Air side

[Dave Birch] The whole business of air travel is a laboratory for experimenting at the boundary between public and private identities, where national and international agreements interact with corporate alliances, outsourcing and value chains to produce a complex environment that needs and benefits from change. Speaking as a frequent traveller, and happy near-weekly user of Heathrow's Terminal 5, it seems to me that air travel has got considerably quicker, more efficient and simpler in the last couple of years. I print my boarding pass out at home, jump in a cab or on the train, nip through T5 to the lounge and then on to the plane -- the only hold-up in the whole process is the queue for security on the way out (sometimes this can be 10-15 minutes even at T5) and the queue for passport control on the way in.

However, the need to print a physical boarding pass, even using 2D barcodes rather than a magnetic stripe, and the lack of an efficient bag drop system means that despite the universal electronic ticket for air travel, more than two-thirds of passengers still went to a check-in desk. Where to look for the next improvement? Well, I'm sure like most people I think that the key technology that will change this is the mobile phone. If the mobile phone allows you to check in and obtain a boarding pass, and a kiosk at the airport allows you to self-tag (clearly there are some security issues around this) then the flow through airports would increase significantly and the costs would reduce accordingly.

In fact I saw a presentation for one of the companies that supplies infrastructure to airports recently an they were talking about their experiences with the mBCBP (mobile bar code boarding pass) -- they said that "we only care about Blackberry, iPhone and high-end smartphones", which means we can assume big, clear screens -- but still the current 2D barcode solutions don't carry enough data for the airlines to store more than three legs plus frequent-flier and other data.

So why am I looking at this space? One of the biggest players in the industry, IER, is advocating the "pass & fly" sticker solution and I saw them present on the Air New Zealand and Air France case studies which, I have to say, was rather impressive.

Close enough for jazz

[Dave Birch] I had a typical fascinating and productive discussion with Hazel Lacohee and Piotr Cofta when we last got together. We were kicking around some ideas for finding practical ways to improve privacy, security and other good stuff while simultaneously worrying about the government's approach to the interweb, broadband and ID cards. With the right combination of technology and vision we can take an entirely different view of the "identity problem" and how to solve it. In a decentralised fashion we can see identity develop as an emergent property of trust networks, shaped by evolution to be fit for purpose or, as Piotr Cofta puts it, "good enough identity". Good enough identity (GEI). I love it.

I'm certain that there is merit in this approach. There is a real difference between between trying to create a kind of "gold standard" identity that delivers the highest possible levels of authentication and identification in all circumstances and trying to create an identity that is useful (defined by: reduces total transaction costs and, in my world, aligns social costs with private costs). Therefore, a utilitarian approach of trying to do something, anything to make the identity situation improve for individuals and organisations, we might be better off starting with some simple building blocks and building up rather than by starting with a national ID card (I mean, a 21st-century national ID card of the psychic ID kind, not electronic cardboard) and driving that down. Go from the personal to the enterprise, from the enterprise to government.

Biometrics 200n

[Dave Birch] I actually rather enjoyed my day out at Biometrics 2009 because it was an opportunity to catch up with old friends and see what the buzz is. Yes, you can have LinkedIn and Twitter, but there's still no substitute for hanging out in the coffee area at a big conference. Some of the content was, though, somewhat reminiscent of Biometrics 2008, 7, 6... we're still not at a mass market, and part of the reason is that no-one seems to know what that mass market is. Is it fingerprint scanners in every laptop? I doubt it. Is it logging in to your bank using voice authentication? Maybe. Is it using your National ID Card to get served in a pub? Doesn't look like it at the moment.

Personally, based on a couple of sessions I sat in on, I thought there was some confusion about the proposition -- not from everyone -- and I suspect that at least part of the problem is that the major integrators come from the government and defence space, so their approach to the market and their product set reflects that. If you've made a living selling large-scale automatic fingerprint identification systems to law enforcement agencies, then it may be difficult to make the transition to selling improved authentication to banks. And there's no reason to suspect that that improved authentication will be achieved using the same technologies anyway.

I happened to be sitting next to Forum friend Maxine Most from Acuity Inc, one of the world's leading analysts of the international biometrics market, and she made a key point early on in the day: the mass market is about mobile phones, not PCs. This was a central element of my presentation on biometrics in the event space and was further amplified by the Precise Biometrics presentation advocating match-on-SIM going forwards. This, as an aside, suggests to me that there is a premium on biometric technologies that synergise with mobile phones -- we're talking about the mass commercial market here, not law enforcement and national security -- so that really means voice recognition and voice authentication (I don't buy the fingerprint-scanner-in-handset model in the mass market). A couple of people remarked that these biometrics didn't seem to be getting much coverage compared to fingerprints, iris and the like, which I imagine is also a reflection on the government and law enforcement focus of the show.

What a cunning stunt

[Dave Birch] I am, very literally, green with envy. I count myself as a reasonably good speaker, and I try to use narrative and historical examples to explain key principles. But nothing beats a good demo, and I saw an excellent one today, one that I wish I'd thought of!

At the Intellect conference on Identity & Information in London today, Edgar Whitely from the LSE gave a terrific presentation. He was pointing out that the principle of data minimisation in identity systems is important, but he did it in a particularly arresting way.

Here's what he did.

He showed this recent newspaper photograph of the British Home Secretary, Alan Johnson, showing off his new ID card and holding it up to the camera. This version comes from The Guardian....

Alan Johnson reveals the design of the British national identity card. Photograph: Stefan Rousseau/PA

As you can see in the picture, for reasons that will be not fully explained in a moment, the UK ID card has the holder's full name, date of birth and place of birth on it. These three data points are sufficient to uniquely identify the overwhelming majority of the population. So Edgar went to the Identity & Passport Service birth certificate ordering service and put in the details from the Home Secretary's card. He then paid his £10 and... with a suitably theatrical flourish, Edgar produced the copy of the Home Secretary's birth certificate that he had been sent in the post. Note that Edgar hadn't done anything wrong. As James Hall, the head of IPS who was on the same panel, pointed out, in the UK anyone can order a copy of anyone's birth certificate. He said that if you are a celebrity then hundreds of people will order copies of your birth certificate every year, which had never occurred to me. I'm sure James is right, but it does seem a little odd that people who want to commit identity theft will simply have to look at their mark's ID card to get started.

Edgar hadn't used the birth certificate to open a bank account or get a driving licence or anything, he was just making the point that if we don't adopt the right principles (eg, data minimisation) for identity systems, then we run the risk of making identity theft worse. It was a great presentation and a super stunt. Well done.

Anyone familiar with my deranged rantings about psychic ID (ie, virtually nobody) will be familiar with the general point: a characteristic of a 21st-century ID scheme is that it should only give up information necessary to enable a transactions, nothing more or less. So, if you are authorised to ask my ID card whether I am over 18 or not, that's all it should tell you. Not my name, not my address, not my age or date of birth. Just whether I am over 18 or not and that's it.

The current ID card scheme does not have this key characteristic, not for any functional reason but because the ID card and passport were jumbled up for a political purpose -- the purpose being, as far as I know, to make it harder for an incoming administration to scrap the scheme -- that constrains the design and implementation. Since the government wants the ID card to be used as a travel document within in the EU, it has to have certain human-readable information on it. That's why it gives away the key data points that make it tempting for criminals to kick-start their identity theft antics.

Balancing security and privacy, part 97

[Dave Birch] I popped along to a City Forum round table on the Information Intensive Society. I was late, because of public transport, so I didn't hear the chairman say that we were to stick to the Chatham House rule. As a consequence I started twittering what people were saying, as well as posting a picture! I apologise unreservedly -- but the medium really is the message, isn't it? Anyway, the subtitle for the meeting was "balancing security and privacy", which I think framed the whole discussion the wrong way: the subtitle should have been "obtaining security and privacy". I don't want them balanced, I want them both: this is what, to me, marks the difference between these debates in the "old" context and the "new" context.

I think this is why I found the discussion unsatisfying -- and I don't mean this as a criticism of the event, or of the organisers, even though one of the speakers actually did say "the Internet is the future". The problem is that there is a kind of assumption that privacy is an enemy of security and anyone who advocates more privacy is mutant commie scum (didn't you used to play Paranoia?). If you put forward any alternative view, then it is answered with the old "well, if you knew what I knew blah blah" and the debate goes nowhere.

The DNS of the industrial bourgeoisie

[Dave Birch] I have a vague memory -- which five minutes googling cannot substantiate and I'm too lazy to go and find the book in the other room -- that somewhere in the Gulag Archipeligo by Aleksandr Isaevich Solzhenitsyn there is mention of Stalin's desire to have a more revolutionary telephone system where all calls had to go through a central exchange and be encrypted so that Stalin could listen to everyone else's calls but his would be encrypted to remain secret. The prisoners with relevant skills were supposed to be designing this while in the gulag. It never worked, of course, and the Soviet Union had appalling telecommunications infrastructure as a consequence because the communications revolution was halted by the dictatorship of the proletariat: there's some deep incompatibility between innovation and centralisation. I couldn't help thinking of this when I read about the calls by Eugene Kaspersky to have a more Stalinist internet:

The CEO of Russia's No. 1 anti-virus package has said that the internet's biggest security vulnerability is anonymity, calling for mandatory internet passports that would work much like driver licenses do in the offline world.

[From Security boss calls for end to net anonymity • The Register]

What he means by this is that he wants a technologically complicated and expensive solution to be implemented so that ordinary people are inconvenienced to the maximum while criminals can roam free (which is what would happen). Creating such an asymmetric solution is not the way forwards: for one thing, who would decide what to censor?

A little local controversy involving the Church of Scientology and its critics could lead to curbs on the right to anonymity of anyone using the web.

[From Scientology seeks to squash anonymity • The Register]

We already have experience of this "solution" in the UK. Laws giving a wide variety of bodies the ability to monitor CCTV, the internet, phone calls and everything else which were supposed to save us from international terrorism are used by local councils to stop people from trying to get their children into better schools and to check that people are recycling enough of their rubbish. I'm sorry, but creating a world in which anyone can read anyone else's e-mail, track anyone else's web browsing, see what anyone is reading is not the way stop Russian virus writers from taking over everyone's PCs. We need an identity infrastructure.

Another model that the UK could try

[Dave Birch] I'm going provide a case study on the use of multi-application smart cards with EMV "chip and PIN" software on them that I think contains some useful nuggets for us in the UK to ponder over, because the case study is about combining payment (EMV) and digital signature (PKI) applications on the same card.

Identity folks will have to understand a little about the payment folks' EMV standard to understand the dynamics. There are actually three flavours of EMV, the international card scheme standard for chip transactions. These are Static Data Authentication (SDA), Dynamic Data Authentication (DDA) and Combined Data and Application Cryptogram (CDA). Most of the cards out on the streets in the UK are SDA cards without enciphered PIN (the PIN is not encrypted from the PIN pad into the card).

SDA cards are cheapest, which is why our banks issue them, but they can be cloned and used in terminals that are offline, so they are a security risk. DDA cards are not vulnerable in this way, but they are more expensive, both because the cards are more sophisticated -- they have a cryptographic co-processor to handle asymmetric cryptography and take longer to "personalise" -- but UK banks will have to replace SDA with DDA by end of 2010 (indeed, Consult Hyperion work with banks to help them to migrate in a cost-effective way). CDA cards cost the same as DDA, but still need to be planned for.

For technical reasons, CDA cards are more secure than DDA cards. Why? Because CDA protects against the "wedge attack". It is possible to insert a device that would let a genuine DDA card generate a legitimate digital signature but then intercept the request for an application cryptogram and return a bogus one for a different amount to the terminal. The terminal would carry on regardless. This is not possible with CDA since both the DDA signature and cryptogram are delivered by the card at the same time.

OK, so all this is well-known, but why does it matter to the digital ID world? Well, if a bank goes to the expense of issuing DDA or CDA cards, then the presence of re-usable cryptographic software and the cryptographic co-processor mean that it is a minimum of cost and complexity for the card to carry an additional PKI application as well as the EMV application. Almost all of the PKI application's "guts" are already on the card because they are used by the EMV application. What's more, the card can generate its own key pairs (which is very good for security) and then, provided you have the infrastructure, third parties can sign the card's public key(s) to create a wide variety of public key certificates to deliver interesting services. The card can store these certificates if it has enough memory or store pointers to the certificates online somewhere if it doesn't.

Here's a real example.

What is a "suitable" ID for banking?

[Dave Birch] There was a really interesting letter in The Daily Telegraph "Money" section (2nd October). I can't find it online to link to, so I hope they don't mind me quoting a couple of chunks here. The letter comes from someone who tried to open a bank account with HSBC, but who didn't have a current passport or driving licence.

When I explained this at a branch, it was suggested that I ask the police station for proof of identity. The police officers said they had never heard of such a thing unless I had a criminal record.

[From The Daily Telegraph "Jessica Investigates", 2nd October 2009]

That can't be right: you can only have a bank account at HSBC if you have a criminal record? The disappointed would-be bank account holder went back to their branch to ask for alternatives.

The counter person showed me a list of possible documents, but, as I am not a pensioner, nor in receipt of benefits, the only item on the list she could suggest I try was to get a letter from HMRC. I duly went to the local tax office, where the assistant said she wished banks would stop sending people there... they would not waste public money providing such letters for banks.

[From The Daily Telegraph "Jessica Investigates", 2nd October 2009]

The letter goes on to list the documents that the wannabe-HSBCer had presented, and had had rejected by the bank: an out-of-date passport, a birth certificate, a current payslip from an employer (the local council, for whom the person had worked for more than two decades), a work ID card (complete with microchip), utility bills, statements from another bank, house deeds and a voting card. Any one of these would have got you a job with the bank, but not, it seems, an account. Identity is broken, and the Conservative plan to scrap the national ID card scheme is a bad as the government's plan to keep it. What this country needs is a working national identity infrastructure.

Lizzie Coles-Kemp, Royal Holloway

[Dave Birch] Dr. Lizzie Coles-Kemp, of the Information Security Group at Royal Holloway, is a Primary Investigator on the Visualisation and Other Methods of Expression (VOME) project which is joint research between Cranfield University, Salford University, Royal Holloway (University of London), Sunderland City Council and Consult Hyperion. The project is funded by The Technology Strategy Board, Engineering and Physical Sciences Research Council (EPSRC) and Economic and Social Research Council (ESRC). In this podcast she talks about the VOME project and explains how the visualisation of privacy is fundamental to informed consent and therefore e-government and e-business.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

"Identity" theft and identity theft

[Dave Birch] There's a fascinating, but slightly creepy, category of issue that makes for a good acid test of proposals for population-scale identity management. How does the "system" recover when an identity really is stolen? If there's another you out there, if you have an evil doppelganger, if an ex-partner is taking revenge... if there's someone out there who is pretending to be you (in fact, in virtual terms, is you) then who do you call? And when you call them, what are they going to do? This is a complicated issue. How do you establish that you really are you? And once you have established this, what do you do with the compromised virtual identity?