About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


6 posts from July 2010

Linked
By Dave Birch posted Jul 28 2010 at 10:15 PM

[Dave Birch] I rather like LinkedIn, and use it reasonably often. It's proved a convenient way to build up my network of professional contacts in a very dynamic and useable form. Well, I say "my" professional contacts...

A recent judgement in the UK courts has forced a former employee of Hays to hand over details of the business contacts built up through LinkedIn.com whilst he was employed by them. The decision is one of the first in the UK to show the tension between businesses encouraging their employees to use social networking websites whilst trying to claim that the contacts should remain confidential at the end of their employment.

[From Bombay Crow: Who owns your online networking contacts?]

I have a slightly old-fashioned policy towards LinkedIn. When I get a connection request, I won't accept unless it is someone that I've spoken to (or, preferably, met in person). The validity of this policy was demonstrated during the week, when I read the story of the security consultant who set up a fake LinkedIn site for an imaginary woman called "Robin Sage" who supposedly worked in cybersecurity for the US Navy. In less than a month, she amassed nearly 300 social-network connections among security specialists, military personnel and staff at intelligence agencies and defense contractors.

Her profile was a ruse set up by security consultant Thomas Ryan as part of an effort to expose weaknesses in the nation's defense and intelligence communities - what Mr. Ryan calls "an independent 'red team' exercise." It is not the first time "white-hat" hackers have carried out such a social-engineering experiment, but military and intelligence security specialists told The Washington Times that the exercise reveals important vulnerabilities in the use of social networking by people in the national security field.

[From Fictitious femme fatale fooled cybersecurity - Washington Times]

The story also revealed another sad truth, a reflection on human nature. Men will do anything for an attractive woman, without even bothering to check whether she's real or not.

Ms. Sage's connections invited her to speak at a private-sector security conference in Miami, and to review an important technical paper by a NASA researcher. Several invited her to dinner. And there were many invitations to apply for jobs.

[From Fictitious femme fatale fooled cybersecurity - Washington Times]

Jobs! You'd think one of the first, basic checks that someone might make is that their employment target is real! Yet we're told that social networking means that employers know all about us all the time.

“We’re hearing stories of employers increasingly asking candidates to open up Facebook pages in front of them during job interviews,”

[From The Web Means the End of Forgetting - NYTimes.com]

This would be fantastic, if it were true. I would love to work for someone so dumb that they think that what's on a Facebook page has any reputational capital value at all. In half-an-hour my kids could easily make up a Facebook page that would present them as the best candidate ever for whatever job. If employers are hiring people this way, they deserve what they get.

Continue reading "Linked" »

Simple cases

By Dave Birch posted Jul 26 2010 at 10:58 AM

[Dave Birch] I've been looking at a survey undertaken by UK Online's "myopinion" panel in connection with the Technology Strategy Board's VOME project that Consult Hyperion are involved in.

Researchers from the Information Security Group (ISG) at Royal Holloway, University of London worked together with UK online to conduct a survey of privacy attitudes and behaviours. Focusing on our concerns about privacy while using the internet, the survey reveals that online identity theft is currently the greatest fear for internet users.

[From Online identity theft is the greatest fear for internet users]

The great majority of respondents (almost all of them, in fact) use the Internet daily from home, work or school. In this group, their top concerns about privacy are:

  1. "Online identity theft"
  2. "Spying on online activity"
  3. Payment card data being intercepted.
  4. Merchant mischarging.
  5. Having to provide too much personal information when purchasing online.

I noticed an odd gender imbalance: women report being more concerned about privacy than men do, but men are much more likely than women to actually do anything about it, presumably because doing something means (to a large extent) technological activities such as turning on firewalls.

Continue reading "Simple cases" »

Things aint what they used to be

By Dave Birch posted Jul 20 2010 at 5:00 PM

[Dave Birch] It's pretty obvious that RFID is going to transform a variety of retail supply chains, adding value to the services delivered to the end customers.

Izzy's Ice Cream Café in St. Paul, Minnesota is putting RFID technology to use for giving real-time updates on the flavours available in its dipping cabinet. It offers more than 100 flavours but serves only 32 in its dipping cabinet at any point in time. The cabinet comes equipped with readers capturing every flavour's corresponding label, embedded with an RFID tag. The reader captures information 22 times every second, and this is sent to a system which updates the parlour's website so that customers get to know what is available even before they enter the store. Coloured dots are projected on the wall of the store or the TV behind the counter so that customers get to know the flavours available.

[From The RFID Weblog: RFID chip and ice creams]

Now this is a great use of the technology and I'm sure it's only one of the ways in which retailers will find that RFID provides a platform for better management, better service and entirely new services. Nevertheless, it's a step from this kind of use of RFID to the idea of an "Internet of things", which has been around for a while.

The "Internet of things" (can't we think of a better name? the everynet? the allnet? -- what about "skynet", or has that been used somewhere before?) has two essential components: the concept that everything is connected to everything else, and the concept that everything can be distinguished from everything else. Universal connection and universal identification. If we take the former for granted and take the Electronic Product Code (EPC) as an example of the latter, we can immediately see that this will create as many problems as it solves (which is not a reason for not doing it, since it also creates many opportunities). It's easy to see why. Suppose that your phone reads the EPC from my underpants. So what? Now your phone knows that I am wearing either Gucci underpants or a pair of Primark underpants with a Gucci chip in them to impress the ladies. If such phones and such tags were to exist, what would actually happen? What would be the impact on society of knowing what everything is and where everything is all the time?

Continue reading "Things aint what they used to be" »

USTIC
By Dave Birch posted Jul 12 2010 at 2:11 PM

[Dave Birch] It's taken me a while to sit down and read through the US Government's National Strategy for Trusted Identities in Cyberspace (USTIC) paper that is out for comment. I've tried not to read it just as a technical expert (what do they mean by strategy? what do they mean by trust? what do they mean by identity? what do they mean by cyberspace?) but as someone who wants to see real change in the identity landscape and a step change in the security of online transactions. Can the USTIC help this agenda? The document says early on that it is about a user-centric identity ecosystem, a world-view that I entirely support, so let's take a look.

One not entirely trivial point before we start: one thing that did annoy me about the document was that it uses the phrase "digital identity" to mean what I would call a "virtual identity". That is, it defines a digital identity as the set of attributes that represent an individual in a transaction, whereas I would define the virtual identity as the set of attributes that represent a digital identity in a transaction because it is the digital identity that is the bridge between the real and virtual worlds, the connection between individuals and what the US strategy calls "non-person entities" and their representation in electronic form. (I can see I'm losing this battle, but I'm not going to give up easily.) So I'm going to use my (more precise) terminology in discussing the strategy.

The document describes an identity ecosystem for use by individuals, business and government that attempts to balance the requirements for identification and "reputation" in a forward-looking manner. It talks about creating a user-centric identity ecosystem, which it defines as an ecosystem that will allow individuals to select the interoperable credential appropriate to a specific transaction. In other words, it lets people select between different virtual identities on a per-transaction basis, something that we have long advocated. Now, obviously, the individual's choice of credential cannot be entirely unconstrained. I can well imagine being allowed to log in to Citibank using a Barclays Bank identity but not being allowed to log into Citibank using, say, my Twitter login. Similarly, I can well imagine using my Facebook identity to get access to some basic government information about benefits but having to use my mobile phone in some way to confirm my identity to log in to obtain, let's say, the results of a medical test -- more on this example later.

I emphasised this last example, by the way, in the light of the news that PayPal and Microsoft are already conducting an "identity mash up" with a medical company.

Medtronic, PayPal, Southworks, and Microsoft recently worked together to demonstrate the ability for people to use their PayPal identities for participating in a Medtronic medical device trial, rather than having to create yet another username and password... the name, address, birth date, and gender claims provided by PayPal are relied upon by Medtronic and its partners as being sufficiently authoritative...

[From Mike Jones: self-issued » Using Consumer Identities for Business Interactions]

From the point of view of the UK, where the national identity card scheme has just been scrapped and there is no alternative identity infrastructure in place, there is much to be admired in the US approach. The idea of creating an ecosystem that is built around the idea of public and private sector co-operation, individual choice, opportunities for innovation and market-based practicality should be a matter of priority here as well because if it is not, then efforts such as Martha Lane Fox's Manifesto for a Networked Nation will remain gimmicks: what's the point of making the population use the web if they can't do transactions?

Government should “think internet first” in designing services and provide support for those who need help using its online services.

[From David Cameron Supports Digital Champion’s Ambition – Make UK First Nation Where Everyone Can Use the Web « Raceonline2012's Blog]

Right now, I can't even use the same login identity for the DVLA and HMRC (the only two online government transactions I ever do).

Continue reading "USTIC" »

Law 2.5 or 3.0 or whatever

By Dave Birch posted Jul 8 2010 at 11:06 AM

[Dave Birch] Now, as I'm fond of saying, the whole real/virtual thing is a bit fuzzy. One of the areas where this is frequently demonstrated is crime...

the Habbo Hotel folks have now asked Finnish police to investigate 400 cases of "theft" in their world. Seriously. Of course it is a bit more complicated than that. They're really upset about phishing scams that let scammers get users' login information, which they then use to get into their account and transfer the virtual goods away. But that's not really "theft" and it's a misnomer to call it that.

[From Yet Again, Real Police Called Into Virtual World Over (Not Really) Theft Of Virtual Items | Techdirt]

Correct. This isn't theft any more than copying an MP3 is theft, but it is closer to what we might think of as theft in that it's fraud, and fraud that prevents the rightful owner of the virtual goods from enjoying their use (which is not the case when a teenager copies a friend's CD).

And, really, if Habbo Hotel users are getting phished so frequently, perhaps the Habbo developers should focus on building a better login system that is not so susceptible to simple phishing scams.

[From Yet Again, Real Police Called Into Virtual World Over (Not Really) Theft Of Virtual Items | Techdirt]

This is correct. It is wrong to expect the rest of society to pay to support a business model that is founded on technology that is not fit for purpose. You wouldn't let carmakers sell vehicles without locks to save money while simultaneously lobbying for higher spending on the police to prevent car theft.

But here's an interesting thought experiment. If there were a working digital identity infrastructure, would it be possible to build a working law enforcement system on top of it? I think the answer is yes, because crime and punishment would both be founded on the management of reputation. Think of the example of eBay stars: if I am a top seller on eBay, then taking away my stars is a serious punishment, much worse than fining me money or, in some cases, locking me up.

Continue reading "Law 2.5 or 3.0 or whatever" »

There isn't an app for that

By Dave Birch posted Jul 6 2010 at 1:03 PM

[Dave Birch] Hurrah! My bank, Barclays, tell me that they have a new and improved mobile bank service. Fantastic. I go to the iTunes App Store. Nothing there. Odd. Turns out that the new and improved mobile bank service is just the web service but on a mobile phone. Oh well.

With odd serendipity, this came up at the recent Mobey Forum meeting in Helsinki. While watching a demonstration of Nokia Money, I got a text message from my son who was in London visiting his girlfriend and had run out of money. He asked me if I could send him £10 to get a train home. I was forced to reply that I could not, because we live in the UK and not in an advanced country such as Kenya, where phone-to-phone money transfer is commonplace. I fired up my iPhone and went to the Barclays page, only to discover that I couldn't log in and send him some money because I don't know my 12 digit user code (or whatever it is called) and I didn't have my dongle anyway (it was back home on my desk). (In case you are worried, the day was saved because he was able to go back to his girlfriend's house and borrow the money from her parents.)

Now, this demonstration of the utter hopelessness of mobile financial services in the UK took place under the watchful eye of Mobey Forum executive director Liisa Kannainen, who promptly showed me how she had responded to an earlier, similar, request from one of her children...


Yes, she still uses the same paper-based Nordea Transaction Authorisation Number (TAN) system introduced in Finland for remote banking years ago, and it still works fine. So to send her kids money, she logs in on the phone and is prompted for the next TAN. She types it in and then crosses it off. Works perfectly. And she always has her TAN list with her in her purse, whereas I never have my dongle with me away from home.

What I do have with me all the time is, of course, my mobile phone. As do almost all of the population. Surely it would make sense for both Nordea and Barclays to move to some standard mobile phone-based 2FA scheme. And then we could move to a standard set of authentication "levels". For small transactions, just have the phone. For larger transactions, enter a PIN into the phone. For very large transactions, have the phone take your voiceprint, then enter a PIN. Something like that. And if we could use it to log in for banking, then why couldn't we use it to log in for other things as well?
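The indexed paper TAN list described above and the per-amount authentication levels proposed here, modelled together as an added example (not Nordea's or Barclays' code): the bank keeps only hashes plus a "next" pointer, a TAN is accepted once and only at the index it was prompted for, and the amount thresholds, list size and salt are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets

SALT = b"demo-per-customer-salt"  # assumption: a real system salts per customer


def _h(tan: str) -> str:
    return hashlib.sha256(SALT + tan.encode()).hexdigest()


def issue_tan_list(count: int = 10):
    """Bank side: mint a numbered list. The customer gets the plain TANs on
    paper; the server record holds only their hashes and the next index."""
    plain = [f"{secrets.randbelow(10**6):06d}" for _ in range(count)]
    record = {"hashes": [_h(t) for t in plain], "next": 0}
    return plain, record


def next_prompt(record):
    """Index the server asks for, or None once the list is exhausted."""
    return record["next"] if record["next"] < len(record["hashes"]) else None


def verify_tan(record, index: int, tan: str) -> bool:
    """Accept the TAN only at the prompted index and only once. A replayed
    (already crossed-off) or out-of-order TAN is rejected without advancing."""
    if index != record["next"] or next_prompt(record) is None:
        return False
    if not hmac.compare_digest(_h(tan), record["hashes"][index]):
        return False
    record["next"] += 1  # server-side equivalent of crossing it off
    return True


# Proposed levels: 0 = possession of phone, 1 = phone + PIN, 2 = phone + PIN + voiceprint.
FACTORS_FOR_LEVEL = {0: {"phone"}, 1: {"phone", "pin"}, 2: {"phone", "pin", "voice"}}


def required_level(amount_pence: int) -> int:
    """Thresholds are assumptions: <= £20 small, <= £500 larger, above very large."""
    if amount_pence <= 2000:
        return 0
    if amount_pence <= 50000:
        return 1
    return 2


def authorise(amount_pence: int, presented: set) -> bool:
    """True when every factor the level demands was presented."""
    return FACTORS_FOR_LEVEL[required_level(amount_pence)] <= presented
```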

Continue reading "There isn't an app for that" »