About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


8 posts from March 2008

Not really an open and shut case

By Dave Birch posted Mar 31 2008 at 6:53 AM

[Dave Birch] Let's start at the beginning. Surely the most low-hanging of the digital identity fruit is Internet single sign-on. All of us have countless usernames and passwords and are driven to distraction by them. It's a common experience and a common source of dissatisfaction:

Here's the one thing I hate about using the web - all the passwords I have to remember to access various internet services. From Facebook, Gmail and Flickr to Amazon, ASB online and my Inland Revenue account, I need to enter a password and user name to log on. I have a different one for each and they are just a handful of the websites I visit. That's a long list of passwords and I change them regularly which complicates things further.

[From Managing your online identity - 20 Jan 2008 - NZ Herald: Technology News and reviews from New Zealand and the World]

A while back, OpenID was created to provide a simple, distributed solution to this simple, distributed problem. For a while, OpenID lurked in the shadows, of interest only to identity nutters like me. But then it began to gain a little traction:

Lately, though, there’s been a spate of OpenID news, highlighted by the announcements that both Yahoo! and Blogger are joining the list of OpenID providers. This means that you can use your Yahoo! or Blogger credentials to log on to sites that take OpenID (though neither one accepts OpenID logins in return; Blogger lets you use an OpenID login to leave comments and Yahoo! says they’re working on it).

[From Web Worker Daily » Archive OpenID: Is it Time to Care Yet? «]

Being the nerd that I am, I immediately went to my Yahoo! account when I read this and, sure enough, there was a link to create an OpenID, so I did. I haven't used it yet, because I've now got too many OpenIDs and can't remember the passwords to all of them and none of them are two factor, but it's progress I suppose. You can't argue that momentum isn't growing...

The OpenID Foundation today announced that Google, IBM, Microsoft, VeriSign and Yahoo! have joined as its first corporate board members.

[From Technology Leaders Join OpenID Foundation to Promote Open Identity Management on the Web]

I imagine that I will soon consolidate down to three or four OpenIDs, much as I have three or four payment cards. My work OpenID, my home OpenID, my games and nonsense OpenID. But I really would like a "serious" two-factor OpenID that I can use to log on to important things, like my bank account and so on.

Continue reading "Not really an open and shut case" »

The real me

By Dave Birch posted Mar 26 2008 at 2:54 AM

[Margaret Ford] Knowing some of the vulnerabilities of the UK’s ‘Connecting for Health’ programme, I have accepted that my medical details may well become a matter of public record. Still, my nephew received outstanding emergency treatment as a result of his records being available on the backbone, so I’ve been keeping an open mind.

However, one aspect I hadn’t expected is the hypnotic effect of technology. At a recent routine check-up the blood pressure monitor failed, so I was told that my pulse was faulty. No effort was made to investigate this faulty pulse, but it did excuse the machine’s inability to perform. When I gave the nurse a brief history of my condition, she looked puzzled and told me that I must be mistaken because otherwise the doctor would have included those details in my notes. Unfortunately my doctor was away, and so unable to confirm.

As the nurse stared intently at the screen, it became clear that this digital representation of me was much more real to her than my physical presence. I persevered, reasoning that her original training must have included living, breathing human beings. Finally, sensing that this was a losing battle and remembering posters promising dire consequences for anyone upsetting surgery staff, I decided to give up the struggle. With no medical consequences, it was only a minor irritation but did give me a brief insight into the powerlessness and alienation resulting from digital misrepresentation. Even without identity fraud, it was not a very happy experience.

Continue reading "The real me" »

Talkin' bout my reputation

By Dave Birch posted Mar 24 2008 at 1:55 PM

[Dave Birch] I went to a talk by Clay Shirky. The talk was, essentially, about his new book Here Comes Everybody. He's a very good speaker, had very cogent and thought-provoking material and has made me start reflecting on my model of identity and reputation once again. There's no point reproducing his talk since you can read the book or the blog yourselves, but there were a few points that I feel like highlighting. The core of what he said was that the technology of the Net has become boring enough to become socially interesting (in other words, my Dad reads my blog now) and one of the first-order effects of this is that media is becoming a call to action. He gave a couple of very well-chosen examples to illustrate the point (taking on the mafia in Palermo via a web site and flashmob protests in Minsk) that it is only now that we are entering the real experimental period as group co-ordination evolves as a branch of political philosophy. This experimental period has some fundamentally new characteristics because of the nature of the underlying technology: in particular, you don't need anyone's help or permission to experiment with new models and the cost of failure is much reduced. This sounds like the next phase may be chaos, but as Kevin Kelly observed "bottom up is never enough". At some point, there needs to be some structure in a group and I think that there is some evidence to suggest that distributed reputation management may well be the only mechanism needed to achieve that once there is some genuine security in place (so that reputations cannot be hijacked). Therefore, my view of the importance of secure credentials is reinforced, because I see reputation as being the history of a virtual identity over time and that virtual identity is a collection of credentials.

Continue reading "Talkin' bout my reputation" »

Addressing a real problem

By Dave Birch posted Mar 17 2008 at 9:23 PM

[Dave Birch] There's a general class of problem whereby one party to a transaction needs the other party's address to proceed, but the other party doesn't want to proceed with the transaction if they have to give up their address. Here are a couple of examples.

Over on the Digital Money Blog we decided to mark the launch of the Single European Payments Area (SEPA) by making a celebratory SEPA Credit Transfer (SCT) to a friend in the Netherlands. In order to do this, we had to obtain his bank account details: his IBAN. Now I think that in many circumstances, people will be reluctant to give this sort of information out, lest they suffer a Jeremy Clarkson-style incursion. So why can't the bank give me a pseudonym to use in transactions: if someone wants to send me money, they can send it to leadbelly.gutbucket@barclays.co.uk, or whatever. I don't mind giving out this pseudonym, since only the bank knows that it's mine. So when an SCT for leadbelly arrives, the money can be routed to my account. I can publish the pseudonym on my web page if I want, just as I can happily give out my PayPal address, since only I know that it's mine (well, PayPal know as well, of course).

Another example comes from the retail space. A retailer wants me to give him my mobile phone number so that he can let me know when a relevant special offer is on. I want to know that the relevant special offer is on. But I'm not giving my mobile phone number to a retailer: I don't want them ringing me up until Kingdom Come. I want control over the link between the retailer and me. Once again, why doesn't the phone company allow me to create arbitrary pseudonyms, so I can tell the retailer that I'm leadbelly@O2: the retailer (and anyone else) can text to leadbelly@O2 and the O2 SMS centre will route it to the correct phone number. If I don't want to do business any more, I can just junk the pseudonym.

Hey presto, an addressing scheme that provides both convenience and privacy.

Continue reading "Addressing a real problem" »

National identity scheme is about reducing crime

By Dave Birch posted Mar 14 2008 at 3:18 PM

[Dave Birch] In a meeting a couple of days ago, I was asked to explain the key purpose of the U.K. national identity card scheme. I wasn't entirely sure, so I thought I would have a google around. PA Consulting, who were the Development Partners to the Home Office for the identity card scheme, should know and they say that the scheme is about reducing crime...

The biographic information recorded on the NIR is limited by law to basic identity information such as name, address, gender and date of birth. However, crucially, any attempt to steal an identity would need to be backed up by a matching identity card with associated biometric information (eg, fingerprints).

[From PA Consulting Group - 2007 - National identity scheme is about reducing crime]

This is correct, although the "Information that may be recorded in Register" [From Identity Cards Bill] about a person actually includes his full name; other names by which he is or has been known; his date of birth; his place of birth; his gender; the address of his principal place of residence in the United Kingdom; the address of every other place in the United Kingdom where he has a place of residence; a photograph of his head and shoulders; his signature; his fingerprints; other biometric information about him; his nationality; his entitlement to remain in the United Kingdom; where that entitlement derives from a grant of leave to enter or remain in the United Kingdom, the terms and conditions of that leave; his National Identity Registration Number; the number of any ID card issued to him; any national insurance number allocated to him; the number of any immigration document relating to him; the number of any United Kingdom passport that has been issued to him; the number of any passport issued to him by or on behalf of the authorities of a country or territory outside the United Kingdom or by or on behalf of an international organisation; the number of any document that can be used by him (in some or all circumstances) instead of a passport; the number of any identity card issued to him by the authorities of a country or territory outside the United Kingdom; any reference number allocated to him by the Secretary of State in connection with an application made by him for permission to enter or to remain in the United Kingdom; the number of any work permit relating to him; any driver number given to him by a driving licence; the number of any designated document which is held by him and is a document the number of which does not fall within any of the preceding sub-paragraphs; the date of expiry or period of validity of a document the number of which is recorded by virtue of this paragraph; particulars of changes affecting information in the register and of changes made to his entry in the Register; his date of death; the date of every application for registration made by him; the date of every application by him for a modification of the contents of his entry; the date of every application by him confirming the contents of his entry (with or without changes); the reason for any omission from the information recorded in his entry; particulars (in addition to its number) of every ID card issued to him; particulars of every person who has countersigned an application by him for an ID card or a designated document, so far as those particulars were included on the application; particulars of every notification given by him for the purposes of (lost, stolen and damaged ID cards etc.); particulars of every requirement by the Secretary of State for the individual to surrender an ID card issued to him; the information provided in connection with every application by him to be entered in the Register, for a modification of the contents of his entry or for the issue of an ID card; the information provided in connection with every application by him confirming his entry in the Register (with or without changes); particulars of the steps taken, in connection with an application, for identifying the applicant or for verifying the information provided in connection with the application; particulars of any other steps taken or information obtained for ensuring that there is a complete, up-to-date and accurate entry about that individual in the Register; a personal identification number to be used for facilitating the making of applications for information recorded in his entry, and for facilitating the provision of the information; a password or other code to be used for that purpose or particulars of a method of generating such a password or code; questions and answers to be used for identifying a person seeking to make such an application or to apply for or to make a modification of that entry; particulars of every occasion on which information contained in the individual’s entry has been provided to a person; particulars of every person to whom such information has been provided on such an occasion; other particulars, in relation to each such occasion, of the provision of the information.

Continue reading "National identity scheme is about reducing crime" »

Privacy TV

By Dave Birch posted Mar 7 2008 at 3:11 PM

[Dave Birch] I've been watching ever since the BBC launched its new drama series about the surveillance state. It's called The Last Enemy, and I was quite looking forward to watching it, as were others, since it touches on a lot of the issues that I spend a lot of time thinking about. Given my conviction that sometimes you need to turn to art to help you to understand change, I thought it might deliver some insight into the balance between privacy and security in the modern world. Actually, it's turned out to be a bit dull, and I've been a little disappointed.

It's just occurred to me why.

It's because the BBC, like the Government, is a vast hierarchical bureaucracy that is essentially backward-looking, group-thinking and inward-focused. Just as the government can only envisage things like ID cards in a kind of 1960s frame of reference, of centralised databases and giant computers, so the BBC can only construct a discussion around them in that same frame of reference, a cross between George Orwell and Groundhog Day, endlessly retreading the same tired version of the future.

Hence the event stream seems a bit ridiculous: why on earth would people be lurking around looking for anyone in a world where there appears to be a camera in every room? In one episode there's a bit of road rage and one motorist shoots two others, but nothing happens. I guess the cameras are only looking out for dangerous double-parkers or congestion charge-evaders. As far as I can see, the scriptwriters are just producing a standard cowboys-and-indians story with ID technology as a plot backdrop, not even a maguffin to keep things moving (although I'm sure that, at some point, there will be a chase involving a CD containing important data that could just as easily be e-mailed). And as in all TV shows that involve computers, it was rife with stereotypes:


  • People type furiously on a keyboard to open up a new window - check
  • People have multiple screens open with photos on, but never seem to pick a screen to put stuff onto - check
  • Fonts are big enough to be seen from miles away - check
  • Interface is in its own basement room - check.

[From Tech & Gadgets Editor's Blog]

And, of course, the computer spoke, which in "real life" would drive you mad. What was funniest of all was the central icon of the near-future state, the pillar of the technologically omnipotent surveillance state: the ID card that the characters had to use to get into buildings and so forth. It was a trivially-counterfeitable magnetic stripe card, circa 1971.

Continue reading "Privacy TV" »


ID-Day

By Dave Birch posted Mar 6 2008 at 9:58 PM

[Dave Birch] In any discussion about identity in the U.K. recently, the big unknown has been the government's proposed national identity card scheme. There was a lot of uncertainty about how exactly the scheme might work, what the timetable might be, what the vision for the scheme was. I was therefore very excited to have been invited to come along in person to the think tank DEMOS this morning to hear the Home Secretary, Jacqui Smith, set out the government's plan. I was thinking that I don't often get the chance to talk to someone like Jacqui (ie, an incumbent in one of the great offices of state) and that she probably doesn't often get the chance to talk to someone like me (ie, someone who knows about national ID card schemes), so it would be an interesting exchange. The government published both a plan to deliver the ID scheme (well, most of) by 2017 and the Crosby report.

When I took my seat, it turned out I was next to Meg Hillier, the Minister for ID Cards, who was kind enough to introduce herself. She turned out to be a good sport...

Meg Hillier: Pleased to meet you, I'm Meg Hillier.

Me: Hello, I'm Dave Birch from the Digital Identity Forum, pleased to meet you. Oh, was it you who said that ID cards were a bit like internal passports?

Meg Hillier: Yes, it was an unfortunate turn of phrase. They're not, of course. There'll be no legal requirement to produce them.

Me: What, not even if you're buying a second home?

She was polite enough not to have me thrown out so I was able to stay and listen to Jacqui. Anyway, the event was being recorded and broadcast so I thought I would add to the sum total of understanding by doing the same. I've taken Jacqui's speech as well as the question and answer session and made them into a special edition of the Digital Identity podcast that will be posted on our feed shortly. Have a listen to what she says and make up your own mind about it (alternatively, you can read the speech online).

By the way, it wasn't an idle boast inserted above (about knowing about national identity card schemes). Consult Hyperion is currently advising on its fourth national identity card scheme at the moment (for a European government) so I'd like to think that our opinions might count for something.

Continue reading "ID-Day" »

Faking it

By Dave Birch posted Mar 4 2008 at 9:40 PM

[Dave Birch] I was in a discussion about this "internet of things" again today. It reminded me about my recent visit to the Automatic Identification and Data Capture (AIDC) European Centre of Excellence, which is in Halifax. They have a super facility with a shop, bank, hospital, town hall, library and main street set up on one floor of what I imagine to be a disused mill building. Their vision is to be able to demonstrate AIDC technologies (including some of our favourites such as biometrics and RFID) in "real" environments. During my tour, I came across a notable use of RFID tagging that flagged up -- once again -- just how widespread the use of RFID is likely to become and just how many niches there are for it to fill. I'm not skipping over the privacy issues. Nor, for that matter, are the European Commission...

One source told me that a requirement from the EU for consumers to positively opt-in to RFID in-store and for RFID tags to be decommissioned at the point-of-sale would kill RFID at item-level in Europe. Such a move, the source added, would put us internationally behind the curve, cost thousands of jobs in the RFID industry and be a terrible waste of a very useful opportunity.

[From Is the EU about to publish RFID privacy proposals? (Tune into RFID)]

Some form of RFID code of conduct -- such as the one that Toby Stephens wrote for Digital Identity Management -- is a good thing, but the opt-in and decommissioning ideas are not the right way forward.

Continue reading "Faking it" »