About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

108 posts categorized "Identity Management"

Market failure

By Dave Birch posted Sep 13 2010 at 11:25 PM

[Dave Birch] I was in a meeting today discussing some ideas for introducing a sort of trust service, that could fit in a framework along the lines of NSTIC but as a commercial proposition. You know the general idea: a private-sector, for-profit issuer of trust identities. The customer and the segment aren't relevant (and I wouldn't tell anyway), but I wanted to reflect back something I was thinking about the market. The idea that I was involved in exploring assumes, as do many similar ideas, a "two-sided market".

In this market paradigm users and relying parties both interact with each other with the help of a platform. The platform (e.g. single players like Facebook/Google/ Paypal/etc or a network of cooperating parties) optimizes both the proposition towards users and the relying parties. The relying parties are business (including banks) and governments, all with clear business needs: relying parties achieve better e-services for their customers and lower cost of operation... If there is value, a market can come and the growth will come by itself when the trust is organized properly. It’s just a matter of getting the industry act together.

[From Innopay - Payment Consultants - home]

The problems that "e-identity" businesses might try to solve fall into this two-sided (aka "chicken and egg") structure, and this has so far proved a barrier. This isn't because there aren't problems to solve: here are some examples of how straightforward the business problems are.

  1. I wanted a new credit card from a UK card issuer and I couldn't use my Barclays Bank "identity" to get it. Surely this should be one of the simplest problems to solve? I just called John Lewis to find out why a chip and PIN transaction in Waitrose had been declined (a problem with the network apparently) and it took me longer to "log in" than to deal with the issue: I had to punch in my card number, date of birth, last 4 digits of phone number and then, when I got through to a person, I had to give my name and the first two letters of my secret word. Surely card number followed by CAP/DPA OTP is all that is required?
  2. I can't use my Barclays identity to log in to Barclaycard.
  3. The British government presumably trusts Barclays, since they regulate them, but when I log on to sort out taxes or get my car tax I have to use completely different username/password combinations (ie, no security) instead of just linking my government "identities" to my Barclays identity for authentication purposes.

So despite having all of the technology already in place and deployed, there is no functioning two-sided market. I wonder if it's because it's just too complicated to either explain to senior management or make it accessible to the general public?

Continue reading "Market failure" »

Simple cases

By Dave Birch posted Jul 26 2010 at 10:58 AM

[Dave Birch] I've been looking at a survey undertaken by UK Online's "myopinion" panel in connection with the Technology Strategy Board's VOME project that Consult Hyperion are involved in.

Researchers from the Information Security Group (ISG) at Royal Holloway, University of London worked together with UK online to conduct a survey of privacy attitudes and behaviours. Focusing on our concerns about privacy while using the internet, the survey reveals that online identity theft is currently the greatest fear for internet users.

[From Online identity theft is the greatest fear for internet users]

The great majority of respondents (almost all of them, in fact) use the Internet daily from home, work or school. In this group, their top concerns about privacy are:

  1. "Online identity theft"
  2. "Spying on online activity"
  3. Payment card data being intercepted.
  4. Merchant mischarging.
  5. Having to provide too much personal information when purchasing online.

I noticed an odd gender imbalance, in the sense that women report being more concerned about privacy than men do, but men were much more likely than women were to actually do anything about it, presumably because doing something means (to a large extent) technological activities such as turning on firewalls.

Continue reading "Simple cases" »

USTIC

By Dave Birch posted Jul 12 2010 at 2:11 PM

[Dave Birch] It's taken me a while to sit down and read through the US Government's National Strategy for Trusted Identities in Cyberspace (USTIC) paper that is out for comment. I've tried not to read it just as a technical expert (what do they mean by strategy? what do they mean by trust? what do they mean by identity? what do they mean by cyberspace?) but as someone who wants to see real change in the identity landscape and a step change in the security of online transactions. Can the USTIC help this agenda? The document says early on that it is about a user-centric identity ecosystem, a world-view that I entirely support, so let's take a look.

One not entirely trivial point before we start: one thing that did annoy me about the document was that it uses the phrase "digital identity" to mean what I would call a "virtual identity". That is, it defines a digital identity as the set of attributes that represent an individual in a transaction, whereas I would define the virtual identity as the set of attributes that represent a digital identity in a transaction because it is the digital identity that is the bridge between the real and virtual worlds, the connection between individuals and what the US strategy calls "non-person entities" and their representation in electronic form. (I can see I'm losing this battle, but I'm not going to give up easily.) So I'm going to use my (more precise) terminology in discussing the strategy.

The document describes an identity ecosystem for use by individuals, business and government that attempts to balance the requirements for identification and "reputation" in a forward-looking manner. It talks about creating a user-centric identity ecosystem, which it defines as an ecosystem that will allow individuals to select the interoperable credential appropriate to a specific transaction. In other words, it lets people select between different virtual identities on a per-transaction basis, something that we have long advocated. Now, obviously, the individual's choice of credential cannot be entirely unconstrained. I can well imagine being allowed to log in to Citibank using a Barclays Bank identity but not being allowed to log in to Citibank using, say, my Twitter login. Similarly, I can well imagine using my Facebook identity to get access to some basic government information about benefits but having to use my mobile phone in some way to confirm my identity to log in to obtain, let's say, the results of a medical test -- more on this example later.

I emphasised this last example, by the way, in the light of the news that PayPal and Microsoft are already conducting an "identity mash up" with a medical company.

Medtronic, PayPal, Southworks, and Microsoft recently worked together to demonstrate the ability for people to use their PayPal identities for participating in a Medtronic medical device trial, rather than having to create yet another username and password... the name, address, birth date, and gender claims provided by PayPal are relied upon by Medtronic and its partners as being sufficiently authoritative...

[From Mike Jones: self-issued » Using Consumer Identities for Business Interactions]
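The two passages above describe the same relying-party decision from two sides: which issuers a relying party will accept for which transactions, and which of an issuer's claims it treats as authoritative. The following is an added example, not code from the original post nor from PayPal, Medtronic, Microsoft or Southworks, of that decision in working form. The token layout (a JSON payload and an HMAC-SHA256 tag, base64url-encoded and dot-separated), the issuer names, shared keys, assurance levels and transaction names are all assumptions made for illustration; real deployments use a standard such as SAML or OpenID Connect with public-key signatures, but the checks the relying party must make are the same.

```python
"""Relying party checks a signed claims token from an external identity provider.

Added example, not code from the original post nor from PayPal, Medtronic,
Microsoft or Southworks. The token layout (JSON payload, HMAC-SHA256 tag,
base64url, dot separated), the issuer names, keys, assurance levels and
transaction names are all assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed: the relying party's own identifier, used as the token audience.
RELYING_PARTY = "rp.example-card-issuer"

# Assumed: issuers this relying party trusts, the key it shares with each, and the
# highest assurance level it will grant each, whatever the token itself asserts.
TRUSTED_ISSUERS = {
    "idp.example-bank": {"key": b"bank-shared-key", "max_level": 3},
    "idp.example-social": {"key": b"social-shared-key", "max_level": 1},
}

# Assumed: per-transaction requirements (minimum level, claims that must be present).
TRANSACTION_POLICY = {
    "read-benefits-info": {"level": 1, "claims": []},
    "open-card-account": {"level": 3, "claims": ["name", "address", "birth_date"]},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, subject, audience, level, claims, ttl, now=None):
    """Issuer side: sign the claims so the relying party can check where they came from."""
    now = int(time.time()) if now is None else now
    payload = {"iss": issuer, "sub": subject, "aud": audience, "iat": now,
               "exp": now + ttl, "level": level, "claims": claims}
    body = _b64url_encode(json.dumps(payload, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url_encode(tag)


def verify_token(token, transaction, now=None):
    """Relying party side. Returns (accepted, reason, claims)."""
    now = int(time.time()) if now is None else now
    try:
        body, tag_text = token.split(".")
        payload = json.loads(_b64url_decode(body))
        tag = _b64url_decode(tag_text)
    except ValueError:  # also covers binascii.Error and json.JSONDecodeError
        return False, "malformed token", None
    if not isinstance(payload, dict) or not isinstance(payload.get("claims"), dict):
        return False, "malformed token", None
    # The issuer name is read before the signature is checked only to pick the key;
    # nothing else in the payload is trusted until the tag verifies.
    issuer = TRUSTED_ISSUERS.get(payload.get("iss"))
    if issuer is None:
        return False, "untrusted issuer", None
    expected = hmac.new(issuer["key"], body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature", None
    if payload.get("aud") != RELYING_PARTY:
        return False, "token not issued for this relying party", None
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        return False, "token expired or not yet valid", None
    policy = TRANSACTION_POLICY[transaction]
    # A social login cannot talk its way into a high-assurance transaction: the
    # asserted level is capped by what this relying party grants the issuer.
    level = min(payload.get("level", 0), issuer["max_level"])
    if level < policy["level"]:
        return False, "assurance level too low", None
    missing = [c for c in policy["claims"] if c not in payload["claims"]]
    if missing:
        return False, "missing claims: " + ", ".join(missing), None
    return True, "ok", payload["claims"]


if __name__ == "__main__":
    # Constructed sample: a bank-issued token used to open a card account.
    claims = {"name": "A. Customer", "address": "1 High St", "birth_date": "1970-01-01"}
    token = issue_token("idp.example-bank", b"bank-shared-key", "alice",
                        RELYING_PARTY, 3, claims, ttl=300)
    print(verify_token(token, "open-card-account"))
```

The order of checks matters: the signature is verified before audience, validity window, level or claims are consulted, and the level the issuer asserts is capped by the relying party's own view of that issuer, which is the "constrained choice" point made above.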

From the point of view of the UK, where the national identity card scheme has just been scrapped and there is no alternative identity infrastructure in place, there is much to be admired in the US approach. The idea of creating an ecosystem that is built around the idea of public and private sector co-operation, individual choice, opportunities for innovation and market-based practicality should be a matter of priority here as well because if it is not, then efforts such as Martha Lane Fox's Manifesto for a Networked Nation will remain gimmicks: what's the point of making the population use the web if they can't do transactions?

Government should “think internet first” in designing services and provide support for those who need help using its online services.

[From David Cameron Supports Digital Champion’s Ambition – Make UK First Nation Where Everyone Can Use the Web « Raceonline2012's Blog]

Right now, I can't even use the same login identity for the DVLA and HMRC (the only two online government transactions I ever do).

Continue reading "USTIC" »

Faces

By Dave Birch posted Jun 9 2010 at 9:59 PM

[Dave Birch] As I blogged before, Consult Hyperion joined forces with Identrust to sponsor the Digital Identity Forum track on "Identity is the new money" at this year's European e-Identity Management conference in London on 9th-10th June 2010. It was a really enjoyable event, I have to say, so hats off to Roger and the team from EEMA. The morning keynote came from Emer Coleman from the Greater London Authority who showed us a video about squirrels and then went on to talk about something called the "London Datastore". I didn't really understand her slides, which mentioned Marx, The Wire, Mini-Me from that Austin Powers movie, a tumble dryer and the Chicago School, but I think it meant that they are going to start using open source, which is a good thing, and they are going to open up some public data, such as where the new cycle hire stations will be (although they don't know, since the sites are only indicative and you have to file a Freedom of Information Act request to find out).
This was followed by a panel discussion on the different "faces" of identity: ethical, legal and technical.
  • The ethical perspective came from Alexander Hanff, Head of Ethical Networks at Privacy International. Alexander noted the significant changes that have occurred in the UK in the last couple of weeks, with the abolition of the ID card, Children's Index and so forth. He was rather positive about the new Coalition and said that he expected more "positive changes" to come. I have to say that I wasn't clear on the vision, although he did mention transparency as a key element in the new identity and trust landscape, and that's something I do agree with.
    • He did mention in passing that most businesses are unprepared for the impact of European telecoms regulation. This isn't my field, so I didn't entirely follow this part, but it seems that the EU is going to require the interweb to spy on its users in case they are terrorists or something.
  • The legal perspective came from Kevin Fraser, Head of Data Protection, Ministry of Justice. Kevin explained the eight key principles of data protection.
  • The technical perspective came from Forum friend Kim Cameron, Chief Architect, Identity & Access, Microsoft. Kim set out some of the drivers for cloud computing and some of the challenges that it faces. He mentioned in passing the problems of synchronising data over the interweb, which is exactly the problem that I have noticed with Microsoft Exchange and Outlook (they seem to send megabytes of data back and forth). He asked, essentially, whether the costs of identification and authentication will erode the cost advantages of the cloud (I think not, because I expect standard platforms to arise) and pointed out, entirely accurately, that none of this has really been thought through. He was advocating a claims-based model and reminded people that this is about M2M as well.

I liked having these different perspectives brought together at the beginning of the event as it made for a good foundation for observations and questions in the Digital Identity Forum stream, where John Bullard from Identrust chaired the speaking session and I chaired the panel session: though I say so myself, it was an excellent afternoon -- many thanks to John Skipper, Vincent Jansen, Giles Sergant, Frank McCarthy, William Heath, Pete Bradwell, Robin Wilton and Henry Potts -- and I came away with a number of new ideas to take back to our customers who are interested in developing identity-based businesses for the mass market. I was specifically curious as to whether the panel and the delegates had any feelings about the potential for banks to be identity providers, but the conversation was much more interesting and wide-ranging. I'll put together a discussion of a few key points for the EEMA web site when I have some time.

Continue reading "Faces" »

On the money

By Dave Birch posted Jun 3 2010 at 4:37 PM

[Dave Birch] As I blogged before, Consult Hyperion has joined forces with Identrust to sponsor the Digital Identity Forum track on "Identity is the new money" at this year's European e-Identity Management conference in London on 9th-10th June 2010. Having been through the usual juggling as people drop in and out, get called away to meetings and mess up their calendars, the final line-up is now as fixed as it can possibly be:

The Digital Identity Forum: Identity is the New Money
Sponsored by Consult Hyperion and Identrust

Session 1: Chaired by John Bullard, Identrust

13:15 John Skipper, PA Consulting
13:45 Vincent Jansen, Innopay
14:15 Sonia Rossetti, RBS
14:45 Giles Sergant, Touch2ID

15:15 Tea

Session 2: Chaired by David Birch, Consult Hyperion

15:45 Expert Panel on the Identity Business

Joe Norburn, Identrust
Robin Wilton, FutureIdentity
Jan Dart, Bell ID
Todd Facemire, Barclays

16:45 Expert Panel on Identity and the Consumer

Peter Bradwell, DEMOS
Henry Potts, UCL
Marc Dautlich, Olswang
William Heath, MyDex

17:45 Close.

Look forward to seeing you there. By the way, the promotional code EID10DIF will give your delegates 20% off one- or two-day passes.

Continue reading "On the money" »

Collision

By Dave Birch posted Dec 2 2009 at 4:28 PM

[Dave Birch] Here at Consult Hyperion we've recommended to more than one non-US customer that they look at specifying PIV solutions. Why? Because PIV does almost all of what they want, and the cost and integration advantages make it a better short- to medium-term solution. But there's another less tangible reason for being interested in it: because once the US government has chosen something as a "standard", then that is where the energy will go, because the suppliers are rational people. The seal of approval is very, very important. Which is why I'm not the only one who has been reflecting on just how significant the US government's support for OpenID is. When this support was announced, Bob Blakely highlighted just how important an announcement it was.

But the identity world had its own big news today; the news is that the US Government has teamed up with the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, and InCommon in creating the Open Identity Initiative.

[From Burton Group Identity Blog: US Government Identity News]

I was involved in some discussions with a government department a few months ago -- long before the US government announcement -- during which I suggested opening up some public services using OpenID. My reasoning was that we could experiment with "soft" OpenIDs provided by (to consumers) familiar services. If you asked a customer to log in to the DVLC using their Facebook "Identity", then I'm sure they would manage to do this with little training and no mention of trust infrastructures and the like. Once they are comfortable with this, then you can restrict access to "hard" OpenIDs (by which I mean 2FA OpenIDs).

The central point, though, was that the government could help to create an identity infrastructure built on a diverse selection of "private" digital identities. I think that, as Burton note, the US government's decision signals a genuine paradigm shift in this direction, a genuine change in the mental model of identity.

after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities

[From Burton Group Identity Blog: US Government Identity News]

Personally, I think that the government ought to be a "gold standard" identity provider as well as an identity consumer, but that's another issue.

Continue reading "Collision" »

Verily

By Dave Birch posted Nov 25 2009 at 10:43 PM

[Dave Birch] I enjoyed Scott Silverman's talk about privacy and security at ID World. Scott (the devil, according to CASPIAN) is the CEO of Verichip, the company that developed the first FDA-approved RFID chip for human implantation. (It's just a passive RFID chip containing a 16-bit identification number). Apparently, they had had some 900 emergency rooms across the US signed up for the service before the "privacy backlash" started. Opponents of the system told the newspapers that the chips caused cancer, and that was that.

Now, to be honest, I'm very sympathetic to Scott. A couple of years ago, I contacted Verichip because I thought it would be fun to have a Verichip implanted in my arm ready for the Digital Identity Forum, but they said no (spoilsports). My cat has one, and I'm jealous.

Anyway, the point is that the privacy backlash was so great that the stock price collapsed and the company -- which was reduced to a shell -- has now been restructured as PositiveID with Scott as the majority shareholder. They have a number of initiatives, one of them being "PatientID" which will link high-risk patients (eg, Alzheimer's patients) to their medical records. Now, as far as I can see (and I'm speaking from the point of view of someone with an Alzheimer's sufferer in the family) this is a splendid idea. I'm pretty privacy sensitive, but this is an application that makes absolute sense to me. If I had Alzheimer's, I'd want a chip so that if I get lost or confused, a doctor can instantly find out who I am and what my conditions and medications are. You could do it by fingerprinting me, or iris scanning or whatever. But it appears to be quicker and simpler to use the chip instead.

Scott also mentioned their "HealthID" initiative that will link sensors to the chip: so, for example, you could have a glucose-sensing chip for some types of diabetes so that when the chip is read to identify the patient it will also report glucose levels. If I had diabetes, I would much rather have one of these than prick my finger and test drops of blood. I wouldn't want everyone to be able to read it though, and this is where the problem comes: we need to have some form of standard privacy-enhancing infrastructure that sits above the "chip layer" to make this all work properly.

Continue reading "Verily" »

Rob Schuurman, Nedap

By Dave Birch posted Nov 19 2009 at 3:31 PM

[Dave Birch] Rob Schuurman is the general manager of Nedap Healthcare, based in the Netherlands. They have developed award-winning products that use mobile phones and NFC to deliver practical, convenient security to a mass market. In this podcast, he talks about his practical experiences getting an NFC-based service into operation and shares some thoughts about the future of the technology in that sector.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

Continue reading "Rob Schuurman, Nedap" »

Out of control, up to a point

By Dave Birch posted Nov 17 2009 at 12:04 PM

[Dave Birch] I re-read an excellent post over at Emergent Chaos. It reflected an important discussion between two people, both of whom I take very seriously. To paraphrase and simplify horribly, Bob thinks that the social structures maintain privacy, Adam thinks that technological structures maintain privacy.

In a world where some people say "I've got nothing to hide" and others pay for post office boxes, I don't know how we can settle on a single societal norm. And in a world in which cheesy-looking web sites get more personal data — no really, listen to Alessandro Acquisti, or read the summary of "Online Data Present a Privacy Minefield" on All Things Considered... -- I'm not sure the social frame will save us.

[From Emergent Chaos: Bob Blakley Gets Future Shock Dead Wrong]

The lack of a "norm" is a good point here, and I have to say it made me think. We should be developing tools that allow people to construct their norms (within boundaries, obviously) but not setting out a norm so that the tools can only implement one model. For this reason, amongst others, I tend to come down on the more technological side of this argument, which is why I'm so keen to see privacy as part of customer propositions and privacy-enhancing technologies as part of the systems being built in both public and private sectors.

Continue reading "Out of control, up to a point" »

Thanks, thank you all

By Dave Birch posted Nov 14 2009 at 7:20 AM

[Dave Birch] This blog has been nominated for the Computer Weekly Blog Awards for 2009.

Now, merely being nominated is reward and testament enough, but should you feel moved to voice your support in the traditional way, then please feel free to vote early and vote often.

Continue reading "Thanks, thank you all" »