About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


10 posts from January 2008

Federation is about trust

By Dave Birch posted Jan 29 2008 at 1:40 PM

[Dave Birch] A conversation today set me thinking (yet again) about why things are not getting better. Once again, I must ask why it is that the identity management situation does not seem to be improving much. In particular, surprisingly little seems to be happening in federated identity. Not because the standards needed to do it don't exist, or exist but don't work, but because they don't overcome the trust barrier. Why should a company trust another company's credentials? Or, at least, why should a company trust another company's credentials unless they both belong to a "gang"? Businesses want certainty in these matters: they want to see that liabilities are distributed in a known and understood way, so that everyone knows where they stand. Thus, in a scheme such as MasterCard or IdenTrust, each of the participants can assess risk and reward properly. But if I'm Facebook, should I accept a MySpace identity? What if the MySpace identity claims to be under or over 18 and I'm going to rely on that credential in some way?

Continue reading "Federation is about trust" »

Is this the world's biggest identity fraud?

By Dave Birch posted Jan 25 2008 at 3:19 PM

[Dave Birch] No doubt you will all have choked on your cornflakes this morning hearing about the sorry tale of Jerome Kerviel, the so-called "rogue trader" (I thought they all were!) who threw away FIVE BILLION EUROS of Societe Generale's money and, in passing, may have left the world financial system on the brink of collapse. Now Societe Generale (amusingly, the "Global Equities Derivatives House of the Year") must have had an army of compliance-wallahs, ticking boxes here and there, and spent a fortune on management consultants and auditors to comply with Basel II and every other directive under the sun. And yet, as the FT tells us,

Mr Kerviel appears to have built up his losses over a short period using accounts and passwords belonging to colleagues.

[From FT.com / In depth - The rogue trader who cost SocGen €5bn]

Well, well. And there was me thinking that investment banks with extremely valuable data to protect would have used some form of 2FA or even 3FA to protect themselves against losses that could extend into billions. Perhaps they decided against smart cards on the grounds of cost, or against doing proper risk analysis on the grounds that it was a waste of money, or something like that.

Continue reading "Is this the world's biggest identity fraud?" »

A new law

By Dave Birch posted Jan 23 2008 at 1:50 PM

[Dave Birch] I propose a new law, to go alongside Moore's Law and Reed's Law and all of our other useful tools for doing back-of-the-envelope projections of where things will be going in the short- to medium-term. I propose Stoke's Law, which is that

as the amount of data that the government collects grows, so will the number of people who are victims of crimes that were made possible by unauthorised access to government databases.

[From Analysis: Metcalfe's Law + Real ID = more crime, less safety]

We all know it to be intuitively true, but the question is "what is the shape of the curve?" Jon Stokes links it to Metcalfe's (i.e., square) curve, but I wonder if it mightn't be steeper than that because of the variety of criminal interests that might want to exploit different subsets of my personal data. To take a simple case, there might be criminals who want to access my national identity register record because they want to pretend to be me in order to allow an illegal immigrant to get a job, but they are different from the terrorist interests that want to access my DVLA record because they need to track down people who have cars that use a particular stretch of road every day.

Continue reading "A new law" »

Harry Potter it's not

By Dave Birch posted Jan 22 2008 at 6:28 AM

[Dave Birch] Now, this is very exciting. But only to me. It turns out that "Digital Identity Management: Technological, Business and Social Implications" had shot up in the Amazon rankings: I imagine someone must have bought a copy, because it went up to 38,735. This sounds poor, but it's actually not bad. Charles Dickens's "A Christmas Carol" was 99,541 and the last book that I bought (A.C. Grayling's "Against All Gods: Six Polemics on Religion and an Essay on Kindness") was at 1,835. It was an exciting and heady time, that week, because since then I've slipped way back down below Dickens. Anyway, I'm beginning to learn how good it feels to an author to see their book up the chart, no matter how briefly. In fact, it's fantastic in more than one respect, because it's a recognition of the fact that digital identity is becoming an important business topic.

Continue reading "Harry Potter it's not" »

Some best practices

By Dave Birch posted Jan 21 2008 at 1:24 AM

[Dave Birch] The European Commission's ePractice.eu is hosting a free workshop on electronic identity in Brussels on February 14th. I'll be going along to hear three best practice presentations -- from Spain, Belgium and Estonia -- and to join in the discussion about how to learn from and build on them. See below for more details if you want to come along too.

Continue reading "Some best practices" »

Dog years

By Dave Birch posted Jan 17 2008 at 10:31 AM

According to one of the U.K. newspapers, the government is thinking about chipping prisoners in order to track them, as they (sort of) do at the moment with ankle bracelets...

But, instead of being contained in bracelets worn around the ankle, the tiny chips would be surgically inserted under the skin of offenders in the community, to help enforce home curfews. The radio frequency identification (RFID) tags, as long as two grains of rice, are able to carry scannable personal information about individuals, including their identities, address and offending record.

[From Prisoners 'to be chipped like dogs' - Independent Online Edition > UK Politics]

They are talking about Verichips here, but a moment's reflection leads me to the conclusion that the story either cannot be true at all or can only have been leaked to the newspaper by someone who hasn't the slightest understanding of RFID technology or, for that matter, technology in general. Verichips store only a 16-digit number and they are not re-writable: they can't store addresses or anything else. But then none of the people in the article seem particularly au fait with either the technology or its risks:

Consumer privacy expert Liz McIntyre said a colleague had already proved he could "clone" a chip. "He can bump into a chipped person and siphon the chip's unique signal in a matter of seconds," she said.

When she says "siphon the chip's unique signal", she of course means "read the chip ID as per the specification". Reading the ID number off the chip is no different from reading it off the patient's bracelet. It's just a number. I'm not waving away perfectly valid privacy concerns here. I'm just pointing out that the fact of the matter is that there is no point implanting a chip under the skin of someone who doesn't want to co-operate. They will simply take it out, or swap it with another chip. The technology has absolutely nothing to offer in this case.

Continue reading "Dog years" »

1% of the way

By Dave Birch posted Jan 15 2008 at 9:07 AM

[Dave Birch] Things haven't been going terribly well for America's ambitious Real ID scheme. Government agencies missed the end of October deadline to complete background checks for employees and contractors who have worked for the federal government for 15 years or less and to begin issuing the new identity cards that include employees' fingerprints as required under Homeland Security Presidential Directive 12, which President Bush issued in 2004. In all, about 1.9 million federal employees and 591,358 contractors require credentials. As of that deadline, 97 percent of federal employees and 79 percent of contractors had completed the required background checks, but federal agencies had issued only 1 percent of the new cards. Now it turns out that some of the other deadlines around driving licenses are being rolled back as well.

Continue reading "1% of the way" »

The internet of things 2.0

By davebirch posted Jan 9 2008 at 8:43 PM

[Dave Birch] Over on the Digital Money Blog, we're obsessed with the spread of NFC technology built in to mobile phones because it will have a disruptive impact on the retail e-payments world. But the technology will undoubtedly have an impact on the identity world as well, and not just because the NFC-enabled mobile phone is an ideal personal identity management device, but also because it bridges the local and remote environments to provide infrastructure for the internet of things: in fact, one might argue that bringing mobile into the picture (the internet of things 2.0) turbocharges the whole concept. The Auto-ID guys seem to think this as well. At the St. Gallen/ETH Zurich Auto-ID Lab, for example, they agree that NFC-enabled mobile phones could give consumers access to the EPCglobal Network. This isn't because NFC phones can read EPC tags -- they can't, because NFC technology, which operates in the high-frequency band, and EPC technology, which operates in the ultrahigh-frequency band, are incompatible -- but because they could link local devices that can read tags (Bluetooth-connected pens and that sort of thing) into the savant network needed to make RFID work in a useful way. It's possible, of course, that UHF EPC readers may be integrated into mobile phones in the future, though it's technically challenging because the readers drain a lot of energy from the phone's battery. What's more likely is that some applications will end up using NFC tags. I tend to favour this NFC direction on the overall roadmap, because it links to the wider demand for NFC phones. While NFC is still in pilot for most operators around the world, this is about to change as an increasing number of commercial launches are due to take place in 2008: while in the short term there still remain important challenges for the development of NFC-enabled devices, analysts are saying that in the long term NFC will be a feature supported on the large majority of the phones sold.

This is already the case in Japan, where NTT DoCoMo has FeliCa contactless technology embedded in about 80% of the phones they sell. There are no great technological or cost barriers to NFC being integrated quickly into a wide range of devices, so this must stimulate a tag ecosystem.


Continue reading "The internet of things 2.0" »

Top gearknob

By davebirch posted Jan 7 2008 at 10:00 PM

[Dave Birch] There's a wonderful "identity theft" story running in the U.K. and I feel I must draw our international readers' attention to it. The BBC presenter Jeremy Clarkson, famous for presenting a programme about cars called Top Gear, published an article in the Sun newspaper saying that identity theft was a fuss about nothing and that no-one need worry about having their bank account details stolen. To prove the point, he published his bank account details in the newspaper. Now he's found money missing and, hilariously, the bank won't tell him who took it "because of the Data Protection Act".


Continue reading "Top gearknob" »

Triple play

By davebirch posted Jan 2 2008 at 9:38 AM

[Dave Birch] Someone asked me about the idea of connecting contactless cards to PCs via USB (since PCs lack contactless interfaces -- or at least they do outside Japan). This is the kind of product they were thinking about: a USB interface on a payment card, using the chip to generate a one-time password (OTP) for transactions. The card emulates keyboard output so no drivers are required and it can work across machines or operating systems. A trojan could capture the OTP and redirect it, but that's a general problem with this kind of 2FA. But what's the point of using an OTP? If you can connect the card to the PC, and you're not bothered about keyboard input being subverted, then why not just use EMV and do a level 2 transaction (using the PC as a POS terminal)? Oh right, it's a U.S. card.
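To make the "general problem with this kind of 2FA" concrete, here is an added example (not from the post, and not the code of any card product the post alludes to) of the issuer-side check for a counter-based OTP. The post does not say which OTP algorithm the card uses; the example assumes HOTP (RFC 4226) and uses the RFC's published reference secret as a constructed sample key. The walk-through shows that a code typed once by the card is accepted exactly once, so a captured code cannot be replayed, but a code forwarded to another session before the user's own request arrives looks fresh to the verifier, which is the weakness the post describes.

```python
# Added example (not from the blog post): server-side HOTP verification showing why a
# one-time password defeats replay but not relay. The secret and counters are constructed.
import hashlib
import hmac
import struct

# RFC 4226 reference secret, used here only as a constructed sample (not a real card key).
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


class HotpVerifier:
    """Issuer-side state for one card: the next expected counter plus a look-ahead window,
    so codes the card generated but never submitted (dropped connection, say) do not lock it out."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.next_counter = 0

    def verify(self, submitted: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                # Accept once and move past it: every counter at or below c is now dead,
                # which is what makes a captured code worthless the second time round.
                self.next_counter = c + 1
                return True
        return False


def replay_demo() -> dict:
    """Walk through the scenario in the post with a card that 'types' codes via keyboard emulation."""
    card_counter = 0
    issuer = HotpVerifier(SAMPLE_SECRET)

    code = hotp(SAMPLE_SECRET, card_counter)   # card types this into the browser
    card_counter += 1
    first = issuer.verify(code)                # legitimate use: accepted
    replay = issuer.verify(code)               # same code submitted again: rejected

    # A trojan that reads the keystrokes and submits the code from its own session before
    # the user's request arrives is indistinguishable from the user: the issuer sees a
    # fresh, valid code. The user's own later submission of that code then fails.
    relayed = hotp(SAMPLE_SECRET, card_counter)
    card_counter += 1
    relay_accepted = issuer.verify(relayed)
    user_after_relay = issuer.verify(relayed)

    return {
        "first": first,                       # True
        "replay": replay,                     # False
        "relay_accepted": relay_accepted,     # True
        "user_after_relay": user_after_relay, # False
        "next_counter": issuer.next_counter,  # 2
    }


if __name__ == "__main__":
    print(replay_demo())
```

The verifier's single-use counter is what stops replay; nothing in a bare OTP ties the code to the transaction it authorises, so a relayed code is accepted for whatever the relaying session asks for. That is why the post asks what the OTP buys over letting the chip run a proper EMV transaction with the PC acting as the terminal.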


Continue reading "Triple play" »