About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

  • Creative Commons: Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

6 posts from March 2009

Government interface

By Dave Birch posted Mar 24 2009 at 10:54 AM

[Dave Birch] Government identity is so important that the vigilance of the "issuers" must be unwavering. Thus, the rest of the identity management value network can function. It's so important that one might even go so far as to say that a key role of government should be to test its own vigilance in an open and transparent way. In other words, shouldn't parts of the government be checking up on other parts of the government and telling us what happened? This would be a really interesting experiment to try here in the UK, now that the government has started issuing identity cards. It would be great to have some reassurance that the process is indeed protecting us from international terrorists, dole scroungers and health tourists. The National Audit Office (NAO) could try to obtain bogus identity documents from the Identity and Passport Service (IPS) and see what happens. Just like the recent experiment in the US.

To do so, GAO designed four test scenarios that simulated the actions of a malicious individual who had access to an American citizen’s personal identity information. GAO created counterfeit documents for four fictitious or deceased individuals using off-the-shelf, commercially available hardware, software, and materials. An undercover GAO investigator then applied for passports at three United States Postal Service (USPS) locations and a State-run passport office.

[From Security Document World]

And the results? Did the ever-vigilant staff, the best IT that money can buy and the process designed by top management consultants come together to defeat these almost trivial attempts to deceive?

In its four tests simulating this approach it was successful in obtaining a genuine U.S. passport in each case.

[From Security Document World]

Uh oh.


No, wait, Titanic isn't the right metaphor

By Dave Birch posted Mar 20 2009 at 2:22 PM

[Dave Birch] For many years I have consistently maintained that multiple identities (more specifically, multiple virtual identities bound to digital identities that can be authenticated against "real world" identities) are an integral part of the digital identity infrastructure of the future and emphatically part of the solution, not part of the problem. There is a technical caveat though: the virtual identities must be kept separate. As Robin Wilton notes, with his usual perceptiveness,

maintaining different 'personas' can contribute to personal privacy - and personal privacy is undermined when the barriers between those 'personas' are broken down.

[From Racingsnake - the blog of Future Identity: Is privacy only for the rich?]

So we need a good technology (firewalls, PKI, keys, tamper-resistant hardware blah blah blah, you know the score) to make the barriers and should not rely on guidelines or ombudsmen instead. However, I made a terrible mistake explaining this vision to group of people recently. I said that the partitioning of identity in this way was the equivalent of building a big ship with a series of waterproof compartments separated by strong bulkheads, so that if one compartment is holed, the ship is not threatened. What, someone said, you mean like the Titanic?


There's always mistales

By Dave Birch posted Mar 18 2009 at 11:14 AM

[Dave Birch] Well, this is interesting. One of my mobile phone operators (I currently have three: my iPhone, my dongle and my son's phone) has sent me someone else's bill. I now have someone's name, address (why it came through our door I have no idea: the address isn't even in the same town, let alone the same street), mobile number and an itemised bill. I'm sure I could get up to some mischief with this. I don't want to pick on mobile operators in particular, but I do want to point out that this sort of thing will always happen. In a bizarre way, we've come to expect them. It's even vaguely comforting to read about the usual colossal cock-ups with computers, because it reassures you that all is right with the world...

Zamora said the pump at the By-Pass Deli and Conoco service station at Stevens Drive and the Highway 240 Richland bypass registered only $26 for the fuel. But somehow the transaction was recorded on his debit card as totaling $81,400,836,908... After learning that afternoon by e-mail that his debit card was maxed out (no kidding! ed.) he called customer service... "Somebody from a foreign country who spoke in broken English argued with me for 10 to 15 minutes," Zamora said. " 'Did you get the gas?' he asked. Like I had to prove that I didn't pump $81,400,836,908 in gas!"

[From Local News | How many billion dollars for that tank of gas? | Seattle Times Newspaper]

I am literally astonished that a charge for $81 billion could go through the debit card system at all. Wouldn't you have thought that the settlement system had some limit checking in it that would trigger if a transaction for more than, oh I don't know, let's say A BILLION DOLLARS came through on a debit PAN? Clearly, whoever built the system never imagined that this could happen, so they never put in any logic to watch out for it.
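The kind of limit check the post is asking for, as an added illustration and not code from the blog or from any real card scheme: layered plausibility checks run before a debit authorisation is accepted, with a per-merchant-category ceiling, an absolute ceiling, and a magnitude test that catches a corrupted amount field. The merchant category codes, ceilings and sample transactions are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal

# Constructed per-category ceilings for a single debit transaction.
MCC_CEILING = {
    "5541": Decimal("500.00"),    # service station (fuel)
    "5411": Decimal("2000.00"),   # grocery store
}
DEFAULT_CEILING = Decimal("10000.00")
# The post's "A BILLION DOLLARS": no debit authorisation may exceed this.
ABSOLUTE_CEILING = Decimal("1000000000.00")


@dataclass
class Txn:
    pan_last4: str
    mcc: str
    amount: Decimal           # in the card's currency, major units
    available_balance: Decimal


def check_transaction(t: Txn) -> list[str]:
    """Return the list of failed checks; an empty list means plausible."""
    reasons = []
    if t.amount <= 0:
        reasons.append("non-positive amount")
    if t.amount > ABSOLUTE_CEILING:
        reasons.append("exceeds absolute ceiling")
    ceiling = MCC_CEILING.get(t.mcc, DEFAULT_CEILING)
    if t.amount > ceiling:
        reasons.append(f"exceeds MCC {t.mcc} ceiling {ceiling}")
    if t.amount > t.available_balance:
        reasons.append("exceeds available balance")
    # A value thousands of times the category ceiling is far more likely
    # to be a mis-scaled or corrupted field than a real purchase.
    if t.amount >= ceiling * 1000:
        reasons.append("magnitude anomaly: probable field corruption")
    return reasons


# Constructed samples: the $26 fuel purchase and the $81,400,836,908 one.
SAMPLES = [
    Txn("1234", "5541", Decimal("26.00"), Decimal("500.00")),
    Txn("1234", "5541", Decimal("81400836908.00"), Decimal("500.00")),
]


def run_samples() -> list[list[str]]:
    return [check_transaction(t) for t in SAMPLES]
```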

It's crazy to build systems on the assumption that nothing will go wrong. Amusingly, in a tragic and depressing kind of way, this was reinforced by the news that public employees have already been snooping around in the proto-national identity register to look up friends, family and presumably other "interesting" people even though it's not even been built yet. Still, not to worry. So far it's only 30 local authorities that have noticed a problem.

Staff at 30 local authorities have been responsible for "serious security breaches" in the government database that will form the core of the national ID cards programme. Local authority staff have viewed sensitive personal records on the Customer Information System (CIS) run by the Department for Work and Pensions (DWP), it emerged today. The £72m Customer Information System is an Oracle database being built by Accenture for the Department for Work and Pensions. It will hold a wide variety of data on nearly all UK citizens.

[From ID Cards insider: scheme is "largest, most complex and sensitive undertaking in Government" (Tony Collins's IT Projects Blog)]

Why on earth would anyone have imagined that there would be any other outcome? And by the way, if I was one of these public employees snooping around for the purposes of amusement, I'd have been using someone else's username and password, so there's no real chance of catching them.


In 2018, we can start catching up with Lithuania

By Dave Birch posted Mar 11 2009 at 6:03 PM

[Dave Birch] One of my most frequent criticisms of the UK's national identity card scheme is that it is backward-looking, an electronic simulation of a Victorian ID card rather than an ID card for the 21st century. I gave an example of this in a talk recently by using the case of OpenID, noting that in Finland you can use your ID card to log in to OpenID, and pointing out that this bringing together of Internet standards and national ID made sense on a number of levels. Needless to say, I have never heard OpenID mentioned in connection with the UK national ID card.

Now I hear that another country has gone over to OpenID. In this case, Lithuania.

Starting January 1st 2009, every issued Personal ID card has OpenID in it, backed up by a personal digital certificate. The National Certificate Center under the Ministry of Interior will be the national OpenID provider (https://openid.vrm.lt/). The provider service is currently in testing mode and is not yet open to the general public, but it will go public soon.

[From [OpenID - Eu] Republic of Lithuania goes OpenID]

Doesn't anyone else find it odd that our flagship national identity programme is so unambitious? That our roadmap to 2018 does not include services that are already rolled out in Lithuania?


Announcing Identity & Privacy 2009

By Dave Birch posted Mar 6 2009 at 2:53 PM

[Dave Birch] Here's another date for your calendars: London, 14th and 15th May 2009. The Digital Identity Forum and the Enterprise Privacy Group will be hosting the first Identity & Privacy Forum, sponsored by Consult Hyperion with support from HP, Microsoft, Symantec, Verisign and VoicePay. The Forum will be held at the Guoman Charing Cross Hotel, London, and I'm looking forward to seeing you there. Toby Stevens and I will be sending out a detailed agenda in a couple of weeks, but just as a heads-up there are going to be four sessions: "a snapshot of electronic identity", "co-evolving privacy and consent", "sharing front line experiences" from the public sector and "catching up with biometrics".

We'll be sending out the agenda in a couple of weeks and fleshing out the expert panels. As soon as we do, you'll be able to buy tickets!


Privacy-enhancing anti-technology in Europe

By Dave Birch posted Mar 3 2009 at 9:44 AM

[Dave Birch] There's been another rash of stories about fingerprinting and the linking of identity and authentication and I thought I'd take a look at a few of them after my afternoon at the Social Market Foundation. Let's begin by looking at a mass market use of biometrics...

Under a new law published Monday, Mexico will start a national register of mobile phone users by fingerprinting all customers in an effort to catch criminals who use mobile phones to extort money and negotiate kidnapping ransoms. The new law, which will be in force this April, will give mobile phone companies a year to build the database of their clients - complete with fingerprints and any other personally identifiable information.

[From New Mexico Law to Fingerprint All Mobile Phone Users]

Fingerprinting mobile phone users could never happen here, of course. Well, not for a while. But fingerprinting by mobile providers might...

Vodafone dealership DigitalMobile is the latest employer to introduce fingerprint scanning for staff. DigitalMobile spokesman Will Allan says the scanners have been installed in the company's 22 stores around the country and most of its 190 staff are using them to clock in and out.

[From Vodafone sales staff asked to scan in - New Zealand's source for technology news on Stuff.co.nz]

This seems pretty reasonable: using biometrics to make life easier for more people is a much more convincing business case and, as far as I can see, a much more effective use of the technology than biometrics for security (outside nuclear missile launch codes and that kind of thing).
