About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government. A blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion.





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


8 posts from October 2008


SOS SMS

By Dave Birch posted Oct 29 2008 at 7:45 AM

[Dave Birch] The use of the mobile phone as an identity and authentication platform is, to my mind, inevitable. The capability and connectivity of the mobile handset make it a million times more useful for identity, access control, credential management and most other digital identity functions. And, of course, the phone can also act as a verification tool. One thing that holds up development in this area is the lack of trusted infrastructure in the handset (the handset environment is not protected: anyone can run software on the phone). But what about the network? Can we trust that? SMS provides a useful lesson. There are plenty of banking and payment services, for example, that use text messaging for transactional services:

Users simply send a text message to RBC Mobex with the dollar amount and the recipient's cell phone number. Funds are then taken from the sender's Mobex account and moved to the recipient's Mobex account. The recipient also receives an instant text message on their cell phone to let them know when the money has been sent to them.

Amounts of up to $100 per day can be sent to anyone with a mobile phone serviced by any Canadian wireless carrier, even if they do not have an RBC Mobex account. Recipients just need to register for the payment service to access their funds. The RBC Mobex account is a stored value account and enrollment is through the RBC Mobex web-site, where money can be loaded from any bank account with any financial institution in Canada, or by using a credit card.

[From Payments News: Canada: RBC's Mobex Mobile Payment Service - September 29, 2008]

There's an IVR callback with online PIN for transactions over $25, so there are limited opportunities for fraudsters. Provided that the allowed actions are limited, this kind of scheme works well, although there have been problems in some countries (e.g., South Africa) where criminals have been able to obtain replacement SIMs from corrupt operator employees. Yet the fact that it may be hard to make bogus transactions does not mean that text messaging is ideal for identity and authentication services, nor does it mean that we should see services that use unencrypted text as reliable.

Continue reading "SOS SMS" »

Identity applications

By Dave Birch posted Oct 22 2008 at 9:37 PM

[Dave Birch] What are the IT guys up to at the moment? Do they still see digital identity as a facet of identity management, something that you can buy a product for and tick off the compliance list, or do they see it as a strategic component of their organisation's roadmap? A little while back, the feeling was that we still weren't seeing the applications, and I'm sure that's still the case:

Without revealing too much of our “off the record” conversation, let me say that I left that call with the same frustration I’ve begun to express here as of late: we’re still building identity infrastructure and have not yet moved to identity applications.

[From From identity infrastructure to identity applications | CSO Blogs]

Yet surely almost everything is an identity application. It doesn’t matter whether it’s payroll, customer service or anything else, identity should be used as an integral part of all applications. Not in the simple "government" sense of requiring a single, unique identity for administrative convenience but integral in the sense of drawing on a common set of resources to make all of the applications not only more secure but easier to implement.

Continue reading "Identity applications" »

Deniz Tuncalp, Turkcell

By Dave Birch posted Oct 20 2008 at 3:18 PM

[Dave Birch] Deniz Tuncalp is the founder of the mobile digital signature service in Turkcell. In addition to his work with Turkcell, he lectures on technology management and organisation in several universities in Istanbul. He is also doing research in the adaptation of individuals and organisations to new technology. In this podcast, he talks about Turkcell's operational mobile digital signature service and explains how it is developing the market.

Continue reading "Deniz Tuncalp, Turkcell" »

Footprints in the silicon

By Dave Birch posted Oct 17 2008 at 1:26 PM

[Dave Birch] I like the phrase "digital footprints" as I think it provides a useful metaphor and image. Your digital identities leave digital footprints behind and other people -- perhaps people you don't know -- can follow those footprints. That's a reasonably powerful picture to put in front of people. I was trying to come up with something like this because I was thinking about how to educate people to be aware of the new way of the world. Children, in particular, need to understand the ramifications of their new media use (not to stop them from using it, but to help them to use it more effectively). For example...

When these kids are in high school and college, will a prerequisite for dating my teenage daughter be reading my blog?

[From Digital Footprints: Raising Kids Online - Media Bullseye]

Probably. It would certainly be a way for a prospective daughter-in-law to score points with me! There's nothing wrong in helping children to lead lives online, but we must obviously do what we can to protect them and encourage responsible usage (which I think a digital identity infrastructure would do, but it's not the only way of doing it). Who are we protecting them from, other than future in-laws? We all understand the risks, even if they are somewhat overplayed in the media and not understood at all by politicians. As I said before:

so it turns out that by and large perverts don't use social networking sites while pretending to be teenagers, but nonetheless something must be done, and who better to decide what to do than politicians.

[From Digital Identity Forum: Hard cases]

But your digital footprint isn't only of interest to criminals and perverts, but also to marketers. In other words, hiding your digital footprint away (or not creating one) isn't a solution because allowing the right people to see your digital footprint at the right time means better products and services. In fact, if marketing could be on the basis of your digital footprint rather than a random collection of facts about you together with suppositions about group behaviour, that might be rather a good thing.

This is the future of marketing intelligence. It's no longer demographics. Identity is not worth collecting. Let's safely secure that with our customers, promise them we won't mine their identity. But the digital footprint, that is valuable. And the social context - Like Alan Moore says, this is the Black Gold of the 21st Century, the biggest prize. We can only discover social context accurately via the mobile phone, but the companies that build upon this dimension, those companies will seem like "reading our minds" in how accurately, cannily, they will serve ever better services and products and offers and campaigns for us.

[From Communities Dominate Brands: Datamining our identity, digital footprint, and social context]

We need a way to manage the connections between other people, our footprints and our selves.

Continue reading "Footprints in the silicon" »

The future is another (virtual) country

By Dave Birch posted Oct 14 2008 at 5:55 AM

[Dave Birch] In many countries the banks have begun to issue 2FA tokens of one form or another. In some places, such as Singapore, 2FA is already mandatory for home banking, and everyone is used to carrying around their token. In many companies, people use 2FA tokens of one form or another for intranet and VPN access. Authentication is improved tremendously, hurrah. But the "necklace problem" looms. The necklace problem is that if you need half-a-dozen different tokens to log in to your different bank accounts and corporate systems, not to mention government services, then you will have to carry them around your neck or risk not having the right one by your side when you need to do something. Oddly, despite the existence of (for the sake of argument) SAML or OpenID, none of the tokens that I have in my possession are in the least bit interoperable. My Barclays token doesn't even help me log in to another U.K. bank, let alone the U.K. government or a corporate site.

Continue reading "The future is another (virtual) country" »


Codpiece

By Dave Birch posted Oct 10 2008 at 5:48 PM

[Dave Birch] Now that Britain has declared the nation of Iceland to be part of the axis of evil...

The freezing order against Landsbanki, which owns failed internet bank Icesave, was issued under the 2001 Anti-Terrorism, Crime and Security Act.

[From Iceland bank freeze 'used anti-terror laws' - politics.co.uk]

...a new Cod War may be just around the corner. Hence it is diverting to remember the previous cod wars and the key contribution of the Icelandic people to the story of cryptography. Implausible as it may sound, I have in front of me a splendid book by Mark Kurlansky called "Cod: Biography of the fish that changed the world". Within its pages is a lovely story of the never-ending struggle between security and new technology.

The Anglo-Danish Convention of 1901 gave the British permission to fish up to three miles from the coast of Iceland, a state of affairs that the volcanic colony was most unhappy about. By the late 1920s, the Icelandic Coast Guard had started to arrest British (and German) trawlers found within its (as it saw) territorial waters. From 1928, the British trawlers were equipped with radio and started passing coded messages between themselves to alert each other when Coast Guard vessels were in and out of harbour. "Grandmother is well" meant that the Coast Guard were in port, for example. In an early example of governments attempting to legislate new technology, the plucky Icelanders made it illegal to send coded wireless messages. This had no impact whatsoever, of course: British seafood companies simply devised new code systems for the trawlers to use. Think about it: how on Earth would an Icelandic wireless operator know whether "Tottenham Hotspur are the pride of North London" was a coded message or gibberish? Then came World War II. Iceland got independence from Denmark in 1944, but more importantly the British trawlers were requisitioned for the war effort, so Iceland found itself with the only fishing fleet in Northern Europe and Britain's "sole" supplier (tee hee).

Things were quiet for a while, until the First Cod War in 1958 when the might of the Royal Navy (which was recently told not to arrest Somali pirates in case they claim asylum) was deployed against the Icelanders. Then, in 1972, the Cod War started. Iceland extended its territorial waters to 50 miles and the British once again sent the fleet. But in the intervening period, the Icelanders had developed and deployed a secret weapon (literally: it was a closely-guarded secret until first use). The Icelandic Navy could never outgun the British Navy (and in any case didn't want to actually shoot at us) so they assembled a fiendish weapon: a net cutter. When they found a British trawler, they would sail behind dragging a net cutter and the trawler's net (worth a lot of money) would head for Davy Jones's locker while the fish made for the underwater hills. Things did turn nasty -- with ships getting rammed and live shells being fired, the Icelandic government refused to allow injured British seamen treatment -- until eventually NATO made Britain back down.

Continue reading "Codpiece" »


Unscientific

By Dave Birch posted Oct 6 2008 at 10:30 AM

[Dave Birch] The current issue of Scientific American has a special section about privacy (there's a podcast with the editor here) and it made for a diverting read for me, because I tend to see privacy through the digital identity prism rather than from a wider (albeit still technological) perspective. So instead of thinking about privacy in "mechanical" terms -- which digital identities are allowed to validate the credentials of which other digital identities and under what circumstances -- I've been thinking about privacy in social terms and wondering if this different perspective leads to different conclusions about the way forward.

Continue reading "Unscientific" »

Mobile focus

By Dave Birch posted Oct 1 2008 at 4:40 PM

[Dave Birch] At NFC conferences these days (I've just got back from NFC World Asia) there tends to be a focus on using the NFC-equipped mobile phone for payments of one form or another, but I am convinced that identity management should be getting just as much attention. The idea that you could leave home with only your phone and no wallet depends on the phone replacing all of the things in your wallet, not just a couple of cards.

The point was made that to focus only on speed of transaction though was to miss the areas of convenience, security and the concept that people will leave home without their wallet but not without their phone. I think the latter point is a stretch to think that “mobile commerce will be driven by people without their wallets” – after all they still need their driver’s license to commute in their cars and office badge to get into many buildings. This is cash replacement and not a card or wallet replacement strategy.

[From Glenbrook Partners: Report from CTIA - Mobile Payments Eventually]

Absolutely. But that's not to say that a wallet replacement strategy is not plausible, if we use the mobile phone as the platform for digital identity infrastructure as well as digital money infrastructure.

Continue reading "Mobile focus" »