[Dave Birch] I happened to be chatting to our friend Tony Poulos from the Telecommunications Manager's Forum about new service possibilities for mobile operators facing commoditisation and declining ARPUs, and one of the areas he got me to brainstorm was identity services.
One of the world’s leading experts in this field, David Birch, spent some time with me explaining how mobile operators, in particular, could actually become ‘smart pipes’ with financial transactions. The ‘secret sauce’ according to Birch, lies in the ability for operators to provide secure identification linked to the SIM providing private and public keys for multiple providers.
[From The 'secret sauce'? | Poulos Ponderings]
The mobile phone is the obvious "remote control" for identity, and I'm surprised that operators haven't moved into this space more aggressively (there are some exceptions, of course, such as Turkcell). This led me to think, again, about the nature of the value-added identity infrastructure that might be built.
One thing, I think, is clear: the goal shouldn't be to build a virtual version of the current identity "system". At the moment, the online world has a dysfunctional identity layer: it's not really anonymous but it's not really absonymous either.
Implementing an Internet without anonymity is very difficult, and causes its own problems. In order to have perfect attribution, we'd need agencies -- real-world organizations -- to provide Internet identity credentials based on other identification systems: passports, national identity cards, driver's licenses, whatever. Sloppier identification systems, based on things such as credit cards, are simply too easy to subvert.
[From Schneier on Security: Anonymity and the Internet]
Bruce goes on to note that in the real world, half-baked identity management schemes actually make matters worse, not better. You can't argue that having people sort-of-identified is better than having them not identified at all. It isn't.
We have nothing that comes close to this global identification infrastructure. Moreover, centralizing information like this actually hurts security because it makes identity theft that much more profitable a crime.
[From Schneier on Security: Anonymity and the Internet]
This is why I am naturally somewhat suspicious of attempts to slap identity on the ends of the network rather than having identity management as a value-added service that is part of the network infrastructure and quite distinct from the issue of which identities will be managed (in other words, the web server has PKI built in, but it doesn't provide the identities; it enables identity providers to do so). Simple solutions to this difficult problem -- along the lines of the Chinese attempts to have "real-name registration" of Internet access by decreeing that everyone has to present their ID number when connecting -- don't work.
Mundie and other experts have said there is a growing need to police the internet to clamp down on fraud, espionage and the spread of viruses. "People don't understand the scale of criminal activity on the internet. Whether criminal, individual or nation states, the community is growing more sophisticated," the Microsoft executive said... He also called for a "driver's license" for internet users. "If you want to drive a car you have to have a license to say that you are capable of driving a car, the car has to pass a test to say it is fit to drive and you have to have insurance."
[From UN agency calls for global cyberwarfare treaty, ‘driver’s license’ for Web users | Raw Story]
It's a bad analogy for a start, because cars are covered by product liability laws and Microsoft's software isn't. More to the point, the law on driving licences doesn't stop cars from being stolen, used in crimes or involved in accidents. If there were an Internet driver's license, the 419 scammer wouldn't apply for one; he'd make a fraudulent one, just as he would in the physical world, and then use it to open bank accounts and so forth.
Many of the forgeries are “know your customer” documents such as utility bills and driving licences, which are then used to open bank accounts under false names.
[From Police war on fake ID factories as fraudsters net millions | News]
Ah, you might say, but in the Internet world we can use cryptography and similar geek tools to stop people from forging licences. In which case, the scammers will still get their licences.
An Irvington, N.J., man who operated a driving school pleaded guilty yesterday in federal court to bribing Pennsylvania driver's license examiners to obtain phony licenses for his customers... Authorities said Lominy began paying bribes to a PennDOT driver's license examiner, Alexander Steele, in early 2009 in exchange for Steele issuing licenses to his customers even though they weren't Pennsylvania residents and hadn't passed a written test or driving exam.
[From He admits bribing PennDOT examiners to issue fake licenses | Philadelphia Daily News | 04/02/2010]
From time to time I also see reports of people in the UK being convicted for taking other people's tests for them for money. So, an Internet driving licence? I don't think this is a way to improve security. I might go further and say that compared to this, the Monster Raving Loony Party's manifesto commitment to ban envelopes and force everyone to communicate via postcards looks more practical.
All sealed private letters to be banned - we propose that all letters must be written on postcards, and emails to be routed through police stations. (After all honest citizens have nothing to hide)
[From Official Monster Raving Loony Party - manifesto proposals]