Embracing Mobile and Confronting Identity”. I thought that this is expressive: the payments industry is “confronting” identity.

…even as consumers come to expect online systems to know more about them in order to facilitate transactions and reduce friction in accomplishing tasks, they are likely to want to maintain control over which online services have access to distinct aspects of their identity.

Very well put. It illustrates a point that I find myself making in more and more discussions these days: that if the players in the payments industry don’t deal with the identity problem, then someone else will.

Identity is critical in many ways: It ensures the right degree of user personalization, enables the reliable billing of services used across a platform, and provides a strong foundation of trust for any transaction occurring on the platform.

[From Making Sense of Ever-Changing Payment Technologies: The Year of APIs and the Reshaping of the Payment Ecosystem – pymnts.com]

Patrick is right to highlight the key role of identity in constructing the future payments infrastructure, although I would draw a slightly different diagram to illustrate the relationship. He has drawn identity on top of payment services, whereas as I would draw them side-by-side to show that some commerce applications will use identity and some will not, some commerce applications will use payments and some will not. This isn’t just a payments issue, of course. It’s rapidly becoming a major block on the development of the online economy. There’s a Chernobyl coming, and the recent fuss about Sony and Sega will appear utterly trivial in comparison. I’m not smart enough to know where or when it will happen, but it will happen. If I had to take a wild guess, I might be tempted to predict the epicentre if not the cause or symptoms.

I trust Facebook to give the messages that I type to my ‘friends’. I trust Facebook with the login details to my Yahoo email account… Even in the last week at least four of my friends have been link-jacked in Facebook – whereby their accounts start spewing malicious links onto the walls of their friends.

[From Trust co-opetition is the key to avoiding disintermediation « in2payments]

It’s the interlinking via social networking that is precisely the danger, because that means when something goes wrong is goes connectedly wrong and gets out of control in unpredictable ways. Something has got to be done to make identity mischief substantially more difficult. But how?

We need online identities anchored in hardware cryptography. Everybody who does financial cryptography understands that for anything of value, you can’t store the keys in software. You need hardware protected keys, with a cryptoprocessor to operate on them, and very importantly, a trusted UI to the human that doesn’t involve hackable software. EMV is a good basis for this

[From The Case for EMV Chip Cards in the US? — Payments Views from Glenbrook Partners]

Hear hear. I’d say that it was the chip with a crypto co-processor that is the basis (EMV is just an application running on such a chip) but the point holds. So where are these chips today? Well, they exist in your chip and PIN card is a sort of autistic form, with limited communication and narrow bandwidth through which we can reach the smart core. And they exist in your mobile phone, in the form of the UICC, where they have high bandwidth, constant connectivity, a UI, huge memory and an ecosystem beyond the device. And they will soon exist in your mobile phone, set-top box and elsewhere in the Secure Element (SE). (As an aside, in some models the SE will be resident in the UICC, so there may only be one physical chip.)

Therefore, there is an opportunity to roll-out an SE-based infrastructure, perhaps in the NSTIC architecture, that sets us down the path to identity security. I’m surprised that, in Europe at least, the mobile operators haven’t already got together to develop their joint response to NSTIC and begun work on the business models that it spawns. The mobile operator is a naturally identity and attribute provider and they already have the tamper-resistant hardware (ie, UICCs) out in the market. They know the customer, they know the network, they know the device. I should be logging on to everything using my handset already, not messing about with passwords and secret phrases and mother’s maiden name.

From the point of view of the UK, where the national identity card scheme has just been scrapped and there is no alternative identity infrastructure in place, there is much to be admired in the US approach.

[From Digital Identity: USTIC]

This may be another area where the ease of use afforded by NFC makes for a big difference in the shape of the marketplace and the trajectory of the stakeholders. There were some early experiments in SIM-based secure PKI, but they were very, very clunky because they needed SMS or Bluetooth to connect the handset to the target device, like a PC or a kiosk (or a POS). But in the new world of NFC, what could be simpler: use menu on phone to select identity, tap and go online. And since the SE can handle the proper cryptography, my phone can tell whether it is talking to the real Barclays as well as Barclays working out whether it is talking to my phone. The NSTIC framework, when combined with the security and ease-of-use of NFC in mobile phones, may not be whole solution, but it’s certainly a plausible hypothesis about what that solution may grow from.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Ageing problem

The simple and prosaic case of age verification has always been a litmus test for digital identity infrastructure and it’s taken on new dimensions because of social networking. We need some clear thinking to see through fog of moral panic, made worse by the turbocharging impact of the mobile phone, because it is such an individual and personal device. The spectre of legions of perverts luring children via their mobile phones is, indeed, disturbing. If only there were some way to know whether your new social networking friend is actually a child of your age and not an adult masquerading as such.

A mobile phone application which claims to identify adults posing as children is to be released. The team behind Child Defence says the app can analyse language to generate an age profile, identifying potential paedophiles.

[From BBC News – Researchers launch mobile device ‘to spot paedophiles’]

Of course, it ought to work the other way round as well. One of my son’s friends told me that members of his World of Warcraft Guild (all 13- and 14-year olds) enjoy pretending to be “grown ups” online (by pretending to have jobs and wives). But this seems an odd way to move forward, as well as something that will surely be gamed by determined perverts.

Why on Earth can’t we just do this properly, at the infrastructural level. If we had a half-decent digital identity infrastructure, there would be no need for this sort of thing. Look, here’s a simple of example of this, in Japan. If you want to use social networks via your mobile phone then it is the operator who verifies your age to the social network service (SNS) provider. Since the operator has the billing relationship, this makes sense.

KDDI announces age verification service for mobile SNS platforms; Gree, Mixi and MobaGa to start at the end of Jan

[From Mobile SNS Age Verification Service by Wireless Watch Japan]

Note that this has no implications for privacy. The operator could require you to come to one of their outlets and prove that you are, say, 18. Then they set a flag for service providers to tell them that you are over 18. It doesn’t tell them your age, or your name or where you are. Just that you are over 18. Note that this system hasn’t been invented for social networking: it is already used to prove age at vending machines (you can’t buy cigarettes or sake or whatever unless your phone says that you are old enough). It ought to be simple enough to do the same thing but using proper technology. Suppose that your Facebook page came with a red border if you have not provided proof of age? Then you could provide that proof of age and have your border changed to blue for under 18 or green for over 18 – then make the rule that anyone with a red border is only allowed to connect to people with green borders.

You see what I mean. Have something that is understandable at the user level and implement it using certificates, digital signatures and keys in tamper-resistant storage (in, for example, mobile phones). There would be no need to try and explain to people how PKI actually works (which killed it in the mass consumer market last time), just show them how to log in to things using their phones. There’s a waiting mass market for this sort of thing if you can be clear to consumers that it will protect their privacy and that market is adult services: porn and gambling, primarily, either of which should generate a decent income stream for the successful service provider. Simple. As a complete aside, there’s another connection between the adult world and social networking.

The surprise relationship between social networking and adult-themed sites came last September, when total page visits for social networking sites for the first time eclipsed that of adult sites.

[From BBC NEWS | Technology | Porn putting on its Sunday best]

So the internet isn’t all about porn after all!

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Internet driver’s license?

Last year I said that I thought that the US National Strategy for Trusted Identities in Cyberspace (NSTIC) was heading in the right direction. I’m very much in favour of the private sector providing multiple identities into a framework that it used by the public sector and vice versa. I’m in favour of choice: if I choose to use my Barclays identity to access the DVLA or my DWP identity to access O2 it shouldn’t matter to the effective and efficient use of online transactions. There was one area where I felt it could have presented a slightly different vision, and that’s in the use of pseudonyms, which I think should be the norm rather than the exception.

People should consider it normal to get a virtual identity from their bank or their mobile phone operator in a pseudonymous name so that they can browse, transact and comment without revealing anything about themselves other than the facts relevant to a transaction.

[From Digital Identity: USTIC]

James Van Dyke, when discussing NSTIC (which seems have become known unofficially as “Obama’s Internet Identity System”) warned about

Apocalyptic fear-mongers. Yes I’m ending with the crazies here, but hear me out. The extreme cable networks and televangelists will surely jump on this as the digital incarnation of the Mark of either the Beast or “(gasp!) Obama liberals. Historians will recall that social security numbers were supposed to be an apocalyptic conspiracy.

[From Obama’s Internet Identity System: Could This Change Everything? – Javelin Strategy & Research Blog]

I don’t think the danger is the crazies — although I feel a little sheepish writing this a couple of days after a crazy did, in fact, murder several people and seriously injure a congresswoman — but the journalists, politicians, commentators and observers who don’t really understand the rather complex topic of digital identity. Or, as “Identity Woman” Kailya Hamlin (who some of you may remember from the first European Internet Identity Workshop that Consult Hyperion sponsored with our friends from Innopay and Mydex back in October) said about NSTIC:

I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative

[From National! Identity! Cyberspace!: Why we shouldn’t freak out about NSTIC. | Fast Company]

She’s bang on with this. Here’s a couple of typical examples from the blogosphere:

CNET reported on January 7, 2011 that Obama has signed authority over to U.S. Commerce Department to create new privacy laws that require American citizens to hold an Internet ID card.

[From Internet Anonymity: Obama Pushes for an American Internet ID]

And

President Obama has signaled that he will give the United States Commerce Department the authority over a proposed national cybersecurity measure that would involve giving each American a unique online identity

[From Obama administration moves forward with unique internet ID for all Americans, Commerce Department to head system up — Engadget]

As far as I can see, NSTIC being managed by the Commerce Department has nothing to do with “privacy laws” and the idea that it will require Americans to have an “Internet ID” is a journalistic invention. The actual situation is that NSTIC is to go from being an idea to an actual system:

The Obama administration plans to announce today plans for an Internet identity system that will limit fraud and streamline online transactions, leading to a surge in Web commerce, officials said. While the White House has spearheaded development of the framework for secure online identities, the system led by the U.S. Commerce Department will be voluntary and maintained by private companies,

[From Internet Identity System Said Readied by Obama Administration – BusinessWeek]

What this means is not that Americans will get an “Internet Driver’s License” but that they will be able to log in to their bank, the Veteran’s Administration, the DMV and their favourite blogs using a variety of IDs provided by their bank, their mobile phone operators and others.

[White House Cybersecurity Coordinator] Howard Schmidt stressed today that anonymity and pseudonymity will remain possible on the Internet. “I don’t have to get a credential, if I don’t want to,” he said.

[From Obama to hand Commerce Dept. authority over cybersecurity ID | Privacy Inc. – CNET News]

As long as it’s a matter of choice, I really don’t see a problem with this. The idea of NSTIC is that it is the infrastructure that is standardised, and this is good. We need standards for credentials and such like so that I can use my Woking Council ID to log in central government services and my Barclays Bank ID so that I can log in to do my taxes online: but I might pay Barclays for an additional ID that has some key credentials (IS_A_PERSON, IS_OVER_18, IS_NOT_BANKRUPT, that sort of thing) but does not reveal my identity. This sort of Joe Bloggs (or, for our cousins over the water, John Doe) identity would be more than adequate for the vast majority of web browsing and if other people want to wander the highways and byways of the interweb with a Manchester United, Prince or BBC ID, then it’s up to them. Let a thousand flowers bloom, as they say (well, as Chairman Mao said).

If the crazies want to be concerned about a single ID mark of the e-beast infocalypse, they’re perfectly entitled to, but I don’t understand why they are convinced it will come from the government in general or Obama in particular – there are half-a-billion people out there (including me) who have already handed over their personal information to a single unaccountable entity.

Facebook Login lets any website on the planet use its identity infrastructure—and underlying security safeguards. It’s easy to implement Facebook Login, simply by adding few lines of code to a web server. Once that change is made, the site’s users will see a “Connect with Facebook” button. If they’re already logged into Facebook (having recently visited the site), they can just click on it and they’re in. If they haven’t logged in recently, they are prompted for their Facebook user name and password.

[From Facebook Wants to Supply Your Internet Driver’s License – Technology Review]

Now, at the moment Facebook Connect just uses a password, so it’s no more secure than banks or government agencies, but it could move to a 2FA implementation implementation in the future. Widespread 2FA access to online services really should have become a business for banks or mobile operators already (think how long Identrus has been around) but it just hasn’t happened: I can’t use my Barclays PINSentry to log on to Barclaycard, let alone the government or an insurance company. But suppose my Facebook login required access to my mobile phone so it was much more secure: you know the sort of thing, enter e-mail address, wait for code to arrive on mobile phone, enter code (a proper UICC-based digital signature solution would be much better, but that’s another topic). Then I could use Facebook Connect for serious business. This would have an interesting side-effect: Facebook would know where I go on the web, which seems to me to be much more like the mark of the e-beast.

An interesting side benefit for website operators is that Facebook Login provides the site with users’ real names (in most cases) and optionally a variety of other information, such as the users’ “friends” and “likes.”

[From Facebook Wants to Supply Your Internet Driver’s License – Technology Review]

Which is, of course, why I don’t use it. On the other hand, if Facebook decided to use cryptography to secure and protect this sort of information, they could at a stroke create a desirable internet passport: by “blinding” the passport to prevent service providers from tracking the identity across web sites Facebook could significantly improve both convenience and privacy for the average users.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

In your Facebook

Facebook itself has been playing with this kind of thing – personal location – for a while. We’re all familiar with the various “check in” services, but the internet of things is something much more.

All attendees of the f8 developer conference are receiving special RFID tags that enable them to check-in to various locations throughout the conference venue. The service lets you tag yourself in photos, become a fan of various Facebook Pages, and share activity to your Facebook profile. While it’s still a concept service, it’s interesting to see some of the things that Facebook developers are currently testing

[From Facebook Tests Location Through RFID AT f8]

Is this just the same as messing about with FourSquare or Facebook Places? I think not. Bernhard Warner, editor of Social Media Influencer puts it very nicely.

Location-based services take either a lot of time — you have to manually check in everywhere you go — or take a lot of liberties — you open up your personal information to businesses.

If RFID checks you in and out automatically, then the web will certainly “take a lot of liberties” (although this may well be what people want). But this is just about the location of people. What will happen when the location of things becomes part of the natural order?

I happened to be chairing a panel at IIR’s M2M Business Exchange event in London recently, and I have to say that I was surprised by the range of organisations that came along. I’d assumed that it would be mainly hardware guys and telcos, but the sessions that they had on smart metering, remote healthcare, retail and so forth were actually discussing some quite diverse applications. Naturally, I was on the lookout for things that might make a business for our customers, so I was focused on the applications that demand more security, such as payments.

ETSI, the telecoms standards body, has been working on what they call SES, which stands for “Service Enablement Services” to form a standard layer between the internet of things and the value-added services to sit above them. Joachim Koss, the TC M2M Vice Chairman said that the standard would include security “tools”, which obviously I would like to see as including fully-functional digital money and digital identity elements because this connects to my somewhat simplistic definition: smart pipe = dumb pipe + digital identity + digital money.

I think this is the right approach, provided that the SES layer contains rich enough services to provide for a proper spectrum of identity types (that is, it does not require the full disclosure of “real identity” or allow uncontrolled anonymity). Another advantage that I can see is that if mobile operators were to get their act together, they might be able to use the SES in combination with a secure token (in the UICC) to make a business from it: for example, I might want to choose an option on my phone which means that my location is visible to anyone on LinkedIn provided they work for Consult Hyperion, and then temporarily extend this to a client for a month in connection with a project, but allow my wife to see it via Facebook at all times, that sort of thing. It would be another example of a value-added service that could, when built in to the infrastructure of other more sophisticated value-added services, generate much more income than raw data.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.