Isn't this stuff serious?

[Dave Birch] OK, so I'm in a tiny minority but I think that security and privacy are important. I think that the state of security and privacy in the digital world demand a proper strategy, of which some form of digital identity infrastructure is a critical part. That's why I'm always glad to see the government appointing people to tackle the difficult issues around the technology infrastructure that our future depends on. When I was googling something else, I discovered that Paul Murphy is Britain's "Minister for Digital Inclusion". This is a real post, not something I made up for the blog. In addition to pottering about at UK online centres (of which there are 6,000 in the U.K.!) his brief includes "data security and information assurance". Imagine my surprise, then, when I read that:

Paul Murphy states that he is "not a technical person".

[From Minister for Digital Inclusion gets Strategic - Convergence Conversation]

Shouldn't we get someone who is?

Interdisciplinary ideas

[Dave Birch] Someone mentioned iris biometrics over coffee which reminded me again that, a couple of weeks ago, I had stimulating day out at the 2nd interdisciplinary workshop on Identity in the Information Society at the LSE. Many thanks to James Backhouse and the team for putting together such a great programme. I really enjoyed Kevin Bowyer's keynote on iris biometrics and wanted to highlight one or two of the points that he made. You can read the paper for yourself, but a few key findings were that:

• Pupil dilation has an impact;
• Contact lenses have an impact;
• Sensor changes (ie, someone has been enrolled on one system and is being matched on another) have a significant impact (even when using the same software);
• Irises change over time more than had been anticipated. The effect on false reject rates is small, but measurable,

In all of the cases, it is the match distribution that is changing: in other words, it's "fail safe" in that the system behaviour is such that false rejects go up but false accepts do not. So not too bad. But at population scale, the number of false rejects will still be enough be noticeable and dealing with the false rejects effectively (which might mean different things in different environments) will be central to the success of schemes.

biometrics

Paradigms and pseudonyms

[Dave Birch] I enjoyed listening to Roger Clarke at the 2nd interdisciplinary workshop on Identity in the Information Society at the LSE because I had read his work (particularly on PKI) over many years and wanted to see how his thinking had evolved. Roger made a number of excellent points, one of them being that the barriers that we need to overcome (if we are going to do anything practical about identity management) is that the models that we technologists are using, the implicit mental models of the decision-markers and the reality of the situation are all different (I'm paraphrasing greatly, obviously). Having had the chance to think about this some more, I think that I agree with his diagnosis but disagree with the treatment.

So far as the treatment goes, Roger proposed a way to deal with this some time ago and explained this in his presentation. His model is to have get around the problem of the mappings -- that is, the mappings between real and virtual entities and their attributes -- by separating out elements of the mapping, distinguishing between identity and entity, between identification and entification.

If I've understood what Roger meant, then I think I don't quite agree with him, because I think replacing the N:N mappings between real and virtual identities by 1:N mappings to digital identities is a simpler way to model the complexity of the boundary between real and virtual in the identity space. So I don't think about identity and entity but about the real and digital identities and stuff, and some of that stuff happens to be people, if you see what I mean.

PKI, pseudonyms

Touch and gone

[Dave Birch] I ran a workshop on mobile proximity security day, and one of the things we touched on in the group is the EU's publication of their recommendations on the "identity of stuff" last week. They've published a 14-point action plan.

The European Commission has announced plans for Europe to play a leading part in developing and managing interconnected networks formed from everyday objects with radio frequency identity (RFID) tags embedded in them - the so-called "internet of things".

[From EU lays out plans for the "internet of things" - V3.co.uk - formerly vnunet.com]

These are real issues, and although I'm not making any comment on the value or otherwise of the specific recommendations, there's no doubt that the subject deserves more attention. There's an "identity of things" problem that came up (again) in a meeting I was in last week that I think is worth sharing. It comes from the world of NFC, where the problem revolves around contactless stickers, tags, posters and that kind of thing. It's the same problem that we looked at before, and it's worth reviewing because there's been no industry progress toward a solution.

A little background. The NFC Forum have announced their "N mark" which is a standard symbol to be applied to adverts, magazines, posters and such like. The idea is to show consumers (none of whom have ever even heard of NFC, let alone seen an NFC phone) where they can "tap" their phones to get some kind of service.

The NFC Forum has developed the “N-Mark” trademark so that consumers can easily identify where their NFC-enabled devices can be used. It is a stylized “N” and indicates the spot where an NFC-enabled device can read an NFC tag to establish the connection.

[From NFC Forum : N-Mark]

If you haven't seen it, it looks like this. A simple ecosystem in the offing: you put the N-mark on things, consumers come along and touch them with other things.

Data shrinkage

[Dave Birch] There are a flurry of stories about the British government abandoning the ID card scheme, a course of action to my mind as bad as continuing with it. What we need is a better ID cards scheme, not no ID card scheme. But who knows what might happen now that there is a new Home Secretary, but earlier in the year the Home Office made some more announcements about the introduction of ID cards in the UK. As I've mentioned, they're going to start in Manchester. I was more interested in what the Home Office said about enrollment though, because as we all know this is the critical phase of an ID project from the point of view of security. A number of people expressed concern that the government was going to use high street retailers for the enrollment process, to save the cost of building specialist enrollment stations in suitable premises in major population centres in the UK (otherwise known as Post Offices). One area of concern is security, but here the retailers were quick to reassure:

High Street retailers have rejected security fears about giving them the job of fingerprinting and photographing people applying for identity cards... Trade bodies representing chains such as Boots and Snappy Snaps told the BBC they can be trusted with the data.

[From BBC NEWS | Politics | Retailers reject ID security fear]

Now, I don't want to be the one in the glass house throwing stones, because I don't doubt that I've left the odd memory stick around here and there, but I was sure I could remember seeing Boots' name last year in connection with looking after personal data. A quick bit of web browsing and my imperfect memory was rendered perfect by the World Brain (aka Google):

Major U.K. chemist (drug store) chain Boots has joined the growing list of organizations suffering an embarrassing storage snafu after tapes containing personal details of thousands of customers and employees were stolen... The records reportedly include the bank details of 27,000 customers of Boots’ dental service, which is operated by Medisure, as well as the personal details of some 8,000 Boots employees.

[From Tape Loss Stuns UK Retail Giant - Data Security News Analysis - Byte and Switch]

Whoops! Still, it's not like the tapes had fingerprints on them or anything like that. Hold on a second: tapes? I thought it was puzzling that in the age of SSL and the interweb, HMRC were still posting unencrypted CDs full of personal data around the place. But tapes?

Mark Cross, OpenID UK Ltd

[Dave Birch] Mark Cross is the CEO of OpenID Ltd, an example of a company providing commercial services around the OpenID concept. In this podcast, he talks about his ideas for the evolution of OpenID.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

The Guildford triangle

[Dave Birch] What is it with Britain? Digital or otherwise our degraded realm is an international identity scandal. Europe's no.1 exporters of payment card fraud, we are apparently now the world's worst for identity theft overall.

INTERNET users in Britain are more likely to fall victim to identity theft than their peers elsewhere in Europe and North America. In a recent survey of 6,000 online shoppers in six countries by PayPal and Ipsos Research, 14% of respondents in Britain said that they have had their identities stolen online, compared with only 3% in Germany.

[From Where your identity is more likely to be stolen | Online fraud | The Economist]

There may be a correlation here between "identity theft" and "card-not-present fraud" (Germans rarely use credit cards, least of all on the interweb), but we'll return to that in a future discussion. Now, these statistics don't, I think, mean the Brits are more criminally inclined. After all, fraud is an international business.

The criminals stored much of their data on computer servers in Latvia and Ukraine, and purchased blank debit and credit cards from confederates in China, which they imprinted with some of the stolen numbers for use in cash machines, investigators say.

[From Global Trail of an Online Crime Ring - NYTimes.com]

It's more likely that Britain is a soft touch: high card penetration and use, lots of internet shopping and other factors that lead to identity theft on an industrial scale. But where does this tidal wave of fraud actually originate? I read in The Telegraph that the top 10 identity theft hotspots in the UK are all in south east England. There's an area of white collar fraud between London, Reading and that well-known criminal outpost, Guildford. Odd. In the top 10, only St. Albans falls outside of this theft triangle. Yet the government is going to test ID cards in Manchester... Well, as well all know, ID cards won't have the slightest impact on identity theft for at least the next decade.

ID cards have been touted as the solution to a number of real problems - terrorism, crime and so on - though none of their supporters can ever explain how having an ID card stops a mugger or suicide bomber. But they began as the answer to a classic fake problem, still routinely cited by ministers, the need to "secure our identities" against "identity theft".

[From The ID card is on its last legs - just let it die with dignity | News]

Now, I wouldn't call identity theft a "fake problem". On the contrary, it's a very real problem. But what is generally meant by identity theft, certainly in the Guildford triangle, is largely to do with payment card fraud (which is rampant in the UK) and account takeover. These are specific problems, not general identity problems. Until retailers demand that you present an ID card when you buy anything, or somehow allow them to read your identity card over the interweb, nothing much will change. Fortunately, someone is thinking this through: the UK ID card scheme may well use chip and PIN technology so that it can be accepted at retail POS. Lots of newspapers reported this, so I'll choose to point to the report in that august journal of record from my home town, Swindon (or, "Swindon, city of the future", as have generally called since 4th July 1995):

ID cards could be fitted with chip and pin technology to help combat identity fraud. The head of the Government agency tasked with producing the cards said there were no "technical obstacles" to adding chips to the cards and handing out pin numbers.

[From ID cards 'could use chip and pin' (From Swindon Advertiser)]

I rather imagined that the cards already had chips on them, but putting that to one side, the idea of making ID cards work in chip and PIN terminals isn't totally infeasible, although I'm not completely clear as why you would want to do this. I suppose the thinking is that the shops already have the terminals. But if you are asked to put your ID card into a terminal and punch in your PIN, wouldn't you then get annoyed at having to take it back out again, then put your chip and PIN card in and then punch in another PIN? Why not just link your bank account to your ID card?

Hello? Who's that? Oh wait, let me google you

[Dave Birch] Central to the direction of digital identity is the issue of the connection between real and virtual identities. How is that connection formed, who controls it, who should have access to it, that kind of thing. Now, you can see that one way to make this connection is to demand a one-to-one "hard" correspondence between the physical identity and the virtual identity, constraining the digital identity completely. To do this you would need to register anyone obtaining any kind of virtual identity. I don't just mean on the web. A mobile phone number is a virtual identity. Oh wait...

Everyone who buys a mobile telephone will be forced to register their identity on a national database under government plans to extend massively the powers of state surveillance.

[From Passports will be needed to buy mobile phones - Times Online]

This is hardly an original idea. It's already the case in many countries that law-abiding citizens have to provide identity documentation in order to obtain a mobile phone. Ah, you might say, that's not going to help catch criminals -- which I'm sure isn't true, as such an initiative must necessarily catch some stupid criminals -- because the criminals will just carry on using pre-paid SIMs that have not been registered. Well, yes, but surely if a government makes a law that SIMs must be registered, then it will naturally get the operators to block all of the SIMs that haven't been registered, as they are in the process of doing in Botswana.

The process of registering all prepaid Subscriber Identity Module (SIM) cards in the country will start in September, says the Chief Executive of Botswana Telecommunications Authority (BTA), Mr Thari Pheko. Speaking at a press conference in Gaborone this week... Mr Pheko said the registration process was expected to take 17 months and will be completed on the last day of 2009, adding that unregistered cards will be taken off-air in the beginning of 2010.

[From BOPA Daily News Archive]

Something similar is underway a little closer to home, in Spain.

From November 9, 2007, people who purchased pre-paid mobile phones have been obliged to provide proof of identity, but for those who purchased phones before this date, a two-year period of grace was granted which runs out on November 9, 2009. It is estimated that more than 15 million pay-as-you-go phones are still unregistered in Spain.

[From Costa News - Mobile phone cut-off]

If there is going to be a government database of all mobile phone numbers against registered names, then surely the only way to manage the new identity world that it creates is to just put it on the web and let new businesses spring up to use it. It's the same principal as with initiatives around health and all sorts of other personal data. If people believe that their connection to their mobile phone number is "secure" but it isn't, then the outcomes will be perverse. The bad guys will have access to the data and the good guys won't. Since there is no more possibility of keeping this database secure than keeping, for sake of emotive comparison, the Children's Index secure, isn't it better to make it available for mash-up? And, by the way, I didn't choose this emotive example at random...

Security flaws have halted work on the internet database designed to hold the details of 11 million children and teenagers. The Department for Children, Schools and Families (DCSF) admitted last night that it had uncovered problems in the system for shielding details of an estimated 55,000 vulnerable children.

[From Security flaws halt work on ContactPoint child database - Times Online]

If you can't keep a government database like this secure, what chance is there of keeping a government database of mobile phone IDs secure?

Max von Snijder, European Biometrics Group

[Dave Birch] Max von Snijder is CEO of the European Biometrics Forum and chairman of the International Biometrics Advisory Council (IBAC). He is coordinator of BioTesting Europe. One of the leading independent biometrics experts in Europe, Max is involved in numerous workshops, committees and expert groups, such as the Consortium on Security and Technology of the EastWest Institute, The Porvoo Group, the CEN Working Group on Integrated Border Management, CEN Biometric Focus Group. He is Founding Member of the IFIP Working Group on Identity Management (WG11.6) and member of the ePractice Working Group on eID. He recently became member of ThinkTrust, a European Think Tank on 'Investigating Security, Dependability, Trust, Privacy and Identity from ICT and social perspectives', funded by the European Commission.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

Give us the chance to do better

[Dave Birch] One of the frustrating aspects of being a technologist in the identity space is that I know that the technology can deliver more than customers want. There are a number of reasons for this, but two of them will suffice to make a point. Firstly, people's "common sense" version of identity is simply not sophisticated enough for a modern economy and, secondly, that the people who actually specify and procure systems that hinge on identity do not make privacy part of the proposition because they (incorrectly) view security and privacy as opposites. In fact, the technology can deliver both and some times it's very easy to make it do just that. Look at the basic case study of "no fly" lists, where the problem is to check whether someone's name appears on a list of people to be excluded...

In comparing the contents of two databases, such as an airline-passenger list and a no-fly list, for example, officials should be interested only in the names that appear on both lists. They have no need for the rest of the passengers’ names. Those mutual names can be found by first encrypting both lists using strong encryption.

[From Sharing information while preserving privacy is a technologically trivial challenge, researcher says -- Government Computer News]

Quite. And if the lists are encrypted, and don't need to be decrypted to make them work, then privacy is automatically improved without ombudsmen, best endeavours and the rest of it. A rudimentary understanding of the issues is all that is needed to deliver vastly better solutions.