India officer held over ‘swapping secrets’ for obscene photos – BBC News


Indian news website NDTV reported that two agents from Pakistan’s Inter-Services Intelligence reached out to Mr Marwaha on Facebook a few months ago.

They allegedly used fake profiles which led him to believe they were women after which they began regularly communicating with him on WhatsApp.

From India officer held over ‘swapping secrets’ for obscene photos – BBC News


John Perry Barlow

I was very sorry to hear about the death of John Perry Barlow, one of the great influences on my life in technology.

 

 

One of my happiest memories is of having dinner with John and cypherpunk founder Eric Hughes, along with Nicholas Negroponte, and having a discussion about the use of cryptography to deliver transparency (I was – and still am – sure that Eric’s “open book accounting” has a role to play in creating a new financial services infrastructure).

I remember being on a panel with John at a Vanguard executive summit thing in New York. It must have been mid-2000s, maybe 2005 or 2006. The topic of smart cards came up, and I told John that American banks were reluctant to start issuing them. He asked me why, so I told him it was because they were invented in France. He suggested that Gemplus rename them “Freedom Cards”, which still makes me chuckle thinking about it more than a decade later.

I probably only met him a dozen times, but he was unfailingly nice and I greatly enjoyed his company. Above all, he was interesting about cyberspace, virtual worlds and the future of society, things that need impassioned visionaries to be interesting about them, and I thank his memory for that.

POST Self-Sovereignty and the Three Domain Model


In June 2017, the National Institute of Standards and Technology revised its digital identity implementation guidelines in Special Publication 800-63.  By the end of June 2018, all federal agencies will be required to have legacy systems and applications in compliance with the guidelines.

From NIST’s digital identity deadline approaches — GCN

The NIST Digital Identity Guidelines use a three part model to create a standardised framework for dealing with the digital identity.

The NIST guidelines break up digital identity management into three sections: enrollment and identity proofing, authentication and life cycle management and .

From NIST’s digital identity deadline approaches — GCN

If that breakdown sounds familiar to blog readers, it’s because it is congruent with the “Three Domain Identity” (3DID) model that we developed a few years ago to help our clients to formulate strategies around digital identity. Just as a reminder, the three domains in our model are “identification” (NIST’s enrollment, identity proofing), “authentication” (NIST’s authentication and life cycle management), and “authorisation” (NIST’s federation and assertions). I made a handy “cut out n’ keep” graphic. 


The Three Domain Identity (3DID) Model

So, it seems to me that the 3DID model provides an excellent basis for government and business to establish a shared digital identity paradigm.

7 failed fintech ideas that might succeed today | PaymentsSource


Sometimes an idea is ahead of its time. Many of the most ambitious products in payments and fintech were dismissed as absurd or over-ambitious at the time — only to feel perfectly normal years later as culture and consumer habits evolved.

From 7 failed fintech ideas that might succeed today | PaymentsSource


Amazon files patent for wearable IoT wristband to track its warehouse workers – TechRepublic


This week, Amazon was awarded two patents for wristbands that can track a warehouse worker’s hands and monitor their performance.

From Amazon files patent for wearable IoT wristband to track its warehouse workers – TechRepublic


A class-action lawsuit filed earlier this week claims that vibrator manufacturing company Lovense, based in Hong Kong, has been collecting data on customers.

The suit does not name any of the plaintiffs, who allege that the features in Lovense’s products allowed the company to collect and store ‘highly intimate and sensitive data regarding consumers’ personal use of its vibrators.

Among these details are ‘the date and time of each use and the selected vibration settings’, according to the suit.

From Vibrator manufacturing company ‘collected users’ data’ | Daily Mail Online


Vibrator manufacturing company ‘collected users’ data’ | Daily Mail Online


A class-action lawsuit filed earlier this week claims that vibrator manufacturing company Lovense, based in Hong Kong, has been collecting data on customers… Among these details are ‘the date and time of each use and the selected vibration settings’.

From Vibrator manufacturing company ‘collected users’ data’ | Daily Mail Online


I was pleased to read that “the suit does not name any of the plaintiffs”. No kidding. But kidding aside, this example provides a stark illustration of what happens when there is no fundamental identity — and therefore trust, reputation and privacy — platform in place. And what’s more, it also tells us that the identity platform cannot be the kind of unsophisticated, basic platform that (for example) banks deploy. There’s a world of difference between logging in to the bank, where I need to prove that I am Dave Birch, and logging in to the sex toy 

POST 1500 words on Davos for ForgeRock

  • There are billions of identities coming online in coming years whether this be refugees and those in developing countries (as referenced heavily at Davos), or devices and things
  • These identities all need to be secured, at massive scale…this requires innovative, flexible, future proof identity platforms that can handle this complexity

Position on blockchain (which I need to verify with our internal experts that I am relaying correctly)

  • We think it has a lot of potential value, but there’s also a lot of noise in the space
  • We’re taking a measured approach, have joined the Hyperledger Project to explore more around tracking of valuable assets (IoT, documents, KYC), active policies for authorization that are more dynamic, an immutable record of user consent and its withdrawal

It was truly interesting, but not surprising, to see digital identity become a recurring theme throughout the agenda of this year’s Davos (or, more properly, the 48th World Economic Forum Annual Meeting in Davos). Interesting, because it means that digital identity is now on the agenda for public and private sector strategists at the highest level (and about to become a strategic battleground, in my opinion). For those of us who have been saying for some time that the “new economy” is being constrained, and even subverted, by the lack of a practical identity infrastructure in tune with the always-on world, this focus on identity could not have come soon enough. It is not surprising that it has reached the Davos agenda, though, because anyone who has spent any time trying to construct a vision for future online services must have come to the same broad conclusion: we cannot build services for the post-industrial age using the identity infrastructure of the industrial age. We need a new digital identity infrastructure.

J. C. Smith, CEO of Thomson Reuters: “Digital identity is the building block towards trusted access, authentication and privacy,”

From Digital identity paves way for trusted access, authentication and privacy says CISCO CEO at Davos

Mr. Smith is surely correct. All of the characteristics that we are interested in at the customer level (eg, privacy) can only be delivered through a digital identity layer that forms a fundamental platform for a wide variety of services and in response to a wide variety of use cases. To illustrate just how wide, consider the four use cases that I always put up to test the completeness of any digital identity vision that I am presented with: multiple identities, witness protection, whistleblowing and adult services. Each of these four examples imposes very different demands on digital identity and any practical digital identity system has to cope with all of them in ways that should be determined by society, not by technologists.

“Digital identities and access systems are foundational elements of our shared digital future” said Derek O’Halloran, Head, World Economic Forum System Initiative on Shaping the Future of Digital Economy and Society.

From Digital Identity – Why It Matters and Why It’s Important We Get It Right | World Economic Forum

Mr. O’Halloran is surely correct. I like this framing of the issue as a shared digital future, because it reinforces the point that digital identity must be shaped by a shared vision that necessarily encompasses some difficult issues. We all understand there are wide cultural differences in how identity is conceptualised and animated. There is no single position on surveillance, to choose an obvious case, that we can use to set all of the requirements. Meeting these varied needs is a real challenge to those of us trying to formulate ideas about how to fix the “identity problem”.

Digital identity is relevant in a wide range of situations that require people and entities to prove who they are

From Digital Identity – Why It Matters and Why It’s Important We Get It Right | World Economic Forum

This is, frankly, wrong. And it illustrates just how important it is to build the right conceptual framework around digital identity before we rush to deploy biometrics, bots and blockchains to fix the identity problem referred to above. It is wrong because in almost all of the situations where digital identity is needed in the modern world, it is not to demonstrate who you are but to demonstrate what you are: an employee, a citizen, a subscriber, a member of the club, an adult and so on. One of the most profound elements of the new identity paradigm is to separate the binding of digital identity to real entities from the binding of digital identity to credentials used to enable transactions (and the authentication of the holders of those transactions). You can see this separation clearly in the structure of the draft NIST Digital Identity Guidelines (SP-800-63-3).

NIST Digital Identity Guidelines

Generally speaking, transactions need what NIST call here “assertions”. I am over 18, I have this line of credit, I am allowed to drive, I can enter this building, and so on and so forth. These transactions do not need my identity. Far from it: we want to keep personally-identifiable information (PII) out of transactions as much as we can! There is a world of difference, as everyone intuitively knows, between proving that you are over 18 and proving who you are, or giving out your age or your birthdate. This is a crucial part of the digital identity post-industrial paradigm, where digital identity forms the bridge between your real identity and your (many) online identities.
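The “over 18” case above can be made concrete. The following is an added sketch, not code from NIST or from this blog: an issuer that holds the birthdate hands the relying party a signed yes/no assertion about a pseudonymous subject, and the relying party verifies it without ever seeing a name or date of birth. All names, the registry entry and the key are constructed for illustration, and an HMAC key shared between issuer and relying party stands in for the public-key signature a real deployment would use.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample data; every name and key here is hypothetical.
ISSUER_KEY = b"constructed-demo-key"  # shared with the relying party in this sketch
REGISTRY = {  # identification domain: the PII stays with the issuer
    "pseudonym-7f3a": {"name": "Alex Example", "birthdate": date(1990, 5, 17)},
}

def _sign(payload: dict) -> str:
    # Canonical JSON so issuer and verifier hash identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def issue_over_18(subject: str, today: date, expires: date) -> dict:
    """Issuer derives a yes/no attribute from the birthdate it holds."""
    born = REGISTRY[subject]["birthdate"]
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    payload = {"sub": subject, "claim": "age_over_18",
               "value": age >= 18, "exp": expires.isoformat()}
    return {"payload": payload, "sig": _sign(payload)}

def relying_party_accepts(assertion: dict, today: date) -> bool:
    """Relying party checks integrity, expiry and the claim; it never sees PII."""
    payload = assertion["payload"]
    if not hmac.compare_digest(_sign(payload), assertion.get("sig", "")):
        return False  # altered payload or forged signature
    if date.fromisoformat(payload["exp"]) < today:
        return False  # stale assertion
    return payload.get("claim") == "age_over_18" and payload.get("value") is True
```

The assertion carries only a pseudonym, the claim, its boolean value and an expiry, so a leak of the relying party's records exposes neither who the customer is nor when they were born.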

OK, so let’s take on board that we have a modern vision of what a modern digital identity infrastructure should do. But now here’s the hard part, and the real challenge to the Davos delegates. How can that vision, and the benefits to society that it can deliver, be extended to everyone? Everyone. Even people who have no identity at all at the moment.

“We estimate it will take $12 billion to achieve identification for all. The World Bank will secure over $750 million investments in ID-related projects in the next three years and we will strive to mobilize more financing from other sources,” said Kristalina Georgieva, Chief Executive Officer, World Bank and co-chair of the Identification for Development (ID4D) High-Level Advisory Council

From Digital Identity – Why It Matters and Why It’s Important We Get It Right > Press releases | World Economic Forum

Wow. That’s a lot of money in anyone’s language and perhaps it is one of the reasons why there has been little progress so far. Even if we can agree on a shared vision, it is a huge enterprise to deliver it and it must be obvious that given the scale of the enterprise (after all, we are talking about billions of identities here) it can only be achieved by bringing together government, NGO and private sector initiatives. Now, the good news is that the first steps in this direction have been taken, with a wide variety of such organisations committing to tackling the growing global problem.

The UNHCR, World Bank, World Food Programme, Consumers International, Omidyar Network, the Linux Foundation, FIDO Alliance, GSMA, Hyperledger, ID2020, Open Identity Exchange, Sovrin Foundation, World Identity Network, Accenture, Barclays, Deutsche Bank, Mastercard, Microsoft, Sedicii and Visa have announced their commitment to strengthen collective action on [digital identity].

From Digital identity – it matters that we get it right

It is interesting to note the new technology angle, with organisations such as Hyperledger and Sovrin appearing in this list. There was a lot of discussion of how “the blockchain” could help, although it was at a high level and a long way from practical deployment. I strongly agree with the idea that we not only need to get digital identity right but also need to deliver it to everybody. Whether the best way to achieve this is using cryptocurrency or a database, individuals or institutions, is up for debate. (In particular, I feel that the idea that blockchain will solve the problem by doing away with institutions needs to be examined sceptically.) Still, as the technology evolves, so will that debate. ForgeRock has joined the Hyperledger Project to play a constructive part in that debate and bring experience of large-scale deployments to the table. If the disparate organisations and perspectives going into that debate are going to make progress, they need to make a strong start, so I’d like to make a practical suggestion of positive 1-2-3 steps to hit the ground running!

  1. Develop a common framework for digital identity to facilitate conversation between the stakeholders and to construct a paradigm for the new online age. I’m not smart enough to know what this should be, but I do think the “Three Domain Identity” (3DID) that I developed with my colleagues at Consult Hyperion is a constructive contribution to a discussion about that model.

  2. Develop a common set of requirements that can be agreed (and I do not underestimate how difficult this will be) between governments, NGOs, IT suppliers, academics, human rights lawyers and others. They’ll have to be simple and clear!

  3. Develop narratives to show, demonstrate and inspire around implementations of the digital identity model meeting those agreed requirements.

Whether a revolution that bypasses institutions or a mechanism for radical transparency in existing institutions, there was blockchain in the air at Davos. Even if you are sceptical about blockchain as a solution to any or all of the world’s identity problems, it does seem to me that there are a great many practical issues — ranging from the management of keys to the discoverability of identities, from the standardisation of attributes to the protection of personal data — that might be catalysed through the use of the new technology. Whether we are trying to bring efficiency to government operations, reduce fraud in commercial transactions or protect the human rights of refugees, working together to co-evolve practical ways to deliver on the shared vision can only be a good thing.
