[Dave Birch] Having had the sixth roundtable in our series and started to prepare for the seventh, I'm beginning to think that one of the reasons why it is proving difficult to iterate towards solutions for the "identity problem" in financial services is that it is hard to think about the future of identity because it is going to be so different from the past. I've said before that
we need to develop more sophisticated notions of identity in our post-modern paradigm and that trying to shoehorn entirely new concepts like a social networking identity into either pre-modern notions of what might or might not constitute real identity or modern notions of some kind of unique state-delivered identity is going nowhere.
[From Digital Identity: Bring it on]
When we're trying to imagine how identity infrastructure might work for the financial services world, there's no point looking backwards and imagining that making people carry either bits of cardboard or the electronic equivalent of bits of cardboard (like the proposed UK national identity card was) will help. In the new economy, where online and offline begin to merge, we need to find some kind of identity infrastructure to support individuals, organisations and governments in their interactions and transactions spanning the virtual and mundane. At the heart of this is some kind of concept of digital identity.
The sector should demand a 21st-century infrastructure founded on digital identity because you can do things with digital identity that you can't do with analogue identity: digital identity isn't simply an electronic representation of analogue identity. It can do things that have no analogue analogue, so to speak. This is because digital identity is built on mathematics and cryptography, not our "common sense" notions of what an identity is. When you digitise something, you have the opportunity to unpick it and rebuild it to be better. Identity is no different.
Consider the prosaic case study at the heart of goodness knows how many discussions about identity in the UK. You go into a pub and they ask you to prove you are over 18. You show them your driving licence. Now, assuming they believe it's a real driving licence (they have no way of checking, of course), they now know your name and address as well as your age. That was none of their business. Actually, your age is none of their business either, because all they need to know is whether you are over 18 or not. Digital identity can do that: you could easily imagine an Oyster-like button on the bar: you touch a card or your phone to it and the barman sees either your picture (if you are over 18) or a red cross if you are under 18. He doesn't have to judge whether your papers are real or not: unforgeable digital signatures do that for him.
This is a general point: digital identities are better because they can be checked. Your phone will be able to tell you whether the guy at the door really is from British Gas. But they can be discreet: if the pub asks for your address, your digital identity can check and see whether to give it to them or not. This has been possible online for years, but it's about to enter the mass market because of the mobile phone.
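The pub check described above, as an added example (not code from the original post): a hypothetical issuer signs only an over-18 flag, a photo hash and an expiry date with Ed25519, and the reader on the bar verifies that claim with nothing but the issuer's public key. The function names, claim fields and sample values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical issuer (e.g. a bank or licensing agency) with an Ed25519 key pair.
const issuerKeys = crypto.generateKeyPairSync('ed25519');

const sha256hex = (bytes) => crypto.createHash('sha256').update(bytes).digest('hex');

// Fixed field order, so issuer and verifier sign and check identical bytes.
function encodeClaim(c) {
  return Buffer.from(JSON.stringify([c.over18, c.photoHash, c.expires]));
}

// Issuer side: sees the date of birth, but signs only a yes/no answer.
function issueAgeClaim(privateKey, dateOfBirth, photo, now, validDays) {
  const cutoff = new Date(now);
  cutoff.setUTCFullYear(cutoff.getUTCFullYear() - 18);
  const claim = {
    over18: new Date(dateOfBirth) <= cutoff,
    photoHash: sha256hex(photo),
    expires: new Date(now.getTime() + validDays * 86400000).toISOString(),
  };
  const signature = crypto.sign(null, encodeClaim(claim), privateKey);
  return { claim, photo, signature };
}

// Reader on the bar: holds only the issuer's public key, never name or address.
function checkAtBar(publicKey, presented, now) {
  const { claim, photo, signature } = presented;
  if (!crypto.verify(null, encodeClaim(claim), publicKey, signature)) {
    return 'REJECT: signature invalid';
  }
  if (new Date(claim.expires) < now) return 'REJECT: credential expired';
  if (sha256hex(photo) !== claim.photoHash) return 'REJECT: photo swapped';
  return claim.over18 ? 'SHOW PHOTO' : 'RED CROSS';
}

// Constructed sample data (dates, photo bytes and birthdays are made up).
const now = new Date('2011-06-01T00:00:00Z');
const photo = Buffer.from('constructed-photo-bytes');
const adult = issueAgeClaim(issuerKeys.privateKey, '1990-05-01', photo, now, 30);
const minor = issueAgeClaim(issuerKeys.privateKey, '1995-01-01', photo, now, 30);
const forged = { ...minor, claim: { ...minor.claim, over18: true } };

console.log(checkAtBar(issuerKeys.publicKey, adult, now));
console.log(checkAtBar(issuerKeys.publicKey, minor, now));
console.log(checkAtBar(issuerKeys.publicKey, forged, now));
```

A static signed claim like this can be copied to another phone and looks identical on every presentation, so a deployed scheme would also need the phone to prove possession of a key, which this sketch leaves out.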
The transition to digital identity and the use of mobile phones also means an integration of logical and physical identity. Instead of carrying a key fob that gets you into your office and an ID card that gets you into the building and a dongle for logging in to your PC, your digital identity (almost certainly embedded in your phone) will do all of these things. This isn't theoretical. RIM have just announced that the new versions of the Blackberry that include contactless technology will integrate the HID iClass physical access system. This means that you can touch your Blackberry to your office door to open it as well as read your e-mail.
The new BlackBerry Bold 9900/9930 and BlackBerry Curve 9350/9360 smart phones activated with iCLASS digital credentials will be compatible with the installed base of iCLASS readers that are used for applications ranging from physical access systems in buildings, to student IDs, to applications that track time and attendance.
[From NFCNews | NFC-enabled Blackberry devices supporting HID iCLASS]
The new generation of mobile phones that have this Oyster-like "tap and go" technology built in to them -- like the Google phones that recently launched in the US -- means that the use of digital identities can be made quick and convenient. If you want a snapshot of how this bridge across the real and virtual might work, have a look at the pilot project at the Clarion Hotel in Stockholm, where frequent visitors were given a mobile phone equipped with NFC ("near field communication") contactless interfaces so that they could check in on their phones and then go straight to their room to tap and enter.
A world’s first pilot is starting at the Clarion Hotel Stockholm in Sweden. ASSA ABLOY, Choice Hotels Scandinavia, TeliaSonera, VingCard Elsafe and Venyon, a fully owned subsidiary of Giesecke & Devrient, have joined forces to replace hotel room keys with NFC-enabled mobile phones.
[From NFC mobile phones replace hotel keys | Clarion Hotel Stockholm]
The guests said using the NFC-enabled phone to check in, enter their room and check out made their stay more pleasant, saved time and inspired them to use the service again. Ease of use counts, especially in identity where the underlying concepts of keys and certificates are opaque to the general public, and for the foreseeable future it's the mobile phone that can deliver this ease of use.
You can see what Nokia, RIM and Google are moving towards. When you meet someone on business, a quick tap of the phones will exchange contact details and make a LinkedIn connection. Digital signatures will mean the information can be trusted. When you're waiting for a train, you'll be able to tap your phone to an advert for a film and find yourself connected directly to the ticket office.
For financial services to use this quick, convenient and simple interface, it needs an infrastructure that means the things you're interacting with can be trusted and that they can trust you. In the US, the Department of Commerce has launched their National Strategy for Trusted Identities in Cyberspace (NSTIC) and the Cabinet Office are working on something similar in the UK, as discussed in our second workshop: a framework for private sector identity providers to work in.
I think that NSTIC isn’t bad at all. As I’ve noted before I’m pretty warm to it. The “identity ecosystem” it envisages is infinitely better than the current ecosystem and it embodies many of the principles that I regard as crucial to the online future.
[From Reflecting on NSTIC]
I think our final workshops should focus on defining the financial sector's requirements for this framework: looking forward to exploiting new technology to make life both simpler and more secure at the same time.
Who steals my purse steals trash; 'tis something, nothing;
'Twas mine, 'tis his, and has been slave to thousands;
But he that filches from me my good name;
Robs me of that which not enriches him, and makes me poor indeed.
William Shakespeare, Othello (Act 3, Scene 3).