About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


8 posts from August 2008

Voicing my opinion

By Dave Birch posted Aug 29 2008 at 9:13 AM
[Dave Birch] As I've mentioned a few times on the blog (eg, here), there are many reasons for thinking that voice technology (both authentication and recognition) is particularly important to the world of digital identity. There are two main reasons for my enthusiasm: the first is that my technology roadmap has mobile at the centre and there are obvious synergies between voice technology and mobile phone technology, the second is that voice can deliver a biometric suited to multi-channel, local and remote environments. Therefore I'm very pleased to be speaking at this year's Voice Biometrics conference in London on 19th and 20th November 2008, explaining how the technology fits into a broader picture of identity management for government and business, so that I can test some of our ideas in this space on other experts in the field.


More data hilarity

By Dave Birch posted Aug 27 2008 at 11:17 AM
[Dave Birch] Last week it was PA Consulting who were on the front page for losing masses of personal data, partly because the newspapers love stories about government data getting lost (I'm surprised they're not bored with it, since it happens absolutely all the time) and partly because PA Consulting are designing Britain's new ID card. The Home Office said back in March that the first cards will be issued by "day 330 of 2008", which I think is their way of saying 1st December. Since that's only two months away, I'm sure that the first-class design is all squared away and the media are making a mountain out of a molehill over PA Consulting losing a USB memory stick full of data -- this has nothing to do with the ID card scheme, as far as I know.

PA Consulting – which on Tuesday told ministers it had misplaced the unencrypted names, dates of birth and expected release dates of the inmates, as well as the addresses of 33,000 prolific criminals – has won £240m of government contracts since 2004, including one as the Home Office's "development partner" to "work on the design, feasibility testing, business case and procurement elements of the identity cards programme".

[From Consultants who lost data are working on ID cards - UK Politics, UK - The Independent]

Today, however, PA Consulting have vanished from the papers, having been swept away by the hilarious blunder by one of RBS' suppliers, who sold a disk drive on eBay without erasing it first.

The computer hard drive was sold for a paltry £35 but the information on it was priceless, as it contained highly sensitive documentation on American Express, NatWest and Royal Bank of Scotland customers.

[From Customers' bank data sold through eBay | News | TechRadar UK]

Now, while the newspaper anger is, to my mind, slightly misplaced -- while RBS losing people's personal details including mother's maiden name is bad, what's worse is that you can use personal details including mother's maiden name to execute transactions because RBS (like many other banks) have no consistent two- or three-factor security across channels, so the paper should be angry at banks for not implementing digital identity rather than losing hard drives -- it must at some level lead to even further erosion of trust in banks.


Category error

By Dave Birch posted Aug 25 2008 at 9:48 PM

[Dave Birch] A common mistake in government-related discussions around identity is to completely misunderstand the nature of the problem itself:

people need to prove who they are many times during a day.

[From In Development » Just what is ‘identity’?]

No, they don't. People need to prove that they are entitled to do something or are allowed to do something several times during a day, which is actually an entirely different issue. Mind you, it's an often-repeated mistake, even amongst those who should know better but haven't really thought it through. When he was the Home Office Minister for ID cards, Andy Burnham said that "I take the view that it is part of being a good citizen, proving who you are, day in day out". How wrong can you be? Other than the current Home Office Minister for ID cards, Meg Hillier, who said that we should see ID cards as “passports in-country”. Or, indeed, the Home Office Minister for ID cards before him, Tony McNulty, who said that

"There are now so many almost daily occasions when we have to stand up and verify our identity."

[From BBC NEWS | Politics | Labour admits ID card 'oversell']

I blame the education system, but blog readers may have some other explanations as to why this same, fundamental, error is propagated by people who ought to have some grasp of the issues.


Charlie Edwards, DEMOS

By Dave Birch posted Aug 20 2008 at 9:15 AM
[Dave Birch] Charlie Edwards is a senior researcher at the London "think tank" DEMOS. He writes, lectures and consults on national security, resilience, defence and intelligence. He works with international institutions, government departments, companies, and NGOs. A regular commentator in the national and international media, in this podcast he discusses the DEMOS essay collection "UK Confidential", reflecting on issues of privacy and identity in the modern age.


Industrial-scale identity theft

By Dave Birch posted Aug 15 2008 at 9:25 AM

[Dave Birch] Well, not really identity theft at all, but stealing credit card details on a massive scale then using them to obtain goods or services fraudulently. These ones got caught.

Federal prosecutors have charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what officials said on Tuesday appeared to be the largest hacking and identity theft ring ever exposed.

[From 11 Charged in Theft of 41 Million Card Numbers - NYTimes.com]

Judging by the ever-escalating figures for credit card fraud, however, plenty of others are still getting away with it. Are the figures telling us something very specific about authentication: that online PINs and passwords are not only not a particularly good authentication mechanism but may actually make matters worse? The prosecutors allege that the criminals stole card details and PINs as they were passing (apparently unencrypted) over wireless networks, then used the card details to manufacture fake cards, and then used the PINs with the cards to withdraw cash from ATMs. No PINs, no cash out of the ATM.


U.K. government research

By Dave Birch posted Aug 11 2008 at 9:57 PM

[Dave Birch] The British Government is to invest in three new research projects that will help to develop the next generation of secure identity management systems. The Technology Strategy Board, Engineering and Physical Sciences Research Council (EPSRC) and Economic and Social Research Council (ESRC) have joined forces to back the three projects with an investment of over £5.5 million. The three projects are:

  • Encore, which will focus on the issue of providing more rigorous means for individuals to grant and revoke their consent for the use, storage and sharing of personal data, bringing together technological, procedural and regulatory developments.
  • VOME, a research project that will reveal and utilise end users' ideas and concepts regarding privacy and consent, facilitating a clearer requirement of the hardware and software required to meet end users' expectations.
  • Privacy Value Networks (pvnets), which will generate a detailed understanding of individuals' and organisations' conceptions of privacy and identity across a range of contexts and timeframes - using a range of techniques including in-depth privacy value and devalue chains analysis to model the impact of the personal information.

Consult Hyperion are contributing to the VOME project (with Royal Holloway University of London, Cranfield University, Salford University and Sunderland City Council) and the pvnets project (with University of Oxford, University of St Andrews, University College London and University of Bath), so I hope to be able to share some interesting results with blog readers in the future!


Pass this one up

By Dave Birch posted Aug 6 2008 at 6:48 PM

[Dave Birch] The newspapers here are having a fine time with the very latest Dutch chip shenanigans: A Dutch researcher has shown The Times how easy it is to clone e-passport chips and change the details.

The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year. Even then, the system will be fully secure only if every e-passport country has joined.

[From ‘Fakeproof’ e-passport is cloned in minutes - Times Online]

Nearly right. It's digital signatures that "would not match" and the international database contains the public keys that allow you to check the signatures. I doubt it's much of a threat to be honest, because you'd have to forge the paper part of the passport to match the cloned chip, and that strikes me as a little harder. The only people who read the chips, or at least attempt to read the chips, are immigration officers. My bank doesn't have any readers, nor does my airline and nor does Eurostar or anyone else. Anyway, as the journalist points out, digital signatures are pretty useless if no-one implements them. I'm not sure why it's in the news today, since it's a recycling of a story that's a couple of years old.

A German computer security consultant has shown that he can clone the electronic passports that the United States and other countries are beginning to distribute this year.

[From Hackers Clone E-Passports]

It may be a symptom of a general collapse in public trust of any kind of government IT rather than a specific reflection on anything to do with e-passports.


Public transports

By Dave Birch posted Aug 1 2008 at 6:20 PM

[Dave Birch] Stuart Kwan, Director identity and Access at Microsoft, kicked off something a while back by talking about the need for some sort of "identity bus" that can allow different systems, components, applications to tap into an effective digital identity infrastructure. It doesn't exist as an architecture, let alone products, but people do understand what he means.


The "identity bus" is, of course, still just a vision, but at least it is a beginning. Understanding and building toward an identity industry that is "the identity bus" should be the mission of every serious identity vendor out there.

[From Identity Bus: More than meets the eye | CSO Blogs]

Kim has been talking about this as well. There's a lot to commend this way of thinking. From the technical side, we all understand what a bus implies: standards and interfaces, "plug and play", commodity units. Whether this is realistic in the identity space needs further discussion, because the industry may not yet know enough about what is wanted, what the real requirements are, in order to be able to come up with some building blocks of lasting value. Yet in a discussion this afternoon, in connection with the use of mobile phones in the identity infrastructure, I did start to think that perhaps instead of endless industry bodies, government studies and new experiments, it might be better to just start plugging a few bits and pieces together.
