Listening in
By Dave Birch posted Aug 30 2010 at 4:45 PM[Dave Birch] Who should we be listening to when formulating digital identity strategy? Consumers? Experts? Politicians? Lobbyists? Consultants? Consider, for example, the issue of privacy. This is complicated, sensitive, emotive. And some of the voices commenting on it are loud. Take a look at the "Wal-Mart story" -- the story that Wal-Mart are going to add RFID tags to some of their clothing lines -- that has naturally attracted plenty of attention. One particular sets of concerns were founded on the idea that consumers could not have the tags "killed" and so would be tracked and traced by... well, marketeers, advertisers, sinister footsoliders of the New World Order, the CIA and so on. So what is the truth?
The tags are based on the EPC Gen 2 standard, which requires that they have a kill command that would permanently disable them. So the tags can, in fact, be disabled. Wal-Mart does not plan to kill the tags at the point of sale (POS), only because it is not using RFID readers at the point of sale.
[From Privacy Nonsense Sweeps the Internet]
As a consumer, I don't want the tags to be turned off, because that means that the benefits of the tags are limited to Wal-Mart and not shared with me. I'd really like a washing machine that could read the tags and tell me if I have the wrong wash cycle. And there are plenty of other business models around tags that might be highly desirable to consumers.
If it adds £20 to the price of a Rolex to implement this infrastructure, so what? The kind of people who pay £5,000 for a Rolex wouldn't hesitate to pay £5,020 for a Rolex that can prove that it is real. Imagine the horror of being the host of a dinner party when one of the guests glances at their phone and says "you know those jeans aren't real Gucci, don't you?". Wouldn't you pay £20 for the satisfaction of knowing that your snooping guest's Bluetooth pen is steadfastly attesting to all concerned that your Marlboro, Paracetamol and Police sunglasses are all real.
[From Digital Identity: The Rolex premium]
So does the existence of convenience, business model, consumer interest and practicality mean I have no privacy concerns? Of course not! So what is a reasonable way forward?
Wal-Mart is demanding that suppliers add the tags to removable labels or packaging instead of embedding them in clothes, to minimize fears that they could be used to track people's movements. It also is posting signs informing customers about the tags.
[From Wal-Mart to Put Radio Tags on Clothes - WSJ.com]
That seems like a reasonable compromise: make it easy for people to cut the tags off if they don't want them. So is that the end of the story? I don't think it is.
What could possibly violate our privacy with tracking pants in a store to make sure there aren’t too many extra-large sizes on the shelves?
[From Privacy wingnuts « BuzzMachine]
The thing is, I agree with Jeff Jarvis here that some people are, indeed, "wingnuts". But that does not mean that there are no genuine concerns and it does not mean that anyone who is concerned about privacy (eg, me) is a wingnut. But what it does mean, I think, is that we need to implement new identity technologies in a privacy-enhancing fashion and make the "privacy settlement" with the public more explicit so that there is an opportunity for informed comment to shape it. It seems to me that some fairly simple design decisions can achieve both of these goals, something that I've referred to before when using Touch2id as an example.
Stephan Engberg is a member of the Strategic Advisory Board of the EU ICT Security & Dependability Taskforce and a person who I always take seriously.
To me Touch2Id is a disaster - teaching kids to offer their fingerprints to strangers is not compatible with my understanding of democracy or of what constitutes the basis of free society. The claim that data is “not collected” is absurd and represents outdated legal thinking. Biometric data gets collected even though it shouldn’t and such collection is entirely unnecessary given the PET solutions to this problem that exist, e. g chip-on-card.
[From IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer]
First of all, Touch2ID doesn't teach "kids" anything, since kids aren't allowed to have it. That's sort of the point of it. You have to be 18 to get the card. Secondly, even if the shopkeeper did somehow tamper with the terminal to collect the fingerprints... so what? The shopkeeper doesn't know who they belong to, since the cards do not carry identifying information. Ah, but the shopkeeper could take a picture of the person in the shop, match it against Facebook photographs and then store it with the fingerprint... yes, well, once you start thinking like that, there's no way forward. You may as well argue that we've no way of knowing whether Touch2ID is in fact a front for Al-Qaeda and is collecting the fingerprints of people who buy alcohol in order to round them up in the future.
I'm not commenting to shill for Touch2ID -- they are perfectly capable of defending themselves -- but I do think that their approach (pseudonymous match-on-card) is the right way forward in an imperfect world. Then we can have interoperability at the virtual identity level. Stephan goes on to say that some people think he is an extremist. I don't. In fact, I agree with what he says about the importance of Privacy Enhancing Technologies (PETs) in wider society.
Strong PETs must be applied to ensure principles such as net neutrality, demand-side controls and semantic interoperability. If they aren’t, I am personally convinced that within 20 or 30 years we will no longer have anything resembling democracy - and economic crises will worsen due to Command & Control inefficiencies and anti-innovation initiatives
[From IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer]
This is why I have been so outspoken about the previous British government's hopeless national identity management strategy, because such as strategy has to built on PETs, not built on management consultant waffle about privacy. Sorry, that was unfair. Not all management consultants produce waffle about privacy. In fact, I've just been reading a July 2010 survey on Consumers and Convergence from the well-known Swiss co-operative KPMG International that contains some very interesting results about privacy and some thought-provoking comment on the same. It says this about Personally-Identifiable Information (PII):
Consumers have a paradoxical view of privacy. Consumers of all ages express more anxiety about data privacy than they have previously, but they’re also more willing than ever to give up PII if they get something of value in return. Nearly eight out of ten global consumers (79 percent) said they are concerned about unauthorized access of PII. But nearly six in ten (58 percent) said they would be willing to allow their online usage and profile information to be tracked if it resulted in lower costs.
It also contains some very interesting comparisons between G7 and BRIC countries on attitudes to privacy. At the end of it, though, I can't help feeling that consumers' attitudes about privacy are still too immature, confused and ill-informed to guide us. We (ie, the identity industry) need to integrate PETs into systems whatever consumers think: if we do and then we don't want to use them, fine, but if we don't, then we can't go back.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
Comments