About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion


License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


7 posts from November 2010

Stux on you

By Dave Birch posted Nov 29 2010 at 8:58 PM

[Dave Birch] The media are full of cyberwar at the moment. I'm sleeping safely in my bed knowing that we now have a cyberwar strategy. But there does appear to have been one cyberwar attack that has already succeeded. The story about Stuxnet is fascinating, especially now that the Iranians have admitted that it worked.

President Mahmoud Ahmadinejad admitted Monday that "several" uranium enrichment centrifuges were damaged by "software installed in electronic equipment," amid speculation Iran's nuclear activities had come under cyberattack.

[From France24 - Iran admits uranium enrichment hit by malware]

So whoever wanted to stop the Iranians from enriching uranium (the Americans, the Saudis, the Israelis etc) found a cheaper and more efficient way to do it than launching cruise missiles or dropping bunker busting bombs.


Moving transactions online

By Dave Birch posted Nov 25 2010 at 11:45 AM

[Dave Birch] Well I managed to get myself invited to the launch of Forum friend Sir Bonar Neville-Kingdom's new book. As the government's technology outreach czar, he makes a point of having his personal assistant Patricia use all forms of new information and communication technology. He has, of late, been dictating tweets for her to place on the Twitter and now, to ensure that these valuable insights into the heart of British government IT policy are preserved for posterity, they have been gathered together in "The Twitters of Sir Bonar Neville-Kingdom". I wasn't sure about the current regulations concerning the photographing of key civil servants, but I managed to sneak a few pictures and have put them on Flickr for the general public to peruse. Here are a few of them so that you can see what was going on (I spotted known activists in the crowd and am perfectly prepared to hand my footage over to the relevant authorities on the condition of pseudonymity).

Given Sir Bonar's famous "ring of soup" formulation for government identity management services, I was keen to ask him how he sees the evolving balance between privacy and surveillance. In particular, I was curious about his views on Umair Haque's succinct note that

The internet itself isn't disempowering government by giving voices to the traditionally voiceless; it's empowering authoritarian states to limit and circumscribe freedom by radically lowering the costs of surveillance and enforcement.

[From The Social Media Bubble - Umair Haque - Harvard Business Review]

Unless we take steps to build an identity infrastructure that embodies certain protections, encodes certain balances, then I think it is perfectly reasonable to anticipate a path whereby governments become authoritarian by default, simply because they can and not because of any directed or debated policy. I don't think that you have to be some kind of privacy nutter to find this a concern: unfortunately, I was not able to put this point to Sir Bonar because he had to leave for a pressing bottle of claret, but perhaps I will be able to catch up with him again in the not-too-distant future.


Masters key

By Dave Birch posted Nov 23 2010 at 5:43 PM

[Dave Birch] This whole internet thing is getting more and more complicated. I'm trying to work out what government policies toward the internet are, so that I can help our clients to develop sound long-term strategies with respect to digital identity. To do this, we need to understand how the security environment will evolve and what the government's attitude to security is. Should people be allowed to send data over the internet without interference? The US government thinks so.

Since 2007, Congress has inserted a total of $50 million of earmarks into the State Department's budget to fund organizations dedicated to fighting Internet censorship.

[From Rebecca MacKinnon: No quick Fixes for Internet Freedom - WSJ.com]

Uh oh. This cannot be popular with people in favour of internet censorship, such as U2's boss.

U2 manager Paul McGuinness said that the only reason the music industry had tanked over recent years was not because outfits like U2 peddled the same boring crap that they did in the 1980s, but because of the introduction of broadband.

[From Comment: Broadband only useful for pirates - U2 manager screams blue murder | TechEye]

Setting aside the fact that the British music industry earned more money than ever before last year, U2 are totally wrong to expect the rest of society to pay to uphold their business model in the face of all technological change. Bono is wasting his time calling for Chinese-style internet censorship in order to maximise record company profits, or at least he is if the US government is going to continue funding the opposition.


China syndrome

By Dave Birch posted Nov 17 2010 at 12:05 PM

[Dave Birch] What should government policy on identity be? Not specifically our government, or EU governments, or any other government, but governments in general. Or, let's say, governments in democratic countries. OK, that's a very big question to tackle. Let's narrow it down to make a point: what should government policy on the internet be? No, that's still too big and perhaps too vague. Let's focus down further on a simple internet question: should the government be allowed to see what is going through the internet tubes? Of course! One of their jobs is to keep me safe from drug-dealing Nazi terrorist child pornographers who formulate devilish plots with the aid of the web.

According to reports, the FBI is asking for the authority to require all Internet communications platforms build in a "backdoor" allowing law enforcement easy wiretapping access

[From Should Government Mandate "Backdoors" for Snooping on the Internet? | Center for Democracy & Technology]

In parallel, the FBI is talking to technology companies about how they could be making it easier for criminals to see your credit card details and for the government to read your e-mail.

Robert S. Mueller III, the director of the Federal Bureau of Investigation, traveled to Silicon Valley on Tuesday to meet with top executives of several technology firms [including Google and Facebook] about a proposal to make it easier to wiretap Internet users.

[From F.B.I. Seeks Wider Wiretap Law for Web - NYTimes.com]

This, superficially, sounds like a good idea. Who could object? We don't want the aforementioned Nazi drug-dealing child pornographers plotting terrorist acts using the interweb tubes with impunity. No right-thinking citizen could hold another view. But hold on...

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

[From U.S. enables Chinese hacking of Google - CNN.com]

It's not that simple, is it? If you create a stable door, then sooner or later you will find yourself bolting it long after the horse has had its identity stolen. What I can't help but wonder about in this context is whether the content actually matters: suppose you can't read my e-mail, but you can see that a lot of mail addressed to Osama bin Laden is coming from my house? Surely that would be enough to put me under suspicion and trigger some other law enforcement and intelligence activity?


Front end

By Dave Birch posted Nov 12 2010 at 12:28 PM

[Dave Birch] We've often looked at the natural strategy of using identity infrastructure as the "front end" to payment infrastructure. To put it simply, if you have an id card in your pocket (or, more likely, your phone) wherever you go, then what's the point of carrying other cards around? Well, one reason is that if you only have one ring to rule them all, and that ring is lost, you're in schtuck (I think there's an idea for a book there somewhere). This is a valid concern.

A junior, who wishes to remain anonymous to protect her identity, had her ID card number stolen.

[From Identification card theft becomes a documented issue on campus - News]

Now, of course, in a developed nation (such as Germany, for example) this shouldn't matter, since there is nothing remotely secret about ID card numbers and they cannot be used to effect any transactions -- you need the smart ID card for that. But when the ID number is attached to something that has no inherent security, like a piece of cardboard, then it can be the root of mischief.

A week later, she decided to check her account balance at the Help Desk. The help desk printed her receipts, and she realized her laundry money account had decreased from $21 to $2.

"I saw a lot of Marvin's, but I hadn't ordered from Marvin's at all this year," the student said.

"I looked at the transactions to compare them," she said. "When I was in Chicago, my card was being used here, and one of my receipts said that I had charged for Marvin's at 6:46 p.m., when I had also bought food at the Hub at 6:48 p.m."

[From Identification card theft becomes a documented issue on campus - News]

This is the inevitable consequence of 1-factor authentication, just like magnetic stripes on credit cards. Fortunately, the story has a modern, happy ending.

Public Safety, who traced the Marvin's orders to a cell phone number, caught the perpetrator.

[From Identification card theft becomes a documented issue on campus - News]

Too funny: the master criminal who copied the ID card number down used his own mobile phone to order food using the number. Still, it's a serious point, and it has been discussed with relation to some of the national smart ID schemes that we have advised on: there's a reasonable concern that ID cards might be a target for crime if they can be used for payments, which is true, if the ID cards have no security. But suppose the ID cards have not only a chip on them to prevent counterfeiting, but also a biometric cardholder verification method.

The much talked about Unique Identity Project (UID) is not just about providing citizens with biometric cards. In fact, the new identity cards can be used for multiple purposes and can even replace the debit or credit cards one day.

[From UID cards can replace bank cards - CIOL News Reports]

So, once again, let's be clear about these implications. An effective digital identity infrastructure sitting on top of a standardised "payments cloud" will completely reshape the sector. It will substantially reduce the cost and complexity of starting a new payment scheme, and will further substantially reduce the cost and complexity of running a new payment scheme.


My multiples

By Dave Birch posted Nov 4 2010 at 3:47 PM
[Dave Birch] I watched a strange TV show on a plane back from the US. It was about a woman with "Multiple Personality Disorder" (remember that book Sybil -- not the one by Benjamin Disraeli -- from years ago?). I make no comment about whether the disorder is real or not (the TV show wasn't that interesting) but there's no doubt in my mind that when it comes to the virtual world, multiple personalities are not only real, but desirable.

Here's a good reason for not having your Facebook account in your real name (as I don't):

Five interviewees who traveled to Iran in recent months said they were forced by police at Tehran's airport to log in to their Facebook accounts. Several reported having their passports confiscated because of harsh criticism they had posted online about the way the Iranian government had handled its controversial elections earlier this year.

[From Emergent Chaos: Fingerprinted and Facebooked at the Border]

I've already created a new Facebook identity and posted a paean to Iran's spiritual leaders just in case I am ever detained by revolutionary guards and forced to log in. But will this be enough? Remember what happened to film maker David Bond when he made his documentary about trying to disappear? The private detectives that he had hired to try and find him simply went through Facebook:

Pretending to be Bond, they set up a new Facebook page, using the alias Phileas Fogg, and sent messages to his friends, suggesting that this was a way to keep in touch now that he was on the run. Two thirds of them got in contact.

[From Can you disappear in surveillance Britain? - Times Online]

So even if you are careful with your Facebook personalities, your friends will blab. As far as I can tell, there's no technological way around this: so long as someone knows which pseudonym is connected to which real identity, the link may be uncovered. Probably the best we can do is to make sure that the link is held by someone who will demand a warrant before opening the box.


Recognising the problem

By Dave Birch posted Nov 1 2010 at 11:15 PM
[Dave Birch] An interesting series of talks at Biometrics 2010 reminded me how quickly face recognition software is improving. The current state of the art can be illustrated with some of the examples given by NIST in their presentation on testing.
  • A 1:1.6m search on 16-core 192Gb blade (about $40k machine) takes less than one second, and the speed of search continues to improve. So if you have a database of a million people, and you're checking a picture against that database, you can do it in less than a second.
  • The false non-match rate (in other words, what proportion of searches return the wrong picture) best performance is accelerating: in 2002 it was 20%, by 2006 it was 3% and by 2010 it had fallen to 0.3%. This is an order of magnitude fall every four years and there's no reason to suspect that it will not continue.
  • The results seem to degrade by the log of population size (so that a 10 times bigger database delivers only twice the miss rate). Rather fascinatingly, no-one seems to know why, but I suppose it must be some inherent property of the algorithms used.

We're still some way from Hollywood-style biometrics where the FBI security camera can spot the assassin in the Superbowl crowd.

What is often overlooked is that biometric systems used to regulate access of one form or another do not provide binary yes/no answers like conventional data systems. Instead, by their very nature, they generate results that are “probabilistic”. That is what makes them inherently fallible. The chance of producing an error can be made small but never eliminated. Therefore, confidence in the results has to be tempered by a proper appreciation of the uncertainties in the system.

[From Biometrics: The Difference Engine: Dubious security | The Economist]

So when you put all of this together, you can see that we are heading into some new territory. Even consumer software such as iPhoto has this stuff built in to it.


It's not perfect, but it's pretty good. Consumers (and suppliers) do, though, have an unrealistic idea about what biometrics can do as components of a bigger system.

But Microsoft's new gaming weapon uses "facial and biometric recognition" that creates a 3D model of a player. "It recognises a 3D model that has walked into the room and automatically logs that player in," Mr Hinton said... "It knows when they are sneakily trying to log into their older brother's account and trying to cheat the system... You can't do it. Your face is the ultimate detection for the device."

[From Game console 'rejects' under-age players | Herald Sun]

This sounds sort of fun. Why doesn't my bank build this into its branches so that when I walk in?
