About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

27 posts categorized "Connection & Disconnection"

Red army

By Dave Birch posted Dec 13 2010 at 11:00 PM

[Dave Birch] Oh no! According to tonight's news reports, the UK is bracing itself for cyberattack from the "hackers" supporting Julian Assange and Wikileaks. Apparently vital government services are at risk from the group called "Anonymous" launching distributed denial-of-service (DDOS) attacks. A bit like this guy, from the group "Not Anonymous At All":

A 17-year-old from Manchester has been arrested by the Metropolitan Police's e-crime unit (PCeU) on suspicion of being behind a denial of service attack against the online game Call of Duty.

[From Call of Duty DDoS attack police arrest teen • The Register]

He was, of course, traced from his IP address. I thought it was funny, in a way, that journalists and politicians refer to the LOIC kids as "hackers" when they are anything but. What's more, as I said when Charles Arthur was kind enough to invite me on to The Guardian's Technology Podcast, they have chosen a particularly funny way to join the Anonymous group of internet vigilantes: software that isn't anonymous in the least and that delivers their IP addresses to their intended victims, thus making it easy for them to be traced and arrested. This is, in fact, precisely what has happened.

A 16-year-old boy was arrested in the Netherlands in connection with a series of cyber attacks on Visa, MasterCard

[From Dutch teen arrested over cyber attacks on Visa, MasterCard]

My personal views about Wikileaks and the "Cable Gate" DDOS attacks are irrelevant. (I will say this: that if you don't like MasterCard then cancel your card and leave mine out of it). But they will certainly have an impact on thinking and the calls for "something to be done" mean change. Since there's no way to stop people from copying data (as the music industry has discovered), that's probably not a fruitful line of thinking. So what will happen?

What technology may lead to are "red" and "blue" internets. (Note that "blue and red" are here allusions to the military labelling of secure and insecure networks, they are nothing to do with blue and red pills in The Matrix.) Essentially, there will be secure and insecure internets both running over the same IP networks.

On the red, open, internet people and organisations will exchange encrypted data across an untrusted network. Some people may choose not to connect to the red internet at all and only crazy people (and organisations) will send unencrypted data to unauthenticated counterparties.

On the blue, closed, internet you will need to authenticate yourself before you are allowed to access anything and a digital identity infrastructure will deliver privacy (and in some cases anonymity) through cryptography, not through data protection registrars or privacy ombudsmen. In order to connect to the government, or Facebook, or Amazon, you will have to use the blue internet: they simply won't be connected to the red internet any more. At home, I will probably set my internet connection to blue only.

Now, some of you may be concerned that, as The Daily Telegraph told us, the Chinese government have a master key that can decrypt everything on the Internet, in which case the entire Internet will be -- very literally indeed -- red forever.

While sensitive data such as emails are generally encrypted before being transmitted, the Chinese government holds a copy of an encryption master key which could be used to break into redirected traffic.

[From China 'hijacks' 15 per cent of world's internet traffic - Telegraph]

But look on the bright side: since the Chinese have "a copy" of this mythical master key, someone else must have the original, and they will be able to read all of the Chinese government's e-mail and put that on Wikileaks too.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

There's whiskey in the jar-o

By Dave Birch posted Sep 15 2010 at 10:18 AM

[Dave Birch] There's a problem in Korea with the production of counterfeit whiskey, so the legitimate whiskey producers have an application in the Korea Telecom service. When the whiskey is bottled, the caps have an RFID tag added to them. This is coded with a URL and an identifier. When a customer, or a shopkeeper, or a policeman, or in fact anyone else wants to check whether the whiskey is real or not, they touch the cap with their phone and the URL launches a web site that knows the provenance of the identifier and can tell you when and where it was bottled as well as some other information. When the customer opens the bottle, the tag is broken and can no longer be read.

Most cell phones today contain a SIM card, which can be swapped with the ones developed by SKT to read the radio waves emitted by the tags attached to medical supplies, whiskey and other products to ensure its authenticity. SK Telecom recently announced the development of a universal subscriber identity module, or USIM, embedded with a 900 megahertz RFID reader.

[From RFIDNews | Real or fake? Use your cell phone and find out.]

Note the architecture. It's the enabled USIM that turns the phone into (presumably)an EPC Gen 2 reader.

It was difficult to tell from the machine translation, but I think that Hitachi and KDDI have just announced that KDDI have a new mobile phone for the corporate market that incorporates an ISO/IEC18000-6 Type C RFID reader/writer.

Hitachi installs UHF belt RFID reader of micro and low power consumption that develops the technology/writer in corporate cellular phone “E05SH” of KDDI.

[From RFID by UHF from KDDI & Hitachi by Wireless Watch Japan]

It will be great when this integration is extended to the consumer market. Now, some people find this sort of thing scary. If you don't believe me, go and have a look at some of the videos on "We, the people, will not be chipped". But I think a phone that can check up on other people's stuff might be fun. After all, 900MHz is much longer range than NFC (several metres for industrial readers). So if you're at a boring party and you're wondering whether the hostesses dress is a real Chanel or a knock-off, you can find out from across the room. Or if you want to snoop around a neighbour's house but can't actually be bothered to go into other rooms, it's ideal. But, as I pointed out some time ago,

Suppose RFID is used to implement Electronic Product Codes (EPCs) for luxury goods. If I see a Gucci handbag on sale in a shop, I will be able to point my Bluetooth EPC-reading pen (these already exist) at it and read the EPC, which is just a number. My mobile phone can decode the number and then tell me that the handbag is Gucci product 999, serial number 888. This information is, by itself, of little use to me

[From Digital Identity: The Rolex premium]

Indeed. There has to be a database to establish provenance, and it is that database that is at the core of the Korea Telecom business model.

Continue reading "There's whiskey in the jar-o" »

Things aint what they used to be

By Dave Birch posted Jul 20 2010 at 5:00 PM

[Dave Birch] It's pretty obvious that RFID is going to transform a variety of retail supply chains, adding value to the services delivered to the end customers.

Izzy's Ice Cream Café in St. Paul, Minnesota is putting to use RFID technology for giving real time updated on flavors available in its dipping cabinet. It offers more than 100 flavors but serves only 32 in its dipping cabinet at any point of time. The cabinet comes equipped with readers capturing every flavour's corresponding labels embedded with an RFID tag. The reader captures information 22 times every second and is sent to a system which updates website of the parlour so that customers get to know what is available even before they enter the store. Coloured dots are projected on the wall of the store or TV behind the counter so that the customers get to know the flavours available.

[From The RFID Weblog: RFID chip and ice creams]

Now this is a great use of the technology and I'm sure it's only one of the ways in which retailers will find that RFID provides a platform for better management, better service and entirely new services. Nevertheless,iIt's a step from this kind of use of RFID to the idea of an "Internet of things" has been around for a while.

The "Internet of things" (can't we think of a better name? the everynet? the allnet? -- what about "skynet", or has that been used somewhere before?) has two essential components: the concept that everything is connected to everything else, and the concept that everything can distinguished from everything else. Universal connection and universal identification. If we take the former for granted and take the Electronic Product Code (EPC) as an example of the latter, we can immediately see that this will create as many problems as it solves (which is not a reason for not doing it, since it also creates many opportunities). It's easy to see why. Suppose that your phone reads the EPC from my underpants. So what? Now your phone knows that I am wearing either Gucci underpants or a pair of Primark underpants with a Gucci chip in them to impress the ladies. If such phones and such tags were to exist, what would actually happen? What would be the impact on society of knowing what everything is and where everything is all the time.

Continue reading "Things aint what they used to be" »

Rob Schuurman, Nedap

By Dave Birch posted Nov 19 2009 at 3:31 PM

[Dave Birch] Rob Schuurman is the general manager of Nedap Healthcare, based in the Netherlands. They have developed award-winning products that use mobile phones and NFC to deliver practical, convenient security to a mass market. In this podcast, he talks about his practical experiences getting an NFC-based service into operation and shares some thoughts about the future of the technology in that sector.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

Continue reading "Rob Schuurman, Nedap" »

Air side

By Dave Birch posted Nov 9 2009 at 6:20 PM

[Dave Birch] The whole business of air travel is a laboratory for experimenting at the boundary between public and private identities, where national and international agreements interact with corporate alliances, outsourcing and value chains to produce a complex environment that needs and benefits from change. Speaking as a frequent traveller, and happy near-weekly user of Heathrow's Terminal 5, it seems to me that air travel has got considerably quicker, more efficient and simpler in the last couple of years. I print my boarding pass out at home, jump in a cab or on the train, nip through T5 to the lounge and then on to the plane -- the only hold-up in the whole process is the queue for security on the way out (sometimes this can be 10-15 minutes even at T5) and the queue for passport control on the way in.

However, the need to print a physical boarding pass, even using 2D barcodes rather than a magnetic stripe, and the lack of an efficient bag drop system means that despite the universal electronic ticket for air travel, more than two-thirds of passengers still went to a check-in desk. Where to look for the next improvement? Well, I'm sure like most people I think that the key technology that will change this is the mobile phone. If the mobile phone allows you to check in and obtain a boarding pass, and a kiosk at the airport allows you to self-tag (clearly there are some security issues around this) then the flow through airports would increase significantly and the costs would reduce accordingly.

In fact I saw a presentation for one of the companies that supplies infrastructure to airports recently an they were talking about their experiences with the mBCBP (mobile bar code boarding pass) -- they said that "we only care about Blackberry, iPhone and high-end smartphones", which means we can assume big, clear screens -- but still the current 2D barcode solutions don't carry enough data for the airlines to store more than three legs plus frequent-flier and other data.

So why am I looking at this space? One of the biggest players in the industry, IER, is advocating the "pass & fly" sticker solution and I saw them present on the Air New Zealand and Air France case studies which, I have to say, was rather impressive.

Continue reading "Air side" »

Touch and gone

By Dave Birch posted Jun 24 2009 at 10:14 PM

[Dave Birch] I ran a workshop on mobile proximity security day, and one of the things we touched on in the group is the EU's publication of their recommendations on the "identity of stuff" last week. They've published a 14-point action plan.

The European Commission has announced plans for Europe to play a leading part in developing and managing interconnected networks formed from everyday objects with radio frequency identity (RFID) tags embedded in them - the so-called "internet of things".

[From EU lays out plans for the "internet of things" - V3.co.uk - formerly vnunet.com]

These are real issues, and although I'm not making any comment on the value or otherwise of the specific recommendations, there's no doubt that the subject deserves more attention. There's an "identity of things" problem that came up (again) in a meeting I was in last week that I think is worth sharing. It comes from the world of NFC, where the problem revolves around contactless stickers, tags, posters and that kind of thing. It's the same problem that we looked at before, and it's worth reviewing because there's been no industry progress toward a solution.

A little background. The NFC Forum have announced their "N mark" which is a standard symbol to be applied to adverts, magazines, posters and such like. The idea is to show consumers (none of whom have ever even heard of NFC, let alone seen an NFC phone) where they can "tap" their phones to get some kind of service.

The NFC Forum has developed the “N-Mark” trademark so that consumers can easily identify where their NFC-enabled devices can be used. It is a stylized “N” and indicates the spot where an NFC-enabled device can read an NFC tag to establish the connection.

[From NFC Forum : N-Mark]

If you haven't seen it, it looks like this. A simple ecosystem in the offing: you put the N-mark on things, consumers come along and touch them with other things.

Continue reading "Touch and gone" »

At whose fingerprints?

By Dave Birch posted Feb 25 2009 at 6:41 PM

[Dave Birch] I went to the Social Market Foundation chat about biometrics sponsored by the Identity and Passport Service (IPS). The speakers -- Jim Wayman from San Jose State University, Peter Hawks and Hugh Carr Archer (Aurora) from our friends at IAFB, Farzin Deravi from the University of Kent and forum friend Toby Stevens from EPG -- got a good discussion going although personally I thought it was a little too short. I was very interested in some of the points being raised from the floor and would have appreciated more time for expert reflection from the panel.

Jim started his talk by referring to the "colourful" history of the future of biometrics, which appealed to my current obsession with paleo-futures at the CSFI, and made a couple of points that I think are worth opening up for discussion here. First of all, he made the key point that biometrics doesn't solve the problem of identification but once you have identified someone then you can use biometrics to link them to that identity. Biometrics is easy, identification isn't, and biometrics do not guarantee the validity of non-biometric data in database (this is why I keep promoting the "biometric only" plan from the UK National Identity Register). Secondly, he made me reflect on the difference between schemes where the "users" care about multiple uses or not. So, if I have a season ticket for the London underground, I don't care about my brother using it on the days that I'm not. But I don't want him using my credit cards on days that I do not. So why would you need a biometric for a bank card? Good point. I think that the answer is that if we want to use cards for larger transactions then we can't use PINs because PINs are too easily snaffled, but I'm going to think some more about this and post in the future.

Continue reading "At whose fingerprints?" »

The China syndrome

By Dave Birch posted Feb 10 2009 at 7:51 PM

[Dave Birch] A couple of days ago and I again mentioned the government's "break the glass" plan for a national identity scheme. In other words, what is the emergency plan to be followed should the integrity of the system itself fail. The point about the "break the glass" plan is a serious one. While I have no evidence that the government has such a plan, I'm sure they must do. If hackers, mafia extortionists or opposition MPs get into the database then someone has to be able to press a button to sound the alarm, to raise the drawbridge to other government systems and to initiate the meltdown process of re-issuing keys (or whatever else needs to be done).

What kind of meltdown might require the government to break the glass? Well, just for amusement purposes (since it could never happen, because the Home Security said that the ID card system will use "military" security) let's suppose that a disgruntled member of staff steals the entire biographical database. Let's say a fifty million individual records (5 x 10^7). Each individual record comprises 50 data items -- actually in the UK Identity Cards Bill it was slightly more than 50 -- so that's 5 x 10^1. Let's say each data item is 1KB. They're not, but whatever. So now we have a database of 5 x 5 x 10 x 10^7 or 25 x 10^8 or a couple of terabytes. That's it, a couple of a terabytes. I can buy a 2TB USB hard drive on Amazon right now for a couple of hundred quid and by the time the database is up and running, it will be fifty quid. So I can store the entire database for next to nothing, chuck it in my car and zoom off with it.

When they come in in the morning and notice it missing, there needs to be a big red button on the wall that they can smash the glass and press. Ah, you might say, it seems unlikely that a vetted civil servant will deliberately and flagrantly break the data protection act or whatever. Well I imagine that's what they thought in Chile, before a civil servant started publishing their national identity register on the Internet. We shouldn't let this kind of thing stop us from building a better identity infrastructure, but we should use it to help us build a better one, by which I mean one that depends on open peer review for its security.

Continue reading "The China syndrome" »


By Dave Birch posted Jun 10 2008 at 9:08 AM
[Dave Birch] Down at the European Technology Standards Institute (ETSI), I saw a good presentation by Jens Kungl from the 64 billion euro METRO Group, which operates 2,400 retail locations in 31 countries. He knows a bit about retail, and Metro have been experimenting with RFID for some time, so his opinions need to be taken seriously. He began by making (strongly) the point that the best way to scupper an RFID project in retail is to begin tracking people instead of goods. In my opinion, one of the dangers here (and there are genuine privacy concerns that need to be addressed) is the regulatory response, which may be over-anxious, mis-targetted or plain wrong. For example

The Washington legislation outlaws the use of RFID "spy technologies" to collect consumer information without the owner's consent. The only problem is, heavy corporate lobbying narrowed the scope of the law (before Governor Gregoire signed it) to cover only criminal acts such as fraud, identity theft, or "some other illegal purpose" (making it a Class C felony to do so). Collecting information from consumer RFID chips for marketing purposes in Washington—with or without the owner's consent or even knowledge—is still fair game.

[From Washington State passes RFID privacy law; where's Uncle Sam?]
Surely, collecting information for anything but the purpose for which is was intended is just wrong, and it doesn't matter why it's being collected. Anyway, the point of this post is that Jens said that the trigger for item-level tagging is the five euro cent tag and this has arrived sooner than they were planning, so they are going to begin item-level tagging earlier than they had originally planned (they are already rolling out pallet-level tracking). He also said something about two Watts at 868MHz, but he was losing me a bit there...

Continue reading "Metro-politan" »

NFC, privacy and identity infrastructure

By Dave Birch posted Jun 2 2008 at 12:22 PM

[Dave Birch] I've had a few e-mails from people about this paper by Colin Mulliner. This paper describes vulnerabilities in NFC implementations using "smart posters". It's the nature of the attacks, rather than exposure levels, that are worth looking at since, as Colin says,


The attacks demonstrated are trivial due to the manufacturer time to market (TTM) obsession, thereby shipping devices with trivial vulnerabilities, in Mulliner’s research they orbit around passive tags which are mostly abused as vectors for the any of the attacks demonstrated.

[From Attacks on NFC mobile phones demonstrated | Zero Day | ZDNet.com]

The attacks fall, broadly, into two categories. There are attacks on the implementation of the NFC tag standard in a current handset -- these remind us of a useful lesson about implementing new standards, but are not that significant in the long run -- and attacks on the way that tags work in the current NFC standards. The problem that Colin has focussed on here is that there is no way of knowing whether a tag is "real" or not: you wave your phone at a Royal Bank of Scotland advert at the train station, but the tag has been tampered with (shielded by a bogus tag, for example) so that your phone is redirected to a web site in the Ukraine which looks like RBS but is just going to use your entered username/password to log in to your account for nefarious purposes. Unfortunately, that's the way tags work: there is no way of preventing this and Colin is right to highlight both modifying original tags and replacing them with malicious tags as interesting security questions.

These questions relate to the better understood issue of product vs. provenance in the RFID world and, as we know, one way to solve that problem is by using digital identity: it's just that it's the identity of stuff in question, not the identity of people.

Continue reading "NFC, privacy and identity infrastructure" »