About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons: Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


6 posts from October 2009

What a cunning stunt

By Dave Birch posted Oct 28 2009 at 9:19 PM

[Dave Birch] I am, very literally, green with envy. I count myself as a reasonably good speaker, and I try to use narrative and historical examples to explain key principles. But nothing beats a good demo, and I saw an excellent one today, one that I wish I'd thought of!

At the Intellect conference on Identity & Information in London today, Edgar Whitely from the LSE gave a terrific presentation. He was pointing out that the principle of data minimisation in identity systems is important, but he did it in a particularly arresting way.

Here's what he did.

He showed this recent newspaper photograph of the British Home Secretary, Alan Johnson, showing off his new ID card and holding it up to the camera. This version comes from The Guardian:


Alan Johnson reveals the design of the British national identity card. Photograph: Stefan Rousseau/PA

As you can see in the picture, for reasons that will be explained (though not fully) in a moment, the UK ID card has the holder's full name, date of birth and place of birth on it. These three data points are sufficient to uniquely identify the overwhelming majority of the population. So Edgar went to the Identity & Passport Service birth certificate ordering service and put in the details from the Home Secretary's card. He then paid his £10 and... with a suitably theatrical flourish, Edgar produced the copy of the Home Secretary's birth certificate that he had been sent in the post. Note that Edgar hadn't done anything wrong. As James Hall, the head of IPS who was on the same panel, pointed out, in the UK anyone can order a copy of anyone's birth certificate. He said that if you are a celebrity then hundreds of people will order copies of your birth certificate every year, which had never occurred to me. I'm sure James is right, but it does seem a little odd that people who want to commit identity theft will simply have to look at their mark's ID card to get started.

Edgar hadn't used the birth certificate to open a bank account or get a driving licence or anything, he was just making the point that if we don't adopt the right principles (eg, data minimisation) for identity systems, then we run the risk of making identity theft worse. It was a great presentation and a super stunt. Well done.

Anyone familiar with my deranged rantings about psychic ID (ie, virtually nobody) will be familiar with the general point: a characteristic of a 21st-century ID scheme is that it should only give up the information necessary to enable a transaction, nothing more or less. So, if you are authorised to ask my ID card whether I am over 18 or not, that's all it should tell you. Not my name, not my address, not my age or date of birth. Just whether I am over 18 or not and that's it.

The current ID card scheme does not have this key characteristic, not for any functional reason but because the ID card and passport were jumbled up for a political purpose -- the purpose being, as far as I know, to make it harder for an incoming administration to scrap the scheme -- that constrains the design and implementation. Since the government wants the ID card to be used as a travel document within the EU, it has to have certain human-readable information on it. That's why it gives away the key data points that make it tempting for criminals to kick-start their identity theft antics.

Continue reading "What a cunning stunt" »

Balancing security and privacy, part 97

By Dave Birch posted Oct 27 2009 at 6:41 PM

[Dave Birch] I popped along to a City Forum round table on the Information Intensive Society. I was late, because of public transport, so I didn't hear the chairman say that we were to stick to the Chatham House rule. As a consequence I started twittering what people were saying, as well as posting a picture! I apologise unreservedly -- but the medium really is the message, isn't it? Anyway, the subtitle for the meeting was "balancing security and privacy", which I think framed the whole discussion the wrong way: the subtitle should have been "obtaining security and privacy". I don't want them balanced, I want them both: this is what, to me, marks the difference between these debates in the "old" context and the "new" context.

I think this is why I found the discussion unsatisfying -- and I don't mean this as a criticism of the event, or of the organisers, even though one of the speakers actually did say "the Internet is the future". The problem is that there is a kind of assumption that privacy is an enemy of security and anyone who advocates more privacy is mutant commie scum (didn't you used to play Paranoia?). If you put forward any alternative view, then it is answered with the old "well, if you knew what I knew blah blah" and the debate goes nowhere.

Continue reading "Balancing security and privacy, part 97" »

The DNS of the industrial bourgeoisie

By Dave Birch posted Oct 19 2009 at 11:30 AM

[Dave Birch] I have a vague memory -- which five minutes googling cannot substantiate and I'm too lazy to go and find the book in the other room -- that somewhere in The Gulag Archipelago by Aleksandr Isaevich Solzhenitsyn there is mention of Stalin's desire to have a more revolutionary telephone system, where all calls had to go through a central exchange and be encrypted so that Stalin could listen to everyone else's calls but his own would be encrypted to remain secret. The prisoners with relevant skills were supposed to be designing this while in the gulag. It never worked, of course, and the Soviet Union had appalling telecommunications infrastructure as a consequence, because the communications revolution was halted by the dictatorship of the proletariat: there's some deep incompatibility between innovation and centralisation. I couldn't help thinking of this when I read about the calls by Eugene Kaspersky to have a more Stalinist internet:

The CEO of Russia's No. 1 anti-virus package has said that the internet's biggest security vulnerability is anonymity, calling for mandatory internet passports that would work much like driver licenses do in the offline world.

[From Security boss calls for end to net anonymity • The Register]

What he means by this is that he wants a technologically complicated and expensive solution to be implemented so that ordinary people are inconvenienced to the maximum while criminals can roam free (which is what would happen). Creating such an asymmetric solution is not the way forward: for one thing, who would decide what to censor?

A little local controversy involving the Church of Scientology and its critics could lead to curbs on the right to anonymity of anyone using the web.

[From Scientology seeks to squash anonymity • The Register]

We already have experience of this "solution" in the UK. Laws giving a wide variety of bodies the ability to monitor CCTV, the internet, phone calls and everything else, which were supposed to save us from international terrorism, are used by local councils to stop people from trying to get their children into better schools and to check that people are recycling enough of their rubbish. I'm sorry, but creating a world in which anyone can read anyone else's e-mail, track anyone else's web browsing and see what anyone is reading is not the way to stop Russian virus writers from taking over everyone's PCs. We need an identity infrastructure.

Continue reading "The DNS of the industrial bourgeoisie" »

Another model that the UK could try

By Dave Birch posted Oct 13 2009 at 6:18 PM

[Dave Birch] I'm going to provide a case study on the use of multi-application smart cards with EMV "chip and PIN" software on them that I think contains some useful nuggets for us in the UK to ponder over, because the case study is about combining payment (EMV) and digital signature (PKI) applications on the same card.

Identity folks will have to understand a little about the payment folks' EMV standard to understand the dynamics. There are actually three flavours of EMV, the international card scheme standard for chip transactions. These are Static Data Authentication (SDA), Dynamic Data Authentication (DDA) and Combined Data and Application Cryptogram (CDA). Most of the cards out on the streets in the UK are SDA cards without enciphered PIN (the PIN is not encrypted from the PIN pad into the card).

SDA cards are cheapest, which is why our banks issue them, but they can be cloned and used in terminals that are offline, so they are a security risk. DDA cards are not vulnerable in this way, but they are more expensive, both because the cards are more sophisticated (they have a cryptographic co-processor to handle asymmetric cryptography) and because they take longer to "personalise". Nevertheless, UK banks will have to replace SDA with DDA by the end of 2010 (indeed, Consult Hyperion work with banks to help them to migrate in a cost-effective way). CDA cards cost the same as DDA, but still need to be planned for.

For technical reasons, CDA cards are more secure than DDA cards. Why? Because CDA protects against the "wedge attack". It is possible to insert a device that would let a genuine DDA card generate a legitimate digital signature but then intercept the request for an application cryptogram and return a bogus one for a different amount to the terminal. The terminal would carry on regardless. This is not possible with CDA since both the DDA signature and cryptogram are delivered by the card at the same time.
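To make the difference concrete, here is an added toy simulation of the terminal-side check in each mode; it is not code from the original post or from Consult Hyperion. It assumes that an HMAC over constructed keys stands in for the card's RSA signature and for the issuer's cryptogram key, and that an offline terminal can verify the card's signature but not the cryptogram itself, so what matters is which data the signature covers.

```python
import hashlib
import hmac
import os

# Constructed keys: HMAC stands in for the card's RSA signature and for the
# issuer's application-cryptogram (AC) key. Only the data binding matters here.
CARD_KEY = b"constructed-card-private-key"
ISSUER_KEY = b"constructed-issuer-ac-key"
UN = b"\x11\x22\x33\x44"  # constructed terminal "unpredictable number"


def card_sign(data: bytes) -> bytes:
    """Stand-in for the card's dynamic (asymmetric) signature."""
    return hmac.new(CARD_KEY, data, hashlib.sha256).digest()


def cryptogram(amount: int, un: bytes) -> bytes:
    """Stand-in for the application cryptogram; only the issuer can check it."""
    return hmac.new(ISSUER_KEY, amount.to_bytes(4, "big") + un, hashlib.sha256).digest()


def card_dda(un: bytes, amount: int):
    """DDA: the signature covers only the challenge; the AC travels separately."""
    return card_sign(un), cryptogram(amount, un)


def card_cda(un: bytes, amount: int):
    """CDA: one signature covers challenge, amount and AC together."""
    ac = cryptogram(amount, un)
    return card_sign(un + amount.to_bytes(4, "big") + ac), ac


def terminal_accepts(mode: str, un: bytes, amount: int, sig: bytes, ac: bytes) -> bool:
    """What an offline terminal can verify: the signature, never the AC itself."""
    signed = un if mode == "DDA" else un + amount.to_bytes(4, "big") + ac
    return hmac.compare_digest(card_sign(signed), sig)


def honest_transaction(mode: str, amount: int) -> bool:
    sig, ac = (card_dda if mode == "DDA" else card_cda)(UN, amount)
    return terminal_accepts(mode, UN, amount, sig, ac)


def wedged_transaction(mode: str, card_amount: int, terminal_amount: int) -> bool:
    """The wedge relays the card's genuine signature but hands the terminal a bogus
    AC for a different amount, as the post describes."""
    sig, _ = (card_dda if mode == "DDA" else card_cda)(UN, card_amount)
    bogus_ac = os.urandom(32)  # the terminal cannot check this offline
    return terminal_accepts(mode, UN, terminal_amount, sig, bogus_ac)
```

In DDA mode the terminal's check passes whatever cryptogram or amount the wedge substitutes, while in CDA mode the same substitution breaks the signature and the terminal rejects it.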

OK, so all this is well-known, but why does it matter to the digital ID world? Well, if a bank goes to the expense of issuing DDA or CDA cards, then the presence of re-usable cryptographic software and the cryptographic co-processor means that it adds minimal cost and complexity for the card to carry an additional PKI application as well as the EMV application. Almost all of the PKI application's "guts" are already on the card because they are used by the EMV application. What's more, the card can generate its own key pairs (which is very good for security) and then, provided you have the infrastructure, third parties can sign the card's public key(s) to create a wide variety of public key certificates to deliver interesting services. The card can store these certificates if it has enough memory, or store pointers to the certificates online somewhere if it doesn't.

Here's a real example.

Continue reading "Another model that the UK could try" »

What is a "suitable" ID for banking?

By Dave Birch posted Oct 12 2009 at 5:26 PM

[Dave Birch] There was a really interesting letter in The Daily Telegraph "Money" section (2nd October). I can't find it online to link to, so I hope they don't mind me quoting a couple of chunks here. The letter comes from someone who tried to open a bank account with HSBC, but who didn't have a current passport or driving licence.

When I explained this at a branch, it was suggested that I ask the police station for proof of identity. The police officers said they had never heard of such a thing unless I had a criminal record.

[From The Daily Telegraph "Jessica Investigates", 2nd October 2009]

That can't be right: you can only have a bank account at HSBC if you have a criminal record? The disappointed would-be bank account holder went back to their branch to ask for alternatives.

The counter person showed me a list of possible documents, but, as I am not a pensioner, nor in receipt of benefits, the only item on the list she could suggest I try was to get a letter from HMRC. I duly went to the local tax office, where the assistant said she wished banks would stop sending people there... they would not waste public money providing such letters for banks.

[From The Daily Telegraph "Jessica Investigates", 2nd October 2009]

The letter goes on to list the documents that the wannabe-HSBCer had presented, and had had rejected by the bank: an out-of-date passport, a birth certificate, a current payslip from an employer (the local council, for whom the person had worked for more than two decades), a work ID card (complete with microchip), utility bills, statements from another bank, house deeds and a voting card. Any one of these would have got you a job with the bank, but not, it seems, an account. Identity is broken, and the Conservative plan to scrap the national ID card scheme is as bad as the government's plan to keep it. What this country needs is a working national identity infrastructure.

Continue reading "What is a "suitable" ID for banking?" »

"Identity" theft and identity theft

By Dave Birch posted Oct 1 2009 at 10:02 PM

[Dave Birch] There's a fascinating, but slightly creepy, category of issue that makes for a good acid test of proposals for population-scale identity management. How does the "system" recover when an identity really is stolen? If there's another you out there, if you have an evil doppelganger, if an ex-partner is taking revenge... if there's someone out there who is pretending to be you (in fact, in virtual terms, is you) then who do you call? And when you call them, what are they going to do? This is a complicated issue. How do you establish that you really are you? And once you have established this, what do you do with the compromised virtual identity?

Continue reading ""Identity" theft and identity theft" »