The Digital ID & Authentication Council of Canada (“DIACC”) announced the launch of the Pan-Canadian Trust Framework™ (“PCTF”) this week, a set of digital ID and authentication industry standards that will define how digital ID will roll out across Canada. Its launch marks the shift from the framework’s development into official operation and will begin alpha testing by public and private sector members in Canada. The alpha testing will inform the launch of DIACC’s PCTF Voila Verified Trustmark Assurance Program (“Voila Verified”), set to launch next year.
At the Imperial College (packed) discussion on “Distributed Ledgers – Future Research Challenges”, chaired by Professor Bernard Silverman FRS, the Home Office Chief Scientific Adviser (and a mathematician), a series of speakers (including yours truly) sparked a valuable and fascinating series of discussions around the topic and, in my case at least, left me feeling as if I’d actually learned something.
In the morning, Iain Stewart from Imperial College introduced us to his “Nonsense Watch”. It turned out that his nonsense watch only had two things on it:
- We hate Bitcoin but we love the blockchain.
- The blockchain is efficient.
In a memorable presentation, elaborating on these topics, he told the assembled group that a good way to think about the blockchain is to compare it to somebody swallowing condoms full of heroin and carrying them through customs in their stomach. It’s a really inefficient way to transport heroin around but you have to do it because “powerful forces” (as Iain called them) are trying to stop you from doing it!
I will never forget that example! Anyway, just to explain the background. Consult Hyperion were asked to become part of a consortium bidding to examine the potential for Bitcoin, the blockchain and suchlike across a variety of sectors in response to the Treasury’s decision to allocate £10m in funding for the topic. In this context I (along with a couple of my colleagues) took part in a discussion at Imperial that brought together academics, technologists, government and a number of different businesses (including banks), which is why we were listening to Iain.
I thought it would be helpful, with such a mixed group, to use a narrative that would help people to communicate effectively and share ideas. This is why I used the “glass bank” example that I’ve used before and built on the presentation that I gave to the Dutch National Bitcoin Congress in June. As it turned out, it worked very well on the day and after discussing it with a couple of other people I’ve decided to expand it as clients might find it a helpful way to think about the new technology (as they get a bit bogged down in Bitcoin and cryptography). I have to say that it worked largely because Richard Brown from IBM had set things up so nicely for me with his discussion about “Creation Myths and Shared Ledgers” that immediately preceded my talk.
The actual purpose of my talk, narrative aside, was to put forward three solid ideas for research threads that could form part of the project. I’ll blog about this, but I was looking for examples of areas for genuine research, areas where the answers aren’t known, that could complement shared ledger technology in some way to deliver something special, different or groundbreaking.
In the end the three examples I settled on were:
Homomorphic encryption. Although I wouldn’t say I was absolutely up to speed on the state-of-the-art in this field I do understand the rudiments and it strikes me as an area where any small improvements could lead to pretty significant benefits. This is an area where pure mathematics is needed and I would’ve thought that most businesses and even technology companies just do not have that kind of research going on.
Publicly-private records. This builds on the idea of “translucent” databases to use homomorphic encryption to put data on public blockchains that can be audited in necessary ways but remain private. I don’t think it’s enough just to store encrypted data on public blockchains. If we can agree on the use of the word translucent to mean data that can be audited while remaining encrypted, then I genuinely do feel that a new kind of financial services industry could be on the horizon.
Bottom-up identity. It occurs to me that if it was possible to use homomorphic encryption to store publicly private records about an individual then the cryptographic techniques that are currently used to demonstrate attributes without revealing them (e.g., interval proofs) might be transformed to help create a shared infrastructure for identity built on very different foundations (e.g., testing that an age is >18 without decrypting the age).
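A small illustration of a “translucent” record in the sense used above, added here and not part of the original post: ledger entries are published under the additively homomorphic Paillier scheme (an assumption, the post names no scheme), and an auditor holding only public data checks the bank's claimed total without any entry being decrypted. The `Bank` class, the amounts and the toy-sized primes are constructed for the example.

```python
import math
import secrets

# Constructed toy parameters: two Mersenne primes, far too small for real use.
P, Q = 2**89 - 1, 2**127 - 1


def encrypt(n, m, r):
    """Paillier encryption with g = n + 1; needs only the public modulus n."""
    n2 = n * n
    return (1 + (m % n) * n) * pow(r, n, n2) % n2


def add_encrypted(n, c1, c2):
    """Multiplying two ciphertexts adds the plaintexts hidden inside them."""
    return c1 * c2 % (n * n)


class Bank:
    """Key holder (hypothetical): posts encrypted entries to a public ledger."""

    def __init__(self, p=P, q=Q):
        self.n = p * q                                   # public modulus
        self._lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        self._mu = pow(self._lam, -1, self.n)
        self._entries = []                               # private: (amount, r)
        self.ledger = []                                 # public: ciphertexts

    def post(self, amount):
        """Encrypt one entry with fresh randomness and publish the ciphertext."""
        while True:
            r = secrets.randbelow(self.n - 1) + 1
            if math.gcd(r, self.n) == 1:
                break
        self._entries.append((amount, r))
        c = encrypt(self.n, amount, r)
        self.ledger.append(c)
        return c

    def decrypt(self, c):
        """Private operation, e.g. for a warranted disclosure of one entry."""
        n = self.n
        x = pow(c, self._lam, n * n)
        return (x - 1) // n * self._mu % n

    def open_total(self):
        """Disclose only the total and the combined randomness, no entries."""
        total = sum(amount for amount, _ in self._entries)
        r = 1
        for _, r_i in self._entries:
            r = r * r_i % self.n
        return total, r


def audit_total(n, ledger, claimed_total, r):
    """Auditor side: uses public data only, never the decryption key."""
    acc = 1                                              # encryption of zero
    for c in ledger:
        acc = add_encrypted(n, acc, c)
    return acc == encrypt(n, claimed_total, r)


if __name__ == "__main__":
    bank = Bank()
    for pence in (125000, 4999, 70001):                  # constructed amounts
        bank.post(pence)
    total, r = bank.open_total()
    print("claimed total accepted:", audit_total(bank.n, bank.ledger, total, r))
    print("understated total accepted:",
          audit_total(bank.n, bank.ledger, total - 1, r))
```

The auditor's check works because the product of the published ciphertexts is itself an encryption of the sum, so a total that differs by even one unit no longer matches the ledger.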
As I say, these are areas for research. I don’t know what might be discovered in these fields any more than anyone else does, but I have a feeling that it might be both important and of immediate practical application. Now imagine that we bring those technologies together to create “glass institutions” in the financial services world. This would be utterly transformational, in a way that making payments cheaper and quicker (even if this were true) is simply not.
The idea of glass institutions may seem paradoxical but with the advances in technology and our evolving understanding of how replicated shared ledgers might transform a variety of different kinds of systems, I think we can begin to explore their impact. I rather like the language of translucent transactions and I think it works well with the glass bank narrative to open up sensible discussions at the business (and regulatory) level.
So where does this take us? Well, as Richard said in his talk, a replicated shared ledger in financial services is unlikely to be “permissionless” in the censorship-resistant sense that Iain was talking about at the start of the day. However, it is entirely possible and highly desirable to construct replicated shared ledgers that allow for permission and innovation in the use of the ledger even if the ability to create transactions on the ledger is permissioned. Of course, this is not to say that both permissioned and permissionless ledgers cannot co-exist. Michael Mainelli provides an excellent narrative for this perspective, talking about the “Temple of Financial Services” in comparison to the “Souk of Sharing Economies”.
While my heart is with the Souk of Sharing Economies, my head recognises that there may be room for both. A sensible union would be a few, competing, ‘blockchain-type’ services encircling the globe providing end-of-day validation and recording of transactions, while thousands of mutual distributed ledgers do the busy work of serving thousands of shared economies. In effect, the merchants of the Souk bring their ledgers up to the Temple to be validated and timestamped by whichever priests occupy the Temple of Financial Services. It may not be orthodoxy, but it’s not heresy either.
The permissioned, distributed shared ledger of the Temple will mean disruptive change. I can show this by giving a couple of obvious examples: what if a company chose from a group of regulator-certified auditing applications instead of from a competing group of auditors? Auditing banks’ books would become a continual process and you might even have multiple different applications constantly auditing the same bank on behalf of regulators, shareholders, customers, pressure groups and even rival banks. Anti-money-laundering processes would shift from expensive and rather useless gatekeeping combined with floods of suspicious transaction monitoring to being a variety of different anti-money-laundering applications combing through the shared ledger entries to find transactions indicative of misbehaviour (at which point, law enforcement agencies could apply for warranted access to the unencrypted ledger entry or relevant meta data).
This is why I don’t think it is an exaggeration to say that the shift to shared ledger technologies might be one of the most important innovations of our age, and I will close by making another historical analogy to support that point.
In Victorian Britain, the collapse of railway companies led to a colossal crash in 1866. It was caused (and here’s a surprise) by the banking sector, but in that case it was because they had been lending money to railway companies who couldn’t pay it back rather than American homeowners who couldn’t pay it back. The British government then, as in 2008, had to respond. It suspended the Bank Act of 1844 to allow banks to pay out in paper money rather than gold, which kept them going, but they were not too big to fail and the famous Overend & Gurney went down. When it suspended payments after a run on 10th May 1866 (as frequently noted, the last run on a British bank until the Northern Rock debacle), it not only ruined its own shareholders but caused the collapse of about 200 other companies (including other banks). The directors were, incidentally, charged with fraud but got off as the judge said that they were merely idiots, not criminals.
The reason I choose this example is that railway companies then held the same commanding position in the economy as banks do today, so the impact on UK plc was substantial. Bear in mind that the first railway service in the world started running between Liverpool and Manchester in 1830 and less than two decades later (by 1849), the London & North Western railway was already the biggest company in the world. When the Directors of these gigantic enterprises went to see the Prime Minister in 1867 to ask for the nationalisation of the railway companies to stop them from collapsing (with dread consequences for the whole of the British economy) because they couldn’t pay back their loans or attract new capital, they didn’t get the Gordon Brown, investment bank advisers, suspension of competition law and the tea and sympathy of 2008. Disraeli sent them packing as he didn’t see why the public should bail out badly run businesses, no matter how big they might be.
Needless to say, the economy didn’t collapse. As you may have noticed, we still have trains and tracks. A new railway industry was born from the ruins, the services kept running and the economy kept growing. And there was another impact. Andrew Odlyzko’s paper “The collapse of railway mania, the development of capital markets, and Robert Lucas Nash, a forgotten pioneer of financial analysis” argues that the introduction of basic corporate accounting standards following the collapse of the railway companies was a significant benefit to Britain and aided the development of Victorian capitalism.
So, with the well-worn maxim about not letting a good crisis go to waste in mind, I would like to advance this hypothesis: the long-term impact of the financial crash of 2008 will be a shift to the replicated shared ledger as the central organising principle for financial services. An entirely new way, as Richard Brown notes, of building financial institutions based on common ledgers and APIs.
Francis Keally’s vision will be realised and to the great benefit of society as a whole. After all, you can’t rob a glass bank, even if you work for it.
Down at CHYP End we work on a pretty wide variety of new payment systems and schemes around the world and we understand that consumer trust is seen to be an important factor in determining which of them might succeed or fail. But is it really true? Is trust really a determining factor or are there other ways to sway consumers?
A recent survey has revealed that consumer trust in newer payment methods has declined significantly in 2014. The survey, in which 650 UK residents answered questions about their banking and payments habits, also indicates that, for the third consecutive year, cash was seen as the most secure (73%)
This is, of course, mad. Cash is the least secure way for consumers to pay for anything, no matter how you look at it. Getting your cash back from a retailer who does not deliver or a holiday company that goes bust or a tradesman who does a shoddy job can be very difficult. And cash is what gets lost and stolen. And if I end up with counterfeit cash it’s my problem and there’s nothing I can do about it. The idea that cash is in any way secure is laughable and I am genuinely baffled as to how anyone who has been through a minimum of 11 years of compulsory education might think otherwise.
Nearly 71% of respondents believed mobile payments to be the least secure payment method. The results show that whilst the number of people making mobile payments has increased, nearly double the amount of people perceive the mobile device to be the least secure when compared to the 2013 survey results (38%).
Ludicrous, of course. But remember that one in four of those people think dodos still exist, so you should take anything they say on any topic whatsoever with a big pinch of salt. Mobile payments are far more secure than a great many alternatives (including cards – I’ll blog about this again soon). And in any case it may not matter what people say about new payment systems as compared to what they do with new payments systems. The figures seem to show that while three-quarters of Brits think that mobile payments are insecure, more than half of Brits want to use them.
A survey from payments and loyalty specialists Logic Group has found that UK consumers are embracing new technologies such as contactless and mobile payments… Being able to pay through a mobile device is a popular request from survey respondents (54 %), while one in five consumers is also interested in paying for goods through wearable technology.
In fact, Brits are pretty bullish about this apparently insecure technology because not only do half of them think that they would like to use mobile payments themselves, a third of them think that mobile payments will become the preferred method of payment in a relatively short time! So the general public appear to simultaneously believe that mobile payments are insecure and they will become our main way of paying for things.
A new study published by Experian reveals that a third of the UK population (33%) believes credit and debit cards will no longer be the preferred method of payment in 2020, as paying with a smartphone will take over.
I think that the key to understanding people’s responses to surveys like this is to remember that they don’t understand the slightest thing about the security of electronic transactions and therefore their opinions are based only on prejudice. Why American consumers, for example, would imagine that paying with a trivially-counterfeitable magnetic stripe is better than paying with a secure mobile alternative is completely beyond me. But they do.
Only one percent of respondents believe using a third party mobile payment provider such as Apple Pay or Google Wallet is a safe way to pay for in-store purchases.
So, broadly speaking, people think that mobile payments are not secure, but since they don’t care about security and value convenience more highly, they will use mobile anyway. At least I think that’s what it all means. Look at the early figures coming out of Apple Pay, which apparently now accounts for the substantial majority of all contactless payments in the US. Whatever people might think about the security, they tap and pay with it. This is why mobile payments will succeed: because they are convenient. I always have my phone in my hand when I’m (for example) getting on the Tube so I might as well use it.
What these results might also mean is that it is important not to listen to the general public about anything at all. This is not my curmudgeonly take on the general ignorance of our barely-literate hordes but in itself a statistically well-founded observation.
British public wrong about nearly everything, survey shows
They’re wrong about nearly everything, and mobile payments are no exception. Whatever they say about trust, they will do what’s easiest.
OK, at the extreme risk of boring everyone to tears, let’s ask the same old question again: should you be allowed to do things on the Internet without giving away your “real” identity? Remember this was something that was discussed here a little while back, using the simple case of newspaper comments as an example. Someone has come up with an interesting way of solving for two problems simultaneously: paying for news online and making people responsible for their comments…
However, he recently went back and was surprised that, in order to comment you need to hand over your credit card, and the paper will charge you $0.99. Obviously, this is more to prove that you are who you say you are, but it does seem a bit distorted when the newspaper wants to charge people just to comment. Also, once charged, your name and hometown are automatically associated with your comments.
Interesting. I think the idea of paying to comment is very interesting. I might be tempted to do that in some cases. But paying to give up your real name? I’m not so sure. I might well want to comment on something without that kind of disclosure. Back to “real names” again. The discussion goes on and on.
Why does a comment with a real name have so much more value?
This isn’t always true. A nurse at a hospital, forced to comment with her real name, is highly unlikely to post anything critical of a doctor. There’s a difference between an authenticated persona (so that the web site can be sure she really is a nurse at the hospital) that may be based on a pseudonym (or even a cryptographically strong unconditionally unlinkable anonym) and an authenticated identity. There may be many reasons why the latter is undesirable.
Mexico announced a plan Monday to reward people who report suspected money laundering, under a program that will allow them to get up to one-quarter of any illicit funds or property seized. Under the new plan, people can file reports in person, by telephone or by e-mail. The exact percentage of individual rewards will be determined case by case by a special committee.
Would you e-mail in a tip about a suspected money launderer and expect to pick up the reward? It seems to me that this is a good example of a system that demands real names for integrity but real names mean it can never work. (Although, and it’s outside the scope of this piece, it is entirely cryptographically possible to enable the payment of rewards to anonymous people).
Public servants, law enforcement and banking system employees will not be eligible for the rewards, in part because it is already their duty to report suspicious transactions.
Good luck to anyone who decides to report in person, or by telephone. SIM registration is mandatory in Mexico, which means that the money launderers will find you before the police do — don’t forget, they have more money than the police do. Come to that, they have more money than anyone does.
More shocking, and more important, the bank was sanctioned for failing to apply the proper anti-laundering strictures to the transfer of $378.4bn – a sum equivalent to one-third of Mexico’s gross national product – into dollar accounts from so-called casas de cambio (CDCs) in Mexico, currency exchange houses with which the bank did business.
Given the stringent anti-money laundering (AML) regulations in place around the globe — which meant it took me 15 minutes to put a few quid on my Travelex prepaid card at Heathrow, something I will never do again — I’m surprised that this could have happened, but there you go. Perhaps instead of hassling people trying to load low-value prepaid payment accounts, the authorities could focus on the counterparties in larger electronic transfers. Hence the discussions about Legal Entity Identifiers (LEIs) that have been going on recently. Many interbank payment messages have account identifiers only — you could send money to my account with the name Carlos Tevez and it would still get to me because it’s only the account stuff that matters — and some law enforcement agencies want to stop this and have banks validate the names as well (it will help to track funds to and from suspects I guess).
LEI will be assigned at the overall corporate entity level and also at subsidiary levels. Its usage will be standardized internationally. My immediate thought was, never mind systemic risk, this is the perfect means to route B2B transactions across a myriad of financial systems and payment schemes worldwide!
I’m sure I’d heard somewhere before, possibly at IPS 2010, that the plan was to use the SWIFT business identifier codes (BICs), but apparently that’s no longer the case.
Vandenreydt said SWIFT is changing its tune due to a recent meeting of the International Standardization Organization’s Technical Committee 68, where SWIFT has a seat. At the meeting, participants concluded that developing a new code would help avoid ambiguities that might be involved if existing codes are used. “[The committee] wants a pure number without country or other information,” Vandenreydt added. The BIC is made up of eight to 11 alphanumeric characters with four letters for the bank, two letters for the country, two digits for the location, and three digits for the specific branch.
The utility is still working with ISO on what the identifier would look like. Vandenreydt said that process could take up to three months, though he expects a decision to be made sooner. He noted the proposal also depends on other details about the initiative that haven’t been specified by OFR, such as how long the registration authority would have to ramp up the system, whether IDs will be assigned or requested, and how many codes are expected.
So here’s a positive suggestion. Forget about the 1960s notion of an identifier as a unique alphanumeric code and instead make the identifier a pseudonym attested by a bank. So we become consult.hyperion!barclays.co.uk or something similar. It doesn’t matter whether the sender, or anyone else, knows who Consult Hyperion is, because the identifier tells them that Barclays does. And for 99% of real-world transactions, that’s enough. What’s important is that we are always consult.hyperion!barclays.co.uk in all relevant linked transactions. Then, if consult.hyperion!barclays.co.uk is found to be sending money to Osama bin Laden on a regular basis, the appropriate law enforcement agencies can provide Barclays with a warrant and Barclays will disclose. For general commerce, the persistence is the critical foundation. The always-accurate Eve Maler pointed this out a while back:
The neat thing is, we do this all the time already. When you meet someone face-to-face and they say their Skype handle is KoolDood, and later a KoolDood asks to connect with you on Skype and describes the circumstances of your meeting, you have a reasonable expectation it’s the right guy ever after. And it’s precisely the way persistent pseudonyms work in federated identity: as I’ve pointed out before, a relying-party website might not know you’re a dog, but it usually needs to know you’re the same dog as last time.
Quite. But there’s another point. You don’t need to be a “real” persistent identity to have a reputation, as should be obvious. A useful reminder of this came at the end of 2010, when an anonymous critic was named the Village Voice’s “Music Critic of the Year”.
Twitter spokesperson Matt Graves called it a “milestone”; whether he’s serious or not, (“dead serious,” he later said) @discographies certainly carries a certain seriousness throughout today’s interview in the Village Voice. “Twitter,” the account holder says, “may be the first mass communications system that also functions as a meritocracy: it actively promotes good ideas and good content, regardless of where they come from.”
I’m not sure that meritocracy is the right word, but I think the sentiment is accurate: you have to earn reputation to attach to your identifier, and once it’s been earned it’s hard to replicate (unlike intellectual property). So I might want to send money to @discographies without knowing or caring whether @discographies is a roomful of students or an internationally-known music critic. (And, over on Digital Money, I will point out that I want to send money to @dgwbirch — which is an entirely unique Twitter identifier — by MasterCard, PayPal, WebMoney, M-PESA or anything else, but that’s another point entirely.) Why can’t @discographies be mutated into discographies!wellsfargo.com or whatever?
It’s an entirely plausible model: banks managing reputation, because it’s more important than money. The presence of banks legitimises the market, so knowing that a bank has carried out some KYC on @discographies means that other players can treat the reputation attached to it seriously without being concerned about the “real” identity.
When I’m talking about identity, I sometimes joke that our ill-thought out perspectives on the topic have led to the bizarre situation that in the UK it is much easier to get a job with a bank than an account. In The Daily Telegraph for 29th January 2011, I read under the headline “False CV Fooled Bank” that:
A fraudster used a false CV [claiming degrees from Oxford and Harvard] to gain a £165,000 per annum job at a City investment bank.
I assumed that everybody made up stuff on their resumes, but it turns out that it’s against the law, so the culprit, Mr. Peter Gwinnell, was prosecuted and given a suspended sentence (I assume he’ll skip over this on his next CV). We keep being told that employers use Facebook profiles nowadays (I hope they use mine: it says that I am the most intelligent person alive today and that Nelson Mandela queued for my autograph) so perhaps CVs will soon be a thing of the past. Just out of curiosity I googled Mr. Gwinnell and found that as well as his empty LinkedIn profile, the bald fact of his departure is there on the web.
PETER GWINNELL Appointment terminated as director on 15 Feb 2010 (Document)
To be honest, if an employer wanted proof of my A-Level in Mathematics or O-Level in British Constitution or the Degree I scraped through with in 1980, I’d be hard pressed to provide it. I don’t have the faintest idea where the relevant certificates are. I suppose I could ring the University and ask them to send me a letter, but how would the employer know I hadn’t forged the letter? And how would Southampton University know that it is me calling? Or, for that matter, how would they know that I hadn’t forged the O-Level in British Constitution certificate?
When I started my first job after university, I don’t remember being asked to provide any such proof. Come to that, I don’t remember being asked to prove who I was either. In those days, all you needed was a national insurance number. But if employers are going to want proof, like the actual certificates, then there will be a bit of a premium on the certificates. Once the certificates are worth something, they will be stolen. This is what happens in China.
Local officials said the files were lost when state workers moved them from the first to the second floor of a government building. But the graduates say they believe officials stole the files and sold them to underachievers seeking new identities and better job prospects — a claim bolstered by a string of similar cases across China.
How are we going to deal with this digitally? It shouldn’t be that complicated for Harvard to create a digital certificate to attest to the fact that the owner of a particular identity did, in fact, graduate. If there were some sort of device or token, perhaps some form of card, that contained my educational identity (ie, key pair) then Harvard could simply sign the public key with their private key and the whole problem is fixed (glossing over, of course, where this device or token might come from, and so on).
Something does have to be done though. The current system is simply a joke. It’s quite funny when someone cons a bank into giving them a senior position despite knowing nothing about banking (imagine!) but one of the areas that really bothers me, and probably should bother you too, is the ease with which medical credentials are forged.
A conman from Lancashire who posed as a vet and nearly killed a pony by botching its castration has been jailed for two years. Russell Oakes also masqueraded as a doctor, carried out an intimate examination and charged for false diagnoses, Liverpool Crown Court heard. The 43-year-old, of Hesketh Bank, admitted 41 charges of fraud, forgery and perverting the course of justice.
How did he do this? Was he a master forger, capable of producing an authentic-looking medical school diploma using specially-aged paper, his engraving skills and authentic ink procured from the correct German manufacturer? No, of course not: this is a post-modern crime.
He bought a fake university certificate off the internet, the court heard.
Now imagine an alternative infrastructure. I am asked to prove that I have a degree from Southampton University. I log on to the university using my OpenID id.dave.com and answer some questions, provide some data, to satisfy the university that I am, indeed, the relevant dave. My OpenID profile includes a public key, so the university creates a public key certificate, signing that key and some standard data that they provide. I can now give this certificate to anyone, and they can check it by verifying the signature using the published Southampton University public key, resolving the certificate chain in the usual way.
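The issue-and-verify flow described above, sketched as an added example that is not from the original post: the university signs the holder's public key together with the claim, and a verifier checks that signature against a published issuer key and then challenges the presenter to prove possession of the certified key. Textbook RSA over fixed toy primes stands in for a real signature scheme, the certificate chain is collapsed to a single trusted issuer, and all names and claim strings are constructed.

```python
import hashlib
import json
import secrets

E = 65537  # public exponent shared by every toy key in this example


def digest(message, n):
    """SHA-256 of the message, reduced into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


class ToyKey:
    """Textbook RSA signing key from fixed primes (illustration only)."""

    def __init__(self, p, q):
        self.public = p * q                      # the modulus is the public key
        self._d = pow(E, -1, (p - 1) * (q - 1))  # private exponent

    def sign(self, message):
        return pow(digest(message, self.public), self._d, self.public)


def verify(public_n, message, signature):
    """Check a signature using only the signer's public modulus."""
    if not isinstance(signature, int) or not 0 <= signature < public_n:
        return False
    return pow(signature, E, public_n) == digest(message, public_n)


def canonical(body):
    """Stable byte encoding so issuer and verifier hash identical data."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(issuer_name, issuer_key, subject, subject_public, claim):
    """Issuer binds a claim to the subject's public key and signs both."""
    body = {"issuer": issuer_name, "subject": subject,
            "subject_key": subject_public, "claim": claim}
    return {"body": body, "signature": issuer_key.sign(canonical(body))}


def check_certificate(cert, trusted_issuers):
    """Return the certificate body if a trusted issuer signed it, else None."""
    body = cert["body"]
    issuer_n = trusted_issuers.get(body.get("issuer"))
    if issuer_n is None:
        return None                              # unknown issuer
    if not verify(issuer_n, canonical(body), cert["signature"]):
        return None                              # altered or forged contents
    return body


def check_holder(cert, trusted_issuers, respond):
    """Issuer check, then a fresh challenge the key holder must sign."""
    body = check_certificate(cert, trusted_issuers)
    if body is None:
        return False
    nonce = secrets.token_bytes(16)
    return verify(body["subject_key"], nonce, respond(nonce))


if __name__ == "__main__":
    # Constructed keys: products of Mersenne primes, far too small for real use.
    university = ToyKey(2**89 - 1, 2**127 - 1)
    dave = ToyKey(2**61 - 1, 2**107 - 1)
    trusted = {"Southampton University": university.public}
    cert = issue_certificate("Southampton University", university,
                             "id.dave.com", dave.public, "degree awarded 1980")
    print("genuine holder accepted:", check_holder(cert, trusted, dave.sign))
    edited = {"body": dict(cert["body"], claim="medical degree"),
              "signature": cert["signature"]}
    print("edited claim accepted:", check_certificate(edited, trusted) is not None)
```

The challenge step is what stops a copied certificate from being replayed: the certificate itself can be handed to anyone, but only the holder of the certified private key can answer a fresh nonce.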
the BBC suffered another embarrassment today after a man interviewed on Radio 4’s World at One who claimed to be a Liberal Democrat MP was revealed to be an imposter.
How would the proposed infrastructure help here? The system has to be so easy to use that a harassed BBC researcher can use it. Come to that it has to be so easy that military installations, the police and others can use it too.
During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area
Step forward the mobile phone. Every single one of the people who were “verifying” IDs in these stories has a mobile phone, so there’s no need to look any further. The military policeman’s mobile phone should be able to check your ID. And your mobile phone should be able to check his ID. And if you’re both using mobile phones, both IDs can be checked simultaneously. We already know that symmetry is an important property of an identity infrastructure: the bank needs to be able to check it’s me, but I need to be able to check it’s the bank. And the mobile phone can do both. So next time Peter shows up for an interview, the interviewer can simply tap Peter’s NFC phone against their NFC phone and see a full list of his credentials.
(Law enforcement has special additional issue though: sometimes, the policeman doesn’t want to reveal that he’s a policeman, but that’s a topic for another day.)