About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion




  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

11 posts from October 2007


Blookseller

By davebirch posted Oct 31 2007 at 6:27 PM
[Dave Birch] The blook that we put together for the Digital Money Forum turned out to be rather popular. As one of our consulting clients put it, we'd accidentally invented the perfect business product for the tube! So we've done the same for the Digital Identity Forum. Jane Adams and I have taken the "best" (in an utterly subjective contest) posts on the Digital Identity Forum blog over the last year or so, organised and edited them, indexed them and turned them into a blook: a book made from a blog. The blook is "The Digital Identity Reader 2007" and all delegates to the eighth annual Digital Identity Forum in London on November 20th and 21st -- sponsored by the kind, wise, good people at CPP, CoreStreet and ACI Worldwide -- will receive a complimentary copy. Less fortunate persons can still order it from Amazon.

Continue reading "Blookseller" »

Come and join in the conversation

By davebirch posted Oct 30 2007 at 6:47 PM
[Dave Birch] If you fancy listening to some single sign-on vendors presenting product features and calling them a strategic vision for the future of identity management then you have plenty of conferences to choose from. If, on the other hand, you fancy joining in intelligent conversation and genuine debate about the future of identity in a networked world, you'll probably want to come along to our annual Digital Identity Forum in three weeks' time. There are presentations and expert panels featuring representatives from the Home Office, UCL, Identity & Passport Services, Visa, Oxford Internet Institute, ACI Worldwide, University of Surrey, Garlik, CoreStreet, EMAP, Hitachi Europe, Valimo, DEMOS, Ping Identity, Sun, Bournemouth University, ARM, CPP, the Mobile Data Association and the National Policing Improvement Agency. They'll be covering subjects ranging from the use of digital signatures in Turkish mobile phones to the potential for authentication as a business in its own right. But most of all they'll be continuing the Digital Identity Forum's tradition of open, friendly and informed discussion. And there's a pub quiz too! What's not to like! And they're virtually giving away the delegate places for the minuscule sum of 445 pounds plus VAT.

Continue reading "Come and join in the conversation" »

More data points

By davebirch posted Oct 29 2007 at 9:26 PM
[Dave Birch] I'm still curious to see whether we can assign a cost to identity for business planning purposes. One path to take is to simply look at the market value of stolen identities. Naturally, there is a spectrum here depending on what "identity" it is that has been stolen: email passwords can cost as little as $1 whereas credit card details go for up to $350. There must be a wide variation in these bands though: my e-mail password would surely be worth more than $1 to someone (I'd be crushed if it wasn't) and David Beckham's or Hillary Clinton's would be worth even more. But those are special cases where the "theft" is very personal: in reality, the overwhelming majority of identity theft isn't.

Continue reading "More data points" »

The real stuff

By davebirch posted Oct 27 2007 at 11:31 AM
[Dave Birch] Identity by itself isn't enough to help solve the problem of counterfeiting: both product and provenance must be secure to give confidence. It's a problem worth solving, because of both the scale of the problem and the potential seriousness -- counterfeit handbags are one thing, but counterfeit parts for aircraft another. In the U.K., we tackle the most serious problem (loss of tax revenue to the Exchequer) first: cigarettes subject to UK duty are to carry a "covert security feature" intended to combat the problem of tobacco counterfeiting and smuggling. Apparently, British American Tobacco, Gallaher, Imperial and Philip Morris have been manufacturing cigarette packets with the security feature since 1 October. The feature "will allow customs staff to use small hand-held readers to authenticate cigarettes" which most commentators have interpreted to mean that RFID tags are being used. Even though I haven't touched a packet of Marlboro in years, I'm pretty sure this is not the case. Anyone who saw the presentation on Document DNA at last year's Digital Identity Forum will have seen a more plausible alternative brilliantly demonstrated.

Continue reading "The real stuff" »

Identity management in a big organisation

By davebirch posted Oct 24 2007 at 9:36 AM
[Dave Birch] Sounds like the identity management business is a good place to be. The market has lots of issues -- privacy and compatibility issues, high initial investment, and troubles in management -- that are holding it back, but even so the investments ought to generate a good return because of increased security, restricted unauthorized access to information and time saving. Thus a 7%+ CAGR is forecast 2007-2011. Within this, the hardware token authentication market will grow faster (11%) until 2009. All good news for us, but how will organisations make it pay?

Continue reading "Identity management in a big organisation" »

Security on a grand scale

By davebirch posted Oct 22 2007 at 6:08 PM
[Dave Birch] It's really difficult to keep big systems secure when they have lots of users. Especially when those users don't really care about security. And worse when there's no identity infrastructure. The textbook case study for years to come will be the "troubled" $25 billion-ish National Health Service "Connecting for Health" (CfH) system. It's travelling a predictably rocky road. NHS staff (which, from a risk analysis perspective, means everyone in the world -- the NHS employs over a million people) have complained they have not been properly consulted, system designers have argued it is foolhardy to keep patient records in one central database and security experts have warned that the system might (!) be vulnerable to unauthorised users. Some of the most stringent security measures in the IT industry have been devised to protect confidential information: staff have been issued with smart cards, for example. Of course, they don't actually use them to log in: they find the person with the highest level of authorisation, put their smart card into the system and then leave the card in until the end of the shift.

Continue reading "Security on a grand scale" »

Cardspace apace

By davebirch posted Oct 20 2007 at 6:00 PM
[Dave Birch] It's been a while since Microsoft's Cardspace first began to obtain reasonable media attention, and it's certainly true that it now figures on the potential technology roadmap in many corporate strategies, but it doesn't yet seem to have crossed the chasm, so to speak. Early business model ideas -- such as the scenario in which cardspace-style authentication would reduce fraud rates so that credit card issuers would be able to offer merchants a discount for using it -- haven't yet materialised. Yet momentum does seem to be building (see, for example, the ACI presentation from Digital ID World) and I'm sure that some banks will begin experimenting or piloting soon -- but perhaps they are right to be cautious.

Continue reading "Cardspace apace" »

Will they have to write to everyone in the entire country?

By davebirch posted Oct 15 2007 at 8:10 PM
[Dave Birch] Some people think that data breach legislation is a useful way to force companies to take their data protection responsibilities seriously. Personally, I'm not entirely convinced but I'd be very happy to hear the arguments from either side. If I got a letter from, say, Tesco saying that one of their systems had been compromised and some people's personal details had been stolen, then I'd just chuck it in the recycling since -- like most other people, I imagine -- I don't really care and I've no idea what to do with the information if I did. As it happens, my Tesco loyalty card isn't in my real name anyway. But suppose -- just suppose -- that it is the government itself that is compromised? Do they then have to write to every single person in the country?

Continue reading "Will they have to write to everyone in the entire country?" »

This what virtual identities are for

By davebirch posted Oct 12 2007 at 4:26 PM
[Dave Birch] The New York Times published an article based on a concept put forward by Mike Neuenschwander of Burton Group. This is what he called the "Limited Liability Persona" (or LLP). This persona would be a legally recognized virtual person in which users could “invest” the financial or identity resources of their choosing. Once their individual personas are created, consumers would be able to use them as their legal “alter ego,” even in financial transactions. As Mike says:

"My L.L.P. would have its own mailing address, its own tax ID number, and that’s the information I’d give when I’m online."

The author of the Times article, Denise Caruso, quotes Drummond Reed as well:

"The myth is that companies have to know all this information about you in order to do business with you ... [b]ut from a liability perspective, the less I know about my customers the better."

Or, as Forum friend and former editor of Wired UK John Browning wrote a decade ago (in Wired 5.11):

"The true identity of a counterparty may be the least interesting fact about them in a commercial transaction."

Drummond's point is made from the perspective of the U.S. National Retail Federation open letter to the credit card industry asking them to stop putting retailers on "the horns of a dilemma" by requiring them to store personal data, but then turning around and penalizing them when that data gets compromised. The LLP idea aims to help retailers (and everyone else, of course) protect individuals by giving those individuals identities which contain only a limited amount of personal information (I don't see why companies would have LLPs as well though). If this sounds familiar, and I sound uncritical, that's because this is one of our PET projects: but we don't call them LLPs (I prefer to shy away from the word "liability") but pseudonymous virtual identities, and they solve more problems than PCI-DSS compliance.

Continue reading "This what virtual identities are for" »

Identity fraud, theft, whatever

By davebirch posted Oct 8 2007 at 8:17 AM
[Dave Birch] Because of a talk I gave at the University of Surrey, I was thinking about the labelling of identity "issues". I remember seeing a post about this by Javelin earlier in the year, which made the point that whatever the actual taxonomy, the fact is that we need to be realistic:
a single overarching term (such as identity theft) is here to stay, and the label preferred by our government is now codified into use from the office of President on down.
I agree with them that, whatever the language, we need to avoid bundling account takeover and the like with "simple" card fraud -- which is why the suggestion of "identity fraud" and "card fraud" seems reasonable and because (as was discussed at last year's Digital Identity Forum) "identity theft" doesn't really mean anything -- but no-one has yet come up with a good catch-all term to cover both of these. As an aside, there's always post-modern ironic identity theft, which ought to be a special category in its own right. Anyhow, whatever you call it, it's back in the news again because British MPs have called for an Identity Czar to be appointed (presumably because the whole Drug Czar thing worked out so well).

Continue reading "Identity fraud, theft, whatever" »