About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« May 2011 | Main | July 2011 »

2 posts from June 2011

Confronting the issue

By Dave Birch posted Jun 24 2011 at 4:23 PM

There's an interesting choice of words in the O’Reilly Radar publication on "ePayments 2010". The report's subtitle is "Emerging Platforms, Embracing Mobile and Confronting Identity". I thought that this is expressive: the payments industry is "confronting" identity.

...even as consumers come to expect online systems to know more about them in order to facilitate transactions and reduce friction in accomplishing tasks, they are likely to want to maintain control over which online services have access to distinct aspects of their identity.

Very well put. It illustrates a point that I find myself making in more and more discussions these days: that if the players in the payments industry don't deal with the identity problem, then someone else will.

Identity is critical in many ways: It ensures the right degree of user personalization, enables the reliable billing of services used across a platform, and provides a strong foundation of trust for any transaction occurring on the platform.

[From Making Sense of Ever-Changing Payment Technologies: The Year of APIs and the Reshaping of the Payment Ecosystem - pymnts.com]

Patrick is right to highlight the key role of identity in constructing the future payments infrastructure, although I would draw a slightly different diagram to illustrate the relationship. He has drawn identity on top of payment services, whereas as I would draw them side-by-side to show that some commerce applications will use identity and some will not, some commerce applications will use payments and some will not. This isn't just a payments issue, of course. It's rapidly becoming a major block on the development of the online economy. There's a Chernobyl coming, and the recent fuss about Sony and Sega will appear utterly trivial in comparison. I'm not smart enough to know where or when it will happen, but it will happen. If I had to take a wild guess, I might be tempted to predict the epicentre if not the cause or symptoms.

I trust Facebook to give the messages that I type to my ‘friends’. I trust Facebook with the login details to my Yahoo email account... Even in the last week at least four of my friends have been link-jacked in Facebook – whereby their accounts start spewing malicious links onto the walls of their friends.

[From Trust co-opetition is the key to avoiding disintermediation « in2payments]

It's the interlinking via social networking that is precisely the danger, because that means when something goes wrong is goes connectedly wrong and gets out of control in unpredictable ways. Something has got to be done to make identity mischief substantially more difficult. But how?

We need online identities anchored in hardware cryptography. Everybody who does financial cryptography understands that for anything of value, you can’t store the keys in software. You need hardware protected keys, with a cryptoprocessor to operate on them, and very importantly, a trusted UI to the human that doesn’t involve hackable software. EMV is a good basis for this

[From The Case for EMV Chip Cards in the US? — Payments Views from Glenbrook Partners]

Hear hear. I'd say that it was the chip with a crypto co-processor that is the basis (EMV is just an application running on such a chip) but the point holds. So where are these chips today? Well, they exist in your chip and PIN card is a sort of autistic form, with limited communication and narrow bandwidth through which we can reach the smart core. And they exist in your mobile phone, in the form of the UICC, where they have high bandwidth, constant connectivity, a UI, huge memory and an ecosystem beyond the device. And they will soon exist in your mobile phone, set-top box and elsewhere in the Secure Element (SE). (As an aside, in some models the SE will be resident in the UICC, so there may only be one physical chip.)

Therefore, there is an opportunity to roll-out an SE-based infrastructure, perhaps in the NSTIC architecture, that sets us down the path to identity security. I'm surprised that, in Europe at least, the mobile operators haven't already got together to develop their joint response to NSTIC and begun work on the business models that it spawns. The mobile operator is a naturally identity and attribute provider and they already have the tamper-resistant hardware (ie, UICCs) out in the market. They know the customer, they know the network, they know the device. I should be logging on to everything using my handset already, not messing about with passwords and secret phrases and mother's maiden name.

From the point of view of the UK, where the national identity card scheme has just been scrapped and there is no alternative identity infrastructure in place, there is much to be admired in the US approach.

[From Digital Identity: USTIC]

This may be another area where the ease of use afforded by NFC makes for a big difference in the shape of the marketplace and the trajectory of the stakeholders. There were some early experiments in SIM-based secure PKI, but they were very, very clunky because they needed SMS or Bluetooth to connect the handset to the target device, like a PC or a kiosk (or a POS). But in the new world of NFC, what could be simpler: use menu on phone to select identity, tap and go online. And since the SE can handle the proper cryptography, my phone can tell whether it is talking to the real Barclays as well as Barclays working out whether it is talking to my phone. The NSTIC framework, when combined with the security and ease-of-use of NFC in mobile phones, may not be whole solution, but it's certainly a plausible hypothesis about what that solution may grow from.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

It's all fun and games, until... no, wait, it is all fun and games

By Dave Birch posted Jun 4 2011 at 4:08 PM

Consult Hyperion has been working on a project called VOME with the UK Technology Strategy Board. The idea of the project is to help people who are specifying and designing new, mass-market products and services (eg, Consult Hyperion's clients) to understand privacy issues and make better decisions on architecture.

VOME, a research project that will reveal and utilise end users' ideas and concepts regarding privacy and consent, facilitating a clearer requirement of the hardware and software required to meet end users' expectations.

[From Technology Strategy Board | News | Latest News | New research projects help to ensure privacy of data]

Part of the project is about finding different ways to communicate with the public about privacy and factor their concerns into the requirements and design processes. Some of these ways involve various kinds of artistic experiments and it's been fun to be involved with these. We've already taken part in a couple of unusual experiments, such as getting amateur writers to produce work about privacy from different perspectives.

More recently we have been working with Woking Writers’ Circle on the production of a collection of short stories and poems entitled ‘Privacy Perspectives’.

[From Media - Consult Hyperion]

As one of the technical team, I have to say that it's very useful to be forced to try to think about things like privacy-enhanced technology, data protection and risk in these different contexts. One the artistic experiments underway at the moment, primarily aimed at educating teenagers and young people about the value of their personal data, is the development of a card game that explores the concept. The card game experiment, lead by Dr. David Barnard-Wills from Cranfield University, has reached the point where the game needs playtesting. So... we all met up in London to play a couple of games of it.

Turned out that not only had the chaps developed the game way further than I had imagined, but they've invented a pretty good game. Think the constant trading of "Settlers of Catan" with the power structures of "Illuminati" mixed with game play of "Crunch". I liked it.

You get cards representing personal data of different kinds. Depending on who you are (each player is a different kind of business: bank, dating agency, insurance company etc) you want different datasets and you want to link them together into your corporate database. A dataset is a line of three or more data items of the same kind. Here's a corporate database with two datasets in it: the green biographical data 2-2-3 and the orange financial data 3-3-3, these will score at the end of the game.

There are event cards, that pop up each round to affect the play, and some special cards that the players get from time to time. Check out the database I ended up with in the game that my colleague and I won! I was the bank, so I was trying to collect financial data in my database but I was also trying to collect social data (purple) in my hand.

We had great fun, and we all contributed a ton of ideas. The game is being refined for a new version in a month or two, so we'll try it again then and I'll let you know how it's going! I don't know if the guys are actually going to turn it into a commercial product (that isn't really the point of it) but I'd say they are on to a winner. My tip: instead of calling it "Privacy", call it "Super Injunction".

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]