About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

33 posts categorized "Personal Identity"


Trans-mission

By Dave Birch posted Dec 3 2009 at 10:22 PM

[Dave Birch] Should people be allowed to have "anonymous" prepaid mobile phones (well, SIMs) or not? It's a simple question, but a complicated subject. And it's worth exploring because it helps us to have a real, focused discussion about practical privacy and security issues. The subject came up because of one of the current hot topics in the UK, which is the government's proposed "crackdown" (although "crackup" might be a better description) on the unauthorised copying of copyright material. Once the government has disconnected most broadband users in Britain through the "three accusations and you're out" policy, many desperate internet addicts will be driven to using mobile connections to continue online banking, reading about "I'm a celebrity get me out of here" behind the Murdoch paywall and playing World of Warcraft. At which point, the mobile operators will come under pressure to start disconnecting people as well. But as the always spot-on mobile industry analyst and Forum friend Dean Bubley notes:

"On one hand, the government's trying to encourage internet connectivity — bridging the digital divide — but a lot of people in lower socioeconomic groups are on prepay, and the vast majority are anonymous," Bubley said

[From Mobile industry 'cannot identify pirates' - ZDNet.co.uk]

So the mobile operator won't be able to turn over the name and address of the supposed copyright pyrate. When the letter from Apple Corporation arrives at Vodafone asking them to turn over the name and address of the person who downloaded "Love Me Do", Vodafone won't be able to tell them (so presumably Vodafone will then be found in contempt of court or something and their internet access will be turned off).

So what to do? Well, one approach (followed in many countries) is simply to force all prepaid phones to be registered with the authorities. In the UK, the government might use its splendid new national identity register, for example, to ensure that all prepaid phones have a passport or national identity card connected to them. And, as in Spain, take immediate action against those terrorists, money launderers, child pornographers and criminals who refuse to do so.

Spanish mobile operators last night cut off an estimated three to four million pre-pay mobile phones whose owners had not followed government instructions to register their devices.

[From Spain cuts off 3m pre-pay mobiles • The Register]

I can see exactly why law enforcement and government agencies object so strongly to anonymous mobile phones (although they still allow people to post letters anonymously) but I think they are wrong to react in this way. The truth is, the criminals will just use other people's phones and will be even harder to track and trace than they were before.

Consider the most prosaic of examples. Where I live, in a deprived part of Europe called "Surrey", a window in the house opposite ours was smashed by a gang of feral youths. Sadly, we didn't see this happen, so we were unable to assist the local constabulary. But suppose I had seen it happen? I have, currently, four prepaid mobile phones about my person (they are used for various demos and experiments for work), so I would have just picked up one of these phones and called the police with the details of the incident and a description of the yobs.

But now suppose that my prepaid phones were connected to me through the national identity register. Now there's no chance that I will pick up one of them and report the crime, because I'd be worried that my name and address would get (via the police or the database) to the gang in question.

This may be a silly example, but from battered women to corporate whistleblowers there are plenty of good reasons for allowing anonymity. We need this to be part of the infrastructure.

All this does prove, though, that there is a legitimate place for digital anonymity, and I hope that any identity management system required by the US government and others will allow anonymity and not prevent it.

[From Tech and Law: Technology, domestic violence, anonymity]

Note the important qualification here: there is a legitimate place for "digital anonymity". I would go further than that and say that without digital anonymity, we are creating the wrong kind of infrastructure for a successful and prosperous society. Now, your web site may choose to allow or decline access by digitally known, pseudonymous or anonymous identities. If you are a web site discussing Iranian democracy, you may well insist on the latter. If you are a government department, you may insist on the former. The infrastructure must cope with both.

Continue reading "Trans-mission" »

The DNS of the industrial bourgeoisie

By Dave Birch posted Oct 19 2009 at 11:30 AM

[Dave Birch] I have a vague memory -- which five minutes googling cannot substantiate and I'm too lazy to go and find the book in the other room -- that somewhere in the Gulag Archipelago by Aleksandr Isaevich Solzhenitsyn there is mention of Stalin's desire to have a more revolutionary telephone system where all calls had to go through a central exchange and be encrypted, so that Stalin could listen to everyone else's calls but his would be encrypted to remain secret. The prisoners with relevant skills were supposed to be designing this while in the gulag. It never worked, of course, and the Soviet Union had appalling telecommunications infrastructure as a consequence, because the communications revolution was halted by the dictatorship of the proletariat: there's some deep incompatibility between innovation and centralisation. I couldn't help thinking of this when I read about the calls by Eugene Kaspersky to have a more Stalinist internet:

The CEO of Russia's No. 1 anti-virus package has said that the internet's biggest security vulnerability is anonymity, calling for mandatory internet passports that would work much like driver licenses do in the offline world.

[From Security boss calls for end to net anonymity • The Register]

What he means by this is that he wants a technologically complicated and expensive solution to be implemented so that ordinary people are inconvenienced to the maximum while criminals can roam free (which is what would happen). Creating such an asymmetric solution is not the way forward: for one thing, who would decide what to censor?

A little local controversy involving the Church of Scientology and its critics could lead to curbs on the right to anonymity of anyone using the web.

[From Scientology seeks to squash anonymity • The Register]

We already have experience of this "solution" in the UK. Laws giving a wide variety of bodies the ability to monitor CCTV, the internet, phone calls and everything else, which were supposed to save us from international terrorism, are used by local councils to stop people from trying to get their children into better schools and to check that people are recycling enough of their rubbish. I'm sorry, but creating a world in which anyone can read anyone else's e-mail, track anyone else's web browsing and see what anyone is reading is not the way to stop Russian virus writers from taking over everyone's PCs. We need an identity infrastructure.

Continue reading "The DNS of the industrial bourgeoisie" »

The right to moan

By Dave Birch posted Aug 28 2009 at 6:26 PM

[Dave Birch] I've been following a few discussions about online anonymity, triggered by a couple of stories about bloggers' identities being disclosed for one reason or another. One of them was the ridiculous story about an outraged model.

Of course, pretty much no one would have seen such a blog if Cohen hadn't gone legal about it, claiming (with no proof) that she was losing jobs because of it (which seems difficult to believe).

[From Outed Blogger Plans To Sue Google; Skank Model Mess Gets Messier | Techdirt]

This is what they call on the interweb the "Streisand effect", but of course in these knowing post-modern times it could all be a clever publicity stunt, and the model is not being stupid but cynically wasting taxpayers' money to attract attention. Anyway, the point is that this story got yet another discussion about internet anonymity going. The general tone of the discussions in the media appears to be the usual unthinking "if you've got nothing to hide...".

I take a different view. Most people do not have anonymity, it's a myth. If I log on to The Guardian's "Comment is Free" and post something about the destruction of the public finances under the name "General Wolfe of Quebec", I am not really acting anonymously because it is trivial (as the recent headline stories have proved) to determine the IP address that the post came from and then go to the ISP to get the account. So although the Internet seems anonymous to people who don't understand it (eg, models, politicians), it isn't. And it's not obvious whether that is good or bad. If you're trying to track down someone posting child pornography (the usual short-circuit for the argument) then it's bad, but if you're trying to complain about the treatment of political prisoners in your country, then it's good. And what's more, whether your blogging is anonymous or not depends on the technology, not on the constitution or the judiciary.

As Ben Laurie has so clearly pointed out, unless the connection layer is anonymous, nothing else matters.

[From Digital Identity Forum: Internet]

I think that at a minimum bloggers should have conditional anonymity: that is, they should be able to use a pseudonym that is only connected to them on the production of a court order. This cannot be achieved by depending on the service providers: even if they operate with good will,

Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often 'reidentify' or 'deanonymize' individuals hidden in anonymized data with astonishing ease.

[From SSRN-Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization by Paul Ohm]

What this, I think, implies is that there will be blogging platforms that spring up in the US to operate under the provisions of protected free speech legislation and beyond the vagaries of UK libel laws and, over time, the most interesting and valuable blogs will migrate in that direction. Those platforms will provide authenticated pseudonymous identities (using, as I repeatedly wish for, 2FA OpenID or something similar) that are contingent on cryptography. How is the nurse going to blow the whistle on a drunk surgeon without pseudonymity?

Continue reading "The right to moan" »

Paradigms and pseudonyms

By Dave Birch posted Jun 26 2009 at 2:41 PM

[Dave Birch] I enjoyed listening to Roger Clarke at the 2nd interdisciplinary workshop on Identity in the Information Society at the LSE, because I had read his work (particularly on PKI) over many years and wanted to see how his thinking had evolved. Roger made a number of excellent points, one of them being that one of the barriers we need to overcome (if we are going to do anything practical about identity management) is that the models that we technologists are using, the implicit mental models of the decision-makers and the reality of the situation are all different (I'm paraphrasing greatly, obviously). Having had the chance to think about this some more, I think that I agree with his diagnosis but disagree with the treatment.

So far as the treatment goes, Roger proposed a way to deal with this some time ago and explained it in his presentation. His model gets around the problem of the mappings -- that is, the mappings between real and virtual entities and their attributes -- by separating out elements of the mapping, distinguishing between identity and entity, between identification and entification.

If I've understood what Roger meant, then I think I don't quite agree with him, because I think replacing the N:N mappings between real and virtual identities by 1:N mappings to digital identities is a simpler way to model the complexity of the boundary between real and virtual in the identity space. So I don't think about identity and entity but about the real and digital identities and stuff, and some of that stuff happens to be people, if you see what I mean.

Continue reading "Paradigms and pseudonyms" »

I'm sure banks have a strategy for this kind of thing

By Dave Birch posted Sep 18 2008 at 2:27 PM

[Dave Birch] Some time ago, I pointed out that sensible retailers would use ID cards to cut payment schemes out of the transaction loop, by using ID cards as payment tokens and using the ACH network rather than Visa or MasterCard. I've just written another piece on this for Electronic Finance & Payments Law & Policy.

As I have long been advising our clients in the payment space, there will be inevitable implications for retail payments businesses once a national ID card is in place.

[From Digital Identity Forum: Paying for identity]

Retailers want business change, not just lower fees. Now, a barrier to their competing with existing card schemes themselves has been the cost of issuing and managing secure smart cards or other tokens. But if the government is going to do it for them, then they may as well exploit it. I can easily imagine taking my ID card and a blank cheque down to Tesco, putting them both into a machine and punching in my PIN. Then, next time I go shopping, I punch my PIN into the keypad at the checkout lane, wave my ID card over a reader and then go on my way. This kind of service has already begun to spring up in the U.S.A., in response to the issuing of "Real ID" drivers' licences which have machine readable magnetic stripes that can be read at POS terminals. A company called National Payment Card (NPC) has begun to exploit the opportunity, by getting customers to register their bank details and a PIN against their licence. This means that customers can then pay for fuel by swiping their licences at petrol stations and entering a PIN. A similar national scheme has just launched in Malaysia, where one of the leading banks has begun installing kiosks where customers can use their bank chip card and the MyKad ID card (without biometric authentication) together to link the ID card with the bank account automatically:

Consumers will have to open either a savings or a current account with EON Bank, which is the only bank providing payment transactions through the MyKad at the moment.

[From Buy fuel with your MyKad]

The scheme is targeting the fuel sector in the first instance and has signed up all Caltex and BHP filling stations, so that customers can fill up and pay at the pump with their ID card. Since the margins on fuel are thin, the sector has every incentive to cut payment schemes out of the loop and move to direct bank transfer via ACH. I wonder if they even bother to authorise the transactions: after all, if you try to cheat them by presenting the ID card when you have no money in the bank, they have your ID details and I imagine you'll be hotlisted pretty quickly.

Continue reading "I'm sure banks have a strategy for this kind of thing" »

Location layer

By Dave Birch posted Sep 16 2008 at 9:14 AM

[Dave Birch] I recently gave a talk about using mobile phones as carriers of identity "cards", pointing out the kind of functionality that such an implementation could deliver into the hands of citizens and consumers. I'd used Neil McEvoy's "identity as utility" as the paradigm and demonstrated, I think, that the mobile phone is (for the time being) the most logical means to implement national-scale solutions. Caspar Bowden of Microsoft was in the audience and -- as I always genuinely appreciate -- asked me a couple of tough questions that I've been reflecting on. One of them concerned the relationship between security and privacy in an environment where the connection layer not only knows who the users are, but where they are at all times. This, Caspar reasoned, means that any implementation that tries to use privacy-enhancing technologies at a higher layer will necessarily be confounded, since trivial data matching in mobile phone records or ISP records will deliver an accurate record of both where you were and who you were talking to. This is, of course, correct. As Ben Laurie has so clearly pointed out, unless the connection layer is anonymous, nothing else matters. Uh oh...

A United Nations agency is quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous. The U.S. National Security Agency is also participating in the "IP Traceback" drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.

[From U.N. agency eyes curbs on Internet anonymity | Politics and Law - CNET News]

Shouldn't there be some kind of informed public debate about this kind of thing? (If you want to read up, start with the document that Robin Wilton pointed me to at the ITU.) This isn't a bit of irrelevant geekery on the margins of society, it's a fundamental issue, a fundamental bound on the development of communications.

Continue reading "Location layer" »

Engineering eID

By Dave Birch posted Jul 28 2008 at 12:55 PM

[Dave Birch] What are the differences between the proposed German identity card and the proposed UK identity card? Well, for one thing, we already know how the German card will work and what applications it will contain. In fact it will contain three: the ePass application for police and border control, the opt-out eID application for e-business and e-government and the opt-in eSignature application. It has some interesting functions, such as proof of age without disclosing the date of birth, and supports end-to-end online security because it has a mutual authentication scheme built in. If someone wants to authenticate you using your card, they have to present a digital certificate (issued to them under the German government's authority) that lists the attributes (eg, address) the service provider is allowed to read. Since the card and the service provider thus establish an encrypted end-to-end channel bound to that certificate, a man-in-the-middle cannot read or alter the attributes in transit (which is not the same as protecting you from an authorised service provider misusing what it is entitled to read, but it is a good start).

A function I find particularly interesting is the pseudonym function. A service provider can request an identity that is known only to that service provider, and the card will generate a pseudonym according to a published algorithm. Since this involves using the service provider's public key, service providers cannot know other service providers' pseudonyms: a simple means to increase both security and privacy for very little effort. If there is a specification for the U.K.'s identity card that is currently being procured then I haven't seen it, but I'd lay a pound to a penny that it does not include this kind of privacy-enhancing technology (PET), because I have never seen it in any of the management consultants' presentations, government strategy documents or discussion forums. What a shame. Why do Germans deserve this kind of security but we Brits don't?
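To make the pseudonym idea concrete, here is an added example (my own illustration, not the German card's specification or any vendor's code) of a sector-specific pseudonym built the way the paragraph above describes: the card combines its own secret with the service provider's public key and hashes the result, so each provider sees a stable identifier that no other provider can reproduce. The group parameters, the `"bank"` and `"shop"` sector labels and the function names are assumptions for readability; a real card uses a standardised elliptic-curve group, not a toy prime.

```python
"""Sector-specific pseudonyms in the style of a Diffie-Hellman "restricted
identification" function. Added example, not the German eID specification.

Assumptions (toy values, not for production):
  * P is 2**127 - 1 (a Mersenne prime) and G = 3; a real deployment would use
    a standardised prime-order group or elliptic curve.
  * Sector labels such as "bank" and "shop" are invented for the demo.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # toy modulus: 2**127 - 1 is prime, but far too small for real use
G = 3                # toy generator


def keygen():
    """Return (secret, public) with public = G**secret mod P.
    Used both for the card's key pair and for each sector's key pair."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def _pseudonym(shared_value, sector_label):
    """Hash the DH shared value together with the sector label.
    Only the hash ever leaves the card, never the shared value or the secret."""
    material = sector_label.encode() + shared_value.to_bytes(16, "big")
    return hashlib.sha256(material).hexdigest()


def card_pseudonym(card_secret, sector_public, sector_label):
    """What the card computes for a service provider in the given sector:
    sector_public ** card_secret mod P, hashed. The same inputs always give the
    same pseudonym, so the provider can recognise a returning card."""
    return _pseudonym(pow(sector_public, card_secret, P), sector_label)


def sector_pseudonym(sector_secret, card_public, sector_label):
    """What the holder of the sector's *private* key can compute from the card's
    public key. It equals card_pseudonym() for that sector, which is why the
    sector private key must stay with the sector (or its issuing authority) and
    must not be handed to every relying party."""
    return _pseudonym(pow(card_public, sector_secret, P), sector_label)


def demo():
    """Exercise the four properties the scheme is meant to have and return
    them as a dict of booleans (used by the checks below)."""
    card_sk, card_pk = keygen()
    bank_sk, bank_pk = keygen()      # sector "bank" key pair (constructed)
    shop_sk, shop_pk = keygen()      # sector "shop" key pair (constructed)

    at_bank = card_pseudonym(card_sk, bank_pk, "bank")
    at_shop = card_pseudonym(card_sk, shop_pk, "shop")

    return {
        # same card, same sector, same pseudonym every time
        "stable": at_bank == card_pseudonym(card_sk, bank_pk, "bank"),
        # the bank's view of the card does not match the shop's view
        "unlinkable_across_sectors": at_bank != at_shop,
        # the sector private key holder can reproduce the pseudonym from card_pk
        "sector_key_matches": at_bank == sector_pseudonym(bank_sk, card_pk, "bank"),
        # the bank's private key is useless for working out the shop pseudonym
        "other_sector_cannot": at_shop != sector_pseudonym(bank_sk, card_pk, "shop"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The point to notice is the asymmetry: a service provider holding only its public key learns a pseudonym it can recognise again, but linking that pseudonym to the same card's pseudonym elsewhere requires the *private* key of the other sector, which the provider never has. That is the "published algorithm" doing privacy work for almost no extra cost.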

Continue reading "Engineering eID" »

No more PETs win prizes puns, please

By Dave Birch posted Jul 23 2008 at 7:44 PM

[Dave Birch] Microsoft has been sponsoring the annual privacy-enhancing technology awards at the PETS Symposium for a few years now. This year the winning paper was written by Arvind Narayanan and Vitaly Shmatikov, researchers at The University of Texas, who looked into large publicly available anonymised data sets – and very quickly discovered a major privacy risk, as their experiments showed that such data sets could be used to re-identify individuals using efficient algorithms. All of which means that companies should be careful about storing masses of data on customer choices because, even if customers aren't explicitly identified in the individual records, it doesn't take much effort to identify them from the pool. Interesting stuff.

Runners-up, Cambridge University researchers Steven J. Murdoch and Piotr Zieliński, also focused on online anonymity. Their paper discusses and analyses, for the first time, the possibility of surveillance at internet exchanges (IXes) where Internet traffic crosses from one network to another. Because so much traffic passes through these, the research seems to indicate that a relatively small snapshot of the data in transit contains a lot of information about what is moving between which nodes.

I found the other runner-up paper especially fascinating because of my focus on the intersection of the digital money and digital identity worlds. The paper "Making P2P Accountable without Losing Privacy" (by Belenkiy et al, Brown University) posits the use of e-cash (that is, the original Chaumian e-cash) to add accountability to file sharing networks without giving up privacy. The idea is to balance between selfish users in a transparent way (and money is the most transparent of all ways) without sacrificing anonymity. Given some of the discussions about anonymity over on Digital Money, this is a timely addition to the debate and shows that accountability and privacy are not mutually exclusive.

Incidentally, their premise that fairness is essential to providing scalable incentives for greater participation seems right to me, as does their characterisation of "selfish peers" as agents in a virtual economy, but I'm not sure if e-cash is a necessary grease to make that work. The authors suggest that the money used in their scheme has five essential characteristics:

  • It should be fungible (ie, no "different strokes" and everyone's money can be used for everything in any combination).
  • It should be integral to the fair exchange of money for goods/services. Because of my history in this space, I'm particularly interested in "shopping" protocols that include all of the steps in a transaction.
  • The money must be unforgeable, obviously.
  • The payment system must be efficiently implementable.
  • Finally, users should be able to spend anonymously.

This last one is an axiom, I think: it's not clear to me from the paper whether they have some reason for thinking that anonymity will or will not make any difference to the performance of the scheme. Would anyone care?

As an aside, when discussing the economic issues raised by the paper, the authors say that under limiting conditions they can demonstrate that knowledge of bank balances (M1) can predict how much money can be added to the network without causing a crash. I hope the Chancellor reads up on their model!

By the way, a big thanks to the guys at Microsoft for sponsoring this valuable award.

Continue reading "No more PETs win prizes puns, please" »

Fingers in the dyke

By Dave Birch posted Jul 11 2008 at 4:15 PM

[Dave Birch] Over on the Digital Money Blog, we've been talking about the well-known MiFare security issue. We're interested in it over there because MiFare is used for things such as Oyster cards and there's an overlap between contactless cash replacement and contactless transit systems. From this frame of reference, the security issue is interesting and it needs to be factored in to system procurement, card updates and that kind of thing. No-one is going to implement an electronic purse system using MiFare Classic, so the sky isn't falling in. So, the guys are saying, well, next time we buy some cards we'll buy MiFare Plus instead, but other than that, what's the worry? But now it turns out that the problem may be far more troublesome than at first realised, because the same technology (designed for mass transit) is being used by the Dutch government to secure access to important facilities:

...the Dutch Interior Ministry's spokesman said this is "a national security issue," since several government agencies there use the same technology to restrict access to their facilities.

It looks as if the researchers behind the MiFare crack have done Dutch citizens a big favour by alerting them to the inappropriate use of technology -- MiFare Classic was designed for mass transit, not for identity cards and access control for sensitive facilities -- before some bad guys do.

Continue reading "Fingers in the dyke" »

RUSI and all that

By Dave Birch posted Jul 1 2008 at 12:19 PM

[Dave Birch] One (!) of the conferences I spoke at last week was the Royal United Services Institute's conference on Science and Technology for Homeland Security and Resilience. I decided to put my original presentation about ID card technology to one side and go with my new psychic ID card slides. If you're at all curious, the slides are here...

There were a couple of tough questions -- mostly around "why bother with an ID card at all" -- but on the whole the people there were very nice to me, and prepared to listen to what I suppose must seem like a fairly radical idea if you are from a conventional security background.

As the comments on the original blog post seem to indicate, I think I've stumbled on a useful way of describing an alternative form of identity card. I've been writing it up in more detail for a journal, so hopefully I can address some of those issues as I go along with the "psychic rewrite", by which I mean that I'd already prepared a paper on how to use smart cards, mobile phones and so on to create a new kind of identity card, but I'm currently rewriting it to use the Dr. Who framing, as it does seem to speak to people far more effectively than any of my previous attempts.

Continue reading "RUSI and all that" »