About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion




    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


4 posts from January 2010

In a bit of a State

By Dave Birch posted Jan 26 2010 at 7:57 AM

[Dave Birch] If you build a stable door, then one day you will inevitably find yourself locking it while your horse disappears over the horizon. There's been no better illustration of this in recent times than the hullabaloo about Google in China. Apparently, Chinese "hackers" found it rather easy to break into the e-mail accounts of human rights activists and so forth, because Google had been forced to build a system to do precisely that.

That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

[From Google attack part of widespread spying effort]

So companies are forced to build a stable door, and then when the inevitable happens, people appear shocked. The root problem is, naturally, that there is no underlying strategy: we fight using the technology of the next war but the tactics of the last one, as someone once said but I couldn't find out who by googling. If you want proof of this, you need only consider the US government's official response to the incident in a speech by the Secretary of State, Mrs. Clinton, that confirmed one of my most basic criticisms of government policy in this cyber age:

The speech made it obvious that State Department officials do not have a coherent view on online anonymity. On the one hand, they want to crack down on intellectual property theft and terrorists; on the other hand, they want to protect Iranian and the Chinese dissidents. Well, let me break the hard news: You can't have it both ways and the sooner you get on with "anonymity for everyone" rhetoric, the more you'll accomplish.

[From Is Hillary Clinton launching a cyber Cold War? | Net Effect]

In fact, US (and other governments') policy in this area isn't just confused and pointless, it's actually dangerous. While I was googling for references, I discovered that the always sensible security expert Bruce Schneier had used this story to make the same point.

The news here isn't that Chinese hackers engage in these activities or that their attempts are technically sophisticated -- we knew that already -- it's that the U.S. government inadvertently aided the hackers.

[From U.S. enables Chinese hacking of Google - CNN.com]

You can't have privacy without security, as the relatively old saying goes. Ah, you might object, but there's a greater good argument: security without privacy is the only way society can fight the bad guys. We must be able to read people's Google mail accounts because we need to track down criminals and terrorists. And, indeed, this is sort of true. If you know that Osama bin Laden is sending me e-mail, then you might want to investigate me a little further. And I imagine that obtaining the contents of all of my e-mails, from Google, might be a convenient way to do it (although, of course, if I am a terrorist and I know that government is able to read my mail, then I will send misleading e-mail and use an alternative secure channel to conference my confederates). Anyway, you think I'm a bad guy so you want to be able to go to Google and get all my mail. This already happens, in fact.

Prosecutors obtained a CD-ROM disk from Google Inc. this week of Mr. Tannin’s e-mail messages from Nov. 20, 2006, through Aug. 12, 2007. The two funds collapsed in June 2007. Mr. Cioffi, 53, and Mr. Tannin, 48, were indicted for fraud, and Mr. Cioffi also was charged with insider trading, the first managers accused of criminal charges from a company that collapsed in the financial crisis. The hedge funds’ failure cost investors $1.4 billion.

[From E-mail Shows Fear of ‘Blow-Up Risk’ at Bear Fund - DealBook Blog - NYTimes.com]

To be honest, I'm not sure what the fuss is about. If you send something in an e-mail, then as far as I am concerned you have no reasonable expectation of privacy. If you wouldn't put it on a postcard, then you shouldn't put it in an e-mail (was it Phil Zimmermann of PGP who first said that?). If these hedge fund guys really wanted to send secret messages to each other then they could have used anonymous comments on an obscure blog, rolling IM accounts changing in a pattern known only to them or, ahem, encryption. Haven't they ever watched the world's best TV drama, "The Wire"?

So I'm not saying that prosecutors shouldn't try to go and get these e-mails. But should they get them from Google? I have a book on my shelf somewhere -- the title won't come to mind -- which says that, essentially, the government doesn't regulate books because it can't and it does regulate TV because it can (this was a few years ago). Surely this is what is going on here. It might be harder to nail those guys without a copy of their Google e-mail, but is it plausible that without the Google e-mail they will get off? Well, in this case they got off because of the e-mails, as far as I can see.

the prosecution blew it — on two counts. First, in devising the original indictment for conspiracy and securities fraud against the two defendants, Ralph Cioffi and Matthew Tannin, it relied on damning snippets of lengthy e-mail messages that when viewed in their entirety proved to be highly ambiguous. Second, the prosecution made a reductionist opening argument claiming the men were nothing more than out-and-out liars, needlessly raising the bar in terms of what it had to prove to jurors

[From Bear Stearns Trial: How the Scapegoats Escaped - DealBook Blog - NYTimes.com]

Suppose you are a policeman. If Osama bin Laden is sending me e-mail every day, but you can't get the contents of those e-mails from Google or BT, is that worse for society than Osama bin Laden being able to read all of your e-mails? The mere fact that I'm getting e-mail, text messages or care packages from a cave in Afghanistan is enough for you to put me under surveillance, and from then on other methods can take over. Look, I don't know what the answer is either, but I do know that there is a question, and therefore I understand that there is a danger.


Indian summer

By Dave Birch posted Jan 11 2010 at 8:16 AM

[Dave Birch] The Indian government has ambitious plans to issue a billion Unique Identifiers (UIDs) in the next few years, thus creating a national population register. There were many reasons for this, but one was social inclusion.

The upper and middle classes have many forms of identity but the poor often have none

[From ‘The idea is to be inclusive. The upper and middle classes have many forms of identity but the poor often have none’]

This is something that can get overlooked in the discussion about identity cards. One of the reasons why an identity card of the type conceived by the British government is so uninteresting to people like me is that I already have plenty of other forms of primitive identity documentation (ie, identity documentation that doesn't work online) such as a driving licence. So the marginal benefit of an additional expensive mini-passport is vanishingly small. But if I didn't have something like a driving licence, then how could I prove who I am? This may not matter when my horizon extends no further than my village. But suppose I want to get a mobile phone, or a mobile money account, something that will improve my lot in life significantly? Then the lack of documentation is a real barrier and means exclusion. Yes, of course the security services and law enforcement agencies want a national ID register, but the issue about the relationship between identity and inclusion is genuine, and important.

Lamenting that lack of identity proof often resulted in harassment and denial of services to the poor and marginalised, Prime Minister Manmohan Singh on Wednesday urged all ministries and departments to support the initiative to provide a unique identity number to all Indian citizens in order to improve the delivery mechanism of the government’s pro-poor schemes and programmes.

[From Back UID scheme for sake of poor: PM to ministries]

A great deal of government help targeted at the poor never reaches the intended recipients.


Jorge Krug, Banrisul

By Dave Birch posted Jan 5 2010 at 12:34 PM

[Dave Birch] Jorge F. Krug is the head officer of the IT Security Division of Banrisul, State Bank of Rio Grande do Sul, Brazil, and has a seat in a number of IT associations and committees, including Brazilian Bank Association (FEBRABAN)’s Digital Certification Committee, Sucesu-RS (Society of Computer Science and Telecom Users of the Rio Grande do Sul State), ASBACE (Brazilian Association of State and Regional Banks). Mr. Krug is also the head of AC-RS (Rio Grande do Sul State Digital Certification Authority). In this podcast he talks about the introduction of the Banrisul EMV card with PKI on board, a project previously discussed in detail on this blog.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.


Body surfing

By Dave Birch posted Jan 4 2010 at 9:24 PM

[Dave Birch] At the excellent Mobile Industry Healthcare Summit in London I saw some very good presentations about the impending revolution in the health sector as wireless technology of one form or another begins to miniaturise, power-manage and self-configure. It's that internet of things again, with everything talking to everything else, this time connecting patients, machines, doctors, medicine and everything else.

I was particularly interested in the low-power (under 1 V), short-range (a couple of metres) "body area networks" that are under development by a number of companies (such as Toumaz, for example). I think I will amend the Consult Hyperion technology timeline that we use to help customers to plan their IT strategies so that it separates personal area networks (PANs) from BANs from now on, especially as a new standard (IEEE 802.15.6) is under development for BANs and is expected sometime in 2010. The driver for this is that PANs require too much power (the "smart bandage" that I saw at the event has a 7 day lifetime with no external power) and the PAN protocols do not handle the requirements of the sector terribly well. The BAN protocol is specifically designed for low data rates and intermittent connections and will one day connect your pacemaker to your iPhone to your insurance company.

They're not here yet, but these things will come, and I rather like the idea of my band-aids chatting to each other and dropping a note to my doctor if things aren't healing properly. Of course, I would expect their communications to be encrypted and digitally signed, since I wouldn't want counterfeit medical equipment in the loop. But I'm sure the technology will be used for other things as well: some positive (helping monitor fitness regimes) and some stupid (such as having your body and your clothes have a dialogue).
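The expectation in the paragraph above, that a bandage's readings are signed so that counterfeit equipment cannot feed data into the loop, as an added example that is not from the post, from Toumaz or from the IEEE 802.15.6 work: each sensor holds an Ed25519 key provisioned at manufacture and signs every reading; the patient's hub (the "iPhone" in the post) accepts a reading only if the device is enrolled, the payload verifies under the enrolled key, and the sequence number is newer than the last one accepted. The message layout, device identifiers, and the hub API are all invented for this example and are not a real 802.15.6 frame; it covers the "digitally signed" half of the author's expectation, and confidentiality (the "encrypted" half) would be layered on separately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Reading is one telemetry message from a body-area-network sensor such as a
// "smart bandage". The layout is invented for this example, not an 802.15.6 frame.
type Reading struct {
	DeviceID string
	Seq      uint32 // per-device counter so the hub can detect replayed messages
	TempC    int16  // wound temperature in hundredths of a degree Celsius
	Sig      []byte // Ed25519 signature over encode()
}

// encode returns the canonical bytes that are signed: every field except Sig,
// with an explicit length prefix and fixed-width integers to avoid ambiguity.
func (r Reading) encode() []byte {
	buf := make([]byte, 0, 1+len(r.DeviceID)+4+2)
	buf = append(buf, byte(len(r.DeviceID)))
	buf = append(buf, r.DeviceID...)
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], r.Seq)
	buf = append(buf, n[:]...)
	binary.BigEndian.PutUint16(n[:2], uint16(r.TempC))
	return append(buf, n[:2]...)
}

// Device models a sensor holding a private key provisioned at manufacture.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
	seq  uint32
}

// NewDevice generates a keypair and returns the public half for enrolment.
func NewDevice(id string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{ID: id, priv: priv}, pub, nil
}

// Report signs a fresh reading carrying the next sequence number.
func (d *Device) Report(tempC int16) Reading {
	d.seq++
	r := Reading{DeviceID: d.ID, Seq: d.seq, TempC: tempC}
	r.Sig = ed25519.Sign(d.priv, r.encode())
	return r
}

var (
	ErrUnknownDevice = errors.New("device not enrolled")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrReplay        = errors.New("sequence number not newer than last accepted")
)

// Gateway is the patient's hub. It trusts only devices whose public key was
// enrolled, which in practice would happen during supervised pairing.
type Gateway struct {
	enrolled map[string]ed25519.PublicKey
	lastSeq  map[string]uint32
}

func NewGateway() *Gateway {
	return &Gateway{enrolled: map[string]ed25519.PublicKey{}, lastSeq: map[string]uint32{}}
}

func (g *Gateway) Enroll(id string, pub ed25519.PublicKey) { g.enrolled[id] = pub }

// Accept checks provenance, integrity and freshness before a reading is trusted.
func (g *Gateway) Accept(r Reading) error {
	pub, ok := g.enrolled[r.DeviceID]
	if !ok {
		return ErrUnknownDevice // unpaired or counterfeit equipment
	}
	if !ed25519.Verify(pub, r.encode(), r.Sig) {
		return ErrBadSignature // wrong key, or payload altered after signing
	}
	if last, seen := g.lastSeq[r.DeviceID]; seen && r.Seq <= last {
		return ErrReplay // validly signed but stale message resent
	}
	g.lastSeq[r.DeviceID] = r.Seq
	return nil
}

// Demo returns the hub's verdict on a genuine reading, an impostor device
// claiming the same ID with its own key, a tampered payload, and a replay.
func Demo() (genuine, impostor, tampered, replay error) {
	gw := NewGateway()
	bandage, pub, err := NewDevice("bandage-0001") // constructed identifier
	if err != nil {
		panic(err)
	}
	gw.Enroll(bandage.ID, pub)
	r1 := bandage.Report(3710) // 37.10 C
	genuine = gw.Accept(r1)
	fake, _, _ := NewDevice("bandage-0001") // same ID, unenrolled key
	impostor = gw.Accept(fake.Report(3710))
	r3 := bandage.Report(3720)
	r3.TempC = 3900 // altered in transit, signature no longer matches
	tampered = gw.Accept(r3)
	replay = gw.Accept(r1) // old reading resent after a newer one was accepted
	return
}

func main() {
	g, i, t, r := Demo()
	fmt.Println("genuine:", g, "| impostor:", i, "| tampered:", t, "| replay:", r)
}
```

The point of the sequence-number check is that a signature alone proves who produced a message, not when; a valid reading captured earlier and resent would otherwise pass, so freshness is tracked per device alongside the enrolled key.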

I also saw a presentation about some medicines that are taken internally (pills) that contain RFID tags that only activate once the pill has dissolved (ie, is in your stomach). The idea is to help to monitor old people to make sure that they are taking the right medicine at the right times. Fascinating stuff, and particularly fascinating to me because I am interested in the identity infrastructure that will be needed to support safe, smart healthcare.
