About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


11 posts from July 2008

Out of control

By Dave Birch posted Jul 29 2008 at 9:37 PM

[Dave Birch] Well, I have to say, I didn't expect the reaction that I've been getting to my podcast with Sir Bonar. Only four days after I put it up, it's already on course to be the most-downloaded of our podcast series, thanks in no small measure to getting coverage from the likes of Boing Boing (one of my favourite blogs) referring to the

UK tech-czar's ridiculous, fatuous podcast interview

[From UK tech-czar's ridiculous, fatuous podcast interview -- hilarious gag interview - Boing Boing]

Thanks for all the e-mails, good and bad.

Continue reading "Out of control" »

Engineering eID

By Dave Birch posted Jul 28 2008 at 12:55 PM

[Dave Birch] What are the differences between the proposed German identity card and the proposed UK identity card? Well, for one thing we already know how the German card will work and what applications it will contain. In fact it will contain three: the ePass application for police and border control, the opt-out eID application for e-business and e-government and the opt-in eSignature application. It has some interesting functions, such as proof of age without disclosing age, and supports end-to-end online security because it has a mutual authentication scheme built in. If someone wants to authenticate you using your card, they have to provide a digital certificate (issued to them by the German government) that contains a map of the attributes (eg, address) that the service provider is allowed to use. Since the card and the service provider thus have an encrypted end-to-end channel, they are immune to man-in-the-middle attacks.

A function I find particularly interesting is the pseudonym function. A service provider can request an identity that is known only to that service provider and the card will generate a pseudonym according to a published algorithm. Since this involves using the service provider's public key, service providers cannot know other service providers' pseudonyms, a simple means to increase both security and privacy for very little effort. If there is a specification for the U.K.'s identity card that is currently being procured then I haven't seen it, but I'd lay a pound to a penny that it does not include this kind of privacy-enhancing technology (PET) because I have never seen it in any of the management consultants' presentations, government strategy documents or discussion forums. What a shame. Why do Germans deserve this kind of security but we Brits don't?
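The eID behaviour described above (certificate-scoped attributes, proof of age without disclosing age, and per-provider pseudonyms), modelled in Python as an added example that is not part of the original post or of the German specification. The `Card` and `AccessCertificate` classes, the HMAC-based derivation and all sample values are assumptions, and checking the certificate's signature is left out.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessCertificate:
    """Constructed model of the government-issued service provider certificate."""
    provider: str
    public_key: bytes      # provider's public key, treated as opaque bytes
    allowed: frozenset     # attribute names this provider may use


class Card:
    def __init__(self, secret: bytes, attributes: dict):
        self._secret = secret          # stays on the card
        self._attributes = attributes

    def pseudonym(self, cert: AccessCertificate) -> str:
        # Assumption: HMAC keyed with the card secret over a hash of the
        # provider's public key stands in for the card's published algorithm.
        sector = hashlib.sha256(cert.public_key).digest()
        return hmac.new(self._secret, sector, hashlib.sha256).hexdigest()

    def read(self, cert: AccessCertificate, requested: set) -> dict:
        # Release only attributes named in the provider's certificate.
        denied = set(requested) - cert.allowed
        if denied:
            raise PermissionError(f"{cert.provider} may not read {sorted(denied)}")
        return {name: self._attributes[name] for name in requested}

    def is_at_least(self, cert: AccessCertificate, years: int, today: date) -> bool:
        # Proof of age: the provider learns a yes/no answer, not the birth date.
        if "age_check" not in cert.allowed:
            raise PermissionError(f"{cert.provider} may not run age checks")
        born = self._attributes["date_of_birth"]
        had_birthday = (today.month, today.day) >= (born.month, born.day)
        return today.year - born.year - (0 if had_birthday else 1) >= years


# Constructed sample data: two cards and two service providers.
ALICE = Card(b"card-secret-A", {"address": "1 Example Strasse", "date_of_birth": date(1990, 3, 15)})
BOB = Card(b"card-secret-B", {"address": "2 Example Strasse", "date_of_birth": date(1991, 1, 1)})
SHOP = AccessCertificate("shop.example", b"shop-public-key", frozenset({"age_check"}))
COUNCIL = AccessCertificate("council.example", b"council-public-key", frozenset({"address"}))

if __name__ == "__main__":
    today = date(2008, 7, 28)
    print("shop sees   ", ALICE.pseudonym(SHOP)[:16], ALICE.is_at_least(SHOP, 18, today))
    print("council sees", ALICE.pseudonym(COUNCIL)[:16], ALICE.read(COUNCIL, {"address"}))
```

The same card gives the shop and the council different identifiers, so the two cannot join their records on the pseudonym, while each provider sees a stable value across visits.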

Continue reading "Engineering eID" »

No more PETs win prizes puns, please

By Dave Birch posted Jul 23 2008 at 7:44 PM

[Dave Birch] Microsoft has been sponsoring the annual privacy-enhancing technology awards at the PETS Symposium for a few years now. This year the winning paper was written by Arvind Narayanan and Vitaly Shmatikov, researchers at The University of Texas, who looked into large publicly available anonymised data sets – and very quickly discovered a major privacy risk, as their experiments showed that such data sets could be used to re-identify individuals using efficient algorithms. All of which means that companies should be careful about storing masses of data on customer choices because, even if customers aren't explicitly identified in the individual records, it doesn't take much effort to identify them from the pool. Interesting stuff.

Runners-up, Cambridge University researchers Steven J. Murdoch and Piotr Zieliński, also focused on online anonymity. Their paper discusses and analyses, for the first time, the possibility of surveillance at internet exchanges (IXes) where Internet traffic crosses from one network to another. Because so much traffic passes through these, the research seems to indicate that a relatively small snapshot of the data in transit contains a lot of information about what is moving between which nodes.

I found the other runner-up paper especially fascinating because of my focus on the intersection of the digital money and digital identity worlds. The paper "Making P2P Accountable without Losing Privacy" (by Belenkiy et al, Brown University) posits the use of e-cash (that is, the original Chaumian e-cash) to add accountability to file sharing networks without giving up privacy. The idea is to balance between selfish users in a transparent way (and money is the most transparent of all ways) without sacrificing anonymity. Given some of the discussions about anonymity over on Digital Money, this is a timely addition to the debate and shows that accountability and privacy are not mutually exclusive.

Incidentally, their premise that fairness is essential to providing scalable incentives for greater participation seems right to me, as does their characterisation of "selfish peers" as agents in a virtual economy, but I'm not sure if e-cash is a necessary grease to make that work. The authors suggest that the money used in their scheme has five essential characteristics:

  • It should be fungible (ie, no "different strokes" and everyone's money can be used for everything in any combination).
  • It should be integral to the fair exchange of money for goods/services. Because of my history in this space, I'm particularly interested in "shopping" protocols that include all of the steps in a transaction.
  • The money must be unforgeable, obviously.
  • The payment system must be efficiently implementable.
  • Finally, users should be able to spend anonymously.

This is an axiom I think: it's not clear to me from the paper whether they have some reason for thinking that anonymity will or will not make any difference to the performance of the scheme. Would anyone care?

As an aside, when discussing the economic issues raised by the paper, the authors say that under limiting conditions they can demonstrate that knowledge of bank balances (M1) can predict how much money can be added to the network without causing a crash. I hope the Chancellor reads up on their model!

By the way, a big thanks to the guys at Microsoft for sponsoring this valuable award.

Continue reading "No more PETs win prizes puns, please" »

You've got my identity, now what?

By Dave Birch posted Jul 22 2008 at 6:09 PM

[Dave Birch] Let's suppose you are a master identity criminal and you've pulled off a heist: You've got away with the HMRC disks, or the POS keylogger or the hospital laptop. You've got my identity. Now what are you going to do with it? Open a bank account? Pretend to be me to commit acts of international terrorism? Take out a mortgage? Stalk someone via social networks? Get a credit card? Actually, it's none of the above.

Wireless-phone accounts were the most frequent types of new accounts opened using ID theft, according to the report. These criminal cellphone account openings increased from 19 percent to 32 percent of new account fraud last year, exceeding fraudulently opened credit cards, loans, checking or savings accounts.

[From Javelin Strategy and Research » The Savvy Consumer: Don’t be taken in by drop in identity theft]

Generally speaking, most kinds of identity theft are really financial frauds of one form or another. If you want to sneak into NORAD, then you're unlikely to find a useful ID floating around on the Net, you'd be targeting a more specific identity, blackmailing someone, that kind of thing. So if run-of-the-mill identity theft is about getting a bank loan in a bogus name, then I wonder if it might be economically more efficient for society as a whole to make bank loans harder to get rather than racking up costs defending against identity theft. If, in the U.S., you needed more than a plausible name, address and social security number combination to get a loan, then stealing the name, address and social security number would presumably become less interesting to criminals.

Continue reading "You've got my identity, now what?" »

Technology lessons

By Dave Birch posted Jul 17 2008 at 7:49 AM

[Dave Birch] It must make me sound like some sort of snob, but I genuinely feel that one of the problems with the discussion of identity, privacy and related issues in the public sphere is that, ultimately, the policymakers, regulators and politicians just do not understand either technology as part of the problem or technology as part of the solution. Ian Brown's review of the Thomas/Walport report about data sharing touches on this:

While it makes a brief mention of credentials (r. 5), the report is extremely backward-looking on technology,

[From Blogzilla: Thomas/Walport data sharing review published]

The problem, I think, is more insidious than it seems at first. It isn't just that the people writing the report don't understand the technology, it's that they don't even appear to think that the technology is important. As I noted at the time of the review...

Pete Bramhall from HP sagely noted that the consultation document began with the statement that it assumed a familiarity with the Data Protection Act and other relevant legislation. How come, he pointed out, it did not assume a familiarity with rudimentary information technology, basic data security, elementary cryptography or, indeed, anything else that might help to develop a privacy-enhancing infrastructure for the modern world. Quite.

[From Digital Identity Forum: Another thing invented by lawyers]

How are we going to get a genuine breakthrough in identity management when the gap between the "two cultures" appears to be widening? No, not those two cultures but the cultures of information and communications technology on the one hand and lawyers (particularly the ones that end up in the government).

Continue reading "Technology lessons" »


2.5FA

By Dave Birch posted Jul 15 2008 at 8:56 AM

[Dave Birch] 2FA is clearly important. But what kind of 2FA? At the moment, the "something you know" plus "something you have" version is in vogue, and a great many organisations have been rolling out tokens of one form or another. In the U.K., Barclays (to name but one) have already rolled out 2FA to the mass market:


Gemalto announced it has passed the 1 million mark for Barclays customers using PINsentry, its cryptographic smart card reader. The bank started deploying its authentication program in July 2007 and since then not one PINsentry online customer has suffered fraud.

[From 1 million Barclays customer using smart card reader : SecureID News]

As I've said before, I'm a happy PINsentry customer, even though I know it doesn't provide total security. But it's a bit limited. I can't use it to log in to anything else: I'd much rather that Barclays offered a 2FA OpenID login using the PINsentry and then I could use my Barclays OpenID to log in not only to the bank but to any other sites that needed that kind of security (eg, the government). Simon Willison's excellent OpenID blog alerted me to the fact that other people are already thinking in that direction.


Microsoft are accepting OpenID for their new HealthVault site, but with a catch: you can only use OpenIDs from two providers: Trustbearer (who offer two-factor authentication using a hardware token) and Verisign.

[From Simon Willison’s Weblog]

So OpenID/2FA is not only feasible, it's a good idea. But we don't want to end up with a 2FA necklace -- with the tokens from half-a-dozen banks plus eBay plus our corporate networks plus plus plus -- that we have to carry with us at all times and this could happen if banks and other service providers don't accept each other's OpenIDs in a rich enough way.

Continue reading "2.5FA" »

Out of band, out of mind

By Dave Birch posted Jul 14 2008 at 9:36 AM

[Dave Birch] Using SMS to provide an out-of-band 2FA scheme for access to online services sounds like a reasonable idea. But it depends on customers to do the right thing, and this is generally a bad idea in security terms. One study of a scheme that required customers to copy a pass code from their phone to a web page (to confirm online transactions) found that customers did not notice when the message included incorrect details. My guess is that this is a general result: once you train customers to perform some simple action in order to obtain security, they won't do any of the other cross-checks and because they think (for no reason) that SMS is somehow secure, then SMS-based approaches may be even more exposed. This is a shame, because it may hinder the development of mobile services, such as banking. People are increasingly comfortable with using their mobiles for banking, we all know that. According to TowerGroup, 90% of those who tried mobile banking at Bank of America have remained active with 99% checking balances, 87% looking at transaction history, 10% making funds transfers, and 5% paying a bill. But if they begin to read in the newspapers about mobile security being subverted, those numbers will fall.

Continue reading "Out of band, out of mind" »

Fingers in the dyke

By Dave Birch posted Jul 11 2008 at 4:15 PM

[Dave Birch] Over on the Digital Money Blog, we've been talking about the well-known MiFare security issue. We're interested in it over there because MiFare is used for things such as Oyster cards and there's an overlap between contactless cash replacement and contactless transit systems. From this frame of reference, the security issue is interesting and it needs to be factored in to system procurement, card updates and that kind of thing. No-one is going to implement an electronic purse system using MiFare Classic, so the sky isn't falling in. So, the guys are saying, well, next time we buy some cards we'll buy MiFare Plus instead, but other than that, what's the worry? But now it turns out that the problem may be far more troublesome than at first realised, because the same technology (designed for mass transit) is being used by the Dutch government to secure access to important facilities:

...the Dutch Interior Ministry's spokesman said this is "a national security issue," since several government agencies there use the same technology to restrict access to their facilities.

It looks as if the researchers behind the MiFare crack have done Dutch citizens a big favour by alerting them to the inappropriate use of technology -- MiFare Classic was designed for mass transit, not for identity cards and access control for sensitive facilities -- before some bad guys do.

Continue reading "Fingers in the dyke" »

John Letizia, BBA

By Dave Birch posted Jul 9 2008 at 8:46 PM

[Dave Birch] John Letizia is the Director of Government Affairs and Special Assistant to the Chief Executive at the British Bankers Association (BBA). He joined the BBA in July 2005. He is responsible for building strong relations with key people at all levels across UK Government, Parliament and other key stakeholders, and to build and maintain a pro-active representation programme. Prior to joining the BBA, John was Political and Regional Affairs Adviser at a leading manufacturing employers' organisation. John has also worked for a number of consultancies and has been an Adviser to a Government Minister. In this podcast, John reflects on the BBA's views of the proposed UK national identity card. Since banks are seen as being key users of such a scheme, these views are important.

Continue reading "John Letizia, BBA" »

UK Confidential

By Dave Birch posted Jul 2 2008 at 12:54 PM

[Dave Birch] The excellent DEMOS report on privacy "UK Confidential" contains contributions from many of the people I regard as thought leaders in the field and has ideas aplenty. It was supported by BT "in the interests of furthering public debate", which it certainly does. I'm curious about the extent to which the "tag line" on the report is true or not. It says "an open society depends on individuals rediscovering the social value of privacy". Is it really for individuals? It seems to me that it is something that needs to be woven into the fabric of society -- partly through the technological implementation of identity, the kind of thing that interests me greatly -- because it's a social good.

Anyway, in the introduction, Charlie Edwards and Catherine Fieschi say that "We lack the language to discuss privacy holistically. We use outdated frames of reference that are no longer adequate to discuss the contemporary landscape of privacy concerns or re-frame complex issues about data protection and vulnerability in other terms". I couldn't agree more -- I've been writing a magazine article arguing, similarly, that both the government and its critics on identity management share this outdated frame of reference (which I've labelled "Orwellian") -- and there's no doubt that it is a major impediment, a contributing factor to the privacy logjam we're now stuck in, where privacy and security are seen as opposites that we have to balance in some way. I don't want to dip into the "what is privacy" discussion here, except to note that it is important not to make the mistake of conflating a brief period of essentially urban anonymity with privacy and therefore make privacy something we can return to or get back in some way: Most people, throughout most of history, have had no privacy whatsoever.

The essential core of privacy in a modern context, I think, must be built around choice and consent (this is why I'm looking forward to our participation in a couple of Technology Strategy Board projects on Privacy & Consent later in the year). I tend to see these as important components of future consumer propositions and therefore viable if chosen carefully -- there's no point coming up with great privacy plans that business will never implement. They call the privacy component of an exchange an "invisible transaction", which is a nice way of putting it. If companies can find privacy-enhancing processes that go with the grain of business, then surely they will promote them (much as they have begun to promote "green" elements of their operations).

In the conclusion Charlie and Catherine say that "our collective ignorance means that we get the privacy we deserve" but I'm not sure I'd be so negative. People are ignorant about lots of things, but they expect professionals (eg, us, I hope) to make good decisions for them. I'm happy to contribute to that debate.

Continue reading "UK Confidential" »