23/07/2008

No more PETs win prizes puns, please

[Dave Birch] Microsoft has been sponsoring the annual privacy-enhancing technology awards at the PETS Symposium for a few years now. This year the winning paper was written by Arvind Narayanan and Vitaly Shmatikov, researchers at The University of Texas, who looked into large publicly available anonymised data sets – and very quickly discovered a major privacy risk, as their experiments showed that such data sets could be used to re-identify individuals using efficient algorithms. All of which means that companies should be careful about storing masses of data on customer choices because, even if customers aren't explicitly identified in the individual records, it doesn't take much effort to identify them from the pool. Interesting stuff.

Runners-up, Cambridge University researchers Steven J. Murdoch and Piotr Zieliński, also focused on online anonymity. Their paper discusses and analyses, for the first time, the possibility of surveillance at internet exchanges (IXes) where Internet traffic crosses from one network to another. Because so much traffic passes through these, the research seems to indicate that a relatively small snapshot of the data in transit contains a lot of information about what is moving between which nodes.

I found the other runner-up paper especially fascinating because of my focus on the intersection of the digital money and digital identity worlds. The paper "Making P2P Accountable without Losing Privacy" (by Belenkiy et al, Brown University) posits the use of e-cash (that is, the original Chaumian e-cash) to add accountability to file sharing networks without giving up privacy. The idea is to balance between selfish users in a transparent way (and money is the most transparent of all ways) without sacrificing anonymity. Given some of the discussions about anonymity over on Digital Money, this is a timely addition to the debate and shows that accountability and privacy are not mutually exclusive.

Incidentally, their premise that fairness is essential to providing scalable incentives for greater participation seems right to me, as does their characterisation of "selfish peers" as agents in a virtual economy, but I'm not sure if e-cash is a necessary grease to make that work. The authors suggest that the money used in their scheme has five essential characteristics:

  • It should be fungible (ie, no "different strokes" and everyone's money can be used for everything in any combination).
  • It should be integral to the fair exchange of money for goods/services. Because of my history in this space, I'm particularly interested in "shopping" protocols that include all of the steps in a transaction.
  • The money must be unforgeable, obviously.
  • The payment system must be efficiently implementable.
  • Finally, users should be able to spend anonymously.

This is an axiom I think: it's not clear to me from the paper whether they have some reason for thinking that anonymity will or will not make any difference to the performance of the scheme. Would anyone care?

As an aside, when discussing the economic issues raised by the paper, the authors say that under limiting conditions they can demonstrate that knowledge of bank balances (M1) can predict how much money can be added to the network without causing a crash. I hope the Chancellor reads up on their model!

By the way, a big thanks to the guys at Microsoft for sponsoring this valuable award.


11/07/2008

Fingers in the dyke

[Dave Birch] Over on the Digital Money Blog, we've been talking about the well-known MiFare security issue. We're interested in it over there because MiFare is used for things such as Oyster cards and there's an overlap between contactless cash replacement and contactless transit systems. From this frame of reference, the security issue is interesting and it needs to be factored in to system procurement, card updates and that kind of thing. No-one is going to implement an electronic purse system using MiFare Classic, so the sky isn't falling in. So, the guys are saying, well, next time we buy some cards we'll buy MiFare Plus instead, but other than that, what's the worry. But now it turns out that the problem may be far more troublesome than at first realised, because it turns out that the same technology (designed for mass transit) is being used by the Dutch government to secure access to important facilities:

...the Dutch Interior Ministry's spokesman said this is "a national security issue," since several government agencies there use the same technology to restrict access to their facilities.

It looks as if the researchers behind the MiFare crack have done Dutch citizens a big favour by alerting them to the inappropriate use of technology -- MiFare Classic was designed for mass transit, not for identity cards and access control for sensitive facilities -- before some bad guys do.


01/07/2008

RUSI and all that

[Dave Birch] One (!) of the conferences I spoke at last week was the Royal United Services Institute's conference on Science and Technology for Homeland Security and Resilience. I decided to put my original presentation about ID card technology to one side and go with my new psychic ID card slides. If you're at all curious, the slides are here...

There were a couple of tough questions -- mostly around "why bother with an ID card at all" -- but on the whole the people there were very nice to me, and prepared to listen to what I suppose must seem like a fairly radical idea if you are from a conventional security background.

As the comments on the original blog post seem to indicate, I think I've stumbled on a useful way of describing an alternative form of identity card. I've been writing it up in more detail for a journal, so hopefully I can address some of those issues as I go along with the "psychic rewrite", by which I mean that I'd already prepared a paper on how to use smart cards, mobile phones and so on to create a new kind of identity card, but I'm currently rewriting it to use the Dr. Who framing as it does seem to speak to people far more effectively than any of my previous attempts.

17/06/2008

Grasses up

[Dave Birch] If you haven't been over to Wikileaks, you should probably go and have a quick look before you read the rest of this post! There's an article about it in a recent New Scientist, talking about how "onion routing" is used to provide anonymity. So people (eg, whistleblowers in large corporations) can obtain genuine anonymity online. I'm in favour of this, generally speaking, and it's certainly necessary in a free society. But is it sufficient?

Suppose, for example, that I post a plausible-looking document that seems to show that the British Royal family are actually giant extraterrestrial bloodsucking lizards. How do you know whether it's a genuine leak or a double-cross? If, for example, there's a document purporting to be the Identity & Passport Service's National ID Scheme Options Analysis, how can you be sure that it really comes from them (just to pick a mischievous example) or was made up by someone at No2ID? If we as a society agree that some form of whistleblowing is a social benefit -- and yes, we must also accept that it means that some drug-dealing Nazi child pornographers will be able to take advantage of it too -- then we should have systems in place to deliver it. And that doesn't mean implementing anonymity.

29/04/2008

Engineering principles

[Dave Birch] Privacy and security aren't additional extras, costly options for new systems. They are (or should be) part of the fabric. You can choose how to implement systems in either a privacy-enhancing or privacy-reducing way. Take, for example, congestion charging. There are a couple of ways to do this: you could do it the way they do in Singapore, where you have a prepaid card that communicates via RF with an overhead gantry. When you go through a gantry, the system attempts to take a fee from the card. If the transaction goes through (it's an offline purse transaction) then you're on your way. If you borrow a mate's car, you can take your card and put it in his car, no problem. But if you don't have a card, or you don't have any money on your card, then you get photographed. Alternatively, you can do it the British way. In London, all cars get photographed and then automatic numberplate recognition is used to try and work out who to charge. In many cases, it works and the correct account of a poor person is charged. I say poor person, because rich people register their Lamborghinis as taxis and avoid the charge:

Cleangreencars has discovered that there are an unusually high number of luxury cars that have been granted the private hire designation, including two Maserati Quattroportes, three Maybach 62 and eight Rolls Royce Phantoms.

[From Taxi!? London luxury car owners register Maseratis, Rolls Royces as C-charge-free private hire vehicles - AutoblogGreen]

Incidentally, if you can't be bothered to send your chauffeur round to register the Porsche as a private hire, you can always just leave the Belgian plates on it, because the supercomputer running the system is not connected to other supercomputers in other European countries...

 

I drove for 4 years in London with a German plate, many times in the zone (once it was introduced), never paying and my ex never got a ticket sent to her place in HH where the car was registered.

[From London congestion charge for foreign cars]

In fact, as that tax-avoiders' handbook The Independent notes,

 

there are a number of ways to exploit the loopholes in this system as a private, law-abiding motorist if you are willing to be a little inventive.

[From Congestion charge loopholes: Now just learn the Knowledge... - Features, Motoring - The Independent]

But I digress. My point is that we have choices, and not building privacy-enhancing technology into a system is making a positive choice to have a data catastrophe at some point downstream.

08/04/2008

Now, who's smart and who's dumb?

[Dave Birch] There are a great many advantages to smart cards as a platform for digital identity -- they're smart (ie, they have a microprocessor in them) for one thing -- but there's one huge drawback. They need readers. Now you might reasonably assume that no-one would countenance launching a smart card scheme with no readers, but that's precisely what has just happened in the U.K.

 

Eleven million free travel smart cards have been issued but many buses are not equipped to read them, a report by MPs claims. The report, by the House of Commons Transport Committee, entitled Ticketing and Concessionary Travel on Public Transport, said the situation was "daft". Ten years after committing to integrated bus ticketing, the Government has "achieved too little of practical value", the report said.

[From The Press Association: £1bn bus pass scheme 'stalling']

When they say "not many" buses have been equipped to use the cards, what they actually mean is "virtually no" buses have been equipped to read the cards. The cards are simply being used as "flash passes" so as long as you wave something that looks like a valid card then the bus driver will let you on board since he/she has no way of verifying that the card is valid. Since the cards have a two-year lifetime, and since the readers won't be in place for two years, it's hard to see what the use of them is. It seems like a huge waste of money to me, but then I am not well-versed in government smart card policy...

 

The first nationwide smartcard-based travel scheme launches next month, but the majority of passengers outside London will not be able to use the advanced functions.

[From Free smartcard travel arrives - 20 Mar 2008 - Computing]

Nor will the majority -- in fact, all -- of the passengers in London since (as the article makes clear) Transport for London won't even begin trialing the readers for these cards until mid-2009 and won't be installing them until 2010.


24/03/2008

Talkin' bout my reputation

[Dave Birch] I went to a talk by Clay Shirky. The talk was, essentially, about his new book Here Comes Everybody. He's a very good speaker, had very cogent and thought-provoking material and has made me start reflecting on my model of identity and reputation once again. There's no point reproducing his talk since you can read the book or the blog yourselves, but there were a few points that I feel like highlighting. The core of what he said was that the technology of the Net has become boring enough to become socially interesting (in other words, my Dad reads my blog now) and one of the first-order effects of this is that media is becoming a call to action. He gave a couple of very well-chosen examples to illustrate the point (taking on the mafia in Palermo via a web site and flashmob protests in Minsk) that it is only now that we are entering the real experimental period as group co-ordination evolves as a branch of political philosophy. This experimental period has some fundamentally new characteristics because of the nature of the underlying technology: in particular, you don't need anyone's help or permission to experiment with new models and the cost of failure is much reduced. This sounds like the next phase may be chaos, but as Kevin Kelly observed "bottom up is never enough". At some point, there needs to be some structure in a group and I think that there is some evidence to suggest that distributed reputation management may well be the only mechanism needed to achieve that once there is some genuine security in place (so that reputations cannot be hijacked). Therefore, my view of the importance of secure credentials is reinforced, because I see reputation as being the history of a virtual identity over time and that virtual identity is a collection of credentials.

17/03/2008

Addressing a real problem

[Dave Birch] There's a general class of problem whereby one party to a transaction needs the other party's address to proceed, but the other party doesn't want to proceed with the transaction if they have to give up their address. Here are a couple of examples.

Over on the Digital Money Blog we decided to mark the launch of the Single European Payments Area (SEPA) by making a celebratory SEPA Credit Transfer (SCT) to a friend in the Netherlands. In order to do this, we had to obtain his bank account details: his IBAN. Now I think that in many circumstances, people will be reluctant to give this sort of information out, lest they suffer a Jeremy Clarkson-style incursion. So why can't the bank give me a pseudonym to use in transactions: if someone wants to send me money, they can send it to leadbelly.gutbucket@barclays.co.uk, or whatever. I don't mind giving out this pseudonym, since only the bank knows that it's mine. So when an SCT for leadbelly arrives, the money can be routed to my account. I can publish the pseudonym on my web page if I want, just as I can happily give out my PayPal address, since only I know that it's mine (well, PayPal know as well, of course).

Another example comes from the retail space. A retailer wants me to give him my mobile phone number so that he can let me know when a relevant special offer is on. I want to know that the relevant special offer is on. But I'm not giving my mobile phone number to a retailer: I don't want them ringing me up until Kingdom Come. I want control over the link between the retailer and me. Once again, why doesn't the phone company allow me to create arbitrary pseudonyms, so I can tell the retailer that I'm leadbelly@O2: the retailer (and anyone else) can text to leadbelly@O2 and the O2 SMS centre will route it to the correct phone number. If I don't want to do business any more, I can just junk the pseudonym.

Hey presto, an addressing scheme that provides both convenience and privacy.


26/11/2007

Chinese whispers

[Dave Birch] Lying on your Facebook page is part of the fun, isn't it? Just like being a man in Second Life if you're a woman. Surely being able to play around with multiple identities is one of the fascinating new aspects of life online? Apparently, not everyone shares such a playful and experimental view of virtual identity. One of China's major game operators has announced that they will freeze the accounts of male players who have elected to play as female characters in the King of the World MMORPG. Apparently there are no bans on women playing male characters, but women (and men-wanting-to-play-as-women) will be required to prove their gender via webcam. I did not make this up. Women will be required to prove their gender via webcam (how, exactly? -- the mind literally boggles). And this is in a country with compulsory ID cards. Next they'll be saying that you can only be a Gnome Bard if you are in real life less than four feet tall and able to recite a medieval Icelandic saga from memory. Who is running these games, David Blunkett? (Note to foreign readers, David Blunkett was the British Home Secretary who introduced the current British identity card scheme).


12/10/2007

This is what virtual identities are for

[Dave Birch] The New York Times published an article based on a concept put forward by Mike Neuenschwander of Burton Group. This is what he called the "Limited Liability Persona" (or LLP). This persona would be a legally recognized virtual person in which users could “invest” the financial or identity resources of their choosing. Once their individual personas are created, consumers would be able to use them as their legal “alter ego,” even in financial transactions. As Mike says:

My L.L.P. would have its own mailing address, its own tax ID number, and that’s the information I’d give when I’m online.

The author of the Times article, Denise Caruso, quotes Drummond Reed as well:

The myth is that companies have to know all this information about you in order to do business with you ... [b]ut from a liability perspective, the less I know about my customers the better.

Or, as Forum friend and former editor of Wired UK John Browning wrote a decade ago (in Wired 5.11):

The true identity of a counterparty may be the least interesting fact about them in a commercial transaction.

Drummond's point is made from the perspective of the U.S. National Retail Federation open letter to the credit card industry asking them to stop putting retailers on "the horns of a dilemma" by requiring them to store personal data, but then turning around and penalizing them when that data gets compromised. The LLP idea aims to help retailers (and everyone else, of course) protect individuals by giving those individuals identities which contain only a limited amount of personal information (I don't see why companies would have LLPs as well though). If this sounds familiar, and I sound uncritical, that's because this is one of our PET projects: but we don't call them LLPs (I prefer to shy away from the word "liability") but pseudonymous virtual identities, and they solve more problems than PCI-DSS compliance.

24/09/2007

Sva cviqve persona

[Dave Birch] The idea that people might be represented by signs rather than names is actually rather an old one, and I'm not saying this just because I went to see the artist currently known as Prince in London last week. From a technical perspective, I can see the obvious advantages and disadvantages. On the plus side, there are a lot more signs than there are names and they are a help for the illiterate. On the minus side, it makes issuing identity cards a lot more complicated (although a lot more interesting as well). But I also think that signs carry a meaning that names do not: I quite like the idea of a sign for my individual persona, a sign for my work persona, a sign for my play persona and so forth. This would have the effect of communicating my persona to counterparties in a rich way, like choosing a pseudonym but acting simultaneously as an identity selector and a mask. Who do you want to be today, so to speak. Since I believe firmly that we have to develop this richer notion of identity before we can make progress digitising it, the connection between signs, logos, masks and pseudonyms is fascinating.

26/05/2007

There is such a thing as society

[Dave Birch] Or, at least, there is such a thing as the Royal Society for the Encouragement of Arts, Manufactures & Commerce (the RSA), founded in 1754. I popped in today, for an afternoon seminar on Society, Government and the Internet [MP3].

13/03/2007

If you can't stand the heat, get out of the chatroom

[Dave Birch] I'm always looking out for real-world problems that appear serious but where intelligent analysis shows that an effective digital identity infrastructure can support good solutions. As such, I often use the "chatroom paradox" as a simple example of how the technology to deliver pseudonymity can balance the needs of stakeholders even in a contentious environment. But I'm a technologist, so I tend to dwell on how online identities might be protected rather than why they might be protected. A recent Israeli court ruling has made me think about this again.

11/01/2007

Anonymity as substrate

[Dave Birch] Ben Laurie has previously pointed out that identity management systems are not the only way you are identified and tracked. And this is a problem, because if society chooses a particular kind of identity management system -- perhaps one which responds to European sensibilities around privacy and data protection -- but has to deliver it on top of a surveillance infrastructure, then society's choices are subverted. In other words, there must be a substrate of anonymity to make higher level choices about pseudonymity or conditional anonymity valid. So, as Ben puts it, the choices we make for identity management don’t control what information is gathered about us unless we are completely anonymous apart from what we choose to reveal. But is this a realistic architecture for the real world?

14/12/2006

More converts?

[Dave Birch] The International Telecommunication Union (ITU) has issued a report "digital.life"  calling for more "joint efforts" to set up a coherent digital identity scheme that should be able to facilitate on-line interactions while protecting data and alleviating privacy concerns.  What caught my eye was that the report asks for digital identity management that is based on the use of "partial identities" depending on context and user choice.  This sounds very much like the real-digital-virtual identity model that we use whereby different groups of virtual identities are bound to different digital identities.

The report was drafted by a team of analysts from ITU's Strategy and Policy Unit, covering chapters on "going digital," lifestyle, business, identity and living in the digital world.  Chapter 4, called "identity.digital" will be the one of most interest to blog readers.  It's not bad: it covers a lot of the main issues in a fairly readable way and section 4.3.3 covers the benefits of pseudonymity as an operational mode, making the critical point that it should be up to individuals to determine the subset of their attributes that is communicated in order to effect a transaction.


20/07/2006

Pseudo's corner

[Dave Birch] I was at a workshop last week with a whole bunch of other people to discuss possible architectures for a public sector sort-of entitlement card (I can't say what for as that would give it away, which I'm not supposed to do).  I was really cheered to hear, quite unprompted, someone put forward the idea of pseudonymity as a way to balance some security and privacy issues.  To hear the term introduced into a conversation at that level is, frankly, music to my ears.
