About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

16 posts categorized "Digital Money Forum"

The role of identity cards

By Dave Birch posted Feb 8 2008 at 12:44 PM

[Dave Birch] Writing in a recent Spectator, Hugo Rifkind of The Times explains just how shocked he was when what used to quaintly refer to as e-government actually worked. In this case, he was applying for a replacement driving licence online...

I didn’t need to register, as I had apparently done so already, by creating something called a Government Gateway account when filing my tax return. I didn’t need to send them a photograph, as they still had my old one on file. I didn’t need to prove my address, as they had the electoral roll. I didn’t need to send them proof of identity, as they could look up my passport, just from the number. Seriously. Twenty minutes.

[From Shared Opinions | The Spectator]

He mentions this to support the idea that there's no point being against a identity card because, in essence, we already have one. But this is wrong: this is an argument in favour of an effective national identity register (which I am in favour of too) not an argument in favour of an effective national identity card which, had it existed and been designed properly, would have been used to authenticate Mr. Rifkind in this transaction. His experience illustrates precisely why the government should focus on the issuing of national identity numbers and not on storing data -- any data -- in the register. Adding a national identity number to the DVLA database makes sense: adding the DVLA number to the register doesn't deliver anything beyond what is already place and makes the system potentially more vulnerable. What should happen is this: Mr. Rifkind logs in to the government gateway -- initially using usernames and passwords but using 2FA once the cards have been rolled out in the future -- and from then on seamlessly moves around government departments and gets stuff done using standard federated identity products. No spending half an hour searching for the piece of paper that you haven't seen since last year that has your government gateway log in details on it, as I did when sorting out my tax last month (unluckily just before the whole system crashed).

Continue reading "The role of identity cards" »

Dog years

By Dave Birch posted Jan 17 2008 at 10:31 AM
According to one of the U.K. newspapers, the government is thinking about chipping prisoners in order to track them, as they (sort of) do at the moment with ankle bracelets...

But, instead of being contained in bracelets worn around the ankle, the tiny chips would be surgically inserted under the skin of offenders in the community, to help enforce home curfews. The radio frequency identification (RFID) tags, as long as two grains of rice, are able to carry scanable personal information about individuals, including their identities, address and offending record.

[From Prisoners 'to be chipped like dogs' - Independent Online Edition > UK Politics]
They are talking about Verichips here, but a moment's reflection leads me to the conclusion that the story either cannot be true at all or can only have been leaked to the newspaper by someone who hasn't the slightest understanding of RFID technology or, for that matter, technology in general. Verichips store only a 16-digit number and they are not re-writable: they can't store addresses or anything else. But then none of the people in the article seem particularly au fait with the either the technology or its risks:

Consumer privacy expert Liz McIntyre said a colleague had already proved he could "clone" a chip. "He can bump into a chipped person and siphon the chip's unique signal in a matter of seconds," she said.

When she says "siphon the chip's unique signal", she of course means "read the chip ID as per the specification". Reading the ID number off of the chip is no different to reading it off of the patients bracelet. It's just a number. I'm not waving away perfectly valid privacy concerns here. I'm just pointing out that the fact of the matter is that there is no point implanting a chip under the skin of someone who doesn't want to co-operate. They will simply take it out, or swap it with another chip. The technology has absolutely nothing to offer in this case.

Continue reading "Dog years" »

Why do biometric systems fail?

By davebirch posted Sep 14 2007 at 8:17 AM
[Dave Birch] I've been wondering why the IRIS biometric scheme is so bad. I've now given up on it completely: the last couple of times I've tried to used -- when it's actually been working -- it hasn't let me in. I don't know why it's stop recognising me, although I have a theory. What if it is something to do with the number of people enrolled? I was an early adopter of the scheme, and it's always been pretty terrible. I've complained about it before bit always come back and given it another try. Well, no more. Whether the biometric, the system or the government procurement procedure failed, I'm not sure. But it's not a very good advertisement for large-scale biometrics, just as the procurement for the national identity card in the U.K. is about to begin.

Technorati Tags: , ,

Continue reading "Why do biometric systems fail?" »

Finding a privacy compromise

By davebirch posted Jul 4 2007 at 7:36 PM
[Dave Birch] People, quite reasonably, express concern that organisations keep data about them and it is an entirely realistic fear that this data will be mined in unexpected ways in the future. I remember coming across this problem in the early days electronic purses, when there were differing opinions as to how long transaction data should be retained. In one of the schemes, for reasons I can't entirely recall, it was determined that 90 days was an acceptable comprise for "cash replacement" purposes. So, detailed transaction data would be retained for 90 days and during this time the police could obtain (with an appropriate court order) records for an individual card's transactions (although since there was no signature or PIN involved, that told you nothing about who was using it). After 90 days, the individual records were deleted and only the statistical aggregates were retained. This seemed to me to be a sensible way of dealing with the problem of the data trail left by digital identities.

Technorati Tags: , ,

Continue reading "Finding a privacy compromise" »

Consumers want biometrics (again)

By davebirch posted Mar 9 2007 at 8:11 AM

[Dave Birch] Yet another survey, this time from Unisys, seems to indicate (yet again) that U.S. and U.K. consumers would like to see biometrics introduced.  Across the board, a large majority of consumers in the United States (63 percent) and United Kingdom (87 percent) believe that the rise in identity fraud and the insufficient protection of personal information will become a significant security threat in the future, and feel that financial institutions and government are not doing enough to stop it.  As a result, an even greater percent of U.S. consumers (69 percent) and U.K. consumers (92 percent) would prefer that banks, credit card companies, healthcare providers and government organizations adopt biometric technologies, as compared to other protection measures such as smart card readers, security tokens or passwords/PINs, to safely and quickly verify personal identities.

Technorati Tags: , ,

Continue reading "Consumers want biometrics (again)" »

The public and confidence

By davebirch posted Mar 6 2007 at 8:20 AM

[Dave Birch] Any viable mass market digital identity system will need public confidence.  In particular, it will need public confidence in its most public manifestation, the smart card.  Can we find an example of a widespread smart card system to see if it has public confidence?  Yes, of course: chip-and-PIN.  There appears to public confidence in the chip-and-PIN system in the UK despite almost daily reports of its vulnerability to attack.  The public confidence is maintained by APACS.  Their spokesperson recently said (of the "tampered terminal" attack) that 'There is no evidence to suggest this has actually happened in the UK at all... It is on the list of potential threats, as lots of other things are" and went on say that "the fraud would be difficult to carry out because it requires an in-store accomplice and an external fraudster working simultaneously on the theft" apparently unaware that this is just what happened in the widely publicised "Shell case".  So here we have a case of an attack that is not only theoretically possible but has actually happened.  Yet the general public don't seem to care, for the obvious reason that it's not their problem.  If someone counterfeits my credit card, the bank gives me the money back.  Why should I worry?

Technorati Tags: , , , , ,

Continue reading "The public and confidence" »