[Dave Birch] It's all very well people like me going on about keys, certificates and zero-knowledge proofs, but what are the problems that an identity infrastructure has to solve down at the coal face, so to speak? Here's an example from a newspaper I happened to be reading (The Daily Telegraph "Money" section, 13th March 2010). I won't repeat the entire story, which concerns an elderly, partially-disabled woman who had UKP500 stolen from her bank account at Santander. The bank discovered the fraud, to their credit, and asked the woman to come to the branch so that they could sort things out. However, they demanded that she produce either a valid passport, a valid driving licence with a picture on it or a birth certificate. She (along with countless other people) had none of these. Despite the fact that she had had an account with them for many, many years, the process derailed.
The charity Age Concern, quoted in the article, noted the expense of obtaining new passports for people who have no intention of travelling anywhere and also noted that elderly people are sometimes asked to produce utility bills (to get a mobile phone contract, say) that they do not have because they live in care homes or with relatives and that there is a further serious problem where they ask family members to deal with financial services, government and other organisations on their behalf. If you can't prove who you are to the bank where you have had an account for decades, how on earth is your daughter supposed to deal with the bank on your behalf?
One practical suggestion might be for Age Concern to operate a service to provide fake passports to its members. It could do this at low cost, and since fake British passports do not have to be particularly high quality to suffice (the bank just photocopies them anyway), this could provide a simple and cost-effective means to help their members.
Dubai airport is not just a two-bit arrival and departure lounge for a small Arab country. It is a veritable crossroads for global airline traffic – one of the 10 most important international hubs in the world. Yet its passport scanning machines failed to recognise that all 11 passports were not just fakes but quite awful fakes.
[From Snowblog - What the Dubai murder says about airport security]
I doubt the elderly lady's local bank branch has "passport scanning machines" of any description, so my suggestion is entirely practical. On the other hand, if we decide to opt for legal solutions, what should we do? If we are going to have a shot at improving the identity infrastructure to the benefit of society, then it has to work in these cases, which are hardly rare or extreme. This simple, practical case should serve as a benchmark: how can an older person use whatever system is proposed in order to ring up a bank and get something done with their own money?
In this light, how does the banking industry manage identity in the future... Would you have predicted 15 years ago that we’d still be using IDs and Passwords today? Will we still be using them 15 years from now?
[From Predicting the Future of Identity | Future Banking Blog]
Actually, fifteen years ago I did predict, more than once, that we wouldn't be using passwords by now. I thought then, and I still think now, that passwords aren't really security of any kind. Never mind elderly people trying to remember passwords on the phone, I can't remember passwords on the phone. I was speaking to one of my card providers recently, having called to query a declined transaction, and was genuinely shocked to be asked for my password. I had no memory of having set a password on this account at any time in the past, so had to go through the whole set-up all over again. (Which was pretty annoying, but not as annoying as being asked for my card number yet again, ten seconds after I had punched all sixteen digits into the keypad!!).
As I sat down to write the rest of this post, the combination of prosaic, archaic and potentially catastrophic palaver that is the process of opening an account in modern Britain was once again raising blood pressure in our household. Having got annoyed with the poor customer service from one of our credit card issuers, I cancelled the card (a card, incidentally, that I spend around £3,000 per month on, since I travel a lot for business) and appealed to the twitterverse for suggestions as to alternatives. A testament to my middle class status, the most popular suggestion was the John Lewis Partnership Card that delivers shopping vouchers for Waitrose and John Lewis, so I went off to their web site and immediately applied. Hurrah! It said something like "congratulations, you're accepted". My happiness was short-lived, as it soon became apparent that they weren't going to send me a card at all, but a form to fill out and sign. Whatever. When it turned up I signed it, my wife signed it and I sent it back, then went away on business.
My wife phoned me after a few days wondering where her new card was. When I got back, I discovered that my card had arrived but hers had not. So I gallantly gave her mine (one of the great advantages of PIN cards over signature or biometric cards), and started going through the rest of the backlog of mail. Eventually I came across a letter to me explaining that John Lewis could not send my wife her card without further proof of identity because of know-your-customer and anti-money laundering regulations. My wife has only lived in the UK since 1986 and has only had a Barclays account for 20 years, so you can see why they might be suspicious. She follows a pattern well-known to FATF investigators of international organised crime: live at the same address for the last 15 years, use your Barclaycard to buy food at the same Waitrose every week and work for Surrey County Council, presumably a known hot-bed for narco-terrorism.
In order to prove her identity, and therefore get her card, she had to (in homage to the founding of the John Lewis partnership in 1929) post them her council tax bill and last month's bank statement. International terrorists would find these completely impossible to forge <sarcasm="on"> as they contain advanced anti-counterfeiting watermarks, holograms and embossing </sarcasm="off">. Of course, this being 2010, you might have thought that my wife would merely have to log in to John Lewis using her Barclays' dongle and Barclays would federate her identity (which they must have already established to the satisfaction of financial regulators) but I'm afraid even these rudimentary steps toward an identity infrastructure have yet to be taken.
In summary: everyone's time and money continues to be wasted and we are no closer to having an identity infrastructure for the 21st century than we were at the dawn of the web.