I came across an interesting story via my old chum Charles Arthur’s consistently interesting “Overspill” blog. The story concerns on Oliver Taylor, a student at England’s University of Birmingham. From his picture, he appears to be normal looking twenty-something. From his profile he appears to be a coffee-loving politics junkie with an interest in anti-Semitism and Jewish affairs, with bylines in the Jerusalem Post and the Times of Israel.
Why is this interesting? Because the picture was created by an AI. It’s a fake face that doesn’t belong to any living human being. It was composed to be a human face that any of us would be able to recognise and distinguish, but it is entirely synthetic. Oh, and Oliver doesn’t exist. Charles notes that “two newspapers that published his work say they have tried and failed to confirm his identity”.
Wait. Shouldn’t newspapers try and fail to confirm someone’s identity before they publish a story. Well, no. That doesn’t work. What about whistleblowers? What about privacy in general? The way out of this dead end is to understand that what the newspaper should be checking for this kind of story is not the identity of the correspondent but their credentials. I doesn’t matter who Oliver Taylor is, it matters what Oliver Taylor is. It ought to be part of our national digital identity strategy (which we don’t have) to create a National Entitlement Scheme (NES) instead of some daft 1950s throwback digitised version of a national identity card. In the NES, it then becomes part of the warp and weft of everyday life for Oliver to post his comments along with his psedonymous IS_A_PERSON credential.
Well in the UK, as in the US, we don’t have a digital identity infrastructure (or in fact any other form of identity infrastructure) and the shambolic approach to identity is manifest in a daily litany of frauds, frictions and fantasies (often from the government). Here is an absolutely typical example: a nightclub is issuing its own identity cards since it can no longer rely on any of the other forms of “identification” that are in use. The nightclub manager says that the number of people presenting fake IDs is crazy, so the nightclub is going to issue its own identity cards with a picture on them. In order to get one of these cards, customers will need to present “two forms of up-to-date official ID” (not entirely sure what this means, since there is no “official ID” in the UK) and then in order to get into the club, customers will need either one of these club cards or a passport or a driving licence.
Before I continue with this specific example, let me make a general point about how I think these things should work in an always on, connected world. First of all, retailers and other service providers should all have their own virtual identity, or persona, for every customer because they need to be able to communicate and connect with those customers in order to deliver better services and products. In essence, every customer should have a loyalty card. The contents of that card should be unique to each service provider and any compromise of it should not lead to compromise with other service providers. In a digital identity world, this sort of thing is straightforward. You present a virtual identity from an organisation that is acceptable to the nightclub (e.g., a bank) and they send you back another virtual identity that contains things of relevance to the nightclub, such as your customer number and preferences.
In the virtual world, this makes sense because your mobile phone can store millions or billions of loyalty cards. In the “real” world, it will be really annoying to carry around thousands of loyalty cards with you wherever you go, but when those loyalty cards are (essentially) public key certificates then there is no problem.
So let’s go back to the nightclub and see how they might progress on a digital world, by creating a loyalty card based on digital identity infrastructure. Doing things this way has three distinct advantages. First of all, if you are a nightclub then your bar staff may well not be at MI5 levels when it comes to spotting a fake Romanian passport but they might be able to spot a fake version of your nightclub identity. (In practice, of course, they wouldn’t have to because the validity of the card will be checked by their phones). Secondly, by giving every customer loyalty card you are able to interact with them securely (in technical terms you can always send messages encrypted to that persona). Finally, as the nightclub manager himself notes, “we can also ban people and remove the card at our discretion, giving us more control and creating a safer environment”.
On a commercial note. you might wonder why organisations that already spend a lot of money on working out who people are (e.g., banks) don’t take this sunk cost and transform it into a revenue stream. I’ve more than once been told by a bank that there is no business for providing ID as a service to business customers, when clearly this nightclub (to pick just one example) is perfectly prepared to spend money on creating its own identity service when I’m sure the management would much rather that their efforts be directed towards running a nightclub.
Banks should be looking forwards by creating a digital identity infrastructure and then selling products and services based on the infrastructure to, for example, nightclubs. That way, the nightclubs could produce their own branded app (by adding a skin to a generic multi-bank identity app, for example) and pay the bank a pound to testify to the age of the holder rather than waste money having to do it for themselves.
Snippings 