About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


5 posts from April 2010

Cloudy with a chance of PKI

By Dave Birch posted Apr 26 2010 at 8:25 PM

[Dave Birch] I had a lovely time chairing the panel on mobile payments at the April meeting of Mobile Money at the GSMA. I was lucky to have a great set of panelists, including Neil Daly who is the Mobile Money Director at the GSMA. Neil made a terrific presentation, but I can't tell you about it because all of his slides were marked "confidential" and I don't want to get into trouble. So, anyway, what does all of this have to do with identity? Well, during the excellent panel discussion, John Lunn from PayPal, whose opinions I always take seriously, made (I think) a profound point. He said that as payments are disappearing into the cloud, they are going to merge, so that mobile payments and internet payments and all other payments (including retail payments) become the same thing, essentially. He's not the only person who thinks this.

Most consumers still pay offline, like in restaurants or stores. But I have no doubt that in future all these businesses will be connected to the Internet and then, virtually all payments will be made online.

[From Globes [online] - Israel business news - For PayPal, it is only the beginning]

A few days later, at the Future of Money This makes for some interesting thinking, because the use of new devices and new networks to access the cloud data means that all sorts of new services can be provided. But it also means that the evolution of digital money and digital identity will be wholly interconnected because the problem of all payments will resolve down to identifying the payment "account" associated with the individuals (or the individual and the merchant) and then authenticating that they are who they claim to be. Once these steps have been taken, then moving a few bytes around to execute the payment is not much of an effort. (Almost) anyone can do it and absolutely everyone can use it.

A software platform—perhaps in the cloud-- can lower those costs by investing in linking to the multitude of software programs that handle various elements of payments. By exposing APIs, this software platform then makes it possible for entrepreneurs to quickly integrate into most relevant aspects of the payments business... A great deal of innovation can be unleashed once these APIs are exposed.

[From Why the Payments Industry Needs a Catalyst to Drive Payments Innovation - pymnts.com]

Following along this line of thinking, where are the high added-value nodes in the new value network? If anyone can provide the engine, anyone can access the APIs, anyone can come up with ideas for using the new payments platform, what is there that not anyone can do? One fruitful area for exploration might be security.

Continue reading "Cloudy with a chance of PKI" »


MyGovID

By Dave Birch posted Apr 16 2010 at 8:38 AM

[Dave Birch] What with an imminent election in the UK, there's been more talk about e-government and the future of online services.

A MyGov dashboard that allows every citizen to personalise the explosive growth of government services on the web was proposed today by Gordon Brown... Brown said MyGov, which will eventually replace DirectGov, will end the current frustration of web users needing to identify themselves separately for different public services.

[From Gordon Brown proposes personalised MyGov web services | Technology | guardian.co.uk]

Whoa! Hold on a minute. How are the recalcitrant inhabitants of Middlesbrough, forced online by the redoubtable Ms. Martha Lane Fox, going to identify themselves to their MyGov page, and how will this identification and relevant credentials be federated to the various government transactional services it will link to?

By the way, here's my mock-up of what the MyGov dashboard might look like.

Continue reading "MyGovID" »

Dying for mail

By Dave Birch posted Apr 9 2010 at 10:42 AM

[Dave Birch] I found the South-by-Southwest (SXSW) interactive sessions that I went to, without exception, first class. It may be because of the spectrum of people that they attract, or it may just be something in the Austin air, but I got caught up in a number of exceptionally stimulating discussions, all of which gave me new things to think about. Here's an example: I signed up for a session on Digital Wills run by Corvida Raven from she-geeks. She ran an outstanding session, and I can't resist blogging around it despite the morbid tone of some of the discussions that resulted from it! First of all, let me say that this is an aspect of the online world that I have been interested in for some time. I wrote a piece about it for The Guardian way back in 2004, reflecting on the fact that I had been making a will and had gone and got a booklet about it (I think from the bank, but I can't remember) and I was remarking that it didn't seem to cover my data.

It wasn't mentioned in the booklet of sample will elements I was using. That covered topics such as houses and kids, but it should have had additional specimen clauses along these lines: "I leave the 100GB external Firewire drive containing all of my emails and the back-ups of all of my personal documents, my iPhoto library and my iTunes to my wife. This volume was encrypted by Mac OS X using AES-128 and the password is the name of the band we saw together on our first date followed by the age of our first female cat when she died."

This may seem silly, but could become a serious problem in the future. My wife will need my username and password for Barclays, BT, British Airways and our family blog - and there was nothing about that in the booklet, either.

[From Second sight, Dave Birch | Technology | The Guardian]

This isn't a sophisticated enough solution, of course. What we really need, as a society, is proper security and privacy technology and we are an awfully long way from seeing this introduced at all, let alone introduced into probate law or custom and practice. Nothing much has changed since my article, as Cory Doctorow reinforced last year.

What I found surprising all through this process was the lack of any kind of standard process for managing key escrow as part of estate planning.

[From Tales from the encrypt: the secrets of data protection | Technology | guardian.co.uk]

There are clearly some business opportunities here, and not only for lawyers! Some organisations have already decided to take the digital afterlife seriously.

Facebook may not have been the first to create a specialized policy for deceased users, but it was one of the highest profile because of the way it handled the issue. Instead of merely agreeing to let a family member take control of the account, the company instead decided to take things a step further and let people turn someone's account into a memorial.

[From Death and social media: what happens to your life online?]

This is nice, but it seems to be still fairly rare. Take e-mail as a fairly standard requirement. If you die, Yahoo will delete your e-mail. But I may not want my e-mail to be deleted. Can I ask Yahoo not to delete my e-mail? No. But hold on, how do they know I am dead? If I just give my Yahoo password to my wife, then presumably she can carry on using it or archive the messages or even delete them. But what if I leave her the password and tell her not to delete them but just to save them for posterity and not read them? This is all getting a bit complicated.

Continue reading "Dying for mail" »

Practical identity

By Dave Birch posted Apr 7 2010 at 12:19 PM

[Dave Birch] It's all very well people like me going on about keys, certificates and zero-knowledge proofs but what are the problems that an identity infrastructure has to solve down at the coal face, so to speak? Here's an example from a newspaper I happened to be reading (The Daily Telegraph "Money" section, 13th March 2010). I won't repeat the entire story, which concerns an elderly, partially-disabled woman who had UKP500 stolen from her bank account at Santander. The bank discovered the fraud, to their credit, and asked the woman to come to the branch so that they could sort things out. However, they demanded that she produce either a valid passport, a valid driving licence with a picture on it or a birth certificate. She (along with countless other people) had none of these. Despite the fact that she had had an account with them for many, many years, the process derailed. The charity Age Concern, quoted in the article, noted the expense of obtaining new passports for people who have no intention of travelling anywhere and also noted that elderly people are sometimes asked to produce utility bills (to get a mobile phone contract, say) that they do not have because they live in care homes or with relatives and that there is a further serious problem where they ask family members to deal with financial services, government and other organisations on their behalf. If you can't prove who you are to the bank where you have had an account for decades, how on earth is your daughter supposed to deal with the bank on your behalf?

One practical suggestion might be for Age Concern to operate a service to provide fake passports to its members. It could do this at low cost, and since fake British passports do not have to be particularly high quality to suffice (the bank just photocopies them anyway), this could provide a simple and cost-effective means to help their members.

Dubai airport is not just a two bit arrival and departure lounge for a small Arab country. It is a veritable cross roads for global airline traffic – one of the 10 most important international hubs in the world. Yet its passport scanning machines failed to recognise that all 11 passports were not just fakes but quite awful fakes.

[From Snowblog - What the Dubai murder says about airport security]

I doubt the elderly lady's local bank branch has "passport scanning machines" of any description, so my suggestion is entirely practical. On the other hand, if we decide to opt for legal solutions, what should we do? If we are going to have a shot at improving the identity infrastructure to the benefit of society, then it has to work in these cases, which are hardly rare or extreme. This simple, practical case should serve as a benchmark: how can an older person use whatever system is proposed in order to ring up a bank and get something done with their own money.

In this light, how does the banking industry manage identity in the future... Would you have predicted 15 years ago that we’d still be using IDs and Passwords today? Will we still be using them 15 years from now?

[From Predicting the Future of Identity | Future Banking Blog]

Actually fifteen years ago I did predict, more than once, that we wouldn't be using passwords by now. I thought then, and I still think now, that passwords aren't really security of any kind. Never mind elderly people trying to remember passwords on the phone, I can't remember passwords on the phone. I was speaking to one of my card providers recently, having called to query a declined transaction, and was genuinely shocked to be asked for my password. I had no memory of having set a password on this account at any time in the past, so had to go through the whole set-up all over again. (Which was pretty annoying, but not as annoying as being asked for my card number yet again, ten seconds after I had punched all sixteen digits into the keypad!!).

As I sat down to write the rest of this post, the combination of prosaic, archaic and potentially catastrophic palaver that is the process of opening an account in modern Britain was once again raising blood pressure in our household. Having got annoyed with the poor customer service from one of our credit card issuers, I cancelled the card (a card, incidentally, that I spend around £3,000 per month on, since I travel a lot for business) and appealed to the twitterverse for suggestions as to alternatives. A testament to my middle class status, the most popular suggestion was the John Lewis Partnership Card that delivers shopping vouchers for Waitrose and John Lewis, so I went off to their web site and immediately applied. Hurrah! It said something like "congratulations, you're accepted". My happiness was short-lived, as it soon became apparent that they weren't going to send me a card at all, but a form to fill out and sign. Whatever. When it turned up I signed it, my wife signed it and I sent it back, then went away on business.

My wife phoned me after a few days wondering where her new card was. When I got back, I discovered that my card had arrived but hers had not. So I gallantly gave her mine (one of the great advantages of PIN cards over signature or biometric cards), and started going through the rest of the backlog of mail. Eventually I came across a letter to me explaining that John Lewis could not send my wife her card without further proof of identity because of know-your-customer and anti-money laundering regulations. My wife has only lived in the UK since 1986 and has only had a Barclays account for 20 years, so you can see why they might be suspicious. She follows a pattern well-known to FATF investigators of international organised crime: live at the same address for the last 15 years, use your Barclaycard to buy food at the same Waitrose every week and work for Surrey County Council, presumably a known hot-bed for narco-terrorism.

In order to prove her identity, and therefore get her card, she had to (in homage to the founding of the John Lewis partnership in 1929) post them her council tax bill and last month's bank statement. International terrorists would find these completely impossible to forge <sarcasm="on"> as they contain advanced anti-counterfeiting watermarks, holograms and embossing </sarcasm="off">. Of course, this being 2010, you might have thought that my wife would merely have to log in to John Lewis using her Barclays' dongle and Barclays would federate her identity (which they must have already established to the satisfaction of financial regulators) but I'm afraid even these rudimentary steps toward an identity infrastructure have yet to be taken.

In summary: everyone's time and money continues to be wasted and we are no closer to having an identity infrastructure for the 21st century than we were at the dawn of the web.

Continue reading "Practical identity" »

Dog's life

By Dave Birch posted Apr 1 2010 at 5:01 PM

[Dave Birch] There was a news story in the UK recently about the very sad death of a young woman who was lured to a remote spot by a man who met her on Facebook. The man was pretending to be a teenage boy. Facebook became the focus of the story, with the usual calls for something to be done. So is the sky falling in because of social networking?

You could just as easily argue that criminals are easier to catch because of Facebook, or any other new technology. The police can use them too, can’t they? Doesn’t social networking make it easier for the police and others to work together? Couldn’t Twitter help detectives? Can’t detectives subscribe to RSS feeds on cases of interest? (Frankly, I doubt it, but you get my point.)

[From 15Mb: yet another blog from Dave Birch » Blog Archive » The “Ford Mondeo Killer”]

People might think they're anonymous, but they're not. A rational policy on law and order would surely try to get more criminals to carry out their crimes online, because it's easier to catch them in the virtual world than in the real one.

When a YouTube video came to its attention on Friday in San Francisco, the FBI had a Philadelphia man in custody the next day

[From How the FBI busted one YouTube nutjob in under a day]

It's the same logic as with money laundering. If you raise high barriers by making people prove who they are before going online then they will either go to great lengths to avoid the rules (thereby enriching middlemen) or just avoid going online, in which case they cannot be tracked or traced at all. I wrote an article for SPEED ("Moving money and securities worldwide") magazine's Spring issue, noting that if criminals were to abandon suitcases full of 500 euro notes for platinum pieces in Everquest (frankly unlikely, but there you go) then surely it would be easier for law enforcement officers to masquerade as half-orc barbarians in Norrath than as criminals in the real world and therefore follow the money.

Continue reading "Dog's life" »