From paradise? No, Luton South

[Dave Birch] What a guru I am! It's almost uncanny! On 11th May 2008, I wrote (in an unpublished draft for this blog) that "I It's only a matter of time before some M.P. suggests that one of the many benefits of the government's splendid new identity card scheme is that is that it will help with identifying kids on the web to protect them or stop them from buying knives or something". Well, today I read that

If you can’t prove how old you are, your days of shopping on the internet may be numbered. Fears that young people could be getting hold of knives, adult DVDs and alcohol are all fuelling a campaign by Margaret Moran, MP for Luton South, to make online age verification compulsory in the UK.

[From Online ID checks to limit teen booze and knife purchases | The Register]

I assumed that selling alcohol to someone under 18 was illegal whether you do it in a shop or on the web and so merchants would want to carry out age verification to avoid prosecution. As the reporter says, "Does anyone feel yet another justification for compulsory ID coming on?"

Kim Cameron, Microsoft

[Dave Birch] Kim Cameron is Chief Architect of Identity in the Connected Systems Division at Microsoft, where he works on the evolution of Active Directory, Federation Services, Identity Lifecycle Manager, CardSpace and Microsoft’s other Identity Metasystem products. Kim joined Microsoft in 1999 when it bought the ZOOMIT Corporation. He grew up in Canada, attending King’s College at Dalhousie University and l’Université de Montréal. He has won a number of industry awards, including Digital Identity World’s Innovation Award (2005), Network Computing’s Top 25 Technology Drivers Award (1996) and MVP (Most Valuable Player) Award (2005), Network World’s 50 Most Powerful People in Networking (2005), Microsoft’s Trustworthy Computing Privacy Award (2007) and Silicon.com’s Agenda Setters 2007. Back in 2004, he put together the "laws of identity" and thereby enabled new and constructive thinking about how identity might be constructed. In this podcast, he talks about identity thinking has been evolving at Microsoft and what that might mean for future products.

Digital Identity Forum will be on October 15th/16th in London

[Dave Birch] A date for your diary. We've chosen 15th/16th October for this year's Digital Identity Forum in London. We're looking at a couple of venues and hope to confirm something in the next week or two. The web site will go up tomorrow and I'm looking forward to starting work on the programme soon. As always, constructive suggestions are welcome, but at this time I'm thinking that we should take another look at where the UK is with ID cards (I'm afraid it's the 800lb gorilla), some kind of OpenID/Cardspace "bootcamp" to explain them to a business audience, an update on biometrics and a big session on identity in social networking. And of course, a pub quiz (sponsor please!) and a electronic "Game of Life" for charity, excellent company and conversation.

Interwhat?

[Dave Birch] At the European e-ID conference in Leuven last month, a few basic conclusions were established early on in the proceedings: there is precious little interoperabilty across borders and it's not obvious what to do about it, although the general idea of moving away from interoperable infrastructure and towards gateways to the "magic bus" seemed to have some currency. Not everyone was as downbeat as me. Perhaps the whole idea of pan-European interoperability is simply too big too take on and it might be better to refocus on more limited but more practical goals. The idea of a few national gateways that could interoperate may be more manageable and I did get involved in a couple of discussions about the layers that would be needed to make this happen. But on reflection, it was another idea that might have more success (because of a more decentralised nature): instead of trying to construct a system for interoperability, try to construct a market.

Yoof

[Dave Birch] Dealing with the government online is precisely the kind of activity that is subverted by bad identity management. Case in point:

 

Ambitious plans to switch the majority of provisional licences from postal to online could not be taken up by one of the largest group of customers - teenagers - because they couldn't prove their identity. Only 40,000 out of the 1 million people seeking a provisional licence were able to complete an online application. The remaining 960,000 had to stick to postal applications. One of the main reasons, according to the NAO, was that online applicants had to have either a new digital passport or a credit record to prove their identity.

[From DVLA plan fails ID test | Special Reports | Guardian Unlimited Politics]

The government has portal for accessing public services -- DirectGov -- but it's of limited usefulness, precisely because of this issue. And I'd lay a pound to a penny that the new ID card won't make the slightest difference, since I've not heard a single minister or official say anything about using it in this way. Speaking of which, young people won't have to worry about this problem for much longer because they'll soon be able to get a splendid new identity card that will solve that problem for them. As the Home Secretary said recently

 

We will start to make identity cards available to young people on a purely voluntary basis in 2010. I believe there are clear attractions in the scheme. It will make it easier to enrol on a course, apply for a student loan, open a bank account, or prove your age - especially as we get tougher on sales of alcohol to those under-age.

[From BBC NEWS | Politics | In full: Smith ID card speech]

Anyone familiar with the U.K. will recognise the wisdom of making it more difficult for children to buy alcohol.

e-Dictum meum pactum

[Dave Birch] There's a story about identity in The Economist magazine that I read on the plane to Washington ("My bow is my bond", p.98, 26th April 2008) that connects directly with something I'm working on for a client at the moment. Naturally, neither the client or the assignment will be discussed here, except to note that I've been playing around with some ideas on value-adding identity services for the mass market. I'd also recently received an e-mail from an august body, which won't be discussed here either, asking if I'd like to provide (for free!) some ideas on how to get private companies to use the U.K. identity card: I ignored the request, of course, but I did jot down a few notes. For both of these reasons, the story caught my eye.

The story concerns a fraud against Lehman Brothers in Japan. They lent a Japanese company $350 million, The load was guaranteed by a well-established Japanese trading house. Bankers from Lehman met an executvie from the trading house -- at the trading house's office -- to sign the contract. When the firm in question defaulted, Lehman went to the trading house to get their money, but the trading house claimed no knowledge of the deal. The executive had been an imposter and the contract was fake. When someone gives you their business card, you assume that it is true (by custom and practice -- you don't explicitly validate it) and when they put a letterhead in front of you, you take it to be real. Oops.

Engineering principles

[Dave Birch] Privacy and security aren't additional extras, costly options for new system. They are (or should be) part of the fabric. You can choose how to implement systems in either a privacy-enhancing or privacy-reducing way. Take, for example, congestion charging. There are a couple of ways to do this: you could do it the way they do in Singapore, where you have a prepaid card that communicates via RF with an overhead gantry. When you go through a gantry, the system attempts to take a fee from the card. If the transaction goes through (it's an offline purse transaction) then you're on your way. If you borrow a mate's car, you can take your card and put it in his car, no problem. But if you don't have a card, or you don't have any money on your card, then you get photographed. Alternatively, you can do it the British way. In London, all cars get photographed and then automatic numberplate recognition is used to try and work out who to charge. In many cases, it works and the correct account of a poor person is charged. I say poor person, because rich people register their Lambourghinis as taxis and avoid the charge

 

Cleangreencars has discovered that there are an unusually high number of luxury cars that have been granted the private hire designation, including two Maserati Quattroportes, three Maybach 62 and eight Rolls Royce Phantoms.

[From Taxi!? London luxury car owners register Maseratis, Rolls Royces as C-charge-free private hire vehicles - AutoblogGreen]

Incidentally, if you can't be bothered to send your chauffeur round to register the Porsche as a private hire, you can always just leave the Belgian plates on it, because the supercomputer running the system is not connected to other supercomputers in other European countries...

 

I drove for 4 years in london with a german plate, many times in the zone (once it was introduced), never paying and my ex never got a ticket sent to her place in HH where the car was registered.

[From London congestion charge for foreign cars]

In fact, as that tax-avoiders' handbook The Independent notes,

 

there are a number of ways to exploit the loopholes in this system as a private, law-abiding motorist if you are willing to be a little inventive.

[From Congestion charge loopholes: Now just learn the Knowlege... - Features, Motoring - The Independent]

Bit I digress. My point is that we have choices, and not building privacy-enhancing technology into a system is making a positive choice to have a data catastrophe at some point downstream.

Fasten your seat belt

[Dave Birch] I was so bored in my hotel room while I was waiting for Microsoft Office to re-build my mail database that I picked up a copy of Newsweek and started leafing through it. To my surprise, I came across an interesting piece about privacy.

The economics of privacy is, like anything else, a matter of trade-offs... The problem is that people can't make informed decisions if they don't know exactly what the trade-offs are. And they've proven that they don't.

[From Protect the Willfully Ignorant | Newsweek International Edition | Newsweek.com]

I couldn't agree more. As it happens, Consult Hyperion is part of a consortium that has just been chosen by the U.K.'s Technology Strategy Board to carry out a research project in this field, trying to find better ways to describe and display privacy so that the consumers and citizens can make informed choices, can negotiate around privacy in a constructive way and can deal more effectively with both corporate and government organisations. The article goes on to make a comparison that I'm not sure is entirely valid: the comparison is between privacy and safety, and the reason I'm unsure about it is because it uses the example of cars, seat belts and accidents -- all of which are things that consumers understand and can experience in a way that they cannot with privacy (at least, they cannot until our research project bears fruit!). Anyway, the article says

Car manufacturers let consumers pick engine sizes, color and the fabric on the seats, but not the design of the seat belt. "Consumers lack expertise about seat-belt design and don't want to invest time learning about it,"... Rather than let people figure out the optimal seat belt for themselves, experts pick a standard.

[From Protect the Willfully Ignorant | Newsweek International Edition | Newsweek.com]

Ok, so let's pick a standard. I vote for... er... hmmm... wait, I'll get back to you on this.

identity, management, privacy

Ulrich Senderslachts,

[Dave Birch] Ulrich Seldeslachts is the CEO of LSEC, an independent not-for-profit nerwork organisation of IT security experts, hardware vendors, service and knowledge providers, advisors, research institutions and government and business on IT security issues and to provide a portal to Belgian exepertise in the field. This is rather interesting, as these companies are creating an ecosystem around the Belgian smart ID card. In this podcast, I chatted to Ulrich about that ecosystem and how it is evolving.

ID cards, podcast, smart cards

Hard cases

[Dave Birch] I was at a discussion on privacy a while back, kindly organised by Robin Wilton under the Liberty Alliance banner. As always, I found that I learned more in a few minutes of argument with people like Caspar Bowden, Edgar Whitely, Phil Booth, William Heath and others than I would in weeks of reading Powerpoint presentations and vendor white papers. The discussion was under Chatham House rules, so I won't saying anything about who said what, but I do want to pick up one point that was made because, on reflection, I've been thinking that it's more of a barrier to a comprehensive identity management infrastructure than it first appears. The point is this: I am, in essence, a technology optimist who thinks that clever shenanigans with smart cards and digital certificates can improve society by delivering more secure and more privacy to the general public. The problem is in order to understand why these things might be possible, you have to have some basic understanding of technology, which I think that politicians and policy makers do not. Stalemate.

government, identity, management, privacy, security