About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion


License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


6 posts from September 2009

The ten minute version

By Dave Birch posted Sep 29 2009 at 9:07 AM

[Dave Birch] A diversion. I filled in a questionnaire about digital identity (for reasons not germane to this post) so I thought it might be mildly interesting to post my answers and see if they attract any comment.

  • Who are you? (Name, job role and organisation)
  • Dave Birch, Director, Consult Hyperion
  • What does the term ‘digital identity’ mean to you?
  • It's the bridge between virtual identities that exist only inside computers and things in the real world.
  • Is your digital identity ‘you’? Why? You may also want to comment on whether your ‘digital identity’ is an individual understanding or composed of group, community and organisational identities?
  • My digital identity isn't me, although it may be created by me. In general use, I imagine that people will have a small number of digital identities, just as they have 3 or 4 credit and debit cards, but each of these may support a large number of virtual identities. These virtual identities will, by and large, embody relationships.
  • What skills and competencies do we need to manage our digital identity?
  • We need to implement the "front end" in familiar ways while hiding the OpenID, PKI and all the rest of it. It should be a simple matter of "who do you want to be today" and choosing from a menu on your mobile phone screen. I do not believe that the average person has either the competencies or, frankly, the inclination to manage their identities (and privacy) properly, so we (ie, responsible professionals) need to construct an infrastructure that will do it for them.
  • What do you see as the current issue/s of concern surrounding digital identity?
  • The tension between the unlimited possibilities of technology and the limited vision of politicians, regulators, designers. Since virtual identities do not behave as mere electronic simulations of "real" identities, but can in fact do far more, we need people with vision who can understand what technology can deliver.
  • What do you see as future issue/s of concern in the area of digital identity?
  • Managing multiple digital identities in ways that make sense, so that there's a narrative around identity and privacy that can underpin future social, commercial and government relationships.
  • Which tools and services do you use to manage your digital identity? For example do you separate personal and professional identities?
  • I do separate personal and professional identities. I have different e-mail addresses, different blogs and now different OpenIDs. Sometimes I even comment on things anonymously. Personally, I think this is a natural way to work -- my kids do it implicitly when they IM me, e-mail their grandma and Facebook their friends.

I expect my responses were a little different from most people's, partly because I spend a lot of time thinking about this sort of thing but also partly because I have quite a strong model of the relationship between real and virtual identities and I locate digital identity there.

Who says?

By Dave Birch posted Sep 23 2009 at 10:05 PM

[Dave Birch] According to a letter I saw a while ago in The Daily Telegraph, British supermarkets won't accept British armed forces ID cards as proof of age, but they will accept foreign ID cards that they cannot read. Or not. It depends what for.

The student's French ID card was not deemed to be sufficient proof of her age for the staff at Sainsbury's, even though the chain does accept the card from foreign workers who wish to work in the UK.

[From Sainsbury's denies French student]

So you can use your foreign ID card to get a job at Sainsbury's but not to buy a bottle of champagne. Bizarre, but predictable: this is what happens when we jumble up credentials and identification, absent any well-formed rules for understanding or verifying them. It reminded me of the discussion from a few weeks back concerning the distinction between actual security and security theatre. Here's a simple example: you go to open a bank account and the bank asks to see identity, so you show them a passport. If it is a British passport, they can phone a Home Office hotline to see if it is real, whether it has been reported stolen and so forth. If it is, say, a Bulgarian passport, they cannot possibly tell whether it is real or not, so they just photocopy it and file the copy away somewhere, just as the British Attorney General should have done with her maid's work permit (since it is an offence not to keep a copy of such documentation). Thus, if you are a criminal then you will always choose to use a Bulgarian passport. Honest citizens are inconvenienced, criminals aren't. This isn't so much security theatre as security pantomime, as the BBC have highlighted.

The banks are worried it is still too easy to use a counterfeit passport from abroad to open a bank account, or to get an overdraft or credit card.

[From BBC NEWS | Business | Fake passports prompt fraud fear]

Well, I suppose they could always not open the account unless they can understand and verify the identification documents. The fact is, it's really, really hard for anyone to understand foreign credentials of any kind. Remember the amusing story of the mystery Polish serial traffic offender being tracked by the Irish police?

It was discovered that the man every member of the Irish police's rank and file had been looking for - a Mr Prawo Jazdy - wasn't exactly the sort of prized villain whose apprehension leads to an officer winning an award... Prawo Jazdy is actually the Polish for driving licence and not the first and surname on the licence.

[From BBC NEWS | Northern Ireland | The mystery of Ireland's worst driver]

This does nicely illustrate a key advantage of digital identity over physical identity: this would never happen. If my reader can't understand your card, that's the end of the discussion. There's a nice binary outcome. Where the results depend on human interpretation of shades of grey, surely the system will always throw up crazy outcomes.

An innocent South Tyneside man was arrested because his MoT certificate was a paler shade of green. Michael Cook, from South Shields, had gone to the Driver and Vehicle Licensing Agency (DVLA) centre in Newcastle to renew his car tax. Staff thought his two-week-old MOT certificate was a forgery because it was a lighter shade than his previous one, and the police were called.

[From BBC NEWS | England | Tyne | Arrest over wrong colour MoT form]

Essential to a functional identity system, then, is a cheap and simple "box" for checking whether the card is valid. You put your French ID card, British Forces ID card or Tesco Clubcard into the box at the checkout and the light goes green or red. That's it.


Extracting the P

By Dave Birch posted Sep 18 2009 at 2:47 PM

[Dave Birch] Forum friend Toby Stevens of EPG started something of a discussion by putting forward a few conjectures about what might happen to the UK identity card and passport schemes, systems and structures come the expected opposition victory in the forthcoming general election. I don't want to say anything about the rights or wrongs of the current schemes, systems and structures but I want to comment on an observation about the current situation. There is no engineering, technical or security reason for the "I" and "P" to be together in the Identity & Passport Service (IPS). As far as I am concerned, the ID card and the Passport are conceptually distinct. The British government might in time issue ID numbers to everyone on the planet, all six or seven billion of them, because the purpose of the ID scheme is to record that you are known, uniquely, to the British government. That's all. It's a mistake to mix a jumble of biographical details, pointers to government records and other things into the same records. There may be some credentials attached to it that you may want to demonstrate to third parties (eg, you have the right to work in the UK, you are over 18, you are registered in the government's new Independent Safeguarding Authority database -- the IS_NOT_PAEDOPHILE attribute) but these are not part of the database. On the other hand, a passport means that you are a British citizen and can travel overseas (and other countries might want to put visas in it, which is another distinguishing characteristic). There will be people who have ID cards but not passports and vice versa. But they both have to be unique. So what to do?

4D Secure

By Dave Birch posted Sep 16 2009 at 8:42 PM

[Dave Birch] One of the things that I thought might happen this year is that the US government standard for ID cards might begin to spread into the commercial sector, simply because of the impact of standardisation. I wasn't the only person who thought this, by the way.

In 2009, common access card programs will get another chance to conquer the enterprise market due to the government’s drive to implement PIV cards for all employees and contractors, the availability of standards and compatible products, the spread of standards beyond the federal government to state and local entities as well as government-linked enterprises. Most importantly, security convergence will finally receive market traction.

[From ContactlessNews | Look for renewed interest in enterprise common access card programs in 2009]

I should say that I thought this was a good thing. The PIV might not be an exact match with some corporate requirements, but on the other hand a standard means lower costs and an emerging ecosystem. So, if we want to improve corporate security, do we start designing our own, optimal solution, or go with the grain of what's out there on the basis that it's much, much better than nothing?


What identity is important?

By Dave Birch posted Sep 8 2009 at 5:46 PM

[Dave Birch] A couple of days ago I was in a discussion concerning the discrepancy between what enlightened experts (eg, me) think about identity management and what governments, civil servants and IT vendors think about identity management. One of the points I made, which I think I can defend, is that the "common sense" notion of identity, rooted in our pre-industrial social structures and pre-human cortex, is not only not very good at dealing with the properties and implications of identity in an online world but positively misleading when applied to system and service design. The fact is that virtual identity and "physical" identity are not the same thing, and they differ in ways that we are only beginning to take on board. Here's an interesting reflection on the difference between physical and virtual identity.

I used to work on campus 5 days a week, but working at home more has coincided with the advent of blogs and twitter. My professional and personal profile on campus is now much higher than it was when I attended every day, but largely sat in my office, and occasionally ventured out for coffee.

[From Establishing Our Online Identity « Ramblings of a Remote Worker]

Interesting. An online identity in a context that makes it worth more than an offline identity, because it is more connected. The Facebook economy, so to speak. Which leads me on to...


Good morning, thing

By Dave Birch posted Sep 2 2009 at 9:16 AM

[Dave Birch] OK, so I know it sounds spooky and people are uncomfortable with RFID-at-a-distance, but there would be some advantages to being "recognised" by machines. Think about the subject from a customer service perspective rather than a security, spying and generally creepy perspective. As, in fact, some people already have been.

The Financial Services Technology Consortium (FSTC) today announced the launch of a project whose goal is to help member banks adopt radio frequency identification technology (RFID).

[From FSTC | Financial Services Technology Consortium - Press & Articles]

Why would banks want to do that? Well, it is relatively easy to implement vicinity (let's say up to a couple of metres) read-only functionality alongside the proximity (let's say up to a couple of centimetres) read-write functionality used in contactless identity cards, bank cards and NFC phones. The chip sets are readily available. Handled correctly, this is something that a great many customers would appreciate.

Imagine a world where, when you walk into your bank, messages and adverts pop up that address you by name.

[From What high street banking will look like in 2020]

While The Times might see this as something for 2020, more technologically advanced nations are already experimenting with the technology:

Now "Yes Bank" which is a commercial bank operating out of India has been piloting an RFID system so that bank employees can identify these rich fat customers and offer them personalized services. Under the pilot RFID banking cards have been offered to select customers apart from deployment of RFID interrogators and customized gate antennas at bank premises... The moment the elite customer arrives in the bank his details are flashed on the system which enables the relationship team to identify the concerned person so that they can accord him services in the best possible manner.

[From The RFID Weblog: RFID being used to give preferential treatment to rich clients in Indian banks]

I can readily imagine using a Tesco Clubcard with this technology, or a BA Executive Club card or a transit card. As a consumer, I want to get better service where possible and the idea that everything from shopping cards to airport display boards might know who I am and deliver personalised service because of that is rather appealing. At least, it's rather appealing provided that my identity is managed properly and my privacy is assured. This could be done at a physical level: you might, for example, have a Clubcard that only functions when you press a button on it.

This system creates a tiny, ultra-thin, pressure sensitive switch "which ensures that the device can only be read when the owner is pressing the switch", said Peratech.

[From British firm develops RFID security technology to prevent ‘skimming’ | 20 Aug 2008 | ComputerWeekly.com]

Well, I can see how that might work for a card, although it seems a bit of a hassle in practice. But what about other form factors, particularly form factors that might make it difficult for someone to physically reach the switch? For example:

In times where a lot of hue and cry is being raised over injecting humans with RFID tags here is a video of a guy who seems pretty cool about injecting RFID chip in his hand

[From The RFID Weblog: The Do It yourself Guide to implanting RFID Chip in your hand]

Connecting things up is easy, but disconnecting them is hard! The solution, surely, is not down at the physical layer but in the logical layer above it. Extending the future digital identity management infrastructure to the Internet of things has to be the way forward and, if properly designed, such an infrastructure could deliver more, I think, than many people imagine. In particular, such an infrastructure could protect privacy through the judicious use of cryptography rather than through codes of practice or goodwill.