About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


8 posts from May 2008

Next generation platform

By Dave Birch posted May 29 2008 at 6:51 PM

[Dave Birch] With the U.K. newspapers focussing on ID cards again, now that the shortlist of the only suppliers who wanted to be on a shortlist has been announced, I wonder if it isn't time to abandon even talking about ID cards, when the practical implementation of identity for the foreseeable future is going to be centred on mobile phones. Since mobile phones can do a great many things that cards cannot, they provide an obvious means to deliver some useful identity services to both individuals and to organisations. Examples might be simple, secure authentication for online services.


Forrester Research analyst Bill Nagel claimed that mobile authentication has taken hold in many countries, and that mobile signatures are a "logical extension... Nearly all of the banks and operators we spoke to said that the technology operates flawlessly and that the experiences of customers who use the system are very good," he said.

[From Mobile signatures given the thumbs up - WhatPC?]

This is an attractive vision. The idea of making the Internet more secure sounds promising at first, but it has many negatives as well. If we make the Internet more difficult to connect to and harder to use, we lose the creative dynamic around it. Therefore, it kind of makes sense to leave the Internet cheap, flexible and insecure and kick the security layer off the end of the Internet and into the phones. Phones start off from a more secure base, because they already have tamper-resistant hardware (i.e., the SIM) in place and since this hardware is a general-purpose computer, there is plenty more it can do. This idea fits rather well with the identity-as-utility view that we have been putting forward for some time. The mobile phone works perfectly as the "identity gadget", the universal faucet that we will all use to turn identity on and off (emergency stop: bad analogy detected). We're hardly the only people working along this line of thought.


From Marco, a great HP paper on Identity-Aware Devices, describing some PoC work HP did with Intel around the Liberty Alliance's Advanced Client specifications.

[From ConnectID: Identity-Aware Devices]

In the HP paper, they talk about "identity-aware devices", which I rather like as a way of thinking about practical solutions. They point out that in order to function in a sophisticated environment (in this case, a federated identity environment) the identity-aware device needs some kind of trusted module that can function as an identity provider. This is exactly how I see the SIM: there's no need to invent anything new, just find a way to get the mobile operators and others to co-operate to implement the kind of ideas that we can all already see are the way forward.

Continue reading "Next generation platform" »

You're fingered for it

By Dave Birch posted May 22 2008 at 8:08 AM

[Dave Birch] There's no doubt that consumers aren't as averse to the use of fingerprints for applications such as retail payments as security experts worry that they might be. In fact


Six-in-10 consumers worldwide believe they will be able to pay for purchases using fingerprints by 2015, according to the report New Future In Store from TNS.

[From Consumers give thumbs up to biometric payment - Talking Retail]

Not that I think that we should pay much attention to what the public think about anything (after all, a good portion of them think that Sherlock Holmes was a real person) but I'm sure they are right about biometrics, but wrong about fingerprints. One obvious problem that I can foresee is that retail POS will become (as in the case of PINs) a place to steal cardholder verification details. Then consumers' fingerprints might end up in all sorts of strange places. I wonder if the German japesters the Chaos Computer Club haven't done us all a favour by inventing a splendid new sport based on biometrics. You'll recall that they


published digital copies of the German Home Secretary Wolfgang Schäuble's fingerprints in their magazine. This was done in protest over the increased use of biometric data, for example in biometric passports and airport immigration. Apparently they lifted the original fingerprint from a glass that the Secretary used during a conference. Over 4,000 copies of the magazine were published, which also included a thin plastic film which could be stuck onto one's finger in order to provide a false biometric reading, and pretend to be Herr Schäuble.

[From Chaos Computer Club Publishes Fingerprints of German Home Secretary - Securethoughts]

In practice, I'm sure that the first use of this tactic for criminal purposes won't be to impersonate an important official. What on Earth could you gain access to with the Home Secretary's fingerprint? I didn't notice biometric fingerprint readers at the door of no.10 the last (and, in fact, only) time I went there. No, it will be to get some random person's fingerprint and put it at the scene of a crime to set a false trail or start a cover up or something similar. If I were going to murder someone, I'd wear gloves and leave your fingerprint at the scene of the crime.

Continue reading "You're fingered for it" »

Awards and ceremonies

By Dave Birch posted May 21 2008 at 11:23 AM

[Dave Birch] Not really anything to do with Digital Identity, but I'm one of the judges for this year's CNET UK Business Technology Awards and they are looking for nominations in a variety of categories (see below) so I was wondering if any Digital Identity Denizens had any suggestions for identity management-related products and services. I'm sure someone's already entered the Identity & Passport Service's National Identity Card Scheme for "Public Sector Technology Project of the Year", but if any of you have other suggestions then do scoot over to the web site and fill out a nomination form.

Continue reading "Awards and ceremonies" »

From paradise? No, Luton South

By Dave Birch posted May 16 2008 at 10:21 AM

[Dave Birch] What a guru I am! It's almost uncanny! On 11th May 2008, I wrote (in an unpublished draft for this blog) that "It's only a matter of time before some M.P. suggests that one of the many benefits of the government's splendid new identity card scheme is that it will help with identifying kids on the web to protect them or stop them from buying knives or something". Well, today I read that

If you can’t prove how old you are, your days of shopping on the internet may be numbered. Fears that young people could be getting hold of knives, adult DVDs and alcohol are all fuelling a campaign by Margaret Moran, MP for Luton South, to make online age verification compulsory in the UK.

[From Online ID checks to limit teen booze and knife purchases | The Register]

I assumed that selling alcohol to someone under 18 was illegal whether you do it in a shop or on the web and so merchants would want to carry out age verification to avoid prosecution. As the reporter says, "Does anyone feel yet another justification for compulsory ID coming on?"

Continue reading "From paradise? No, Luton South" »

Digital Identity Forum will be on October 15th/16th in London

By Dave Birch posted May 13 2008 at 9:58 AM

[Dave Birch] A date for your diary. We've chosen 15th/16th October for this year's Digital Identity Forum in London. We're looking at a couple of venues and hope to confirm something in the next week or two. The web site will go up tomorrow and I'm looking forward to starting work on the programme soon. As always, constructive suggestions are welcome, but at this time I'm thinking that we should take another look at where the UK is with ID cards (I'm afraid it's the 800lb gorilla), some kind of OpenID/Cardspace "bootcamp" to explain them to a business audience, an update on biometrics and a big session on identity in social networking. And of course, a pub quiz (sponsor please!) and an electronic "Game of Life" for charity, excellent company and conversation.

Continue reading "Digital Identity Forum will be on October 15th/16th in London" »


By Dave Birch posted May 12 2008 at 10:38 PM

[Dave Birch] At the European e-ID conference in Leuven last month, a few basic conclusions were established early on in the proceedings: there is precious little interoperability across borders and it's not obvious what to do about it, although the general idea of moving away from interoperable infrastructure and towards gateways to the "magic bus" seemed to have some currency. Not everyone was as downbeat as me. Perhaps the whole idea of pan-European interoperability is simply too big to take on and it might be better to refocus on more limited but more practical goals. The idea of a few national gateways that could interoperate may be more manageable and I did get involved in a couple of discussions about the layers that would be needed to make this happen. But on reflection, it was another idea that might have more success (because of a more decentralised nature): instead of trying to construct a system for interoperability, try to construct a market.

Continue reading "Interwhat?" »


By Dave Birch posted May 7 2008 at 3:54 PM

[Dave Birch] Dealing with the government online is precisely the kind of activity that is subverted by bad identity management. Case in point:


Ambitious plans to switch the majority of provisional licences from postal to online could not be taken up by one of the largest group of customers - teenagers - because they couldn't prove their identity. Only 40,000 out of the 1 million people seeking a provisional licence were able to complete an online application. The remaining 960,000 had to stick to postal applications. One of the main reasons, according to the NAO, was that online applicants had to have either a new digital passport or a credit record to prove their identity.

[From DVLA plan fails ID test | Special Reports | Guardian Unlimited Politics]

The government has a portal for accessing public services -- DirectGov -- but it's of limited usefulness, precisely because of this issue. And I'd lay a pound to a penny that the new ID card won't make the slightest difference, since I've not heard a single minister or official say anything about using it in this way. Speaking of which, young people won't have to worry about this problem for much longer because they'll soon be able to get a splendid new identity card that will solve that problem for them. As the Home Secretary said recently


We will start to make identity cards available to young people on a purely voluntary basis in 2010. I believe there are clear attractions in the scheme. It will make it easier to enrol on a course, apply for a student loan, open a bank account, or prove your age - especially as we get tougher on sales of alcohol to those under-age.

[From BBC NEWS | Politics | In full: Smith ID card speech]

Anyone familiar with the U.K. will recognise the wisdom of making it more difficult for children to buy alcohol.

Continue reading "Yoof" »

e-Dictum meum pactum

By Dave Birch posted May 2 2008 at 11:58 AM

[Dave Birch] There's a story about identity in The Economist magazine that I read on the plane to Washington ("My bow is my bond", p.98, 26th April 2008) that connects directly with something I'm working on for a client at the moment. Naturally, neither the client nor the assignment will be discussed here, except to note that I've been playing around with some ideas on value-adding identity services for the mass market. I'd also recently received an e-mail from an august body, which won't be discussed here either, asking if I'd like to provide (for free!) some ideas on how to get private companies to use the U.K. identity card: I ignored the request, of course, but I did jot down a few notes. For both of these reasons, the story caught my eye.

The story concerns a fraud against Lehman Brothers in Japan. They lent a Japanese company $350 million. The loan was guaranteed by a well-established Japanese trading house. Bankers from Lehman met an executive from the trading house -- at the trading house's office -- to sign the contract. When the firm in question defaulted, Lehman went to the trading house to get their money, but the trading house claimed no knowledge of the deal. The executive had been an imposter and the contract was fake. When someone gives you their business card, you assume that it is true (by custom and practice -- you don't explicitly validate it) and when they put a letterhead in front of you, you take it to be real. Oops.

Continue reading "e-Dictum meum pactum" »