About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

Advertisers

Technorati

  • Add to
Technorati Favorites

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« January 2011 | Main | March 2011 »

5 posts from February 2011

Not magic bullets, but bullets nonetheless

By Dave Birch posted Feb 23 2011 at 2:14 PM

How do you identify people? This is a difficult problem. Let's set aside what you need to identify people for, and just concentrate on large scale solutions.

The Indian government is trying to give all 1.2 billion Indians something like an American Social Security number, but more secure. Because each “universal identity number” (UID) will be tied to biometric markers, it will prove beyond reasonable doubt that anyone who has one is who he says he is. In a country where hundreds of millions of people lack documents, addresses or even surnames, this will be rather useful. It should also boost a wide range of businesses.

[From India: Identifying a billion Indians | The Economist]

The "but more secure" is obvious, because otherwise "something like" a US SSN will be as disastrous as a UK National Insurance number as a viable means of identifying individuals.

The study found that rather than serving as a unique identifier, more than 40 million SSNs are associated with multiple people. 6% of Americans have at least two SSNs associated with their name. More than 100,000 Americans have five or more SSNs associated with their name.

[From One In Seven Social Security Numbers Are Shared]

So what do we mean by "more secure"? How do you go about uniquely identifying people? In the case of India, it means a biometric universal ID (UID). Once the word "biometric" appears, people seem to think there is now a magic bullet against identity theft and fraud and they want to use it for everything (which is why I have previously argued that - given convenience - the market will automatically shift to demand the highest level of assurance of identity for every transaction, whether it requires it or not).

Securities and Exchange Board of India (SEBI)... has constituted an internal group with members from various departments to examine the modalities for making UID applicable for KYC norms and to formulate their views. This information was given by the Minister of State for Finance, Shri Namo Narain Meena in written reply to a question raised in Rajya Sabha today.

[From Press Information Bureau English Releases]

This kind of behaviour builds a tower on shifting sand, introducing a single point of failure into all systems. In fact, it introduces exactly the same single point of failure into all systems, which is why I like the NSTIC approach of multiple identity providers (of which the government in merely one, and a non-priviledged one at that). In India, biometrics have not had a good start. The first attempts to register people for the UID saw only a fifth of the attempts succeed.

Though the department conducted proof-of-concept (pilot project) on over 266,000 people in Mysore and Tumkur districts, only 52,238 UIDs could be generated.

[From Pilot project yielded few UIDs - The Times of India]

Is there something unusual about Indian biometrics? I suspect not. I suspect that biometrics are being used in systems designed by management consultants who have been watching Hollywood movies rather than by technologists who understand the appropriate modalities and bounds. You wouldn't get that sort of thing here in the UK. No, wait...

Biometric face scanners at Manchester Airport have been switched off after a couple walked through one after swapping passports.

[From Aircargo Asia Pacific - Face scanners switched off at Manchester]

I've been through the e-passport face scanners at LHR a few times (I don't use the IRIS scheme after it rejected me three trips in a row) and I can't say I haven't wondered whether it is real or not. We all know that iris scanning is more secure.

A woman from eastern Europe who was deported from the UAE re-entered weeks after her departure using a new identity... To prevent her from returning, her eyes were scanned before she left. But, according to her testimony in court this week, she returned to the UAE through Dubai International Airport using a forged passport and a different name. She said her eyes were scanned upon entry.

[From Iris scan fails to stop returning deportee - The National Newspaper]

Hhhmmm. It seems as if building big databases of biometrics may not be the way forward for the time being. Is there any other way to make biometrics more practical at a large scale? I'm sure there is. Perhaps a good place to start would be to marry some capability and convenience. One thing that we know from examples around the world is that customers like biometrics because of convenience. So what else is convenient? I know: contactless, wireless and RIFD technology.

Standard Chartered is issuing RFID chips to select customers at its newest Korean location, eliminating the need for affluent individuals to wait in lines at the branch. When a customer holding an RFID tag enters the facility, the system immediately notifies the branch manager and a relationship manager who can greet the customer personally at the door.

[From RFID Chips Spell End to Branch Lines for High-Value Customers | The Financial Brand: Marketing Insights for Banks & Credit Unions]

Ah, but when you get to the counter, how does the bank know that you are indeed the valued customer and not an imposter, intent on transferring funds off to Uzbekistan? Well, you could ask the customer to put their finger on a pad, or look at a camera, or speak into a microphone, or what ever, and then send the captured biometric to the RFID device for matching. Instead of rummaging through a giant database, the system can now do an efficient 1-1 comparison offline. If the device returns the correct, digitally-signed response, then the customer is verified. No PINs, no passwords: the combination of biometrics, contactless and tamper-resistant chips can deliver a workable solution to a lot of problems.

How smart?

By Dave Birch posted Feb 17 2011 at 12:37 PM

I had an interesting conversation with the CTO of a multi-billion company at the Mobile World Congress in Barcelona. He, like me, felt that something has been going wrong in the world of identity, authentication, credentials and reputation as we try to create electronic versions of physical world legacy constructs instead of starting from a new sets of requirements for the virtual world and working back. He was talking about machines, though, not people.

Robots could soon have an equivalent of the internet and Wikipedia. European scientists have embarked on a project to let robots share and store what they discover about the world. Called RoboEarth it will be a place that robots can upload data to when they master a task, and ask for help in carrying out new ones.

[From BBC News - Robots to get their own internet]

RoboEarth? No! Skynet, please. And Skynet needs to share an identity infrastructure with the interweb tubes, because of the rich interaction between personal identity and machine identity that will be integral to future living. The internet of things infrastructure needs an identity of things infrastructure to work properly. Our good friend Rob Bratby from Olswang wrote, accurately, that

The deployment of smart meters is one of the most significant deployments of what is often described as ‘the internet of things’, but its linkage to subscriber accounts and individual homes, and the increasing prevalence of data ‘mash-ups’ (cross-referencing of multiple databases) will require these issues to be thought about in a more sophisticated and nuanced way.

[From Watching the connectives | A lawyer's insight into telecoms and technology]

I can confirm from our experiences advising organisations in the smart metering value chain that these issues are certainly not being thought about in either sophisticated or nuanced ways.

“The existing business policies and practices of utilities and third-party smart grid providers may not adequately address the privacy risks created by smart meters and smart appliances,

[From Grid Regulator: The Internet & Privacy Concerns Will Shape Grid: Cleantech News and Analysis «]

Not my words, the Federal Energy Regulatory Commission in the US. Too right. The lack of an identity infrastructure isn't just a matter of Facebook data getting into the wrong hands or having to have a different 2FA dongle for each of your bank accounts. It's a matter of critical infrastructure starting down the wrong path, from which it will be hard to recover after the first Chernobyl of the smart meter age, the first time some kids, or the North Korean government, or a software error at the gas company shuts down all the meters, or publishes all of the meter readings in a Google maps-style mashup so that burglars can find out which houses in a street are empty, or the News of World can get a text alert when a sleb gets home, or whatever.

My CTO friend was, I'm certain, right to suggest that we need to start by working out what we what identity to look like in general and then work out what the subset of that in the physical world needs to look like. If we do start building an EUTIC or a UKTIC to complement NSTIC then I think it should work for smart meters as well as for dumb people.

Theoretically private

By Dave Birch posted Feb 10 2011 at 9:21 PM

The Institute for Advanced Legal Studies hosted an excellent seminar by Professor Michael Birnhack from the Faculty of Law at Tel Aviv University who was talking about "A Quest for a Theory of Privacy".

He pointed out that while we're all very worried about privacy, we're not really sure what should be done. It might be better to pause and review the legal "mess" around privacy and then try to find an intellectually-consistent way forward. This seems like a reasonable course of action to me, so I listened with interest as Michael explained that for most people, privacy issues are becoming more noticeable with Facebook, Google Buzz, Airport "nudatrons", Street View, CCTV everywhere (particularly in the UK) and so on. (I'm particularly curious about the intersection between new technologies -- such as RFID tags and biometrics -- and public perceptions of those technologies, so I found some of the discussion very interesting indeed.)

Michael is part of the EU PRACTIS research group that has been forecasting technologies that will have an impact on privacy (good and bad: PETs and threats, so to speak). They use a roadmapping technique that is similar to the one we use at Consult Hyperion to help our clients to plan their strategies for exploiting new transaction technologies and is reasonably accurate within a 20 year horizon. Note that for our work for commercial clients, we use a 1-2 year, 2-5 year, and 5+ year roadmap. No-one in a bank or a telco cares about the 20 year view, even if we could predict it with any accuracy -- and given that I've just read the BBC correspondents informed predictions for 2011 and they don't mention, for example, what's been going on in Tunisia and Egypt, I'd say that's pretty difficult.

One key focus that Michael rather scarily picked out is omnipresent surveillance, particularly of the body (data about ourselves, that is, rather than data about our activities), with data acted upon immediately, but perhaps it's best not go into that sort of thing right now!

He struck a definite chord when he said that it might be the new business models enabled by new technologies that are the real threat to privacy, not the technologies themselves. These mean that we need to approach a number of balances in new ways: privacy versus law enforcement, privacy versus efficiency, privacy versus freedom of expression. Moving to try and set these balances, via the courts, without first trying to understand what privacy is may take us in the wrong direction.

His idea for working towards a solution was plausible and understandable. Noting that privacy is a vague, elusive and contingent concept, but nevertheless a fundamental human right, he said that we need a useful model to start with. We can make a simple model by bounding a triangle with technology, law and values: this gives three sets of tensions to explore.

Law-Technology. It isn't a simple as saying that law lags technology. In some cases, law attempts to regulate technology directly, sometimes indirectly. Sometimes technology responds against the law (eg, anonymity tools) and sometimes it co-operates (eg, PETs -- a point that I thought I might disagree with Michael about until I realised that he doesn't quite mean the same thing as I do by PETs).

Technology-Values. Technological determinism is wrong, because technology embodies certain values. (with reference to Social Construction of Technology, SCOT). Thus (as I think repressive regimes around the world are showing) it's not enough to just have a network.

Law-Values, or in other words, jurisprudence, finds courts choosing between different interpretations. This is where Michael got into the interesting stuff from my point of view, because I'm not a lawyer and so I don't know the background of previous efforts to resolve tensions on this line.

Focusing on that third set of tensions, then, in summary: From Warren and Brandeis' 1890 definition of privacy as the right to be let alone, there have been more attempts to pick out a particular bundle of rights and call them privacy. Alan Westin's 1967 definition was privacy as control: the claims of individuals or groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

This is a much better approach than the property right approach, where disclosing or not disclosing, "private" and "public" are the states of data. Think about the example of smart meters, where data outside the home provides information about how many people are in the home, what time they are there and so on. This shows that the public/private, in/out, home/work barriers are not useful for formulating a theory. The alternative that he put forward considers the person, their relationships, their community and their state. I'm not a lawyer so I probably didn't understand the nuances, but this didn't seem quite right to me, because there are other dimensions around context, persona, transaction and so on.

The idea of managing the decontextualisation of self seemed solid to my untrained ear and eye and I could see how this fitted with the Westin definition of control, taking on board the point that privacy isn't property and it isn't static (because it is technology-dependent). I do think that choices about identity ought, in principle, to be made on a transaction-by-transaction basis even if we set defaults and delegate some of the decisions to our technology and the idea that different persona, or avatars, might bundle some of these choices seems practical.

Michael's essential point is, then, that a theory of privacy that is formulated by examining definitions, classsifications, threats, descriptions, justifications and concepts around privacy from scratch will be based on the central notion of privacy as control rather than secrecy or obscurity. As a technologist, I'm used to the idea that privacy isn't about hiding data or not hiding it, but about controlling who can use it. Therefore Michael's conclusions from jurisprudence connect nicely connect with my observations from technology.

An argument that I introduced in support of his position during the questions draws on previous discussions around the real and virtual boundary, noting that the lack of control in physical space means the end of privacy there, whereas in virtual space it may thrive. If I'm walking down the street, I have no control over whether I am captured by CCTV or not. But in virtual space, I can choose which persona to launch into which environment, which set of relationships and which business deals. I found Michael's thoughts on the theory behind this fascinating, and I'm sure I'l be returning to them in the future.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Having another go

By Dave Birch posted Feb 8 2011 at 9:28 PM

The UK's last attempt to introduce a national identity infrastructure, the national ID card, failed pretty badly and left everyone involved under a cloud (except for the management consultancies who billed tens of millions of pounds to the project).

The Home Office slipped out the final report of the Independent Scheme Advisory Panel (ISAP) this week, more than a year after it was written. The ostensibly independent report, which reveals how the ID system had been compromised by poor design and management, was submitted to the Home Office in December 2009.

[From Henry Porter - Home Office suppressed embarrassing ID cards report]

The report says that there are no specifications for usage or verification (which we knew - this was one of my constant complaints at the time) and, revealingly, that (in section 3.3) that "it is likely that European travel" will emerge as the key consumer benefit. This, I think, is an interesting comment. As I have pointed before in tedious detail, what the Identity & Passport Service (IPS) built was, well, a passport. It had no other functionality and, given the heritage, was never going to have. Hence my idea of renaming it "Passport Plus" and selling it to frequent travellers (eg, me) as a convenience.

As an aside, the report also says (in section 5.5) the "significant" number of change requests after the contracts had been awarded would likely increase risk, cost and timescale. Again, while this is a predictable comment, it is a reflection on the outdated consultation, specification and procurement processes used. Instead of a flagship government project heralding a new economy, we ended up with the usual fare: incomplete specifications, huge management consultant bills, massive and inflexible supply contracts.

The report repeated the same warnings ISAP had given the Home Office every year since the system blueprint was published in December 2006 by Liam Byrne and Joan Ryan, then Home Office Ministers, and James Hall, then head of the Identity and Passport Service (IPS).

[From Home Office suppressed embarrassing ID cards report - 1/7/2011 - Computer Weekly]

How did it all go do wrong? Liam Byrne should have known something about IT as he used to work for Accenture, as did James Hall (Joan Ryan was a sociology teacher who later became famous for having claimed for more than £1,000,000 in MP's expenses). Yet somehow the "vision" that emerged was profoundly untechnological, backward-looking and lacking in inspiration. What's different now?

Well, a key change is that the new administration is heading more along the lines of the US (with USTIC) and the Nordics, where people use their bank IDs to access public services. We're working on a project with Visa Europe and our good friend Fred Piper at Royal Holloway to develop a pilot implementation right now.

Consult Hyperion, working with Visa Europe and Codes & Ciphers, is the industry lead for a Technology Strategy Board funded research project; Sure Identity, for Secure Authentication of Online Government Services. This innovative pilot scheme will investigate the security and cost benefits of consumers using new bank-issued electronic Visa debit cards to securely access online government services

[From Digital Systems - DS KTN Member receives funding from Trusted Services Competition for research into the secure authentication of online Government Services - Articles - Technology Strategy Board]

It's possible to at least imagine some form of "UKTIC" that is interoperable with the US version, certainly to the extent that an American with a US bank account might be able to open a UK bank account, things like that. And it's possible to imagine a kind of EUTIC that sets certain minimums in place so that UKTIC can interoperate with France TIC and Germany TIC and so on. I already have one or two ideas about where UKTIC may differ from USTIC. Let's go back to the EFF's comments on USTIC.

A National Academies study, Who Goes There?: Authentication Through the Lens of Privacy, warned that multiple, separate, unlinkable credentials are better for both security and privacy. Yet the draft NSTIC doesn’t discuss in any depth how to prevent or minimize linkage of our online IDs, which would seem much easier online than offline, and fails to discuss or refer to academic work on unlinkable credentials (such as that of Stefan Brands, or Jan Camenisch and Anna Lysyanskaya).

[From Real ID Online? New Federal Online Identity Plan Raises Privacy and Free Speech Concerns | Electronic Frontier Foundation]

If we were to make UKTIC something like USTIC but with the addition of a class of unlinkable credentials that might be mandated for certain uses, then we could take a really important step forward: instead of a physical national identity card, the administration could trumpet and virtual national privacy card. (Actually, I'd be tempted call it a Big Society Card in order to get funding!)

And I've got my bronze swimming certificate

By Dave Birch posted Feb 1 2011 at 11:05 AM

When I'm talking about identity, I sometimes joke that our ill-thought out perspectives on the topic have led to the bizarre situation that in the UK it is much easier to get a job with a bank than an account. In The Daily Telegraph for 29th January 2011, I read under the headline "False CV Fooled Bank" that:

A fraudster used a false CV [claiming degrees from Oxford and Harvard] to gain a £165,000 per annum job at a City investment bank.

I assumed that everybody made up stuff on their resumes, but it turns out that it's against the law, so the culprit, Mr. Peter Gwinnell, was prosecuted and given a suspended sentence (I assume he'll skip over this on his next CV). We keep being told that employers use Facebook profiles nowdays (I hope they use mine: it says that I am the most intelligent person alive today and that Nelson Mandela queued for my autograph) so perhaps CVs will soon be a thing of the past. Just out of curiosity I googled Mr. Gwinnell and found that as well as his empty LinkedIn profile, the bald fact of his departure is there on the web.

PETER GWINNELL Appointment terminated as director on 15 Feb 2010 (Document)

[From AHLI UNITED BANK (UK) PLC of W1H 6LR in LONDON UNITED KINGDOM]

To be honest, if an employer wanted proof of my A-Level in Mathematics or O-Level in British Constitution or the Degree I scraped through with in 1980, I'd be hard pressed to provide it. I don't have the faintest idea where the relevant certificates are. I suppose I could ring the University and ask them to send me a letter, but how would the employer know I hadn't forged the letter. And how would Southampton University know that it is me calling? Or, for that matter, how would they know that I hadn't forged the O-Level in British Constitution certificate?

When I started my first job after university, I don't remember being asked to provide any such proof. Come to that, I don't remember being asked to prove who I was either. In those days, all you needed was a national insurance number. But if employers are going want proof, like the actual certificates, then there will be a bit of a premium on the certificates. Once the certificates are worth something, they will be stolen. This is what happens in China.

Local officials said the files were lost when state workers moved them from the first to the second floor of a government building. But the graduates say they believe officials stole the files and sold them to underachievers seeking new identities and better job prospects — a claim bolstered by a string of similar cases across China.

[From Files Vanished, Young Chinese Lose the Future - NYTimes.com]

How are we going to deal with this digitally? It shouldn't be that complicated for Harvard to create a digital certificate to attest to the fact that the owner of a particular identity did, in fact, graduate. If there were some sort of device or token, perhaps some form of card, that contained my educational identity (ie, key pair) then Harvard could simply sign the public key with their private key and the whole problem is fixed (glossing over, of course, where this device or token might come from, and so on).

Something does have to be done though. The current system is simply a joke. It's quite funny when someone cons a bank into giving them a senior position despite knowing nothing about banking (imagine!) but one of the areas that really bothers me, and probably should bother you too, is the ease with which medical credentials are forged.

A conman from Lancashire who posed as a vet and nearly killed a pony by botching its castration has been jailed for two years. Russell Oakes also masqueraded as a doctor, carried out an intimate examination and charged for false diagnoses, Liverpool Crown Court heard. The 43-year-old, of Hesketh Bank, admitted 41 charges of fraud, forgery and perverting the course of justice.

[From BBC News - Bogus Lancashire vet jailed after botched castration]

How did he do this? Was he a master forger, capable of producing an authentic-looking medical school diploma using specially-aged paper, his engraving skills and authentic ink procured from the correct German manufacturer? No, of course not: this is a post-modern crime.

He bought a fake university certificate off the internet, the court heard.

[From BBC News - Bogus Lancashire vet jailed after botched castration]

Now imagine an alternative infrastructure. I am asked to prove that I have a degree from Southampton University. I log on to the university using my OpenID id.dave.com and answer some questions, provide some data, to satisfy the university that I am, indeed, the relevant dave. My OpenID profile includes a public key, so the university creates a public key certificates, signing that key and some standard data that they provide. I can now give this certificate to anyone, and they can check it by verifying the signature using the published Southampton University public key, resolving the certificate chain in the usual way.

the BBC suffered another embarrassment today after a man interviewed on Radio 4's World at One who claimed to be a Liberal Democrat MP was revealed to be an imposter.

[From Radio 4 follows Jeremy Hunt gaffe by interviewing fake MP | Media | guardian.co.uk]

How would the proposed infrastructure help here? The system has to be so easy to use that a harassed BBC researcher can use it. Come to that it has to be so easy that military installations, the police and other can use it too.

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD's military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area

[From Schneier on Security: The Security Threat of Forged Law-Enforcement Credentials]

Step forward the mobile phone. Every single one of the people who were "verifying" IDs in these stories has a mobile phone, so there's no need to look any further. The military policeman's mobile phone should be able to check your ID. And your mobile phone should be able to check his ID. And if you're both using mobile phones, both IDs can be checked simultaneously. We already know that symmetry is an important property of an identity infrastructure: the bank needs to be able to check it's me, but I need to be able check it's the bank. And the mobile phone can do both. So next time Peter shows up for an interview, the interviewer can simply tap Peter's NFC phone against their NFC phone and see a full list of his credentials.

(Law enforcement has special additional issue though: sometimes, the policeman doesn't want to reveal that he's a policeman, but that's a topic for another day.)