Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion
This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.
I've been reading Emily Nagel's book "Anywhere". She's the CEO of Yankee Group and the book is about global connectivity revolutionising business. I hope she won't be offended if I say that it's an "airport book", but it's an accurate description, at least for me, because I read it on the plane. There's something that bothers me about it, though. It has lots of stories and examples and narrative about ways in which business is transformed as it goes online, but it doesn't have "identity" or "authentication" in the index and says nothing about the identity problems that will need to be solved in order to realise the full potential of connectivity. As I've often observed before, using my favourite Kevin Kelly classification, connection isn't the problem: it's the disconnection technologies that will shape the medium-term roadmap for transforming new technology into business models: once everything is connected to everything else, the business model shifts to the creation and management of subgroups within that single, giant internet of everything.
Here, things aren't going so well. By coincidence, the Saturday newspaper that I picked up after putting down Emily's book had a technology advice column, and there was a letter from a typical consumer in it. I paraphrase:
I have a long list of passwords for home banking, shopping, social networks, magazines and so on. I've put them all in a Word document. How can I encrypt it?
This is, in a nutshell, the state of the mass market today. We all have masses of passwords, we've been complaining about it since 1994, and nothing much seems to happen, largely (I think) because the costs of our time don't factor into business models. And yet... we don't seem to be evolving any better business models and we don't seem any closer to better identity infrastructure. Should we give up? No! I say we should remember William Samuel Henson.
It is sad that the name of William Samuel Henson is largely unknown today. A man of great vision, he petitioned Parliament for permission to set up an airline -- with a business model largely based on post -- flying to Egypt, India and China. Parliament turned his proposal down on the grounds that it was 1843 and no-one had invented airplanes yet. Henson knew this, obviously, but could see which way technology was evolving and correctly reasoned that just because he didn’t know how to get an airplane off the ground (he had been involved in numerous experiments around powered flight), that didn’t mean that no-one else would. And when they did, there would be a new business to build on aviation technology. So he started thinking about the businesses that would make sense and, since the post had just been invented in the UK, he looked at how that might work in the future.
This is a parable of our identity space now. We can't get the technology to work, but we know that someone will, so we're trying to think of business models (I should be clear in our case: we're trying to think of business models for our clients) that will make sense when the technology works. But we're thinking about web browsing and e-mail because these have just been invented and they're our equivalent of the post service. Maybe we should challenge ourselves harder to look at wider possibilities, start from the perspective of social networking, virtual worlds and Twitter rather than Alice sending her credit card details to Bob.
Facebook is better understood, not as a country, but as a refugee camp for people who feel today’s lack of identity-forging social experience.[From Facebook: the heart in a heartless world | spiked]
I think many organisations should be focusing on the next phase of evolution of online business, a phase that will be fundamentally shaped by the emerging identity infrastructure. But we must be careful not to take what has just been invented (in this case, say, Facebook) and project it into the future as the key to new business models. We have to think more broadly to develop strategic roadmaps for business that can react to the general trends to exploit the technology downstream. An example? Well, it doesn't matter which social network we'll be using in five years' time, we'll still need to authenticate ourselves in a more effective way than a Word file full of passwords. It isn't only me that thinks this.
The president wants consumers to use strong authentication, something more than user name and password, which will most likely add another security factor, say officials familiar with the project.
For example, user name and password is one-factor security, something you know. But additional factors can be added. A token or digital certificate can be a second factor, something you have, resulting in stronger two-factor authentication. If you add a fingerprint or other biometric, something you are, it’s increased to three-factor security.[From NFCNews | Potential technologies that consumers may use for online ID]
There follows an interesting, but confused, list of options. I'd like to suggest a more straightforward taxonomy, based on a digital identity infrastructure (which doesn't exist, of course). The article, to my mind, confuses the distinct bindings between the virtual identities that exist in the Net and the real identities that they are connected to. This is why it is useful to introduce the notion of digital identity in the middle. So then we get the two categories of things that might be used to solve the
Each of these will be a separate business that operates according to different scale factors (scale in the first case, scope in the second). I don't know how to make them work, but someone will.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
The UK's last attempt to introduce a national identity infrastructure, the national ID card, failed pretty badly and left everyone involved under a cloud (except for the management consultancies who billed tens of millions of pounds to the project).
The Home Office slipped out the final report of the Independent Scheme Advisory Panel (ISAP) this week, more than a year after it was written. The ostensibly independent report, which reveals how the ID system had been compromised by poor design and management, was submitted to the Home Office in December 2009.[From Henry Porter - Home Office suppressed embarrassing ID cards report]
The report says that there are no specifications for usage or verification (which we knew - this was one of my constant complaints at the time) and, revealingly, (in section 3.3) that "it is likely that European travel" will emerge as the key consumer benefit. This, I think, is an interesting comment. As I have pointed out before in tedious detail, what the Identity & Passport Service (IPS) built was, well, a passport. It had no other functionality and, given the heritage, was never going to have. Hence my idea of renaming it "Passport Plus" and selling it to frequent travellers (eg, me) as a convenience.
As an aside, the report also says (in section 5.5) that the "significant" number of change requests after the contracts had been awarded would likely increase risk, cost and timescale. Again, while this is a predictable comment, it is a reflection on the outdated consultation, specification and procurement processes used. Instead of a flagship government project heralding a new economy, we ended up with the usual fare: incomplete specifications, huge management consultant bills, massive and inflexible supply contracts.
The report repeated the same warnings ISAP had given the Home Office every year since the system blueprint was published in December 2006 by Liam Byrne and Joan Ryan, then Home Office Ministers, and James Hall, then head of the Identity and Passport Service (IPS).[From Home Office suppressed embarrassing ID cards report - 1/7/2011 - Computer Weekly]
How did it all go so wrong? Liam Byrne should have known something about IT as he used to work for Accenture, as did James Hall (Joan Ryan was a sociology teacher who later became famous for having claimed for more than £1,000,000 in MP's expenses). Yet somehow the "vision" that emerged was profoundly untechnological, backward-looking and lacking in inspiration. What's different now?
Well, a key change is that the new administration is heading more along the lines of the US (with USTIC) and the Nordics, where people use their bank IDs to access public services. We're working on a project with Visa Europe and our good friend Fred Piper at Royal Holloway to develop a pilot implementation right now.
Consult Hyperion, working with Visa Europe and Codes & Ciphers, is the industry lead for a Technology Strategy Board funded research project; Sure Identity, for Secure Authentication of Online Government Services. This innovative pilot scheme will investigate the security and cost benefits of consumers using new bank-issued electronic Visa debit cards to securely access online government services[From Digital Systems - DS KTN Member receives funding from Trusted Services Competition for research into the secure authentication of online Government Services - Articles - Technology Strategy Board]
It's possible to at least imagine some form of "UKTIC" that is interoperable with the US version, certainly to the extent that an American with a US bank account might be able to open a UK bank account, things like that. And it's possible to imagine a kind of EUTIC that sets certain minimums in place so that UKTIC can interoperate with France TIC and Germany TIC and so on. I already have one or two ideas about where UKTIC may differ from USTIC. Let's go back to the EFF's comments on USTIC.
A National Academies study, Who Goes There?: Authentication Through the Lens of Privacy, warned that multiple, separate, unlinkable credentials are better for both security and privacy. Yet the draft NSTIC doesn’t discuss in any depth how to prevent or minimize linkage of our online IDs, which would seem much easier online than offline, and fails to discuss or refer to academic work on unlinkable credentials (such as that of Stefan Brands, or Jan Camenisch and Anna Lysyanskaya).[From Real ID Online? New Federal Online Identity Plan Raises Privacy and Free Speech Concerns | Electronic Frontier Foundation]
If we were to make UKTIC something like USTIC but with the addition of a class of unlinkable credentials that might be mandated for certain uses, then we could take a really important step forward: instead of a physical national identity card, the administration could trumpet a virtual national privacy card. (Actually, I'd be tempted to call it a Big Society Card in order to get funding!)
When I'm talking about identity, I sometimes joke that our ill-thought out perspectives on the topic have led to the bizarre situation that in the UK it is much easier to get a job with a bank than an account. In The Daily Telegraph for 29th January 2011, I read under the headline "False CV Fooled Bank" that:
A fraudster used a false CV [claiming degrees from Oxford and Harvard] to gain a £165,000 per annum job at a City investment bank.
I assumed that everybody made up stuff on their resumes, but it turns out that it's against the law, so the culprit, Mr. Peter Gwinnell, was prosecuted and given a suspended sentence (I assume he'll skip over this on his next CV). We keep being told that employers use Facebook profiles nowadays (I hope they use mine: it says that I am the most intelligent person alive today and that Nelson Mandela queued for my autograph) so perhaps CVs will soon be a thing of the past. Just out of curiosity I googled Mr. Gwinnell and found that as well as his empty LinkedIn profile, the bald fact of his departure is there on the web.
PETER GWINNELL Appointment terminated as director on 15 Feb 2010 (Document)[From AHLI UNITED BANK (UK) PLC of W1H 6LR in LONDON UNITED KINGDOM]
To be honest, if an employer wanted proof of my A-Level in Mathematics or O-Level in British Constitution or the Degree I scraped through with in 1980, I'd be hard pressed to provide it. I don't have the faintest idea where the relevant certificates are. I suppose I could ring the University and ask them to send me a letter, but how would the employer know I hadn't forged the letter? And how would Southampton University know that it is me calling? Or, for that matter, how would they know that I hadn't forged the O-Level in British Constitution certificate?
When I started my first job after university, I don't remember being asked to provide any such proof. Come to that, I don't remember being asked to prove who I was either. In those days, all you needed was a national insurance number. But if employers are going to want proof, like the actual certificates, then there will be a bit of a premium on the certificates. Once the certificates are worth something, they will be stolen. This is what happens in China.
Local officials said the files were lost when state workers moved them from the first to the second floor of a government building. But the graduates say they believe officials stole the files and sold them to underachievers seeking new identities and better job prospects — a claim bolstered by a string of similar cases across China.[From Files Vanished, Young Chinese Lose the Future - NYTimes.com]
How are we going to deal with this digitally? It shouldn't be that complicated for Harvard to create a digital certificate to attest to the fact that the owner of a particular identity did, in fact, graduate. If there were some sort of device or token, perhaps some form of card, that contained my educational identity (ie, key pair) then Harvard could simply sign the public key with their private key and the whole problem is fixed (glossing over, of course, where this device or token might come from, and so on).
Something does have to be done though. The current system is simply a joke. It's quite funny when someone cons a bank into giving them a senior position despite knowing nothing about banking (imagine!) but one of the areas that really bothers me, and probably should bother you too, is the ease with which medical credentials are forged.
A conman from Lancashire who posed as a vet and nearly killed a pony by botching its castration has been jailed for two years. Russell Oakes also masqueraded as a doctor, carried out an intimate examination and charged for false diagnoses, Liverpool Crown Court heard. The 43-year-old, of Hesketh Bank, admitted 41 charges of fraud, forgery and perverting the course of justice.[From BBC News - Bogus Lancashire vet jailed after botched castration]
How did he do this? Was he a master forger, capable of producing an authentic-looking medical school diploma using specially-aged paper, his engraving skills and authentic ink procured from the correct German manufacturer? No, of course not: this is a post-modern crime.
He bought a fake university certificate off the internet, the court heard.[From BBC News - Bogus Lancashire vet jailed after botched castration]
Now imagine an alternative infrastructure. I am asked to prove that I have a degree from Southampton University. I log on to the university using my OpenID id.dave.com and answer some questions, provide some data, to satisfy the university that I am, indeed, the relevant dave. My OpenID profile includes a public key, so the university creates a public key certificate, signing that key and some standard data that they provide. I can now give this certificate to anyone, and they can check it by verifying the signature using the published Southampton University public key, resolving the certificate chain in the usual way.
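The scheme described here, and in the earlier paragraph about Harvard signing the holder's public key, can be made concrete. The following Go program is an added example, not code from the original post: the university signs the holder's key together with the claim, and the relying party checks that signature and then makes the presenter sign a fresh challenge, so a copied or purchased certificate is rejected. Ed25519, the JSON body, the field names, the flat trust list standing in for a certificate chain, and the challenge step are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is the issuer's "standard data" bound to the holder's key (field names are assumptions).
type Credential struct {
	Issuer, Subject, Claim string
	HolderKey              []byte
}

type SignedCredential struct{ Body, Signature []byte } // exact signed bytes plus issuer signature

var (
	ErrUnknownIssuer = errors.New("issuer is not in the verifier's trust list")
	ErrBadSignature  = errors.New("issuer signature does not verify")
	ErrNotHolder     = errors.New("presenter did not prove possession of the holder key")
)

// presentationMsg domain-separates challenge signatures from other uses of the holder key.
func presentationMsg(challenge []byte) []byte {
	return append([]byte("credential-presentation:"), challenge...)
}

// Issue is run by the university once it is satisfied who the holder is.
func Issue(issuerPriv ed25519.PrivateKey, c Credential) SignedCredential {
	body, _ := json.Marshal(c) // cannot fail for a struct of strings and bytes
	return SignedCredential{Body: body, Signature: ed25519.Sign(issuerPriv, body)}
}

// Prove is run by the holder: sign the verifier's fresh challenge.
func Prove(holderPriv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(holderPriv, presentationMsg(challenge))
}

// Verify is run by the relying party; no field of the body is trusted before the issuer signature checks out.
func Verify(trusted map[string]ed25519.PublicKey, sc SignedCredential, challenge, proof []byte) (Credential, error) {
	var c Credential
	if err := json.Unmarshal(sc.Body, &c); err != nil {
		return Credential{}, err
	}
	issuerPub, ok := trusted[c.Issuer]
	if !ok {
		return Credential{}, ErrUnknownIssuer
	}
	if !ed25519.Verify(issuerPub, sc.Body, sc.Signature) {
		return Credential{}, ErrBadSignature
	}
	if len(c.HolderKey) != ed25519.PublicKeySize || !ed25519.Verify(c.HolderKey, presentationMsg(challenge), proof) {
		return Credential{}, ErrNotHolder
	}
	return c, nil
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(randomBytes(ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// RunScenarios checks one genuine and four bad presentations; all keys and values are constructed.
func RunScenarios() map[string]error {
	uniPub, uniPriv := newKey()
	_, millPriv := newKey() // key of a seller of fake certificates
	davePub, davePriv := newKey()
	malPub, malPriv := newKey() // someone presenting a credential that is not theirs
	trusted := map[string]ed25519.PublicKey{"Southampton University": uniPub}
	ch, oldCh := randomBytes(32), randomBytes(32)
	good := Issue(uniPriv, Credential{"Southampton University", "id.dave.com", "degree awarded", davePub})
	bought := Issue(millPriv, Credential{"Southampton University", "id.mallory.example", "degree awarded", malPub})
	edited := SignedCredential{bytes.Replace(good.Body, []byte("degree"), []byte("PhD"), 1), good.Signature}
	out := map[string]error{}
	_, out["genuine"] = Verify(trusted, good, ch, Prove(davePriv, ch))
	_, out["bought"] = Verify(trusted, bought, ch, Prove(malPriv, ch))     // names the university, signed by someone else
	_, out["edited"] = Verify(trusted, edited, ch, Prove(davePriv, ch))    // claim changed after signing
	_, out["copied"] = Verify(trusted, good, ch, Prove(malPriv, ch))       // real certificate, wrong presenter
	_, out["replayed"] = Verify(trusted, good, ch, Prove(davePriv, oldCh)) // proof captured from an earlier check
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

The issuer signature alone only shows that the certificate is real; it is the signed challenge that ties it to the person presenting it.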
the BBC suffered another embarrassment today after a man interviewed on Radio 4's World at One who claimed to be a Liberal Democrat MP was revealed to be an imposter.[From Radio 4 follows Jeremy Hunt gaffe by interviewing fake MP | Media | guardian.co.uk]
How would the proposed infrastructure help here? The system has to be so easy to use that a harassed BBC researcher can use it. Come to that it has to be so easy that military installations, the police and others can use it too.
During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD's military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area[From Schneier on Security: The Security Threat of Forged Law-Enforcement Credentials]
Step forward the mobile phone. Every single one of the people who were "verifying" IDs in these stories has a mobile phone, so there's no need to look any further. The military policeman's mobile phone should be able to check your ID. And your mobile phone should be able to check his ID. And if you're both using mobile phones, both IDs can be checked simultaneously. We already know that symmetry is an important property of an identity infrastructure: the bank needs to be able to check it's me, but I need to be able to check it's the bank. And the mobile phone can do both. So next time Peter shows up for an interview, the interviewer can simply tap Peter's NFC phone against their NFC phone and see a full list of his credentials.
(Law enforcement has a special additional issue though: sometimes, the policeman doesn't want to reveal that he's a policeman, but that's a topic for another day.)
Facebook itself has been playing with this kind of thing - personal location - for a while. We're all familiar with the various "check in" services, but the internet of things is something much more.
All attendees of the f8 developer conference are receiving special RFID tags that enable them to check-in to various locations throughout the conference venue. The service lets you tag yourself in photos, become a fan of various Facebook Pages, and share activity to your Facebook profile. While it’s still a concept service, it’s interesting to see some of the things that Facebook developers are currently testing[From Facebook Tests Location Through RFID AT f8]
Location-based services take either a lot of time -- you have to manually check in everywhere you go -- or take a lot of liberties -- you open up your personal information to businesses.
If RFID checks you in and out automatically, then the web will certainly "take a lot of liberties" (although this may well be what people want). But this is just about the location of people. What will happen when the location of things becomes part of the natural order?
I happened to be chairing a panel at IIR's M2M Business Exchange event in London recently, and I have to say that I was surprised by the range of organisations that came along. I'd assumed that it would be mainly hardware guys and telcos, but the sessions that they had on smart metering, remote healthcare, retail and so forth were actually discussing some quite diverse applications. Naturally, I was on the lookout for things that might make a business for our customers, so I was focused on the applications that demand more security, such as payments.
ETSI, the telecoms standards body, has been working on what they call SES, which stands for "Service Enablement Services" to form a standard layer between the internet of things and the value-added services to sit above them. Joachim Koss, the TC M2M Vice Chairman said that the standard would include security "tools", which obviously I would like to see as including fully-functional digital money and digital identity elements because this connects to my somewhat simplistic definition: smart pipe = dumb pipe + digital identity + digital money.
I think this is the right approach, provided that the SES layer contains rich enough services to provide for a proper spectrum of identity types (that is, it does not require the full disclosure of "real identity" or allow uncontrolled anonymity). Another advantage that I can see is that if mobile operators were to get their act together, they might be able to use the SES in combination with a secure token (in the UICC) to make a business from it: for example, I might want to choose an option on my phone which means that my location is visible to anyone on LinkedIn provided they work for Consult Hyperion, and then temporarily extend this to a client for a month in connection with a project, but allow my wife to see it via Facebook at all times, that sort of thing. It would be another example of a value-added service that could, when built in to the infrastructure of other more sophisticated value-added services, generate much more income than raw data.
[Dave Birch] We've often looked at the natural strategy of using identity infrastructure as the "front end" to payment infrastructure. To put it simply, if you have an id card in your pocket (or, more likely, your phone) wherever you go, then what's the point of carrying other cards around? Well, one reason is that if you only have one ring to rule them all, and that ring is lost, you're in schtuck (I think there's an idea for a book there somewhere). This is a valid concern.
A junior, who wishes to remain anonymous to protect her identity, had her ID card number stolen.[From Identification card theft becomes a documented issue on campus - News]
Now, of course, in a developed nation (such as Germany, for example) this shouldn't matter, since there is nothing remotely secret about ID card numbers and they cannot be used to effect any transactions -- you need the smart ID card for that. But when the ID number is attached to something that has no inherent security, like a piece of cardboard, then it can be the root of mischief.
A week later, she decided to check her account balance at the Help Desk. The help desk printed her receipts, and she realized her laundry money account had decreased from $21 to $2.
"I saw a lot of Marvin's, but I hadn't ordered from Marvin's at all this year," the student said.
"I looked at the transactions to compare them," she said. "When I was in Chicago, my card was being used here, and once of my receipts said that I had charged for Marvin's at 6:46 p.m., when I had also bought food at the Hub at 6:48 p.m."[From Identification card theft becomes a documented issue on campus - News]
This is the inevitable consequence of 1-factor authentication, just like magnetic stripes on credit cards. Fortunately, the story has a modern, happy ending.
Public Safety, who traced the Marvin's orders to a cell phone number, caught the perpetrator.[From Identification card theft becomes a documented issue on campus - News]
Too funny: the master criminal who copied the ID card number down used his own mobile phone to order food using the number. Still, it's a serious point, and it has been discussed with relation to some of the national smart ID schemes that we have advised on: there's a reasonable concern that ID cards might be a target for crime if they can be used for payments, which is true, if the ID cards have no security. But suppose the ID cards have not only a chip on them to prevent counterfeiting, but also a biometric cardholder verification method.
The much talked about Unique Identity Project (UID) is not just about providing citizens with biometric cards. In fact, the new identity cards can be used for multiple purposes and can even replace the debit or credit cards one day.[From UID cards can replace bank cards - CIOL News Reports]
So, once again, let's be clear about these implications. An effective digital identity infrastructure sitting on top of a standardised "payments cloud" will completely reshape the sector. It will substantially reduce the cost and complexity of starting a new payment scheme, and will further substantially reduce the cost and complexity of running a new payment scheme.
Here's a good reason for not having your Facebook account in your real name (as I don't):
Five interviewees who traveled to Iran in recent months said they were forced by police at Tehran's airport to log in to their Facebook accounts. Several reported having their passports confiscated because of harsh criticism they had posted online about the way the Iranian government had handled its controversial elections earlier this year.[From Emergent Chaos: Fingerprinted and Facebooked at the Border]
I've already created a new Facebook identity and posted a paean to Iran's spiritual leaders just in case I am ever detained by revolutionary guards and forced to log in. But will this be enough? Remember what happened to film maker David Bond when he made his documentary about trying to disappear? The private detectives that he had hired to try and find him simply went through Facebook:
Pretending to be Bond, they set up a new Facebook page, using the alias Phileas Fogg, and sent messages to his friends, suggesting that this was a way to keep in touch now that he was on the run. Two thirds of them got in contact.[From Can you disappear in surveillance Britain? - Times Online]
So even if you are careful with your Facebook personalities, your friends will blab. As far as I can tell, there's no technological way around this: so long as someone knows which pseudonym is connected to which real identity, the link may be uncovered. Probably the best we can do is to make sure that the link is held by someone who will demand a warrant before opening the box.
As Philip Virgo notes, there appear to be some conflicting messages here and there may be some danger of a lack of strategic co-ordination.
The National Fraud Authority (NFA) said fraudsters who stole identities had gained £1.9bn in the past year. Their frauds had affected 1.8 million people, the NFA estimated.[From BBC News - Identity fraud now costs £1.9bn, says fraud authority]
Just after Martha had described her plans to the "Parliament and the Internet" conference last week, those at the session on "On-line Safety" discussed the need to bring the two sets of messages together lest they cancel each other out.[From Mixed messages: "Get Online Week" v. "National Identity Fraud Prevention Week" - When IT Meets Politics]
I've scoured the coverage to find out exactly what it is that the "Get Online" campaign and the "Fraud Prevention" campaign plan to do about identity infrastructure and I've looked through the Cabinet Office "Manifesto for a Network Nation" (which does not mention identity or authentication even once) to find out what the British equivalent of the US National Strategy for Trusted Identities in Cyberspace is but I'm afraid I've come up with a bit of a blank (although a search of the Get Online Week website did turn up one article that mentioned identity theft in 2008). Perhaps I'm looking in the wrong places and a correspondent can point me in the right direction.
The UK national security strategy that was released last week does at least mention identity theft as a problem (it says that "Government, the private sector and citizens are under sustained cyber attack today, from both hostile states and criminals. They are stealing our intellectual property, sensitive commercial and government information, and even our identities in order to defraud individuals, organisations and the Government") but doesn't actually mention identity or authentication, nor does it put forward any suggestion as to what might be done about the problem.
[Dave Birch] I'm giving a talk on identity services as a potential new business for mobile operators, and I'm trying to make the point that there are routine, everyday, prosaic applications for this kind of thing: it's not all about opening bank accounts and reporting deaths. Every single day I take part in transactions that are made complicated, expensive and unsatisfying because of the lack of an identity infrastructure. How many times in an average week do you press the "forgot your password" button? I do it all the time. Here's the standard pattern:
1. Get e-mail from British Gas asking for a meter reading (we still have dumb meters -- more on this in a future post).
2. Read meter.
3. Click on link in e-mail to submit reading.
4. It asks for e-mail address and password, so enter e-mail address and then click on "forgot your password".
5. It says I'm not registered, so then I have to go and register. I use the same password that I use for everything else.
6. But my password has to be between 8 and 16 characters (they take security seriously) so then I have to think of another one (which I am certain to forget again next time).
7. Then I can log in and give the reading.
8. But I get "We're sorry but access to your online account is temporarily unavailable. Please try again in a few minutes."
9. Next day get an e-mail from British Gas apologising for problems with online system. (This isn't really anything to do with identity, but it was nice of them, so I thought I'd report it.)
The process should have been:
1. Get e-mail to remind me to read meter (British Gas must have my e-mail on file somewhere to do this).
2. Read meter.
3. Click on link in e-mail to submit reading.
4. Since the system knows the e-mail address it can prefill this and then ask for my login code from my Barclays dongle (or mobile phone, or whatever).
Bingo. Secure log in, with no effort, since my card and dongle are next to the computer.
Incidentally, and apropos of nothing, I was curious why the system was a bit crap, so I googled British Gas CRM to see if other customers were complaining, and I found this:
A good CRM system can provide automated, reliable and accurate billing and cope with high levels of customer switching and multiple service offerings. This is what British Gas set out to do with Project Jupiter in 2001, when it commissioned Accenture to install a new £317 million SAP billing system. Unfortunately, the well-documented problems with Jupiter resulted in a spike in customer complaints, loss of market share and a £182 million legal battle between British Gas and Accenture that looks set to rumble on for several years.[From British Gas sorts out billing issues and prepares for smart metering - Interviews - Features : Utility Week]
Anyway, back to the topic. We must, as a matter of urgency, start moving to an identity and authentication infrastructure that puts a stop to this time- and money-wasting replication at every service provider.