Rob Schuurman, Nedap

[Dave Birch] Rob Schuurman is the general manager of Nedap Healthcare, based in the Netherlands. They have developed award-winning products that use mobile phones and NFC to deliver practical, convenient security to a mass market. In this podcast, he talks about his practical experiences getting an NFC-based service into operation and shares some thoughts about the future of the technology in that sector.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

Out of control, up to a point

[Dave Birch] I re-read an excellent post over at Emergent Chaos. It reflected an important discussion between two people, both of whom I take very seriously. To paraphrase and simplify horribly, Bob thinks that the social structures maintain privacy, Adam thinks that technological structures maintain privacy.

In a world where some people say "I've got nothing to hide" and others pay for post office boxes, I don't know how we can settle on a single societal norm. And in a world in which cheesy-looking web sites get more personal data — no really, listen to Alessandro Acquisti, or read the summary of "Online Data Present a Privacy Minefield" on All Things Considered... -- I'm not sure the social frame will save us.

[From Emergent Chaos: Bob Blakley Gets Future Shock Dead Wrong]

The lack of a "norm" is a good point here, and I have to say it made me think. We should be developing tools that allow people to construct their norms (within boundaries, obviously) but not setting out a norm so that the tools can only implement one model. For this reason, amongst others, I tend to come down on the more technological side of this argument, which is why I'm so keen to see privacy as part of customer propositions and privacy-enhancing technologies as part of the systems being built in both public and private sectors.

Thanks, thank you all

[Dave Birch] This blog has been nominated for the Computer Weekly Blog Awards for 2009.

Now, merely being nominated is reward and testament enough, but should you feel moved to voice your support in the traditional way, then please feel free to vote early and vote often.

Air side

[Dave Birch] The whole business of air travel is a laboratory for experimenting at the boundary between public and private identities, where national and international agreements interact with corporate alliances, outsourcing and value chains to produce a complex environment that needs and benefits from change. Speaking as a frequent traveller, and happy near-weekly user of Heathrow's Terminal 5, it seems to me that air travel has got considerably quicker, more efficient and simpler in the last couple of years. I print my boarding pass out at home, jump in a cab or on the train, nip through T5 to the lounge and then on to the plane -- the only hold-up in the whole process is the queue for security on the way out (sometimes this can be 10-15 minutes even at T5) and the queue for passport control on the way in.

However, the need to print a physical boarding pass, even using 2D barcodes rather than a magnetic stripe, and the lack of an efficient bag drop system means that despite the universal electronic ticket for air travel, more than two-thirds of passengers still went to a check-in desk. Where to look for the next improvement? Well, I'm sure like most people I think that the key technology that will change this is the mobile phone. If the mobile phone allows you to check in and obtain a boarding pass, and a kiosk at the airport allows you to self-tag (clearly there are some security issues around this) then the flow through airports would increase significantly and the costs would reduce accordingly.

In fact I saw a presentation for one of the companies that supplies infrastructure to airports recently an they were talking about their experiences with the mBCBP (mobile bar code boarding pass) -- they said that "we only care about Blackberry, iPhone and high-end smartphones", which means we can assume big, clear screens -- but still the current 2D barcode solutions don't carry enough data for the airlines to store more than three legs plus frequent-flier and other data.

So why am I looking at this space? One of the biggest players in the industry, IER, is advocating the "pass & fly" sticker solution and I saw them present on the Air New Zealand and Air France case studies which, I have to say, was rather impressive.

Close enough for jazz

[Dave Birch] I had a typical fascinating and productive discussion with Hazel Lacohee and Piotr Cofta when we last got together. We were kicking around some ideas for finding practical ways to improve privacy, security and other good stuff while simultaneously worrying about the government's approach to the interweb, broadband and ID cards. With the right combination of technology and vision we can take an entirely different view of the "identity problem" and how to solve it. In a decentralised fashion we can see identity develop as an emergent property of trust networks, shaped by evolution to be fit for purpose or, as Piotr Cofta puts it, "good enough identity". Good enough identity (GEI). I love it.

I'm certain that there is merit in this approach. There is a real difference between between trying to create a kind of "gold standard" identity that delivers the highest possible levels of authentication and identification in all circumstances and trying to create an identity that is useful (defined by: reduces total transaction costs and, in my world, aligns social costs with private costs). Therefore, a utilitarian approach of trying to do something, anything to make the identity situation improve for individuals and organisations, we might be better off starting with some simple building blocks and building up rather than by starting with a national ID card (I mean, a 21st-century national ID card of the psychic ID kind, not electronic cardboard) and driving that down. Go from the personal to the enterprise, from the enterprise to government.

Biometrics 200n

[Dave Birch] I actually rather enjoyed my day out at Biometrics 2009 because it was an opportunity to catch up with old friends and see what the buzz is. Yes, you can have LinkedIn and Twitter, but there's still no substitute for hanging out in the coffee area at a big conference. Some of the content was, though, somewhat reminiscent of Biometrics 2008, 7, 6... we're still not at a mass market, and part of the reason is that no-one seems to know what that mass market is. Is it fingerprint scanners in every laptop? I doubt it. Is it logging in to your bank using voice authentication? Maybe. Is it using your National ID Card to get served in a pub? Doesn't look like it at the moment.

Personally, based on a couple of sessions I sat in on, I thought there was some confusion about the proposition -- not from everyone -- and I suspect that at least part of the problem is that the major integrators come from the government and defence space, so their approach to the market and their product set reflects that. If you've made a living selling large-scale automatic fingerprint identification systems to law enforcement agencies, then it may be difficult to make the transition to selling improved authentication to banks. And there's no reason to suspect that that improved authentication will be achieved using the same technologies anyway.

I happened to be sitting next to Forum friend Maxine Most from Acuity Inc, one of the world's leading analysts of the international biometrics market, and she made a key point early on in the day: the mass market is about mobile phones, not PCs. This was a central element of my presentation on biometrics in the event space and was further amplified by the Precise Biometrics presentation advocating match-on-SIM going forwards. This, as an aside, suggests to me that there is a premium on biometric technologies that synergise with mobile phones -- we're talking about the mass commercial market here, not law enforcement and national security -- so that really means voice recognition and voice authentication (I don't buy the fingerprint-scanner-in-handset model in the mass market). A couple of people remarked that these biometrics didn't seem to be getting much coverage compared to fingerprints, iris and the like, which I imagine is also a reflection on the government and law enforcement focus of the show.

What a cunning stunt

[Dave Birch] I am, very literally, green with envy. I count myself as a reasonably good speaker, and I try to use narrative and historical examples to explain key principles. But nothing beats a good demo, and I saw an excellent one today, one that I wish I'd thought of!

At the Intellect conference on Identity & Information in London today, Edgar Whitely from the LSE gave a terrific presentation. He was pointing out that the principle of data minimisation in identity systems is important, but he did it in a particularly arresting way.

Here's what he did.

He showed this recent newspaper photograph of the British Home Secretary, Alan Johnson, showing off his new ID card and holding it up to the camera. This version comes from The Guardian....

Alan Johnson reveals the design of the British national identity card. Photograph: Stefan Rousseau/PA

As you can see in the picture, for reasons that will be not fully explained in a moment, the UK ID card has the holder's full name, date of birth and place of birth on it. These three data points are sufficient to uniquely identify the overwhelming majority of the population. So Edgar went to the Identity & Passport Service birth certificate ordering service and put in the details from the Home Secretary's card. He then paid his £10 and... with a suitably theatrical flourish, Edgar produced the copy of the Home Secretary's birth certificate that he had been sent in the post. Note that Edgar hadn't done anything wrong. As James Hall, the head of IPS who was on the same panel, pointed out, in the UK anyone can order a copy of anyone's birth certificate. He said that if you are a celebrity then hundreds of people will order copies of your birth certificate every year, which had never occurred to me. I'm sure James is right, but it does seem a little odd that people who want to commit identity theft will simply have to look at their mark's ID card to get started.

Edgar hadn't used the birth certificate to open a bank account or get a driving licence or anything, he was just making the point that if we don't adopt the right principles (eg, data minimisation) for identity systems, then we run the risk of making identity theft worse. It was a great presentation and a super stunt. Well done.

Anyone familiar with my deranged rantings about psychic ID (ie, virtually nobody) will be familiar with the general point: a characteristic of a 21st-century ID scheme is that it should only give up information necessary to enable a transactions, nothing more or less. So, if you are authorised to ask my ID card whether I am over 18 or not, that's all it should tell you. Not my name, not my address, not my age or date of birth. Just whether I am over 18 or not and that's it.

The current ID card scheme does not have this key characteristic, not for any functional reason but because the ID card and passport were jumbled up for a political purpose -- the purpose being, as far as I know, to make it harder for an incoming administration to scrap the scheme -- that constrains the design and implementation. Since the government wants the ID card to be used as a travel document within in the EU, it has to have certain human-readable information on it. That's why it gives away the key data points that make it tempting for criminals to kick-start their identity theft antics.

Balancing security and privacy, part 97

[Dave Birch] I popped along to a City Forum round table on the Information Intensive Society. I was late, because of public transport, so I didn't hear the chairman say that we were to stick to the Chatham House rule. As a consequence I started twittering what people were saying, as well as posting a picture! I apologise unreservedly -- but the medium really is the message, isn't it? Anyway, the subtitle for the meeting was "balancing security and privacy", which I think framed the whole discussion the wrong way: the subtitle should have been "obtaining security and privacy". I don't want them balanced, I want them both: this is what, to me, marks the difference between these debates in the "old" context and the "new" context.

I think this is why I found the discussion unsatisfying -- and I don't mean this as a criticism of the event, or of the organisers, even though one of the speakers actually did say "the Internet is the future". The problem is that there is a kind of assumption that privacy is an enemy of security and anyone who advocates more privacy is mutant commie scum (didn't you used to play Paranoia?). If you put forward any alternative view, then it is answered with the old "well, if you knew what I knew blah blah" and the debate goes nowhere.

The DNS of the industrial bourgeoisie

[Dave Birch] I have a vague memory -- which five minutes googling cannot substantiate and I'm too lazy to go and find the book in the other room -- that somewhere in the Gulag Archipeligo by Aleksandr Isaevich Solzhenitsyn there is mention of Stalin's desire to have a more revolutionary telephone system where all calls had to go through a central exchange and be encrypted so that Stalin could listen to everyone else's calls but his would be encrypted to remain secret. The prisoners with relevant skills were supposed to be designing this while in the gulag. It never worked, of course, and the Soviet Union had appalling telecommunications infrastructure as a consequence because the communications revolution was halted by the dictatorship of the proletariat: there's some deep incompatibility between innovation and centralisation. I couldn't help thinking of this when I read about the calls by Eugene Kaspersky to have a more Stalinist internet:

The CEO of Russia's No. 1 anti-virus package has said that the internet's biggest security vulnerability is anonymity, calling for mandatory internet passports that would work much like driver licenses do in the offline world.

[From Security boss calls for end to net anonymity • The Register]

What he means by this is that he wants a technologically complicated and expensive solution to be implemented so that ordinary people are inconvenienced to the maximum while criminals can roam free (which is what would happen). Creating such an asymmetric solution is not the way forwards: for one thing, who would decide what to censor?

A little local controversy involving the Church of Scientology and its critics could lead to curbs on the right to anonymity of anyone using the web.

[From Scientology seeks to squash anonymity • The Register]

We already have experience of this "solution" in the UK. Laws giving a wide variety of bodies the ability to monitor CCTV, the internet, phone calls and everything else which were supposed to save us from international terrorism are used by local councils to stop people from trying to get their children into better schools and to check that people are recycling enough of their rubbish. I'm sorry, but creating a world in which anyone can read anyone else's e-mail, track anyone else's web browsing, see what anyone is reading is not the way stop Russian virus writers from taking over everyone's PCs. We need an identity infrastructure.

Another model that the UK could try

[Dave Birch] I'm going provide a case study on the use of multi-application smart cards with EMV "chip and PIN" software on them that I think contains some useful nuggets for us in the UK to ponder over, because the case study is about combining payment (EMV) and digital signature (PKI) applications on the same card.

Identity folks will have to understand a little about the payment folks' EMV standard to understand the dynamics. There are actually three flavours of EMV, the international card scheme standard for chip transactions. These are Static Data Authentication (SDA), Dynamic Data Authentication (DDA) and Combined Data and Application Cryptogram (CDA). Most of the cards out on the streets in the UK are SDA cards without enciphered PIN (the PIN is not encrypted from the PIN pad into the card).

SDA cards are cheapest, which is why our banks issue them, but they can be cloned and used in terminals that are offline, so they are a security risk. DDA cards are not vulnerable in this way, but they are more expensive, both because the cards are more sophisticated -- they have a cryptographic co-processor to handle asymmetric cryptography and take longer to "personalise" -- but UK banks will have to replace SDA with DDA by end of 2010 (indeed, Consult Hyperion work with banks to help them to migrate in a cost-effective way). CDA cards cost the same as DDA, but still need to be planned for.

For technical reasons, CDA cards are more secure than DDA cards. Why? Because CDA protects against the "wedge attack". It is possible to insert a device that would let a genuine DDA card generate a legitimate digital signature but then intercept the request for an application cryptogram and return a bogus one for a different amount to the terminal. The terminal would carry on regardless. This is not possible with CDA since both the DDA signature and cryptogram are delivered by the card at the same time.

OK, so all this is well-known, but why does it matter to the digital ID world? Well, if a bank goes to the expense of issuing DDA or CDA cards, then the presence of re-usable cryptographic software and the cryptographic co-processor mean that it is a minimum of cost and complexity for the card to carry an additional PKI application as well as the EMV application. Almost all of the PKI application's "guts" are already on the card because they are used by the EMV application. What's more, the card can generate its own key pairs (which is very good for security) and then, provided you have the infrastructure, third parties can sign the card's public key(s) to create a wide variety of public key certificates to deliver interesting services. The card can store these certificates if it has enough memory or store pointers to the certificates online somewhere if it doesn't.

Here's a real example.