Close enough for jazz

[Dave Birch] I had a typical fascinating and productive discussion with Hazel Lacohee and Piotr Cofta when we last got together. We were kicking around some ideas for finding practical ways to improve privacy, security and other good stuff while simultaneously worrying about the government's approach to the interweb, broadband and ID cards. With the right combination of technology and vision we can take an entirely different view of the "identity problem" and how to solve it. In a decentralised fashion we can see identity develop as an emergent property of trust networks, shaped by evolution to be fit for purpose or, as Piotr Cofta puts it, "good enough identity". Good enough identity (GEI). I love it.

I'm certain that there is merit in this approach. There is a real difference between between trying to create a kind of "gold standard" identity that delivers the highest possible levels of authentication and identification in all circumstances and trying to create an identity that is useful (defined by: reduces total transaction costs and, in my world, aligns social costs with private costs). Therefore, a utilitarian approach of trying to do something, anything to make the identity situation improve for individuals and organisations, we might be better off starting with some simple building blocks and building up rather than by starting with a national ID card (I mean, a 21st-century national ID card of the psychic ID kind, not electronic cardboard) and driving that down. Go from the personal to the enterprise, from the enterprise to government.

What a cunning stunt

[Dave Birch] I am, very literally, green with envy. I count myself as a reasonably good speaker, and I try to use narrative and historical examples to explain key principles. But nothing beats a good demo, and I saw an excellent one today, one that I wish I'd thought of!

At the Intellect conference on Identity & Information in London today, Edgar Whitely from the LSE gave a terrific presentation. He was pointing out that the principle of data minimisation in identity systems is important, but he did it in a particularly arresting way.

Here's what he did.

He showed this recent newspaper photograph of the British Home Secretary, Alan Johnson, showing off his new ID card and holding it up to the camera. This version comes from The Guardian....

Alan Johnson reveals the design of the British national identity card. Photograph: Stefan Rousseau/PA

As you can see in the picture, for reasons that will be not fully explained in a moment, the UK ID card has the holder's full name, date of birth and place of birth on it. These three data points are sufficient to uniquely identify the overwhelming majority of the population. So Edgar went to the Identity & Passport Service birth certificate ordering service and put in the details from the Home Secretary's card. He then paid his £10 and... with a suitably theatrical flourish, Edgar produced the copy of the Home Secretary's birth certificate that he had been sent in the post. Note that Edgar hadn't done anything wrong. As James Hall, the head of IPS who was on the same panel, pointed out, in the UK anyone can order a copy of anyone's birth certificate. He said that if you are a celebrity then hundreds of people will order copies of your birth certificate every year, which had never occurred to me. I'm sure James is right, but it does seem a little odd that people who want to commit identity theft will simply have to look at their mark's ID card to get started.

Edgar hadn't used the birth certificate to open a bank account or get a driving licence or anything, he was just making the point that if we don't adopt the right principles (eg, data minimisation) for identity systems, then we run the risk of making identity theft worse. It was a great presentation and a super stunt. Well done.

Anyone familiar with my deranged rantings about psychic ID (ie, virtually nobody) will be familiar with the general point: a characteristic of a 21st-century ID scheme is that it should only give up information necessary to enable a transactions, nothing more or less. So, if you are authorised to ask my ID card whether I am over 18 or not, that's all it should tell you. Not my name, not my address, not my age or date of birth. Just whether I am over 18 or not and that's it.

The current ID card scheme does not have this key characteristic, not for any functional reason but because the ID card and passport were jumbled up for a political purpose -- the purpose being, as far as I know, to make it harder for an incoming administration to scrap the scheme -- that constrains the design and implementation. Since the government wants the ID card to be used as a travel document within in the EU, it has to have certain human-readable information on it. That's why it gives away the key data points that make it tempting for criminals to kick-start their identity theft antics.

The DNS of the industrial bourgeoisie

[Dave Birch] I have a vague memory -- which five minutes googling cannot substantiate and I'm too lazy to go and find the book in the other room -- that somewhere in the Gulag Archipeligo by Aleksandr Isaevich Solzhenitsyn there is mention of Stalin's desire to have a more revolutionary telephone system where all calls had to go through a central exchange and be encrypted so that Stalin could listen to everyone else's calls but his would be encrypted to remain secret. The prisoners with relevant skills were supposed to be designing this while in the gulag. It never worked, of course, and the Soviet Union had appalling telecommunications infrastructure as a consequence because the communications revolution was halted by the dictatorship of the proletariat: there's some deep incompatibility between innovation and centralisation. I couldn't help thinking of this when I read about the calls by Eugene Kaspersky to have a more Stalinist internet:

The CEO of Russia's No. 1 anti-virus package has said that the internet's biggest security vulnerability is anonymity, calling for mandatory internet passports that would work much like driver licenses do in the offline world.

[From Security boss calls for end to net anonymity • The Register]

What he means by this is that he wants a technologically complicated and expensive solution to be implemented so that ordinary people are inconvenienced to the maximum while criminals can roam free (which is what would happen). Creating such an asymmetric solution is not the way forwards: for one thing, who would decide what to censor?

A little local controversy involving the Church of Scientology and its critics could lead to curbs on the right to anonymity of anyone using the web.

[From Scientology seeks to squash anonymity • The Register]

We already have experience of this "solution" in the UK. Laws giving a wide variety of bodies the ability to monitor CCTV, the internet, phone calls and everything else which were supposed to save us from international terrorism are used by local councils to stop people from trying to get their children into better schools and to check that people are recycling enough of their rubbish. I'm sorry, but creating a world in which anyone can read anyone else's e-mail, track anyone else's web browsing, see what anyone is reading is not the way stop Russian virus writers from taking over everyone's PCs. We need an identity infrastructure.

Lizzie Coles-Kemp, Royal Holloway

[Dave Birch] Dr. Lizzie Coles-Kemp, of the Information Security Group at Royal Holloway, is a Primary Investigator on the Visualisation and Other Methods of Expression (VOME) project which is joint research between Cranfield University, Salford University, Royal Holloway (University of London), Sunderland City Council and Consult Hyperion. The project is funded by The Technology Strategy Board, Engineering and Physical Sciences Research Council (EPSRC) and Economic and Social Research Council (ESRC). In this podcast she talks about the VOME project and explains how the visualisation of privacy is fundamental to informed consent and therefore e-government and e-business.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

Who says?

[Dave Birch] According to a letter I saw a while ago in The Daily Telegraph, British supermarkets won't accept a British armed forces ID cards as a proof of age, but they will accept foreign ID cards that they cannot read. Or not. It depends what for.

The student's French ID card was not deemed to be sufficient proof of her age for the staff at Sainsbury's, even though the chain does accpet the card from foreign workers who wish to work in the UK.

[From Sainsbury's denies French student]

So you can use your foreign ID card to get a job at Sainsbury's but not to buy a bottle of champagne. Bizarre, but predictable: this is what happens when we jumble up credentials and identification, absent any well-formed rules for understanding or verifying them. It reminded me of the discussion from a few weeks back concerning the distinction between actual security and security theatre. Here's a simple example: you go to open bank account and the bank asks to see identity, so you show them a passport. If it is a British passport, they can phone a Home Office hotline to see if it is real, whether it has been reported stolen and so forth. If it is, say, a Bulgarian passport, they cannot possibly tell whether it is real or not, so they just photocopy it and file the copy away somewhere, just as the British Attorney General should have done with her maid's work permit (since it is an offence is to not to keep a copy of such documentation). Thus, if you are a criminal then you will always choose to use a Bulgarian passport. Honest citizens are inconvenienced, criminals aren't. This isn't so much security theatre as security pantomime, as the BBC have highlighted.

The banks are worried it is still too easy to use a counterfeit passport from abroad to open a bank account, or to get an overdraft or credit card.

[From BBC NEWS | Business | Fake passports prompt fraud fear]

Well, I suppose they could always not open the account unless they can understand and verify the identification documents. The fact is, it's really, really hard for anyone to understand foreign credentials of any kind. Remember the amusing story of the mystery Polish serial traffic offender being tracked by the Irish police?

It was discovered that the man every member of the Irish police's rank and file had been looking for - a Mr Prawo Jazdy - wasn't exactly the sort of prized villain whose apprehension leads to an officer winning an award... Prawo Jazdy is actually the Polish for driving licence and not the first and surname on the licence.

[From BBC NEWS | Northern Ireland | The mystery of Ireland's worst driver]

This does nicely illustrate a key advantage of digital identity over physical identity: this would never happen. If my reader can't understand your card, that's the end of the discussion. There's a nice binary outcome. Where the results depend on human interpretation of shades of grey, surely the system will always throw up crazy outcomes.

An innocent South Tyneside man was arrested because his MoT certificate was a paler shade of green. Michael Cook, from South Shields, had gone to the Driver and Vehicle Licensing Agency (DVLA) centre in Newcastle to renew his car tax. Staff thought his two-week-old MOT certificate was a forgery because it was a lighter shade than his previous one, and the police were called.

[From BBC NEWS | England | Tyne | Arrest over wrong colour MoT form]

Essential to a functional identity system, then, is a cheap and simple "box" for checking whether the card is valid. You put your French ID card, British Forces ID card or Tesco Clubcard into the box at the checkout and the light goes green or red. That's it.

Good morning, thing

[Dave Birch] OK, so I know it sounds spooky and people are uncomfortable with RIFD-at-a-distance, but there would be some advantages to being "recognised" by machines. Think about the subject from a customer service perspective rather than a security, spying and generally creepy perspective. As, in fact, some people already have been.

The Financial Services Technology Consortium (FSTC) today announced the launch of a project whose goal is to help member banks adopt radio frequency identification technology (RFID).

[From FSTC | Financial Services Technology Consortium - Press & Articles]

Why would banks want to do that? Well, it is relatively easy to implement vicinity (let's say up to a couple of metres) read-only functionality along side the proximity (let's say up to a couple of centimetres) read-write functionality used in contactless identity cards, bank cards and NFC phones. The chip sets are readily available. Handled correctly, this is something that a great many customers would appreciate.

Imagine a world where, when you walk into your bank, messages and adverts pop up that address you by name.

[From What high street banking will look like in 2020]

While The Times might see this as something for 2020, more technologically advanced nations are already experimenting with the technology,

Now "Yes Bank" which is a commercial bank operating out of India has been piloting an RFID system so that bank employees can identify these rich fat customers and offer them personalized services. Under the pilot RFID banking cards have been offered to select customers apart from deployment of RFID interrogators and customized gate antennas at bank premises... The moment the elite customer arrives in the bank his details are flashed on the system which enables the relationship team to identify the concerned person so that they can accord him services in the best possible manner.

[From The RFID Weblog: RFID being used to give preferential treatment to rich clients in Indian banks]

I can readily imagine using a Tesco Clubcard with this technology, or a BA Executive Club card or a transit card. As a consumers, I want to get better service where possible and the idea that everything from shopping cards to airport display boards might know who I am and deliver personalised service because of that is rather appealing. At least, it's rather appealing provided that my identity is managed properly and my privacy is assured. This could be done at a physical level: you might, for example, have a Clubcard that only functions when you press a button on it.

This system creates a tiny, ultra-thin, pressure sensitive switch "which ensures that the device can only be read when the owner is pressing the switch", said Peratech.

[From British firm develops RFID security technology to prevent ‘skimming’ | 20 Aug 2008 | ComputerWeekly.com]

Well, I can see how that might work for a card, although it seems a bit of a hassle in practice. But what about other form factors, particularly form factors that might make it difficult for someone to physically reach the switch. For example:

In times where a lot of hue and cry is being raised over injecting humans with RFID tags here is a video of a guy who seems pretty cool about injecting RFID chip in his hand

[From The RFID Weblog: The Do It yourself Guide to implanting RFID Chip in your hand]

Connecting things up is easy, but disconnecting them is hard! The solution, surely, is not down at the physical layer but in the logical layer above it. Extending the future digital identity management infrastructure to the Internet of things has to be the way forward and if properly designed such an infrastructure could deliver more, I think, thank many people imagine. In particular, such an infrastructure could protect privacy through the judicious use of cryptography rather than through codes of practice or goodwill.

The right to moan

[Dave Birch] I've been following a few discussions about online anonymity, triggered by a couple of stories about bloggers identities being disclosed for one reason or another. One of them was the ridiculous story about an outraged model.

Of course, pretty much no one would have seen such a blog if Cohen hadn't gone legal about it, claiming (with no proof) that she was losing jobs because of it (which seems difficult to believe).

[From Outed Blogger Plans To Sue Google; Skank Model Mess Gets Messier | Techdirt]

This what they call on the interweb the "Streisand effect", but of course in these knowing post-modern times it could all be a clever publicity stunt and the model is not being stupid by cynically wasting taxpayers money to attract attention. Anyway, the point is that this story got yet another discussion about internet anonymity going. The general tone of the discussions in the media appears to be the usual unthinking "if you've got nothing to hide...".

I take a different view. Most people do not have anonymity, it's a myth. If I log on to The Guardian's "Comment is Free" and post something about the destruction of the public finances under the name "General Wolfe of Quebec", I am not really acting anonymously because it is trivial (as the recent headline stories have proved) to determine the IP address that the post came from and then go to the ISP to get the account. So although the Internet seems anonymous to people who don't understand it (eg, models, politicians), it isn't. And it's not obvious whether that is good or bad. If you're trying to track down someone posting child pornography (the usual short-circuit for the argument) then it's bad, but if you're trying to complain about the treatment of political prisoners in your country, then it's good. And what's more, whether your blogging is anonymous or not depends on the technology, not on the constitution or the judiciary.

As Ben Laurie has so clearly pointed out, unless the connection layer is anonymous, nothing else matters.

[From Digital Identity Forum: Internet]

I think that at a minimum bloggers should have conditional anonymity: that is, they should be able to use a pseudonym that is only connected to them on the production of a court order. This cannot be achieved by depending on the service providers: even if they operate with good will,

Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often 'reidentify' or 'deanonymize' individuals hidden in anonymized data with astonishing ease.

[From SSRN-Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization by Paul Ohm]

What this, I think, implies is that there will be blogging platforms that spring up in the US to operate under the provisions of protected free speech legislation and beyond the vagaries of UK libel laws and, over time, the most interesting and valuable blogs will migrate in that direction. Those platforms will provide authenticated pseudonymous identities (using, as I repeatedly wish for, 2FA OpenID or something similar) that are contingent on cryptography. How is the nurse going to blow the whistle on a drunk surgeon without pseudonymity?

No-one should think this stuff is easy

[Dave Birch] I've repeatedly said that I want the laws of mathematics and physics to protect my personal data, not to rely on the laws of the UK (or anywhere else). This is for two reasons. For one thing, I'm not confident that the people making the laws know what they're doing (they tend to be lawyers and politicians rather than engineers or scientists). For another thing, there's no reason to expect that the cold, hard distinction between 1s and 0s that builds the virtual world is suitable to manage the ambiguities of the legal world. Thus, even if a law is set out correctly, that doesn't mean that it will never be replaced or altered in a perverse way. The oldest law still on the books in our United Kingdom is the Distress Act of 1267 (which outlawed private feuds, forcing people to go to court for redress in civil disputes) but not many laws have made it through eight centuries. Things change. But even if the law is right and on the books, that doesn't mean it will be interpreted as intended. At the eema European eIdentity conference, I noticed that the Chief Privacy Officer for the Department of Homeland Security referred to the US Privacy Act of 1974 as one of the inputs to their policy. But,

The Privacy Act of 1974—the law designed to protect your rights as the government collects, uses, and shares your data—fails to consistently protect of citizens’ privacy because circuit courts disagree on how to interpret its language.

[From PolicyBeta - Blog Archive - A Remedy for Every Wrong? Why We Need a Consistent Privacy Act]

This illustrates my point. My personal data should be protected by cryptography, not by the vagaries of judicial interpretation.

Bring it on

[Dave Birch] As has been mentioned once or twice, the world of social networking provides a specific and immediate kind of weapons range for testing new ideas about identity and privacy. Facebook, in particular, seems to developing an emergent properties space where all sorts of experiments are already under way with the identity concepts at their core already one step removed from the common sense" view of identity . There is one class of experiment that I find particularly fascinating, and these are about matching and comparing the "grown ups" perspective against the "kids" perspective. US examples are always more acute because they involve law suits, so let's start there. Here's a fabulous example.

a suit was filed in Mississippi that alleges a school official—more specifically a teacher acting in her capacity as a cheerleading coach—demanded that members of her squad hand over their Facebook login information. According to the suit, the teacher used it to access a student's account, which included a heated discussion of some of the cheerleading squad's internal politics. That information was then shared widely among school administrators, which resulted in the student receiving various sanctions.

[From Cheerleader sues school, coach after illicit Facebook log-in - Ars Technica]

This follows on from other recent stories about employers demanding log in passwords for social networks and so forth. If my employer wanted my LinkedIn password, I would regard it is transparent evidence of their insanity and a clear flag that our working relationship had collapsed. But if you're a kid and it's a teacher asking, I suppose you might feel under pressure to comply with something that's obviously a breach of natural justice. Not surprising, in many ways, because it's always difficult for social mores to adjust to new technologies -- people used to be given instructions for answering the telephone -- and this stuff is still really, really new. People don't yet have sense of what is naturally right or wrong in the new environment.

So, people in authority behave inappropriately when faced with new technology. No big surprise. But what I found fascinating about this story -- and the lesson it contains about emerging "norms" around identity in a digital age -- was the reaction of some other kids faced with the same demand.

...several other students asked for their logins simply deleted their accounts using their cell phones, preventing this sort of intrusion; the schools apparently have a filter that blocks access to its Web interface from school computers.

[From Cheerleader sues school, coach after illicit Facebook log-in - Ars Technica]

In a way, I find this heartwarming. The kids aren't stupid: they live in that world and they can distinguish their multiple virtual identities. Faced with a privacy violation that undermines a virtual identity, they slash and burn. And the school's efforts to prevent them manipulating their virtual identities are fruitless.

Doctoring the evidence

[Dave Birch] Health care is a very difficult environment to deal with, and no-one can underestimate the complexity and tensions in the space. I want my health details to remain absolutely private, but if I get run over by a bus then I want the doctor in casualty to have access to everything, instantly. There are basically two ways of doing this: storing my medical details with my doctor and letting other doctors access them, or taking my details and putting them in a big database for other doctors to access. In the UK, the government has naturally opted for the big database model. But as with big database models for everything else (eg, the Children's Index) that means that privacy is hard to preserve because things will always go wrong.

Dr Paul Golik, secretary of North Staffordshire LMC and a GP in Norton-in-the-Moors, Stoke on Trent... accessed the personal details of a number of other patients registered elsewhere, including, with their consent, staff at his practice – all without being detected... ‘It’s basically open – we might as well put our names and addresses on Google,’

[From Pulse - GPs' fears over new IT security loophole]

This is apparently the Conservative Party's plan anyway.

Health records could be transferred to Google or Microsoft under a Tory government.

[From Google or Microsoft could hold NHS patient records say Tories - Times Online]

Why do health records have to be transferred anywhere? Everyone has to be registered with a GP, so let the GPs choose whichever service providers they want to store the data provided they comply with certain interface requirements. Then when I go to GP B while on holiday, he can put his smart card in his laptop and look up my health details at GP A (it would be easy to do: just make nhsnumber@gpa.nhs.co.uk autorespond with my health record in XML encyrpted using the public key of the requesting doctor). Of course, there might still be ways for it to go wrong, provided people are involved somewhere. Even the Germans are having problems securing national health data, although in their cases they've buggered it up in a "fail safe" way and lost the keys so that no-one can read the data, rather the having everyone read the data which I suppose if you're going to make an error is the better way to do it.

Test runs with Germany's first-generation electronic health cards and doctors' "health professional cards" have suffered a serious setback. After the failure of a hardware security module (HSM) holding the private keys for the root Certificate Authority (root CA) for the first-generation cards, it emerged that the data had not been backed up.

[From Loss of data has serious consequences for German electronic health card - News - The H Security: News and features]

Oops.