About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


7 posts from December 2009

Imperfect crime

By Dave Birch posted Dec 24 2009 at 10:15 AM

[Dave Birch] Some years ago at the Digital Money Forum, Richard Bartle from the University of Essex characterised the economy of virtual worlds as "people buying things that don't exist from people who don't own them" which was, frankly, a brilliant summary. There is also, sadly, a class of people stealing things that don't exist from people who don't own them and this is a crime, so it was with great interest I read that

A British man has been arrested and cautioned for stealing accounts for online game Runescape... A statement from the Police National e-crime unit said: "A 23-year-old man was arrested in Avon and Somerset... on suspicion of a number of computer misuse offences."... Once hi-tech thieves have these credentials they plunder the accounts, strip characters of their items and sell off the rare virtual goods for Runescape gold.

[From BBC News - Runescape creator pursues 'phishing thieves']

This is real identity theft. If criminals somehow get into my bank account and spirit the money away, I don't really care because it's the bank's problem and they will give me the money back. But if the criminals take over my Runescape character, that's a real personal violation. As I said before

a bank can easily restore my money, but it's much harder for Facebook to restore my reputation (apart from anything else, a reputation takes time to build). Which is the worse crime?

[From Digital Identity Forum: What identity is important?]

It's the latter, clearly. So perhaps the "standard" use case for strong authentication should be switched from logging on for home banking to logging on to Facebook, which takes us into the world of OAuth and OpenID instead of EMV and OTP. In this world, there's already plenty of work going on around authentication, credentials and federation that could provide key portions of the infrastructure that we know that we are going to need in the mass market.

Continue reading "Imperfect crime" »

Fit and counterfeit

By Dave Birch posted Dec 24 2009 at 10:15 AM

[Dave Birch] When the first Bank of England banknotes were issued in June 1694, they must have seemed pretty secure, with their fancy engraving and the handwritten signatures. It must have been a bit of a shock in August 1694 when the first counterfeits were detected. Or should I say that the first counterfeits bad enough to be detected were detected. One of the problems that plagued the Royal Mint at that time was that the machinery to make notes and coins was being stolen by corrupt employees and sold to the criminal underworld. The machines were not really producing counterfeits, because they were the same plates and dies as those being used in the mint; they were producing unauthorised versions. Banknotes have evolved a bit since then, but given the regularity of the stories about North Korean "supernotes", the counterfeiters have kept pace.

North Korea has been producing “super notes,” counterfeit 100-dollar bills practically indistinguishable from legal tender, even since 2007 when the U.S. released North Korea from financial sanctions. North Korea has also tried to bring some of the notes into South Korea.

[From Daily NK - Super Notes Still in Production]

There's no need to get Korean ultraforgers on board so far as the new UK national identity card goes. In fact, our indigenous forgers have been doing an excellent job, selling first-class forgeries of the UK ID card even before the UK ID card existed. Why they are bothering is not entirely clear.

Darren McTeggart tried to use the £30 card to pick up a replacement credit card from a branch of Santander – formerly Abbey – in Manchester, where the scheme was rolled out on a voluntary basis last year. Mr McTeggart, one of the first people to get the card, said: “They said it was not on their list of approved ID.

[From Man can't prove ID with ID card - Telegraph]

I'm sure this is just a hiccough. But how are indigenous ultraforgers creating their dastardly fake ID cards? Are they breaking into the government's factories and stealing the chips? Have they got corrupt insiders working for them? Sadly, nothing that interesting. It's apparently so easy to forge documents like this that the police are now asking the companies who sell printers to report suspicious customers, much as banks have to do when opening new accounts.

U.K. police are trying to get wider participation from printer manufacturers and makers of specialist equipment in a voluntary program designed to cut off criminals from the tools they need to make fraudulent passports and ID cards.

[From UK Police Engage Print Industry to Stop Fake IDs - PCWorld Business Center]

Oh come on. You can't seriously tell me that criminals can just walk into PC World and buy printers that can produce a fake ID card? I don't believe that for a moment. Oh, wait...

The Met has shut at least 20 [fake ID] “factories” in the last 18 months and believes more than 30,000 fake identities are in circulation. Police examined 12,000 of them and established they were behind a racket worth £14 million. One £750 printer was withdrawn from sale at PC World after detectives revealed it could produce replicas of the proposed new ID card and EU driving licences.

[From Police war on fake ID factories as fraudsters net millions | News]

Whoops. I'm sure this isn't what former Home Secretary David Blunkett had in mind when he outlined his plans for the national ID card way back whenever.

Continue reading "Fit and counterfeit" »

ID and payments

By Dave Birch posted Dec 23 2009 at 10:15 AM

[Dave Birch] At ID World, Jan van der Sluis from Unisys made a very good presentation pointing out that the future of payments and identity are intertwined, a point that often underlies some of the threads here and at the Digital Money blog. You might even go further and say that the future of payments is the future of identity: one could envisage -- whether you think it a good idea or not -- a simple universal payment scheme that is linked to a single universal identity, a kind of galactic PayPal in which everyone participates. There are undeniable efficiencies to such a proposition, with instantaneous and very, very inexpensive payments a key element. If all payments were effected by the change of a few bytes in a database, surely everyone would be better off?

This is hardly a new idea. The paleo-future of ID cards has often encompassed universal payments. Nothing is new under the sun or, in one case, under the Sun News, since the Las Cruces Sun-News in New Mexico ran this piece by Jack Lefler about the possibility of a cashless society more than 40 years ago:

Some bankers envision a nationwide system in which a single identification card would be used in place of all checks and almost all cash.

[From Paleo-Future: A Cashless Future Society? (1968)]

Off the top of my head, I can immediately see three different ways to achieve this ancient vision:

  • decoupled debit (link the ID card to a bank account and process transactions through the bank networks);
  • multi-applications (put a bank payment application on the ID card chip), or
  • e-money (create a pre-paid national e-purse that can be accessed using the ID card).

Now for many reasons, some of which I have written about before, that middle option is far from optimal because the complexity and co-ordination problems outweigh any benefit (you don't want criminals stealing ID cards, for example, when what they really want are payment cards). But suppose we decided to implement one or other of the other two?

Continue reading "ID and payments" »

What's in-store?

By Dave Birch posted Dec 8 2009 at 4:26 PM

[Dave Birch] I was looking something up and came across a post that I'd made about a report from TNS Global on the "New Future in Store" and I noticed that of a list of new technologies that they interviewed the European public about, fingerprint payments were rated top. This struck me as incongruous, given the commercial failure of fingerprint technology-based payment systems at POS, including in Europe.

Albert Heijn has currently decided not to follow up on the trial, citing ‘security issues and vulnerability to fraud’. The participants however were enthusiastic about the payment method and applauded the fact that they could complete their purchases without needing their debit cards, cash or loyalty cards.

[From The Paypers. Insights in payments.]

There was a similar trial in the UK, with the Co-Op, that was similarly discontinued. That's not to say that biometrics are of no interest to retailers, because there are some processes that can be greatly improved through the use of the technology.

The Co-operative Group is to use fingerprinting machines to track staff hours. The society plans to install biometric data collection terminals in its food stores over the next two years to record the working hours of its 55,000 staff.

[From thegrocer.co.uk | Articles]

This illustrates a general point from my talk at Biometrics 2009, which is that the commercial payback on biometrics as part of an overall identity management strategy looks much better when it comes to "staff" applications rather than "customer" applications. That's not to say that biometrics will not become a customer choice in the future.

Continue reading "What's in-store?" »

Digital division

By Dave Birch posted Dec 7 2009 at 8:22 PM

[Dave Birch] There was yet another debate about the "digital divide" in London, featuring the British government's technology tzarina, Martha Lane Fox (note for foreign readers: Martha Lane Fox was a co-founder of the famous internet enterprise Lastminute.com), who is charged with forcing a recalcitrant populace -- one-sixth of Britons say they don't want the web -- to log on to things. There are 10 million people in Britain who have never been on the Internet and the Digital Inclusion Task Force has to get 4 million of them "online" by 2012, otherwise... Actually, I don't know what the "otherwise" clause is, so had better move on.

At the debate, they were (essentially) talking about the divide between people who order books online from Amazon and people who don't, and I'm sure this is an important topic, but I'm not that interested in it. I once got into trouble in a meeting with a public sector customer because I said that people who weren't on the web generally didn't want to be, and since they could clearly afford Sky television and mobile phones, I didn't think that it really mattered that they chose not to buy broadband. But I digress.

Is there an interesting, and more important, digital divide? Yes, there is. And it's the digital divide between the developed world and the developing world. But it's not what you think and, as Tomi Ahonen frequently points out, it's got nothing to do with "one laptop per child" or submarine cables for internet access.

In the Industrialized World we have TVs, PCs, FM radios, fixed landlines and mobile phones to consider and compare and use and more than half of the population has one of each of those. In the Developing World, the only technology that reaches half the population is mobile telecoms, and all others are tiny in comparison. For the Emerging World, mobile is not only the first screen it is literally the only screen.

[From Communities Dominate Brands: The Digital Divide in Numbers: TVs, PCs, Internet users, Mobile around the world]

If we are going to deliver services to the mass of people in the developing world, services that are going to improve the lives of the mass of the population, then we need to focus those services on the mobile channel.

  • The mobile device will be the primary connection tool to the internet for most people in the world in 2020.
  • The transparency of people and organizations will increase, but that will not necessarily yield more personal integrity, social tolerance, or forgiveness.
  • Voice recognition and touch user-interfaces with the internet will be more prevalent and accepted by 2020.

[From Pontydysgu – Bridge to Learning » Blog Archive » Digital Identities and Social Relations]

This seems like a reasonable projection given current trends and a bit of imagination and, personally, I think that the issue of transparency may well have the most impact, changing both businesses and government in ways that we haven't taken on board yet but that's an issue for another day. But take these points on board, particularly the reinforcing synergies between the mobile phone as the device, the mobile phone as the tool for opening up organisations and the mobile phone as locus for the voice interface (which, together with voice authentication, will transform identity and authentication).

Continue reading "Digital division" »


Trans-mission

By Dave Birch posted Dec 3 2009 at 10:22 PM

[Dave Birch] Should people be allowed to have "anonymous" prepaid mobile phones (well, SIMs) or not? It's a simple question, but a complicated subject. And it's worth exploring because it helps us to have a real, focused discussion about practical privacy and security issues. The subject came up because of one of the current hot topics in the UK, which is the government's proposed "crackdown" (although "crackup" might be a better description) on the authorised copying of copyright material. Once the government has disconnected most broadband users in Britain through the "three accusations and you're out" policy, many desperate internet addicts will be driven to using mobile connections to continue online banking, reading about "I'm a celebrity get me out of here" behind the Murdoch paywall and playing World of Warcraft. At which point, the mobile operators will come under pressure to start disconnecting people as well. But as the always spot-on mobile industry analyst and Forum friend Dean Bubley notes

"On one hand, the government's trying to encourage internet connectivity — bridging the digital divide — but a lot of people in lower socioeconomic groups are on prepay, and the vast majority are anonymous," Bubley said

[From Mobile industry 'cannot identify pirates' - ZDNet.co.uk]

So the mobile operator won't be able to turn over the name and address of the supposed copyright pyrate. When the letter from Apple Corporation arrives at Vodafone asking them to turn over the name and address of the person who downloaded "Love Me Do", Vodafone won't be able to tell them (so presumably Vodafone will then be found in contempt of court or something and their internet access will be turned off).

So what to do? Well, one approach (followed in many countries) is simply to force all prepaid phones to be registered with the authorities. In the UK, the government might use its splendid new national identity register, for example, to ensure that all prepaid phones have a passport or national identity card connected to them. And, as in Spain, take immediate action against those terrorists, money launderers, child pornographers and criminals who refuse to do so.

Spanish mobile operators last night cut off an estimated three to four million pre-pay mobile phones whose owners had not followed government instructions to register their devices.

[From Spain cuts off 3m pre-pay mobiles • The Register]

I can see exactly why law enforcement and government agencies object so strongly to anonymous mobile phones (although they still allow people to post letters anonymously) but I think they are wrong to react in this way. The truth is, the criminals will just use other people's phones and will be even harder to track and trace than they were before.

Consider the most prosaic of examples. Where I live, in a deprived part of Europe called "Surrey", a window in the house opposite to ours was smashed by a gang of feral youths. Sadly, we didn't see this happen so we were unable to assist the local constabulary. But suppose I had seen it happen? I have, currently, four prepaid mobile phones about my person (they are used for various demos and experiments for work) so I would have just picked up one of these phones and called the police with the details of the incident and a description of the yobs.

But now suppose that my prepaid phones were now connected to me through the national identity register? Now there's no chance that I will pick up one of them and report the crime, because I'd be worried that my name and address would get (via the police or the database) to the gang in question.

This may be a silly example, but from battered women to corporate whistleblowers there are plenty of good reasons for allowing anonymity. We need this to be part of the infrastructure.

All this does prove, though, that there is a legitimate place for digital anonymity, and I hope that any identity management system required by the US government and others will allow anonymity and not prevent it.

[From Tech and Law: Technology, domestic violence, anonymity]

Note the important qualification here: there is a legitimate place for "digital anonymity". I would go further than that and say that without digital anonymity, we are creating the wrong kind of infrastructure for a successful and prosperous society. Now, your web site may choose to allow or decline access by digitally known, pseudonymous or anonymous identities. If you are a web site discussing Iranian democracy, you may well insist on the latter. If you are a government department, you may insist on the former. The infrastructure must cope with both.

Continue reading "Trans-mission" »


Collision

By Dave Birch posted Dec 2 2009 at 4:28 PM

[Dave Birch] Here at Consult Hyperion we've recommended to more than one non-US customer that they look at specifying PIV solutions. Why? Because PIV does almost all of what they want, and the cost and integration advantages make it a better short- to medium-term solution. But there's another less tangible reason for being interested in it: because once the US government has chosen something as a "standard", then that is where the energy will go, because the suppliers are rational people. The seal of approval is very, very important. Which is why I'm not the only one who has been reflecting on just how significant the US government's support for OpenID is. When this support was announced, Bob Blakely highlighted just how important an announcement it was.

But the identity world had its own big news today; the news is that the US Government has teamed up with the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, and InCommon in creating the Open Identity Initiative.

[From Burton Group Identity Blog: US Government Identity News]

I was involved in some discussions with a government department a few months ago -- long before the US government announcement -- during which I suggested opening up some public services using OpenID. My reasoning was that we could experiment with "soft" OpenIDs provided by (to consumers) familiar services. If you asked a customer to log in to the DVLC using their Facebook "Identity", then I'm sure they would manage to do this with little training and no mention of trust infrastructures and the like. Once they are comfortable with this, then you can restrict access to "hard" OpenIDs (by which I mean 2FA OpenIDs).

The central point, though, was that the government could help to create an identity infrastructure built on a diverse selection of "private" digital identities. I think that, as Burton note, the US government's decision signals a genuine paradigm shift in this direction, a genuine change in the mental model around identity.

after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities

[From Burton Group Identity Blog: US Government Identity News]

Personally, I think that the government ought to be a "gold standard" identity provider as well as an identity consumer, but that's another issue.

Continue reading "Collision" »