Please adjust your set
By Dave Birch posted Jul 30 2011 at 6:11 PMThere will be no new posts here. From 1st August 2011 all posts will be at the "Tomorrow's Transactions" blog so please update your newsreader accordingly.
Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion
This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.
Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.
There will be no new posts here. From 1st August 2011 all posts will be at the "Tomorrow's Transactions" blog so please update your newsreader accordingly.
You can read this post on the Consult Hyperion "Tomorrow's Transactions" blog. Please point your newsreader at http://www.chyp.com/feeds/blog for all of the posts.
PLEASE NOTE that this will be the last entry posted here. From 1st August 2011 all posts will be at the "Tomorrow's Transactions" blog only so please update your newsreader accordingly.
You can read this post on the Consult Hyperion "Tomorrow's Transactions" blog. Please point your newsreader at http://www.chyp.com/feeds/blog for all of the posts.
You can read this post on the Consult Hyperion "Tomorrow's Transactions" blog. Please point your newsreader at http://www.chyp.com/feeds/blog for all of the posts.
I've been reading Emily Nagel's book "Anywhere". She's the CEO of Yankee Group and the book is about global connectivity revolutionising business. I hope she won't be offended if I say that it's an "airport book", but it's an accurate description, at least for me, because I read it on the plane. There's something that bothers me about it, though. It has lots of stories and examples and narrative about ways in which business is transformed as it goes online, but it doesn't have "identity" or "authentication" in the index and says nothing about the identity problems that will need to be solved in order to realise the full potential of connectivity. As I've often observed before, using my favourite Kevin Kelly classification, connection isn't the problem: it's the disconnection technologies that will shape the medium-term roadmap for transforming new technology into business models: once everything is connected to everything else, the business model shifts to the creation and management of subgroups within that single, giant internet of everything.
Here, things aren't going so well. By coincidence, the Saturday newspaper that I picked up after putting down Emily's book had a technology advice column, and there was a letter from a typical consumer in it. I paraphrase:
I have a long list of passwords for home banking, shopping, social networks, magazines and so on. I've put them all in a Word document. How can I encrypt it?
This is, in a nutshell, the state of the mass market today. We all have masses of passwords, we've been complaining about it since 1994, and nothing much seems to happen, largely (I think) because the costs of our time don't factor into business models. And yet... we don't seem to be evolving any better business models and we don't seem any closer to better identity infrastructure. Should we give up? No! I say we should remember William Samuel Henson.
It is sad that the name of William Samuel Henson is largely unknown today. A man of great vision, he petitioned Parliament for permission to set up an airline -- with a business model largely based on post -- flying to Egypt, India and China. Parliament turned his proposal down on the grounds that it was 1843 and no-one had invented airplanes yet. Henson knew this, obviously, but could see which way technology was evolving and correctly reasoned that just because he didn’t know how to get an airplane off the ground (he had been involved in numerous experiments around powered flight), that didn’t mean that no-one else would. And when they did, there would be a new business to build on aviation technology. So he started thinking about the businesses that would make sense and, since the post had just been invented in the UK, he looked at how that might work in the future.
This is a parable of our identity space now. We can't get the technology to work, but we know that someone will, so we're trying to think of business models (I should be clear in our case: we're trying to think of business models for our clients) that will make sense when the technology works. But we're thinking about web browsing and e-mail because these have just been invented and they're our equivalent of the post service. Maybe we should challenge ourselves harder to look at wider possibilities, start from the perspective of social networking, virtual worlds and Twitter rather than Alice sending her credit card details to Bob.
Facebook is better understood, not as a country, but as a refugee camp for people who feel today’s lack of identity-forging social experience.
[From Facebook: the heart in a heartless world | spiked]
I think many organisations should be focusing on the next phase of evolution of online business, and phase that will be fundamentally shaped by the emerging identity infrastructure. But we must be careful not to take what has just been invented (in this case, say, Facebook) and project it into the future as the key to new business models. We have to think more broadly to develop strategic roadmaps for business that can react to the general trends to exploit the technology downstream. An example? Well, it doesn't matter which social network we'll be using in five years time, we'll still need to authenticate ourselves in a more effective way that a Word file full of passwords. It isn't only me that thinks this.
The president wants consumers to use strong authentication, something more than user name and password, which will most likely add another security factor, say officials familiar with the project.
For example, user name and password is one-factor security, something you know. But additional factors can be added. A token or digital certificate can be a second factor, something you have, resulting in stronger two-factor authentication. If you add a fingerprint or other biometric, something you are, it’s increased to three-factor security.
[From NFCNews | Potential technologies that consumers may use for online ID]
There follows an interesting, but confused, list of options. I'd like to suggest a more straightforward taxonomy, based on a digital identity infrastructure (which doesn't exist, of course). The article, to my mind, confuses the distinct bindings between the virtual identities that exist in the Net and the real identities that are connected to. This is why it is useful to introduce the notion of digital identity in the middle. So then we get the two categories of things that might be used to solve the
Each of these will be a separate business that operates according to difference scale factors (scale in the first case, scope in the second). I don't know how to make them work, but someone will.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
I've been reading through the final version of the US government's National Strategy on Trusted Identities in Cyberspace (NSTIC). This is roughly what journalists think about:
What's envisioned by the White House is an end to passwords, a system in which a consumer will have a piece of software on a smartsphone or some kind of card or token, which they can swipe on their computers to log on to a website.
[From White House Proposes A Universal Credential For Web : The Two-Way : NPR]
And this is roughly what the public think about it
Why don’t they just put a chip in all of us and get it over with? What part of being a free people do these socialists not understand?
[From White House Proposes A Universal Credential For Web : The Two-Way : NPR]
And this is roughly what I think about it: I think that NSTIC isn't bad at all. As I've noted before I'm pretty warm to it. The "identity ecosystem" it envisages is infinitely better than the current ecosystem and it embodies many of the principles that I regard a crucial to the online future. It explicitly says that "the identity ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers (presumably including government bodies) to link an individual's transactions and says that by default only the minimum necessary information will be shared in transactions. They have a set of what they term the Fair Information Practice Principles (FIPPs) that share, shall we say, a common heritage with Forum friend Kim Cameron's laws (for the record, the FIPPs cover transparency, individual participation, purpose specification, data minimisation, use limitation, data quality and integrity, security and accountability and audit).
It also, somewhat strangely, I think, says the this proposed ecosystem "will preserve online anonymity", including "anonymous browsing". I think this is strange because there is no online anonymity. If the government, or the police, or an organisation really want to track someone, they can. There are numerous examples which show this to be the case. There may be some practical limitations as to what they can do with this information, but that's a slightly different matter: if I hunt through the inter web tubes to determine that that the person posting "Dave Birch fancies goats" on our blog comes from a particular house in Minsk, there's not much I can do about it. But that doesn't make them anonymous, it makes the economically anonymous, and that's not the same thing, especially to people who don't care about economics (eg, the security services). It's not clear to me whether we as a society actually want an internet that allows anonymity or not, but we certainly don't have one now.
The strategy says that the identity ecosystem must develop in parallel with ongoing "national efforts" to improve platform, network and software security, and I guess that no-one would argue against them, but if we were ever to begin to design an EUSTIC (ie, an EU Strategy for Trusted Identities in Cyberspace) I think I would like it to render platform, network and software security less important. That is, I want my identity to work properly in an untrusted cyberspace, one where ne'erdowells have put viruses on my phone and ever PC is part of a sinister botnet (in other words, the real world).
I rather liked the "envision" boxes that are used to illustrate some of the principles with specific examples to help politicians and journalists to understand what this all means. I have to say that it didn't help in all cases...
The "power utility" example serves as a good focus for discussion. It expects secure authentication between the utility and the domestic meter, trusted hardware modules to ensure that the software configuration on the meter is correct and to ensure that commands and software upgrades do indeed come from the utility. All well and good (and I should declare an interest a disclose that Consult Hyperion has provided paid professional services in this area in the last year). There's an incredible amount of work to be done, though, to translate these relatively modest requirements into a national-scale, multi-supplier roll-out.
Naturally I will claim the credit for the chat room "envision it"! I've used this for many years to illustrate a number of the key concepts in one simple example. But again, we have to acknowledge there's a big step from the strategy to any realistic tactics. Right now, I can't pay my kids school online (last Thursday saw yet another chaotic morning trying to find a cheque book to pay for a school outing) so the chance of them providing a zero-knowledge proof digital credential that the kids can use to access (say) BBC chatrooms is absolutely nil to any horizon I can envisage. In the UK, we're going to have to start somewhere else, and I really think that that place should be with the mobile operators.
What is the government's role in this then? The strategy expect policy and technology interoperability, and there's an obvious role for government -- given its purchasing power -- to drive interoperability. The government must, however, at some point make some firm choices about its own systems, and this will mean choosing a specific set of standards and fixing a standards profile. They are creating a US National Project Office (NPO) within the Department of Commerce to co-ordinate the public and private sectors along the Implementation Roadmap that is being developed, so let's wish them all the best and look forward to some early results from these efforts.
As an aside, I gave one of the keynote talks at the Smart Card Alliance conference in Chicago a few weeks ago, and I suggested, as a bit of an afterthought, after having sat through some interesting talks about the nascent NSTIC, that a properly implemented infrastructure could provide a viable alternative to the existing mass market payment schemes. But it occurs to me that it might also provide an avenue for EMV in the USA, because the DDA EMV cards that would be issued (were the USA to decide to go ahead and migrate to EMV) could easily be first-class implementations of identity credentials (since DDA cards have the onboard cryptography needed for encryption and digital signatures). What's more, when the EMV cards migrate their way into phones, the PKI applications could follow them on the Secure Element (SE) and deliver an implementation of NSTIC that could succeed in the mass market with the mobile phone as a kind of "personal identity commander".
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]