About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

16 posts categorized "Government"

Moving transactions online

By Dave Birch posted Nov 25 2010 at 11:45 AM

[Dave Birch] Well I managed to get myself invited to the launch of Forum friend Sir Bonar Neville-Kingdom's new book. As the government's technology outreach czar, he makes a point of having his personal assistant Patricia use all forms of new information and communication technology. He has, of late, been dictating tweets for her to place on the Twitter and now, to ensure that these valuable insights into the heart of British government IT policy are preserved for posterity, they have been gathered together in "The Twitters of Sir Bonar Neville-Kingdom". I wasn't sure about the current regulations concerning the photographing of key civil servants, but I managed to sneak a few pictures and have put them on Flickr for the general public to peruse. Here are a few of them so that you can see what was going on (I spotted known activists in the crowd and am perfectly prepared to hand my footage over to the relevant authorities on the condition of pseudonymity).

Given Sir Bonar's famous "ring of soup" formulation for government identity management services, I was keen to ask him how he sees the evolving balance between privacy and surveillance. In particular, I was curious about his views on Umair Haque's succinct note that

The internet itself isn't disempowering government by giving voices to the traditionally voiceless; it's empowering authoritarian states to limit and circumscribe freedom by radically lowering the costs of surveillance and enforcement.

[From The Social Media Bubble - Umair Haque - Harvard Business Review]

Unless we take steps to build an identity infrastructure that embodies certain protections, encodes certain balances, then I think it is perfectly reasonable to anticipate a path whereby governments become authoritarian by default, simply because they can and not because of any directed or debated policy. I don't think that you have to be some kind of privacy nutter to find this a concern: unfortunately, I was not able to put this point to Sir Bonar because he had to leave for a pressing bottle of claret, but perhaps I will be able to catch up with him again in the not-too-distant future.


Masters key

By Dave Birch posted Nov 23 2010 at 5:43 PM

[Dave Birch] This whole internet thing is getting more and more complicated. I'm trying to work out what government policies toward the internet are, so that I can help our clients to develop sound long-term strategies with respect to digital identity. To do this, we need to understand how the security environment will evolve and what the government's attitude to security is. Should people be allowed to send data over the internet without interference? The US government thinks so.

Since 2007, Congress has inserted a total of $50 million of earmarks into the State Department's budget to fund organizations dedicated to fighting Internet censorship.

[From Rebecca MacKinnon: No quick Fixes for Internet Freedom - WSJ.com]

Uh oh. This cannot be popular with people in favour of internet censorship, such as U2's boss.

U2 manager Paul McGuinness said that the only reason the music industry had tanked over recent years was not because outfits like U2 peddled the same boring crap that they did in the 1980s, but because of the introduction of broadband.

[From Comment: Broadband only useful for pirates - U2 manager screams blue murder | TechEye]

Setting aside the fact that the British music industry earned more money than ever before last year, U2 are totally wrong to expect the rest of society to pay to uphold their business model in face of all technological change. Bono is wasting his time calling for Chinese-style internet censorship in order to maximise record company profits, or at least he is if the US government is going to continue funding the opposition.


China syndrome

By Dave Birch posted Nov 17 2010 at 12:05 PM

[Dave Birch] What should government policy on identity be? Not specifically our government, or EU governments, or any other government, but governments in general. Or, let's say, governments in democratic countries. OK, that's a very big question to tackle. Let's narrow it down to make a point: what should government policy on the internet be? No, that's still too big and perhaps too vague. Let's focus down further on a simple internet question: should the government be allowed to see what is going through the internet tubes? Of course! One of their jobs is to keep me safe from drug-dealing Nazi terrorist child pornographers who formulate devilish plots with the aid of the web.

According to reports, the FBI is asking for the authority to require all Internet communications platforms build in a "backdoor" allowing law enforcement easy wiretapping access

[From Should Government Mandate "Backdoors" for Snooping on the Internet? | Center for Democracy & Technology]

In parallel, the FBI is talking to technology companies about how they could be making it easier for criminals to see your credit card details and for the government to read your e-mail.

Robert S. Mueller III, the director of the Federal Bureau of Investigation, traveled to Silicon Valley on Tuesday to meet with top executives of several technology firms [including Google and Facebook] about a proposal to make it easier to wiretap Internet users.

[From F.B.I. Seeks Wider Wiretap Law for Web - NYTimes.com]

This, superficially, sounds like a good idea. Who could object? We don't want the aforementioned Nazi drug-dealing child pornographers plotting terrorist acts using the interweb tubes with impunity. No right-thinking citizen could hold another view. But hold on...

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

[From U.S. enables Chinese hacking of Google - CNN.com]

It's not that simple, is it? If you create a stable door, then sooner or later you will find yourself bolting it long after the horse has had its identity stolen. What I can't help but wonder about in this context is whether the content actually matters: suppose you can't read my e-mail, but you can see that a lot of mail addressed to Osama bin Laden is coming from my house? Surely that would be enough to put me under suspicion and trigger some other law enforcement and intelligence activity?


Travel advisory

By Dave Birch posted Mar 2 2010 at 8:27 PM

[Dave Birch] When we think about electronic identity, we tend to think in terms of the identity structures that we are familiar with from the physical world, so we talk about passports and borders. But the current system of passports, visas and border controls doesn't work terribly well -- see the discussions ad infinitum about the recent Dubai death squad's comedy disguises and simple faked passports -- so I'm not sure it's much of a basis for exploration. Why do I say this? Well, because I've been to a few presentations about the various systems involved recently and have been trying to understand some of the dynamics to help our customers develop some longer-term strategies around identity.

One of the problems is that there is so much going on. Start with moving on from SIS. The SIS2 (Schengen Information System 2) will store biometrics to prevent visa fraud. After a three year transitional period, SIS2 must check with the new Visa Information System (VIS). VIS will require fingerprints and these will be matched via AFIS (so that if, say, a Moroccan person applies for visas in both French and German consulates then this will be known). The fingerprints are currently kept for five years. The Central VIS will connect via a new secure network (S-TESTA) to the national VIS systems and these national systems are connected in turn to the national consulates overseas. Are you with me so far?

What's the point? Well, it's so that when a non-EU person applies for a visa in Schengen country, the details will be passed up to the central system and then they will be checked when the passport is presented at Schengen border control. The purpose of all this is to defeat a common immigration fraud, which is that a bona-fide Chinese businessman (say) gets a visa to come to a Schengen country, and gives it to someone else. That person enters Schengen and then sends the passport and visa back to China by DHL. The next Chinese person enters Schengen, and then posts it back again... Will SIS2 fix this? Surely the problem will shift to the feeder documents. It's impossible to imagine that an EU consulate somewhere can accurately verify and validate passports from 196 countries, but let's put that to one side for a moment. There are plenty of people who think that SIS will end up causing more problems than it is solving.

The number of computers with access to the Schengen Information System has doubled to 500,000 thanks to the extension of the EU.

[From Half a million PCs can access Schengen's 'secure' database • The Register]

Since half a million PCs around Europe can access the system, that means that to all intents and purposes everything on the system is public.

Statewatch, a group that monitors civil liberties in Europe, said it was aware of a case in Belgium where personal information extracted from the system by an official was sold to an organised criminal gang.

[From 500,000 EU computers can access private British data | Technology | The Observer]

There's another system coming online as well, the Euro Border Surveillance System, or Eurosur. This aims to reduce the number of illegal migrants entering the EU by sea, and is particularly aimed at the Mediterranean. Good luck on that one. Spain has had some positive results from using satellite tracking (positive in the sense that the immigrants go to Italy instead) but I'm sure Eurosur will help further.

Then there's the new e-passport. As has been discussed many times before, the current e-passport is a complement to the physical passport: that's why it's a chip inside the passport, not a chip instead of a passport. Almost everywhere you go in the world, the chip is not used, but in the future it may be. There's security, naturally. The e-passports have Basic Access Control (BAC), which we've also discussed before. BAC locks the passport so that you have to physically read the passport MRZ in order to read the data from the chip (this is not strictly true, by the way, because the MRZ data isn't random, but that's a detail). Extended Access Control (EAC) is the next step: for one thing, it stops people from cloning the chips. But it adds additional functionality as well so, from 28th June 2009, member states have been required to issue EAC e-passports only.
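To make the BAC point concrete, here is an added example (not code from the original post) that derives the BAC keys from the MRZ the way ICAO 9303 specifies: the document number, date of birth and date of expiry, each followed by its check digit, are hashed with SHA-1 to give Kseed, from which the encryption key and MAC key are derived with a counter and DES parity adjustment. The sample MRZ fields are constructed to match the values used in the ICAO worked example and do not belong to a real document. Seeing the derivation written out makes the caveat above obvious: the entire BAC key space is whatever a reader cannot guess about three short, structured fields.

```python
import hashlib


def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1 repeating; digits count as themselves,
    letters A-Z as 10-35, the filler '<' as 0; result is the sum modulo 10."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character: {ch!r}")
        total += value * weights[i % 3]
    return str(total % 10)


def bac_mrz_information(document_number: str, date_of_birth: str, date_of_expiry: str) -> str:
    """Build the MRZ_information string BAC keys are derived from: document number
    (padded to 9 characters with '<'), date of birth (YYMMDD) and date of expiry
    (YYMMDD), each immediately followed by its check digit."""
    doc = document_number.ljust(9, "<")
    return (doc + mrz_check_digit(doc)
            + date_of_birth + mrz_check_digit(date_of_birth)
            + date_of_expiry + mrz_check_digit(date_of_expiry))


def _adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as required for (3)DES key material."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def derive_bac_keys(mrz_information: str):
    """Return (Kseed, KENC, KMAC). Kseed is the first 16 bytes of SHA-1 over the
    MRZ information; KENC and KMAC come from SHA-1 over Kseed plus a 32-bit
    counter (1 for encryption, 2 for MAC), truncated to 16 bytes and parity-adjusted."""
    kseed = hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]

    def kdf(counter: int) -> bytes:
        digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()[:16]
        return _adjust_des_parity(digest)

    return kseed, kdf(1), kdf(2)


if __name__ == "__main__":
    # Constructed sample matching the ICAO 9303 worked example (not a real passport)
    info = bac_mrz_information("L898902C", "690806", "940623")
    kseed, kenc, kmac = derive_bac_keys(info)
    print("MRZ information:", info)
    print("Kseed:", kseed.hex())
    print("KENC: ", kenc.hex())
    print("KMAC: ", kmac.hex())
```

The only secret in this derivation is the MRZ itself: a document number with a known issuing pattern, a date of birth and an expiry date bounded by the document's validity period, which is why the post's "not random" aside matters more than it sounds.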

Back to the difference between the chip and the book. If the e-passport is going to store data that isn't on the passport (eg, your fingerprints) then these must be encrypted so that they can only be read by authorised authorities. An EAC passport will therefore only give up data to readers that it can authorise through the use of asymmetric cryptography (the reader must present a certificate signed by a recognised authority) and the passport can then encrypt and sign its own data. There's something called Active Authentication as well, so the e-passport contains a key pair: the secret private key and the non-secret public key (which appears in Data Group 14, DG14, in the data).

Unfortunately, shifting to EAC adds complexity because there are now two trust chains: the data trust chain (so that the readers can verify the passport data) and the terminal trust chain (so that the passport can verify the reader data). You can imagine that co-ordinating both of these chains across the globe has turned out to be something of a problem: every reader has to have every valid certificate from every country in it. The Brussels Interoperability Group (BIG) is responsible for harmonising the e-passport specification throughout the EU and has also been responsible for the certificate policies, protection profiles, conformance tests and interoperability tests. At ID World, Bob Carter from IPS said that the most difficult job was trying to work out how to exchange certificates between countries and he is, of course, right. One thing that is not yet in place is the protection profile for readers (a lesson from chip and PIN deployment in the UK: there's no point having secure chips and wholly insecure readers).

It would be nice to be able to set a date when we might move to a wholly e-passport world, but to get there we have to get rid of visa stickers. There's a name for this too: ESTA (Electronic System for Travel Authorisation). If this could be achieved, then there is no need to have manned border control, since introducing people into the loop could not improve the system in any way. This is a very appealing prospect to governments, but I think there is a real concern here: if a criminal is able to get a legitimate visa certificate, smart card, e-stamp or whatever else and is never questioned by a human security official, then once they are inside the perimeter they can operate with impunity.


Panic buying

By Dave Birch posted Feb 16 2010 at 9:00 AM

[Dave Birch] For reasons that are uninteresting to discuss, I happened to be involved in a meeting about the UK ID card scheme. Now, to be clear, I am not against ID cards, but I am against this one. I don't want it scrapped on economic grounds, I want it scrapped because it is the wrong card for the 21st century in a supposedly advanced country.

For those concerned about the implications ID cards would have on our privacy, abandoning the scheme for budgetary reasons alone is not so much winning the argument as putting it on ice.

[From ID cards: there’s more than money to lose | spiked]

One part of the conversation was what might be salvaged from the scheme given the £100 million or so that has been spent on management consultants and the contracts that have already been signed with suppliers. The assumption was, as it was put to me, that since suppliers are much smarter than the government, these contracts would cost a fortune to cancel.

Home secretary Jacqui Smith has revealed that scrapping ID cards would cost £40m in compensation for suppliers. The Tories, who have promised to stop the initiative should they win the next general election, have attacked Smith for engineering a “poison pill” defence of the government's ID card proposals.

[From Scrapping ID cards would cost £40m - 24 Mar 2009 - Computing]

So given the initial conditions, instead of just wishing away the rather pointless internal passport that has been created at vast expense, is there something else we could do with the systems in place? Let's not panic and scrap it, wasting even more public money.


Indian summer

By Dave Birch posted Jan 11 2010 at 8:16 AM

[Dave Birch] The Indian government has ambitious plans to issue a billion Unique Identifiers (UIDs) in the next few years, thus creating a national population register. There were many reasons for this, but one was social inclusion.

The upper and middle classes have many forms of identity but the poor often have none

[From ‘The idea is to be inclusive. The upper and middle classes have many forms of identity but the poor often have none’]

This is something that can get overlooked in the discussion about identity cards. One of the reasons why an identity card of the type conceived by the British government is so uninteresting to people like me is that I already have plenty of other forms of primitive identity documentation (ie, identity documentation that doesn't work online) such as a driving licence. So the marginal benefit of an additional expensive mini-passport is vanishingly small. But if I didn't have something like a driving licence, then how could I prove who I am? This may not matter when my horizon extends no further than my village. But suppose I want to get a mobile phone, or a mobile money account, something that will improve my lot in life significantly? Then the lack of documentation is a real barrier and means exclusion. Yes, of course the security services and law enforcement agencies want a national ID register, but the issue about the relationship between identity and inclusion is genuine, and important.

Lamenting that lack of identity proof often resulted in harassment and denial of services to the poor and marginalised, Prime Minister Manmohan Singh on Wednesday urged all ministries and departments to support the initiative to provide a unique identity number to all Indian citizens in order to improve the delivery mechanism of the government’s pro-poor schemes and programmes.

[From Back UID scheme for sake of poor: PM to ministries]

A great deal of government help targeted at the poor never reaches the intended recipients.


What a cunning stunt

By Dave Birch posted Oct 28 2009 at 9:19 PM

[Dave Birch] I am, very literally, green with envy. I count myself as a reasonably good speaker, and I try to use narrative and historical examples to explain key principles. But nothing beats a good demo, and I saw an excellent one today, one that I wish I'd thought of!

At the Intellect conference on Identity & Information in London today, Edgar Whitely from the LSE gave a terrific presentation. He was pointing out that the principle of data minimisation in identity systems is important, but he did it in a particularly arresting way.

Here's what he did.

He showed this recent newspaper photograph of the British Home Secretary, Alan Johnson, showing off his new ID card and holding it up to the camera. This version comes from The Guardian....


Alan Johnson reveals the design of the British national identity card. Photograph: Stefan Rousseau/PA

As you can see in the picture, for reasons that will be explained in a moment, the UK ID card has the holder's full name, date of birth and place of birth on it. These three data points are sufficient to uniquely identify the overwhelming majority of the population. So Edgar went to the Identity & Passport Service birth certificate ordering service and put in the details from the Home Secretary's card. He then paid his £10 and... with a suitably theatrical flourish, Edgar produced the copy of the Home Secretary's birth certificate that he had been sent in the post. Note that Edgar hadn't done anything wrong. As James Hall, the head of IPS who was on the same panel, pointed out, in the UK anyone can order a copy of anyone's birth certificate. He said that if you are a celebrity then hundreds of people will order copies of your birth certificate every year, which had never occurred to me. I'm sure James is right, but it does seem a little odd that people who want to commit identity theft will simply have to look at their mark's ID card to get started.

Edgar hadn't used the birth certificate to open a bank account or get a driving licence or anything, he was just making the point that if we don't adopt the right principles (eg, data minimisation) for identity systems, then we run the risk of making identity theft worse. It was a great presentation and a super stunt. Well done.

Anyone familiar with my deranged rantings about psychic ID (ie, virtually nobody) will be familiar with the general point: a characteristic of a 21st-century ID scheme is that it should only give up the information necessary to enable a transaction, nothing more or less. So, if you are authorised to ask my ID card whether I am over 18 or not, that's all it should tell you. Not my name, not my address, not my age or date of birth. Just whether I am over 18 or not and that's it.

The current ID card scheme does not have this key characteristic, not for any functional reason but because the ID card and passport were jumbled up for a political purpose -- the purpose being, as far as I know, to make it harder for an incoming administration to scrap the scheme -- that constrains the design and implementation. Since the government wants the ID card to be used as a travel document within the EU, it has to have certain human-readable information on it. That's why it gives away the key data points that make it tempting for criminals to kick-start their identity theft antics.
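The "only answer the question you were authorised to ask" principle is easy to state and easy to get wrong in an implementation, so here is an added example (not code from the original post or from any real ID scheme) of the minimal shape it takes: a credential holds the attributes, a policy table (constructed here) says which relying party may ask which question, and the over-18 predicate is evaluated at the credential so that only a yes/no leaves. The relying-party names, the policy and the sample holder are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Credential:
    """Attributes held by the credential. Constructed sample data, not a real person."""
    full_name: str
    date_of_birth: date
    place_of_birth: str


# Constructed policy: which questions each relying party has been authorised to ask.
# An off-licence gets the over-18 predicate and nothing else; border control gets the
# full identity data the travel-document use case genuinely needs.
AUTHORISED_QUERIES = {
    "off-licence": {"over_18"},
    "border-control": {"full_name", "date_of_birth", "place_of_birth"},
}


def age_on(date_of_birth: date, today: date) -> int:
    """Whole years completed on 'today', correct for the edge case of a birthday
    later in the current year (and for 29 February births, since only month/day
    ordering is compared)."""
    years = today.year - date_of_birth.year
    if (today.month, today.day) < (date_of_birth.month, date_of_birth.day):
        years -= 1
    return years


def answer(credential: Credential, relying_party: str, query: str, today: date):
    """Release only what was asked, and only to a party authorised to ask it.
    The over-18 predicate is computed here, so the date of birth never leaves
    the credential for a party that is only entitled to the yes/no answer."""
    allowed = AUTHORISED_QUERIES.get(relying_party, set())
    if query not in allowed:
        raise PermissionError(f"{relying_party} is not authorised to ask {query}")
    if query == "over_18":
        return age_on(credential.date_of_birth, today) >= 18
    return getattr(credential, query)


if __name__ == "__main__":
    # Constructed holder who turns 18 on 28 October 2009
    holder = Credential("A. N. Other", date(1991, 10, 28), "Anytown")
    print(answer(holder, "off-licence", "over_18", date(2009, 10, 28)))   # True, and nothing else
    try:
        answer(holder, "off-licence", "date_of_birth", date(2009, 10, 28))
    except PermissionError as exc:
        print("refused:", exc)
```

The contrast with the card in the photograph is the point: the printed card answers every question at once, to anyone who can see it, whereas the credential above cannot be made to disclose a date of birth to a party whose policy entry only covers the predicate.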


Another model that the UK could try

By Dave Birch posted Oct 13 2009 at 6:18 PM

[Dave Birch] I'm going to provide a case study on the use of multi-application smart cards with EMV "chip and PIN" software on them that I think contains some useful nuggets for us in the UK to ponder over, because the case study is about combining payment (EMV) and digital signature (PKI) applications on the same card.

Identity folks will have to understand a little about the payment folks' EMV standard to understand the dynamics. There are actually three flavours of EMV, the international card scheme standard for chip transactions. These are Static Data Authentication (SDA), Dynamic Data Authentication (DDA) and Combined Data and Application Cryptogram (CDA). Most of the cards out on the streets in the UK are SDA cards without enciphered PIN (the PIN is not encrypted from the PIN pad into the card).

SDA cards are cheapest, which is why our banks issue them, but they can be cloned and used in terminals that are offline, so they are a security risk. DDA cards are not vulnerable in this way, but they are more expensive, because the cards are more sophisticated (they have a cryptographic co-processor to handle asymmetric cryptography) and take longer to "personalise". Nevertheless, UK banks will have to replace SDA with DDA by the end of 2010 (indeed, Consult Hyperion work with banks to help them to migrate in a cost-effective way). CDA cards cost the same as DDA, but still need to be planned for.

For technical reasons, CDA cards are more secure than DDA cards. Why? Because CDA protects against the "wedge attack". It is possible to insert a device that would let a genuine DDA card generate a legitimate digital signature but then intercept the request for an application cryptogram and return a bogus one for a different amount to the terminal. The terminal would carry on regardless. This is not possible with CDA since both the DDA signature and cryptogram are delivered by the card at the same time.
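The three flavours and the wedge are easier to reason about as a small protocol model, so here is an added example (not code from the original post, and not real EMV) that plays out the exchange for SDA, DDA and CDA between a card, a terminal and an interposer. Real EMV uses RSA for the static and dynamic signatures and a DES-based MAC for the application cryptogram; here HMAC stands in for both so the model runs on the standard library alone, and the terminal "verifying" with the card signing key models a terminal that holds the card's certified public key. All key values, the static card data and the amounts are constructed. The model shows exactly what the text says: a clone passes SDA but fails DDA, a wedge passes DDA because the signature and the cryptogram are separate messages, and the same wedge is detected under CDA because the signature covers the cryptogram and the amount together.

```python
import hashlib
import hmac
import os

# Constructed keys for the model (hypothetical, not real EMV key material).
ISSUER_SIGNING_KEY = b"constructed-issuer-signing-key"  # signs static card data at personalisation
CARD_SIGNING_KEY = b"constructed-card-private-key"      # only a genuine DDA/CDA card holds this
ISSUER_AC_KEY = b"constructed-issuer-ac-key"            # shared by card and issuer; the terminal never has it


def _mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 standing in for the RSA signature / DES MAC of real EMV."""
    return hmac.new(key, data, hashlib.sha256).digest()


STATIC_DATA = b"PAN=constructed;expiry=1012"
STATIC_SIGNATURE = _mac(ISSUER_SIGNING_KEY, STATIC_DATA)  # identical bytes every transaction


class Card:
    """A genuine card able to perform SDA, DDA or CDA."""

    def __init__(self):
        self.authorised_amount = None  # the amount the card actually put in its cryptogram

    def sda_signature(self):
        return STATIC_DATA, STATIC_SIGNATURE

    def dda_signature(self, unpredictable_number: bytes) -> bytes:
        # Signs the terminal's challenge only; says nothing about the amount
        return _mac(CARD_SIGNING_KEY, b"DDA" + unpredictable_number)

    def generate_ac(self, amount: int, unpredictable_number: bytes) -> bytes:
        # Application cryptogram over the transaction data, keyed for the issuer
        self.authorised_amount = amount
        return _mac(ISSUER_AC_KEY, amount.to_bytes(6, "big") + unpredictable_number)

    def generate_ac_cda(self, amount: int, unpredictable_number: bytes):
        # CDA: cryptogram and dynamic signature over it are produced in one response
        ac = self.generate_ac(amount, unpredictable_number)
        signed = b"CDA" + amount.to_bytes(6, "big") + unpredictable_number + ac
        return ac, _mac(CARD_SIGNING_KEY, signed)


class ClonedCard(Card):
    """A copy of the static data and its signature, without the card's private key."""

    def dda_signature(self, unpredictable_number: bytes) -> bytes:
        return bytes(32)  # cannot compute a dynamic signature

    def generate_ac_cda(self, amount: int, unpredictable_number: bytes):
        return self.generate_ac(amount, unpredictable_number), bytes(32)


class Wedge:
    """Interposer between terminal and a genuine card: relays the signature step
    untouched but asks the card to authorise a different amount."""

    def __init__(self, card: Card, amount_for_card: int):
        self.card, self.amount_for_card = card, amount_for_card

    def sda_signature(self):
        return self.card.sda_signature()

    def dda_signature(self, un: bytes) -> bytes:
        return self.card.dda_signature(un)

    def generate_ac(self, amount: int, un: bytes) -> bytes:
        return self.card.generate_ac(self.amount_for_card, un)

    def generate_ac_cda(self, amount: int, un: bytes):
        return self.card.generate_ac_cda(self.amount_for_card, un)


def terminal_transaction(card, amount: int, mode: str) -> str:
    """Offline terminal logic for each flavour; returns 'approved' or 'declined'."""
    un = os.urandom(4)  # the terminal's unpredictable number
    if mode == "SDA":
        data, sig = card.sda_signature()
        if not hmac.compare_digest(sig, _mac(ISSUER_SIGNING_KEY, data)):
            return "declined"
        card.generate_ac(amount, un)
        return "approved"
    if mode == "DDA":
        if not hmac.compare_digest(card.dda_signature(un), _mac(CARD_SIGNING_KEY, b"DDA" + un)):
            return "declined"
        card.generate_ac(amount, un)  # opaque to the terminal: it can only forward it to the issuer
        return "approved"
    if mode == "CDA":
        ac, sig = card.generate_ac_cda(amount, un)
        expected = _mac(CARD_SIGNING_KEY, b"CDA" + amount.to_bytes(6, "big") + un + ac)
        return "approved" if hmac.compare_digest(sig, expected) else "declined"
    raise ValueError(f"unknown mode {mode}")


if __name__ == "__main__":
    for mode in ("SDA", "DDA", "CDA"):
        genuine, clone, wedged = Card(), ClonedCard(), Card()
        print(mode, "genuine:", terminal_transaction(genuine, 5000, mode),
              "| clone:", terminal_transaction(clone, 5000, mode),
              "| wedge:", terminal_transaction(Wedge(wedged, 100), 5000, mode),
              "(card authorised", wedged.authorised_amount, ")")
```

The DDA line in the output is the one to look at: the terminal approves 5000 while the card's cryptogram is for 100, and nothing the terminal can check offline reveals the gap. Under CDA the mismatch is caught at the terminal because the amount it asked for is inside the data the card signed.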

OK, so all this is well-known, but why does it matter to the digital ID world? Well, if a bank goes to the expense of issuing DDA or CDA cards, then the presence of re-usable cryptographic software and the cryptographic co-processor mean that it is a minimum of cost and complexity for the card to carry an additional PKI application as well as the EMV application. Almost all of the PKI application's "guts" are already on the card because they are used by the EMV application. What's more, the card can generate its own key pairs (which is very good for security) and then, provided you have the infrastructure, third parties can sign the card's public key(s) to create a wide variety of public key certificates to deliver interesting services. The card can store these certificates if it has enough memory or store pointers to the certificates online somewhere if it doesn't.

Here's a real example.


Isn't this stuff serious?

By Dave Birch posted Jul 10 2009 at 7:04 PM

[Dave Birch] OK, so I'm in a tiny minority but I think that security and privacy are important. I think that the state of security and privacy in the digital world demand a proper strategy, of which some form of digital identity infrastructure is a critical part. That's why I'm always glad to see the government appointing people to tackle the difficult issues around the technology infrastructure that our future depends on. When I was googling something else, I discovered that Paul Murphy is Britain's "Minister for Digital Inclusion". This is a real post, not something I made up for the blog. In addition to pottering about at UK online centres (of which there are 6,000 in the U.K.!) his brief includes "data security and information assurance". Imagine my surprise, then, when I read that:

Paul Murphy states that he is "not a technical person".

[From Minister for Digital Inclusion gets Strategic - Convergence Conversation]

Shouldn't we get someone who is?


Time for a National Privacy Card scheme

By Dave Birch posted Apr 2 2009 at 9:21 PM

[Dave Birch] There was a bit of media attention around the recent report on government databases from the Joseph Rowntree Foundation (the authors include Forum friends William Heath and Angela Sasse) but I'm not sure that the government was listening. The report was quite strong on the extent of the problem within government:

A quarter of all government databases are illegal and should be scrapped or redesigned, according to a report.

[From BBC NEWS | UK | Call to scrap 'illegal databases']

The way to protect personal data most effectively, particularly in large organisations such as the government, is not to store it in the first place. This may seem unworldly. After all, I want Tesco to provide me with a good service, so why shouldn't I give up some of my personal data in order to get it? Setting aside the issue of whether what I bought in Tesco yesterday is "my" data or not, I am perfectly happy to have, and wield, my Tesco Clubcard. After all, it's not in my real name and Tesco never ask me for data I don't want to give them, so I'm more than happy for them to record what I buy. And, to their credit, I can say with hand on heart that I have never once received junk mail, spam or unsolicited phone calls for the imaginary alter-ego who shares my home, from which I deduce that Tesco have kept to their side of the bargain and not disclosed "my" data to a third party. So why am I concerned about the government having big databases of stuff about me?
