About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

4 posts from July 2009

Bring it on

By Dave Birch posted Jul 29 2009 at 10:13 PM

[Dave Birch] As has been mentioned once or twice, the world of social networking provides a specific and immediate kind of weapons range for testing new ideas about identity and privacy. Facebook, in particular, seems to be developing an emergent properties space where all sorts of experiments are already under way with the identity concepts at their core already one step removed from the "common sense" view of identity. There is one class of experiment that I find particularly fascinating, and these are about matching and comparing the "grown ups" perspective against the "kids" perspective. US examples are always more acute because they involve lawsuits, so let's start there. Here's a fabulous example.

a suit was filed in Mississippi that alleges a school official—more specifically a teacher acting in her capacity as a cheerleading coach—demanded that members of her squad hand over their Facebook login information. According to the suit, the teacher used it to access a student's account, which included a heated discussion of some of the cheerleading squad's internal politics. That information was then shared widely among school administrators, which resulted in the student receiving various sanctions.

[From Cheerleader sues school, coach after illicit Facebook log-in - Ars Technica]

This follows on from other recent stories about employers demanding log in passwords for social networks and so forth. If my employer wanted my LinkedIn password, I would regard it as transparent evidence of their insanity and a clear flag that our working relationship had collapsed. But if you're a kid and it's a teacher asking, I suppose you might feel under pressure to comply with something that's obviously a breach of natural justice. Not surprising, in many ways, because it's always difficult for social mores to adjust to new technologies -- people used to be given instructions for answering the telephone -- and this stuff is still really, really new. People don't yet have a sense of what is naturally right or wrong in the new environment.

So, people in authority behave inappropriately when faced with new technology. No big surprise. But what I found fascinating about this story -- and the lesson it contains about emerging "norms" around identity in a digital age -- was the reaction of some other kids faced with the same demand.

...several other students asked for their logins simply deleted their accounts using their cell phones, preventing this sort of intrusion; the schools apparently have a filter that blocks access to its Web interface from school computers.

[From Cheerleader sues school, coach after illicit Facebook log-in - Ars Technica]

In a way, I find this heartwarming. The kids aren't stupid: they live in that world and they can distinguish their multiple virtual identities. Faced with a privacy violation that undermines a virtual identity, they slash and burn. And the school's efforts to prevent them manipulating their virtual identities are fruitless.

Doctoring the evidence

By Dave Birch posted Jul 14 2009 at 2:27 PM

[Dave Birch] Health care is a very difficult environment to deal with, and no-one can underestimate the complexity and tensions in the space. I want my health details to remain absolutely private, but if I get run over by a bus then I want the doctor in casualty to have access to everything, instantly. There are basically two ways of doing this: storing my medical details with my doctor and letting other doctors access them, or taking my details and putting them in a big database for other doctors to access. In the UK, the government has naturally opted for the big database model. But as with big database models for everything else (eg, the Children's Index) that means that privacy is hard to preserve because things will always go wrong.

Dr Paul Golik, secretary of North Staffordshire LMC and a GP in Norton-in-the-Moors, Stoke on Trent... accessed the personal details of a number of other patients registered elsewhere, including, with their consent, staff at his practice – all without being detected... ‘It’s basically open – we might as well put our names and addresses on Google,’

[From Pulse - GPs' fears over new IT security loophole]

This is apparently the Conservative Party's plan anyway.

Health records could be transferred to Google or Microsoft under a Tory government.

[From Google or Microsoft could hold NHS patient records say Tories - Times Online]

Why do health records have to be transferred anywhere? Everyone has to be registered with a GP, so let the GPs choose whichever service providers they want to store the data provided they comply with certain interface requirements. Then when I go to GP B while on holiday, he can put his smart card in his laptop and look up my health details at GP A (it would be easy to do: just make nhsnumber@gpa.nhs.co.uk autorespond with my health record in XML encrypted using the public key of the requesting doctor). Of course, there might still be ways for it to go wrong, provided people are involved somewhere. Even the Germans are having problems securing national health data, although in their cases they've buggered it up in a "fail safe" way and lost the keys so that no-one can read the data, rather than having everyone read the data, which I suppose if you're going to make an error is the better way to do it.

Test runs with Germany's first-generation electronic health cards and doctors' "health professional cards" have suffered a serious setback. After the failure of a hardware security module (HSM) holding the private keys for the root Certificate Authority (root CA) for the first-generation cards, it emerged that the data had not been backed up.

[From Loss of data has serious consequences for German electronic health card - News - The H Security: News and features]

Oops.

Isn't this stuff serious?

By Dave Birch posted Jul 10 2009 at 7:04 PM

[Dave Birch] OK, so I'm in a tiny minority but I think that security and privacy are important. I think that the state of security and privacy in the digital world demand a proper strategy, of which some form of digital identity infrastructure is a critical part. That's why I'm always glad to see the government appointing people to tackle the difficult issues around the technology infrastructure that our future depends on. When I was googling something else, I discovered that Paul Murphy is Britain's "Minister for Digital Inclusion". This is a real post, not something I made up for the blog. In addition to pottering about at UK online centres (of which there are 6,000 in the U.K.!) his brief includes "data security and information assurance". Imagine my surprise, then, when I read that:

Paul Murphy states that he is "not a technical person".

[From Minister for Digital Inclusion gets Strategic - Convergence Conversation]

Shouldn't we get someone who is?

Interdisciplinary ideas

By Dave Birch posted Jul 2 2009 at 7:03 AM

[Dave Birch] Someone mentioned iris biometrics over coffee which reminded me again that, a couple of weeks ago, I had a stimulating day out at the 2nd interdisciplinary workshop on Identity in the Information Society at the LSE. Many thanks to James Backhouse and the team for putting together such a great programme. I really enjoyed Kevin Bowyer's keynote on iris biometrics and wanted to highlight one or two of the points that he made. You can read the paper for yourself, but a few key findings were that:

  • Pupil dilation has an impact;
  • Contact lenses have an impact;
  • Sensor changes (ie, someone has been enrolled on one system and is being matched on another) have a significant impact (even when using the same software);
  • Irises change over time more than had been anticipated. The effect on false reject rates is small, but measurable.

In all of the cases, it is the match distribution that is changing: in other words, it's "fail safe" in that the system behaviour is such that false rejects go up but false accepts do not. So not too bad. But at population scale, the number of false rejects will still be enough to be noticeable and dealing with the false rejects effectively (which might mean different things in different environments) will be central to the success of schemes.
