About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« August 2010 | Main | October 2010 »

4 posts from September 2010

It's not all sexy stuff

By Dave Birch posted Sep 28 2010 at 12:50 PM

[Dave Birch] I'm giving a talk on identity services as a potential new business for mobile operators, and I'm trying to make the point that there are routine, everyday, prosaic applications for this kind of thing: it's not all about opening bank accounts and reporting deaths. Every single day I take part on transactions that are made complicated, expensive and unsatisfying because of the lack of an identity infrastructure. How many times in an average week do you press the "forgot your password" button? I do it all the time. Here's the standard pattern:

1. Get e-mail from British Gas asking for a meter reading (we still have dumb meters -- more on this in a future post).

2. Read meter.

3. Click on link in e-mail to submit reading.

4. It asks for e-mail address and password, so enter e-mail address and then click on "forgot your password".

5. It says I'm not registered, so then I have to go and register. I use the same password that I use for everything else.

6. But my password has to be between 8 and 16 characters (they take security seriously) so then I have to think of another one (which I am certain to forget again next time).

6. Then I can log in and give the reading.

7. But I get "We're sorry but access to your online account is temporarily unavailable. Please try again in a few minutes."

8. Next day get an e-mail from British Gas apologising for problems with online system. (This isn't really anything to do with identity, but it was nice of them, so I thought I'd report it.)

The process should have been:

1. Get e-mail to remind me to read meter (British Gas must have my e-mail on file somewhere to do this).

2. Read meter.

3. Clink on link in e-mail to submit reading.

4. Since the system knows the e-mail address it can prefill this and then ask for my login code from my Barclays dongle (or mobile phone, or whatever).

Bingo. Secure log in, with no effort, since my card and dongle are next to the computer.

Incidentally, and apropos of nothing, I was curious why the system was a bit crap, so I googled British Gas CRM to see if other customers were complaining, and I found this:

A good CRM system can provide automated, reliable and accurate billing and cope with high levels of customer switching and multiple service offerings. This is what British Gas set out to do with Project Jupiter in 2001, when it commissioned Accenture to install a new £317 million SAP billing system. Unfortunately, the well-documented problems with Jupiter resulted in a spike in customer complaints, loss of market share and a £182 million legal battle between British Gas and Accenture that looks set to rumble on for several years.

[From British Gas sorts out billing issues and prepares for smart metering - Interviews - Features : Utility Week]

Anyway, back to the topic. We must, as a matter of urgency, start moving to an identity and authentication infrastructure that puts a stop to this time- and money-wasting replication at every service provider.

Continue reading "It's not all sexy stuff" »

Why are we waiting?

By Dave Birch posted Sep 20 2010 at 1:31 PM

[Dave Birch] It isn't only dreamers like me who want to see an effective digital infrastructure in place.

Law enforcement worldwide should focus on developing an international identity verification system, according to INTERPOL secretary general Ronald K. Noble.

[From INTERPOL: International ID verification system needed]

I agree, although I imagine my vision of this infrastructure and Interpol's may differ in a few details. But governments, irrespective of the law enforcement agenda, should be enthusiastic too. In a September 2010 research notes on "eIDs in Europe", Deutsche Bank say that

At the European level a number of electronic identity cards (eIDs) and the qualified electronic signature (QES) do already exist. Together they possess the potential to form another of the foundations of the internal market for financial services – especially for opening accounts.

Deutsche Bank go on to say that

A further obstacle will be that the design of ID cards does not fall within the competence of the EU and varies greatly from one member state to the other. To date, there are e.g. no harmonised European definitions for the topic of "identity" or "identification". This means that in the medium term the issue for the trailblazers in this segment is likely to be enhanced cooperation.

(Note to foreign readers: remember when reading that paragraph that "competence" in EU-speak does not mean the same thing as it does in normal language: they don't mean that the Commission would be hopeless at designing eID systems, although I'm sure they would be, but that it is not their problem -- it is a problem for national governments to solve.)

So how do we move forward then? Is it time for an ESTIC, a version of the US National Strategy for Trusted Identities in Cyberspace (NSTIC) that adds European values to the technical infrastructure to create something that the public and private sectors can use to transform (I mean this seriously) service delivery? This would rest on corporate identities (eg, your bank identity) being extended across corporate boundaries and into government -- as is already the case in Scandinavia -- and implies a much greater degree of public-private sector co-operation than we have seen to date.

Continue reading "Why are we waiting?" »

There's whiskey in the jar-o

By Dave Birch posted Sep 15 2010 at 10:18 AM

[Dave Birch] There's a problem in Korea with the production of counterfeit whiskey, so the legitimate whiskey producers have an application in the Korea Telecom service. When the whiskey is bottled, the caps have an RFID tag added to them. This is coded with a URL and an identifier. When a customer, or a shopkeeper, or a policeman, or in fact anyone else wants to check whether the whiskey is real or not, they touch the cap with their phone and the URL launches a web site that knows the provenance of the identifier and can tell you when and where it was bottled as well as some other information. When the customer opens the bottle, the tag is broken and can no longer be read.

Most cell phones today contain a SIM card, which can be swapped with the ones developed by SKT to read the radio waves emitted by the tags attached to medical supplies, whiskey and other products to ensure its authenticity. SK Telecom recently announced the development of a universal subscriber identity module, or USIM, embedded with a 900 megahertz RFID reader.

[From RFIDNews | Real or fake? Use your cell phone and find out.]

Note the architecture. It's the enabled USIM that turns the phone into (presumably)an EPC Gen 2 reader.

It was difficult to tell from the machine translation, but I think that Hitachi and KDDI have just announced that KDDI have a new mobile phone for the corporate market that incorporates an ISO/IEC18000-6 Type C RFID reader/writer.

Hitachi installs UHF belt RFID reader of micro and low power consumption that develops the technology/writer in corporate cellular phone “E05SH” of KDDI.

[From RFID by UHF from KDDI & Hitachi by Wireless Watch Japan]

It will be great when this integration is extended to the consumer market. Now, some people find this sort of thing scary. If you don't believe me, go and have a look at some of the videos on "We, the people, will not be chipped". But I think a phone that can check up on other people's stuff might be fun. After all, 900MHz is much longer range than NFC (several metres for industrial readers). So if you're at a boring party and you're wondering whether the hostesses dress is a real Chanel or a knock-off, you can find out from across the room. Or if you want to snoop around a neighbour's house but can't actually be bothered to go into other rooms, it's ideal. But, as I pointed out some time ago,

Suppose RFID is used to implement Electronic Product Codes (EPCs) for luxury goods. If I see a Gucci handbag on sale in a shop, I will be able to point my Bluetooth EPC-reading pen (these already exist) at it and read the EPC, which is just a number. My mobile phone can decode the number and then tell me that the handbag is Gucci product 999, serial number 888. This information is, by itself, of little use to me

[From Digital Identity: The Rolex premium]

Indeed. There has to be a database to establish provenance, and it is that database that is at the core of the Korea Telecom business model.

Continue reading "There's whiskey in the jar-o" »

Market failure

By Dave Birch posted Sep 13 2010 at 11:25 PM

[Dave Birch] I was in a meeting today discussing some ideas for introducing a sort of trust service, that could fit in a framework along the lines of NSTIC but as a commercial proposition. You know the general idea: a private-sector, for-profit issuer of trust identities. The customer and the segment aren't relevant (and I wouldn't tell anyway), but I wanted to reflect back something I was thinking about the market. The idea that I was involved in exploring assumes, as do many similar ideas, a "two-sided market".

In this market paradigm users and relying parties both interact with each other with the help of a platform. The platform (e.g. single players like Facebook/Google/ Paypal/etc or a network of cooperating parties) optimizes both the proposition towards users and the relying parties. The relying parties are business (including banks) and governments, all with clear business needs: relying parties achieve better e-services for their customers and lower cost of operation... If there is value, a market can come and the growth will come by itself when the trust is organized properly. It’s just a matter of getting the industry act together.

[From Innopay - Payment Consultants - home]

The problems that "e-identity" businesses might try and solve fall into the this two-sided (aka "chicken and egg") structure, and this has so far proved a barrier. This isn't because there aren't problems to solve: here's some examples of how straightforward the business problems are.

  1. I wanted a new credit card from a UK card issuer and I couldn't use my Barclays Bank "identity" to get it. Surely this should be one of the simplest problems to solve? I just called John Lewis to find out why a chip and PIN transaction in Waitrose had been declined (a problem with the network apparently) and it took me longer to "log in" than to deal with the issue: I had to punch in my card number, date of birth, last 4 digits of phone number and then when I got through to person I had to give my name and the first two letters of my secret word. Surely card number followed by CAP/DPA OTP is all that is required?
  2. I can't use my Barclays identity to log in to Barclaycard.
  3. The British government presumably trust Barclays, since they regulate them, but when I log on to sort out taxes or get my car tax I have to use completely different username/password combinations (ie, no security) instead of just linking my government "identities" to my Barclays identity for authentication purposes.

So despite having all of the technology already in place and deployed, there is no functioning two-sided market. I wonder if it's because it's just too complicated to either explain to senior management or make it accessible to the general public?

Continue reading "Market failure" »