About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« April 2009 | Main | June 2009 »

3 posts from May 2009

Give us the chance to do better

By Dave Birch posted May 26 2009 at 9:50 PM

[Dave Birch] One of the frustrating aspects of being a technologist in the identity space is that I know that the technology can deliver more than customers want. There are a number of reasons for this, but two of them will suffice to make a point. Firstly, people's "common sense" version of identity is simply not sophisticated enough for a modern economy and, secondly, that the people who actually specify and procure systems that hinge on identity do not make privacy part of the proposition because they (incorrectly) view security and privacy as opposites. In fact, the technology can deliver both and some times it's very easy to make it do just that. Look at the basic case study of "no fly" lists, where the problem is to check whether someone's name appears on a list of people to be excluded...

In comparing the contents of two databases, such as an airline-passenger list and a no-fly list, for example, officials should be interested only in the names that appear on both lists. They have no need for the rest of the passengers’ names. Those mutual names can be found by first encrypting both lists using strong encryption.

[From Sharing information while preserving privacy is a technologically trivial challenge, researcher says -- Government Computer News]

Quite. And if the lists are encrypted, and don't need to be decrypted to make them work, then privacy is automatically improved without ombudsmen, best endeavours and the rest of it. A rudimentary understanding of the issues is all that is needed to deliver vastly better solutions.

Continue reading "Give us the chance to do better" »

Government interface

By Dave Birch posted May 19 2009 at 8:04 AM

[Dave Birch] For e-government to take off, it is transparently obvious that population scale identification and authentication infrastructure (beyond e-mail address and alphanumeric passwords) will have to be in place. If not, the pain associated with every single online interaction with the public sector will grow far beyond the point where the bulk of the population will want to get involved and there will be a hard limit on the efficiency of the delivery of public services. No-one, surely, can be against that. Yet we don't seem to making much progress towards this. Even in cases (in the UK) where online service delivery works very well indeed (eg, vehicle tax), it does so in silos.

Now, many people will (quite rightly) point out that there is a fundamental danger to the idea of using a single identity across all services. There's a particular danger to using to the same identity across public and private sector services.

In yet another security breach, the US State Department said 400 passport applicants, and maybe more, have had information stolen. Passport applications containing personal information, including Social Security numbers, were accessed and used to open fraudulent credit card accounts. A fraud ring bought information from a government employee. The information was used to apply for cards. Cards were intercepted by another insider in the post office before they were delivered. The passport applicants had no idea their identity had been stolen.

[From National ACH: Government Employees Selling Identities]

Now, that's the kind of fraud that imagine was dismissed out of hand by the government's management consultants when they were procuring the system. "Insiders in the Post Office connecting to insiders in the State Department? Oh, come on! That's like a Tom Clancy novel, it will never happen."

It this sort of thing -- and it seems to happen all the time -- that means that many people react against the very idea of a government identity or a government identity management system, although I draw a different conclusion: we need a better (privacy-enhancing) design for a government identity management system, perhaps building on the schemes used in countries such a Germany and Austria where identities are cyptographically-partitioned between service providers.

(Obviously, I trust the Government even less. I'd much rather have O2 manage my ID than the Home Secretary. SIMs are more secure, cheaper and better-managed than the UK's ridiculous Stalinist ID card system).

[From Dean Bubley's Disruptive Wireless: Thoughts on managed identity services by mobile operators]

What we want, surely, is the best of both worlds. I want my SIM to hold a number of identities, including government ones, that I can choose to use on a per-transaction basis. And I don't think it's far-fetched to expect this kind of modern infrastructure.

Continue reading "Government interface" »

The long and short of it

By Dave Birch posted May 1 2009 at 3:09 PM

[Dave Birch] I was at the European Patent Forum in Prague talking about biometrics in an enjoyable seminar on Privacy and Identity Theft, along with Ivo Teutloff from EPO and Max Snijder from the European Biometrics Group. The reason that the session was so enjoyable is that we'd each chosen to focus on different aspects of the topic. By coincidence, when I woke up and was sitting in my hotel room looking through my slides with BBC Breakfast TV in the background, the first item on the BBC news was the rise in card fraud, again. And this is in hand-in-hand with another massive increase in identity-related fraud in general.

A 40% increase in the number of people being impersonated indicates that the flat trend seen in 2008 (where identity fraud increased by only 0.06% from 2007) was exceptional. While last year's figures were a surprise, the sudden and significant increase in the first quarter of 2009 heralds an unwelcome return of identity fraud as the fraudsters' method of choice; as fraudsters assume creditworthy identities in order to swindle individuals and companies alike: stealing funds, goods and services at someone else's expense... During this quarter, a staggering 75% increase in facility takeover (also known as account takeover) frauds - where the fraudster gains access to, and plunders the legitimately obtained accounts of innocent victims - continued the steep upward trend seen throughout 2008.

[From Fraud trends and recession go hand in hand - CIFAS Online]

If biometrics could make a dent in that, you would think that banks would be rushing to implement them. After all, as CIFAS notes, the account takeover fraud explosion has been going on for some time. Plenty of time to plan and develop a biometric countermeasure, you might think.

UK account takeover fraud grows 207% year-on-year in 2008 - study [From UK account takeover fraud grows 207% year-on-year in 2008 - study]

Yet nothing much is happening. Identity theft is growing and, in the UK at least, the government's identity card scheme won't do anything to help. But why? Max made a very interesting point, which goes back to my current obsession, the "narrative". In his presentation, he pointed out that because the biometric sector had its origins in the identification problem, that is how they see the world. So they would see the retail payments problem as an identification problem, which leads to PayByTouch. On the other hand, other people (eg, me) see the retail payments problem as an authentication problem: so we need progress in what he called "anonymous" biometrics to get down to solving that particular problem. And he made a very positive suggestion that I had not considered before.

Continue reading "The long and short of it" »