About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

47 posts categorized "Crime & Justice"

Mexican standoff

By Dave Birch posted Apr 20 2011 at 6:45 PM

At last year's conference on The Macroeconomics of Mobile Money held at Columbia University in April 2010, Carol van Cleef (a partner at Patton Boggs LLP in Washington) gave a presentation on the "Opportunities and Dangers of E-Payments", in which she noted that the Mumbai terrorists used mobile phones and "showed themselves to be part of the mobile phone generation" (as, I imagine, they showed themselves to be part of the mass transit generation and the automatic weapons generation). She notes that the attackers were using their own phones (so the IMEIs could be tracked, making the life of law enforcement easier) and that they had purchased more than 37 SIMs in different names using false identification (so the compulsory SIM registration was shown to be pointless -- although some of the SIM card sellers were arrested). She also says that the most critical tool for drug traffickers in Canada is the prepaid phone (I'm sure she's wrong: I'll bet it's either cash or cars).

I remember thinking when I read this at the time that this continued law enforcement focus on the prepaid phone and the prepaid card, both of which are critical tools for financial inclusion, would end up with restrictions on both that would make no difference to criminals but would make life much harder for the financially excluded, because of the strong link between identity and money.

Why do I think that? Well, it is just not clear to me that demanding strong proof of identity for prepaid products will help. In Mexico there is a national registry for prepaid phones and all purchasers are recorded and fingerprinted, and the operators keep call logs, texts and voice mail for a year (in a database only accessible with a court order -- or by criminals, I'd wager). All prepaid phones not in the registry were supposed to be turned off this month, although a quick round of googling and searching couldn't tell me whether this is actually happening or not. As I wrote a couple of weeks ago, in the context of the Mexican government's reward scheme for people who call in reports of money laundering:

Good luck to anyone who decides to report in person, or by telephone. SIM registration is mandatory in Mexico, which means that the money launderers will find you before the police do

[From Reputation does not depend on “real” identity]

If we focus on phones, for a moment, is it reasonable to assume that demanding identity in the purchase of phones (prepaid or otherwise) will do anything to reduce crime (or will it simply shift the crime to acquiring identities and actually raise the criminal premium on those identities?).

Eight men and one woman have been arrested on suspicion of conspiracy to defraud... calling expensive premium-rate numbers owned by the fraudsters that charge up to £10 a minute... O2 had a total of £1.2m stolen through premium phone lines throughout July, with police claiming that a West African gang bought the phones from high street stores using false identities.

[From British police arrest iPhone scam gang | News | TechRadar UK]

Like many similar scams, this isn't a mobile fraud or a payment fraud or any other kind of fraud: it's basic identity fraud, yet again. To some extent, therefore, one has to be a tiny bit unsympathetic to O2. Clearly, if they make everyone jump through hoops to get an iPhone then they won't sell very many of them. On the other hand, allowing people to take out contracts without really proving who they are or (and this is the commercial arrangement that is lacking) providing an identity that is underwritten by someone who will take liability for it being wrong, means accepting risk. Remember, it's not the mobile operators, handset manufacturers or criminals who pay for the police raids, the court system, the prison time: it's us, the taxpayer. So the distribution of risks is not aligned with the distribution of liabilities, as is so often the case in the world of identity fraud. This isn't a UK-only problem. It is very clear that in countries without secure national identity registers (ie, almost all countries), requiring mobile operators to determine the identity of subscribers (contract or prepaid) will solve nothing. This does not, by the way, mean that it is impossible to catch criminals. Far from it.

Deputy District Attorney Mena Guirguis said that after Manunga and her former boyfriend stopped dating in 2008, she took out a pre-paid cell phone in his sister-in-law's name, and started sending the threatening text messages to her regular cell phone... Her scheme was uncovered when the victims went to the phone store, talked with the salesman and learned that Manunga had bought the pre-paid phone under the sister-in-law's name, Guirguis said.

They reported that information to a Costa Mesa police detective, but by then a third arrest warrant had been issued for the sister-in-law. During a follow-up investigation, the detective discovered that most of the threatening text messages were sent when the pre-paid cell phone was in close proximity to Manunga's home or work.

[From Woman jailed for making threats – to herself | sister, law, manunga - News - The Orange County Register]

What this story shows is that actual police work is helped by the perps using mobile phones, even if you don't know the identity of the person using the phone, because phones mean tracking and tracing and location. We read today that iPhones keep a complete record of everywhere they've been...

Apple iPhone users’ movements are being tracked and stored without their knowledge in a file that could easily be accessed by a snooping employer or jealous spouse, security researchers have found.

[From Apple iPhone tracks users' location in hidden file - Telegraph]

Surely it would be better to have criminals running around with iPhones, sending money to each other using mobile networks and generally becoming data points in the internet of things than to set rigorous, quite pointless identity barriers to keep them hidden.

Stux on you

By Dave Birch posted Nov 29 2010 at 8:58 PM

[Dave Birch] The media are full of cyberwar at the moment. I'm sleeping safely in my bed knowing that we now have a cyberwar strategy. But there does appear to have been one cyberwar attack that has already succeeded. The story about Stuxnet is fascinating, especially now that the Iranians have admitted that it worked.

President Mahmoud Ahmadinejad admitted Monday that "several" uranium enrichment centrifuges were damaged by "software installed in electronic equipment," amid speculation Iran's nuclear activities had come under cyberattack.

[From France24 - Iran admits uranium enrichment hit by malware]

So whoever wanted to stop the Iranians from enriching uranium (the Americans, the Saudis, the Israelis etc) found a cheaper and more efficient way to do it than launching cruise missiles or dropping bunker busting bombs.

Continue reading "Stux on you" »

Who to trust?

By Dave Birch posted Aug 5 2010 at 10:18 AM

[Dave Birch] I've been involved in some involved discussions about an involved topic: trust (again). It happens that a number of the projects that Consult Hyperion is currently working on include implementing trust infrastructures in both private and public sectors. Now, we're not alone in thinking that this is a big deal.

Newmark called some form of distributed trust system “the killingest of killer apps” for the web over the next decade (he said he wasn’t sure that was the best way to describe it, but was trying out to see how it sounded). He talked about “reputation and trust ruling the web, just the way it does in real life,”

[From Craig Newmark on the Web’s Next Big Problem – GigaOM]

Do they rule real life? Consider the transactions that I've made so far today. I took a bus -- no trust required, I paid with cash -- and then bought a train ticket -- chip and PIN, so no trust in me required -- and went to a couple of meetings -- we'll come back to this in a minute -- took the train home -- no trust in me required since I had a ticket -- and then took the bus home -- no trust in me required since I had a ticket.

Continue reading "Who to trust?" »

Will mobile phones mean more crime?

By Dave Birch posted May 9 2010 at 12:01 PM

[Dave Birch] There was a discussion at this year's Digital Money Forum with David Nordell from the Terror Finance blog. He called mobile payments a terrorist's dream, but I disagreed. People always see the worst in new technologies, projecting existing crimes on to them. But the ability of new technology to fight crime is surely just as great. Mobile phones are no different from any other technology in that respect. On the one hand mobile phones can be used to commit new crimes, but on the other hand they can be used to prevent, detect and solve crimes.

Recently, two death row inmates were arrested in Nakuru GK Prison after being tracked through the assistance of mobile services firm Safaricom. More than 10 mobile phones and a number of SIM cards that were used to transact more than Sh300,000 were confiscated. The inmates colluded with people outside the prison to provide them with phone numbers of wealthy people who they called and threatened with death if they did not follow orders. Police launched investigations into how the convicts had separately received Sh350,000 and Sh40,000 in their welfare accounts when the racket that was unearthed in February.

[From Daily Nation: - News |Police probing mobile money transfer racket]

Nice mobile payment application -- call people up, get them to send money back via the mobile payment system -- but only if you're a really stupid criminal, since the phone company knows where you are and will tell the police. And the police will be able to track you, and they will know the details of anyone else you call. And it doesn't matter if it's a prepaid phone not registered to you, because knowing where you are and who you are calling is pretty useful information.

The tracking is especially useful and in the future we will come to accept that we know where stuff is, all the time. As an aside, this doesn't mean the end of privacy, but I think it does mean new notions of privacy.

Within seconds, a Tampa map appeared with a blinking orange dot moving away from the park. "We're thinking to ourselves, there are our cell phones going down the road," Jennifer Jensen said. The dot left the park, headed down McKinley Drive, headed south of Fowler Avenue and stopped less than 4 miles away from where it started... Caroline switched to satellite mode, and they were suddenly looking at the outside of the Bentley Court Apartments, 11603 N 22nd St.

[From There's an app for that, too — Tampa cops find stolen iPhones with GPS - St. Petersburg Times]

At one level, this is just a fun "there's an app for that" story. But think about it more as a window into the "internet of things" future. When everything is connected to everything else across an infrastructure then the idea of stealing something will become outdated (although, to be fair, some idiots still rob banks with shotguns). What's the point of getting into my car if you can't drive it without my RFID keyfob, what's the point of stealing my TV if it will only decode encrypted signals if it is in range of my router and what's the point of running off with my mobile phone if it won't allow you to make calls unless you can mimic my voice? And what's the point of stealing any of them at all if I can log in to any computer anywhere in the world and see where they all are?

Continue reading "Will mobile phones mean more crime?" »

Dog's life

By Dave Birch posted Apr 1 2010 at 5:01 PM

[Dave Birch] There was a news story in the UK recently about the very sad death of a young woman who was lured to a remote spot by a man who met her on Facebook. The man was pretending to be a teenage boy. Facebook became the focus of the story, with the usual calls for something to be done. So is the sky falling in because of social networking?

You could just as easily argue that criminals are easier to catch because of Facebook, or any other new technology. The police can use them too, can’t they? Doesn’t social networking make it easier for the police and others to work together? Couldn’t Twitter help detectives? Can’t detectives subscribe to RSS feeds on cases of interest? (Frankly, I doubt it, but you get my point.)

[From 15Mb: yet another blog from Dave Birch » Blog Archive » The “Ford Mondeo Killer”]

People might think they're anonymous, but they're not. A rational policy on law and order would surely try to get more criminals to carry out their crimes online, because it's easier to catch them in the virtual world than in the real one.

When a YouTube video came to its attention on Friday in San Francisco, the FBI had a Philadelphia man in custody the next day

[From How the FBI busted one YouTube nutjob in under a day]

It's the same logic as with money laundering. If you raise high barriers by making people prove who they are before going online then they will either go to great lengths to avoid the rules (thereby enriching middlemen) or just avoid going online, in which case they cannot be tracked or traced at all. I wrote an article for SPEED ("Moving money and securities worldwide") magazine's Spring issue, noting that if criminals were to abandon suitcases full of 500 euro notes for platinum pieces in Everquest (frankly unlikely, but there you go) then surely it would be easier for law enforcement officers to masquerade as half-orc barbarians in Norrath than as criminals in the real world and therefore follow the money.

Continue reading "Dog's life" »

Imperfect crime

By Dave Birch posted Dec 24 2009 at 10:15 AM

[Dave Birch] Some years ago at the Digital Money Forum, Richard Bartle from the University of Essex characterised the economy of virtual worlds as "people buying things that don't exist from people who don't own them" which was, frankly, a brilliant summary. There is also, sadly, a class of people stealing things that don't exist from people who don't own them and this is a crime, so it was with great interest I read that

A British man has been arrested and cautioned for stealing accounts for online game Runescape... A statement from the Police National e-crime unit said: "A 23-year-old man was arrested in Avon and Somerset... on suspicion of a number of computer misuse offences."... Once hi-tech thieves have these credentials they plunder the accounts, strip characters of their items and sell off the rare virtual goods for Runescape gold.

[From BBC News - Runescape creator pursues 'phishing thieves']

This is real identity theft. If criminals somehow get into my bank account and spirit the money away, I don't really care because it's the bank's problem and they will give me the money back. But if the criminals take over my Runescape character, that's a real personal violation. As I said before

a bank can easily restore my money, but it's much harder for Facebook to restore my reputation (apart from anything else, a reputation takes time to build). Which is the worse crime?

[From Digital Identity Forum: What identity is important?]

It's the latter, clearly. So perhaps the "standard" use case for strong authentication should be switched from logging on for home banking to logging on to Facebook, which takes us into the world of OAuth and OpenID instead of EMV and OTP. In this world, there's already plenty of work going on around authentication, credentials and federation that could provide key portions of the infrastructure that we know that we are going to need in the mass market.

Continue reading "Imperfect crime" »

Fit and counterfeit

By Dave Birch posted Dec 24 2009 at 10:15 AM

[Dave Birch] When the first Bank of England banknotes were issued in June 1694, they must have seemed pretty secure, with their fancy engraving and the handwritten signatures. It must have been a bit of a shock in August 1694 when the first counterfeits were detected. Or should I say that the first counterfeits bad enough to be detected were detected. One of the problems that plagued the Royal Mint at that time was that the machinery to make notes and coins was being stolen by corrupt employees and sold to the criminal underworld. The machines were not really producing counterfeits, because they were the same plates and dies as those being used in the mint: they were producing unauthorised versions. Banknotes have evolved a bit since then, but given the regularity of the stories about North Korea "supernotes", the counterfeiters have kept pace.

North Korea has been producing “super notes,” counterfeit 100-dollar bills practically indistinguishable from legal tender, even since 2007 when the U.S. released North Korea from financial sanctions. North Korea has also tried to bring some of the notes into South Korea.

[From Daily NK - Super Notes Still in Production]

There's no need to get Korean ultraforgers on board so far as the new UK national identity card goes. In fact, our indigenous forgers have been doing an excellent job, selling first-class forgeries of the UK ID card even before the UK ID card existed. Why they are bothering is not entirely clear.

Darren McTeggart tried to use the £30 card to pick up a replacement credit card from a branch of Santander – formerly Abbey – in Manchester, where the scheme was rolled out on a voluntary basis last year. Mr McTeggart, one of the first people to get the card, said: “They said it was not on their list of approved ID.

[From Man can't prove ID with ID card - Telegraph]

I'm sure this is just a hiccough. But how are indigenous ultraforgers creating their dastardly fake ID cards? Are they breaking into the government's factories and stealing the chips? Have they got corrupt insiders working for them? Sadly, nothing that interesting. It's apparently so easy to forge documents like this that the police are now asking the companies who sell printers to report suspicious customers, much as banks have to do when opening new accounts.

U.K. police are trying to get wider participation from printer manufacturers and makers of specialist equipment in a voluntary program designed to cut off criminals from the tools they need to make fraudulent passports and ID cards.

[From UK Police Engage Print Industry to Stop Fake IDs - PCWorld Business Center]

Oh come on. You can't seriously tell me that criminals can just walk into PC World and buy printers that can produce a fake ID card? I don't believe that for a moment. Oh, wait...

The Met has shut at least 20 [fake ID] “factories” in the last 18 months and believes more than 30,000 fake identities are in circulation. Police examined 12,000 of them and established they were behind a racket worth £14 million. One £750 printer was withdrawn from sale at PC World after detectives revealed it could produce replicas of the proposed new ID card and EU driving licences.

[From Police war on fake ID factories as fraudsters net millions | News]

Whoops. I'm sure this isn't what former Home Secretary David Blunkett had in mind when he outlined his plans for the national ID card way back whenever.

Continue reading "Fit and counterfeit" »

Digital division

By Dave Birch posted Dec 7 2009 at 8:22 PM

[Dave Birch] There was yet another debate about the "digital divide" in London, featuring the British government's technology tzarina, Martha Lane Fox (note for foreign readers: Martha Lane Fox was a co-founder of the famous internet enterprise Lastminute.com), who is charged with forcing a recalcitrant populace -- one-sixth of Britons say they don't want the web -- to log on to things. There are 10 million people in Britain who have never been on the Internet and the Digital Inclusion Task Force has to get 4 million of them "online" by 2012, otherwise... Actually, I don't know what the "otherwise" clause is, so had better move on.

At the debate, they were (essentially) talking about the divide between people who order books online from Amazon and people who don't, and I'm sure this is an important topic, but I'm not that interested in it. I once got into trouble in a meeting with a public sector customer because I said that people who weren't on the web generally didn't want to be, and since they could clearly afford Sky television and mobile phones, I didn't think that it really mattered that they chose not to buy broadband. But I digress.

Is there an interesting, and more important, digital divide? Yes, there is. And it's the digital divide between the developed world and the developing world. But it's not what you think and, as Tomi Ahonen frequently points out, it's got nothing to do with "one laptop per child" or submarine cables for internet access.

In the Industrialized World we have TVs, PCs, FM radios, fixed landlines and mobile phones to consider and compare and use and more than half of the population has one of each of those. In the Developing World, the only technology that reaches half the population is mobile telecoms, and all others are tiny in comparison. For the Emerging World, mobile is not only the first screen it is literally the only screen.

[From Communities Dominate Brands: The Digital Divide in Numbers: TVs, PCs, Internet users, Mobile around the world]

If we are going to deliver services to the mass of people in the developing world, services that are going to improve the lives of the mass of the population, then we need to focus those services on the mobile channel.

1. The mobile device will be the primary connection tool to the internet for most people in the world in 2020.
2. The transparency of people and organizations will increase, but that will not necessarily yield more personal integrity, social tolerance, or forgiveness.
3. Voice recognition and touch user-interfaces with the internet will be more prevalent and accepted by 2020.

[From Pontydysgu – Bridge to Learning » Blog Archive » Digital Identities and Social Relations]

This seems like a reasonable projection given current trends and a bit of imagination and, personally, I think that the issue of transparency may well have the most impact, changing both businesses and government in ways that we haven't taken on board yet but that's an issue for another day. But take these points on board, particularly the reinforcing synergies between the mobile phone as the device, the mobile phone as the tool for opening up organisations and the mobile phone as locus for the voice interface (which, together with voice authentication, will transform identity and authentication).

Continue reading "Digital division" »

What identity is important?

By Dave Birch posted Sep 8 2009 at 5:46 PM

[Dave Birch] A couple of days ago I was in a discussion concerning the discrepancy between what enlightened experts (eg, me) think about identity management and what governments, civil servants and IT vendors think about identity management. One of the points I made, which I think I can defend, is that the "common sense" notion of identity, rooted in our pre-industrial social structures and pre-human cortex, is not only not very good at dealing with the properties and implications of identity in an online world but positively misleading when applied to system and service design. The fact is that virtual identity and "physical" identity are not the same thing, and they differ in ways that we are only beginning to take on board. Here's an interesting reflection on the difference between physical and virtual identity.

I used to work on campus 5 days a week, but working at home more has coincided with the advent of blogs and twitter. My professional and personal profile on campus is now much higher than it was when I attended every day, but largely sat in my office, and occasionally ventured out for coffee.

[From Establishing Our Online Identity « Ramblings of a Remote Worker]

Interesting. An online identity in a context that makes it worth more than an offline identity, because it is more connected. The Facebook economy, so to speak. Which leads me on to...

Continue reading "What identity is important?" »

The Guildford triangle

By Dave Birch posted Jun 10 2009 at 10:49 PM

[Dave Birch] What is it with Britain? Digital or otherwise our degraded realm is an international identity scandal. Europe's no.1 exporters of payment card fraud, we are apparently now the world's worst for identity theft overall.

INTERNET users in Britain are more likely to fall victim to identity theft than their peers elsewhere in Europe and North America. In a recent survey of 6,000 online shoppers in six countries by PayPal and Ipsos Research, 14% of respondents in Britain said that they have had their identities stolen online, compared with only 3% in Germany.

[From Where your identity is more likely to be stolen | Online fraud | The Economist]

There may be a correlation here between "identity theft" and "card-not-present fraud" (Germans rarely use credit cards, least of all on the interweb), but we'll return to that in a future discussion. Now, these statistics don't, I think, mean the Brits are more criminally inclined. After all, fraud is an international business.

The criminals stored much of their data on computer servers in Latvia and Ukraine, and purchased blank debit and credit cards from confederates in China, which they imprinted with some of the stolen numbers for use in cash machines, investigators say.

[From Global Trail of an Online Crime Ring - NYTimes.com]

It's more likely that Britain is a soft touch: high card penetration and use, lots of internet shopping and other factors that lead to identity theft on an industrial scale. But where does this tidal wave of fraud actually originate? I read in The Telegraph that the top 10 identity theft hotspots in the UK are all in south east England. There's an area of white collar fraud between London, Reading and that well-known criminal outpost, Guildford. Odd. In the top 10, only St. Albans falls outside of this theft triangle. Yet the government is going to test ID cards in Manchester... Well, as we all know, ID cards won't have the slightest impact on identity theft for at least the next decade.

ID cards have been touted as the solution to a number of real problems - terrorism, crime and so on - though none of their supporters can ever explain how having an ID card stops a mugger or suicide bomber. But they began as the answer to a classic fake problem, still routinely cited by ministers, the need to "secure our identities" against "identity theft".

[From The ID card is on its last legs - just let it die with dignity | News]

Now, I wouldn't call identity theft a "fake problem". On the contrary, it's a very real problem. But what is generally meant by identity theft, certainly in the Guildford triangle, is largely to do with payment card fraud (which is rampant in the UK) and account takeover. These are specific problems, not general identity problems. Until retailers demand that you present an ID card when you buy anything, or somehow allow them to read your identity card over the interweb, nothing much will change. Fortunately, someone is thinking this through: the UK ID card scheme may well use chip and PIN technology so that it can be accepted at retail POS. Lots of newspapers reported this, so I'll choose to point to the report in that august journal of record from my home town, Swindon (or, "Swindon, city of the future", as I have generally called it since 4th July 1995):

ID cards could be fitted with chip and pin technology to help combat identity fraud. The head of the Government agency tasked with producing the cards said there were no "technical obstacles" to adding chips to the cards and handing out pin numbers.

[From ID cards 'could use chip and pin' (From Swindon Advertiser)]

I rather imagined that the cards already had chips on them, but putting that to one side, the idea of making ID cards work in chip and PIN terminals isn't totally infeasible, although I'm not completely clear as to why you would want to do this. I suppose the thinking is that the shops already have the terminals. But if you are asked to put your ID card into a terminal and punch in your PIN, wouldn't you then get annoyed at having to take it back out again, then put your chip and PIN card in and then punch in another PIN? Why not just link your bank account to your ID card?

Continue reading "The Guildford triangle" »