Online voting is a bad idea and “the blockchain” makes no difference

I remember when Alex Tapscott wrote an op-ed for The New York Times in which he said that “using blockchain technology, online voting could boost voter participation and help restore the public’s trust in the electoral process and democracy”. As I said at the time, he was wrong. It’s got nothing to do with the blockchain. It’s because online voting is a bad idea, even if you did implement it with blockchain.

I wrote about this back in 2015, noting that politicians don’t understand the Internet (or, indeed, technology in general) and expressing some surprise that they don’t ask people who do (e.g., me) to provide some input to their plans. If, for example, the Speaker of our House of Commons had asked me about online voting back in 2015, I would never have advised John Bercow to say that people should be allowed to vote online in the 2020 general election (assuming the current government lasts that long, of course).

Alex writes that “as citizens, we can trust the outcome of such a voting system: voters can check the blockchain to verify that their vote was counted correctly” (as presumably could the person with a gun to the voter’s head). And I can see how this might work: voters could look in a database to see that their vote was counted correctly, and then check some companion blockchain to see that the record concerning their vote had not been changed. But does this really help or would it just make voting under duress more common?

I remember discussing this at the Tomorrow’s Transactions UnConference 2015 when voting came up in a discussion session about non-financial demands for identity and authentication technologies. I emphasised the point that voting online is a mad idea that doesn’t fix any actual problem, and I was hardly a lone voice. Let me stress that I was not saying that we could not use modern technology to improve the voting system. As I wrote the previous year, “we live in a Venmo world now, so if the under-30s want to vote using an app that tells their friends that they voted, or perhaps even how they voted, or perhaps allows them to add a funny picture or an acute comment, well so be it. But make it secure, and make them go down to the polling station to use it”.

The guys and gals in that Unconference discussion session came up with a rather interesting idea: Democracy Monkey. Think Survey Monkey but with the strong two-factor authentication and appropriate Customer Due Diligence (CDD). The idea is this: make Democracy Monkey a public utility that can be used by central and local government for all sorts of public purposes and sell it to business so that they can use it for votes for shareholder meetings and such like. I also thought that it could be used for “Britain Hasn’t Got Talent”, “The Why Factor” and “I Used to be a Celebrity Get Me Out of Here” and so on as a way to socialise the use of the technology.

We developed our plan using Chaumian blinded tokens as the core technology. The broad marketecture was that you use your gov.verify identity provider to register with the Democracy Monkey and to indicate which elections you want to take part in. The system sends you tokens for those elections at the appropriate time. The Democracy Monkey app on your mobile phone could store the tokens in a tamper-resistant secure element and then when you want to “spend” the vote you can run the app or tap to make it happen. For some voting, such as General Elections, you would be required to tap as that sort of voting is a public act, but for other voting (e.g., “Strictly Come Trampolining”) you could use the in-app “spend” to vote remotely.

I still think this is worth a try and stand ready to answer the nation’s call should the powers that be decide to move forward. And if you want to store the destination of the blinded votes on a blockchain somewhere, that would deliver transparency and accountability so that’s good too.

Virtual assets and financial crime now go hand in hand | Financial Times

As the President of the FATF wrote in the Financial Times recently:

“This past week, the FATF, whose global network consists of 204 countries, amended the organisation’s standards as they apply to financial activities involving virtual assets and also to businesses which deal in them — including virtual currency exchanges and some ‘wallet’ providers. It has agreed that all countries must supervise and monitor these businesses, and that they should also ensure they apply key controls against money laundering and terrorist financing, including customer due diligence and suspicious transaction reporting.”

From “Virtual assets and financial crime now go hand in hand | Financial Times”.

United Employee Sentenced for Stealing $500K Worth of Meal Vouchers – FlyerTalk – The world's most popular frequent flyer community

“A former United Airlines employee has been given a federal prison sentence after stealing meal vouchers from the carrier, Peoria’s Journal Star reports. The outlet reveals that despite being fired by the carrier back in 2016, Ollantay Corujo kept his uniform and badge, using them to access computers at various terminals around the country and to print off individual meal vouchers.

Describing Corujo’s crime, the outlet explained that, ‘While each voucher was worth around $20 to $30 … they were the functional equivalent of cash … Corujo would then ‘redeem’ those vouchers through a food truck company that he owned, causing cash to flow to him without him ever buying or using the vouchers as intended.’”

From “United Employee Sentenced for Stealing $500K Worth of Meal Vouchers – FlyerTalk – The world’s most popular frequent flyer community”.

Apple Pay ‘Making Up a Lot of Ground’ With Competitors Thanks to Success of Apple Pay Cash – MacRumors

“According to data from Crone Consulting, the number of online mobile app transactions using Apple Pay is ‘growing much faster’ than transactions made inside retail stores.”

From “Apple Pay ‘Making Up a Lot of Ground’ With Competitors Thanks to Success of Apple Pay Cash – MacRumors”.

As I have consistently maintained, it’s all about app-and-pay, not tap-and-pay.

Abu Dhabi police warn of contactless card thefts – ArabianBusiness.com

Abu Dhabi police are warning local residents that money may be stolen from their bank balances through “electronic magnetisation” and exploitation of contactless payment technology.

The warning comes after widely shared videos emerged on social media purporting to show contactless payment technology being used to steal funds from victims without their knowledge.

In a statement, Colonel Amran Ahmed Al Mazrouei, Abu Dhabi’s director of criminal investigations, said that although such thefts were possible, none has so far been recorded in the emirate.

From Abu Dhabi police warn of contactless card thefts – ArabianBusiness.com.

Government to end investment in Gov.uk Verify digital identity system

The Department for Digital, Culture, Media and Sport (DCMS) took over policy responsibility for the digital identity market in June and is working on a plan to stimulate an ecosystem of providers based on government-backed standards for interoperability of digital identities, and opening up application programming interfaces (APIs) to public sector databases such as passports and driving licences.

From Government to end investment in Gov.uk Verify digital identity system.

It’s worse than you think

A generation back, in the July 2000 edition of Harper’s Magazine, Dennis Cass wrote (in an article on Silicon Valley) about “the kinds of things you’ve heard bores like Nicholas Negroponte drone on about in Wired magazine, like shoes that can send e–mail to other shoes”. I wrote this down at the time, because I had previously met Nicholas (who wasn’t boring at all) and remember thinking that Dennis’ was an interesting perspective from a non-technologist looking at what technologists were doing. And it was a funny example.

Shoes that can send e-mail to other shoes! Ridiculous. And yet a couple of years ago, through the miracle of Twitter, I found a piece on Bluetooth-connected “smart” shoes. The dystopia is here. It’s only taken a couple of decades to get to this point, but it’s something to celebrate. I can confidently predict that our shoes will be getting hacked from now on. After all, if the makers of Bluetooth-connected sex toys are unable to keep them secure, the makers of shoes haven’t a prayer.

This is a confident prediction. I remember reading an article about the Internet of Things (IoT) in the New York Times. It was about the poor state of IoT security and it referenced noted security expert Bruce Schneier, who was arguing that the economic and technical incentives of the internet-of-things industry do not align with security and privacy for society generally. He has previously said that given that lack of alignment the government must step in. He says the lack of security is a kind of invisible pollution and that “like pollution, the only solution is to regulate”.

(I made a podcast with Bruce around a decade ago and can tell you straight that he has already forgotten more about computer security than I will ever learn — and is a very nice guy. From what I know of the topic he is of course completely correct: this misalignment not only means we have no real security at present, it means that things can only get worse.)

As Bruce points out in his excellent new book “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World”, we are now in a situation where the lack of any security infrastructure means that anything that can be connected to the internet can be hacked. And since everything is connected to the internet, everything can be hacked.

Oh dear.

Of course this isn’t just about sex toys. This isn’t just about hackers having some fun or commercial rivals causing trouble. I don’t want to be overly dramatic, but I think you can argue that World War III has already started, it’s just that we haven’t noticed because it is in cyberspace. And as noted media theorist Marshall McLuhan observed way back in 1970, “World War III is a guerrilla information war with no division between military and civilian participation”. In other words, there’s a cyberwar going on, and we are all participants.

It’s not a one-off, either. Bruce says in his chapter on “Everybody Favours Insecurity” that cyberwar is the new normal. I think he is once again spot on. We need an infrastructure for everything, because everything is at risk.

So if the only solution is for the government to do something, what should it do? Well, there are all sorts of things I am sure, but surely one of them must be to act to facilitate the introduction of a digital identity infrastructure of some kind. Identity isn’t just about people, it’s about everything. And unless there is some way for my sex toy to know that it is me calling, or for me to be sure that it’s my sex toy I’m talking to, then the friction attendant on the online economy will be so great as to dissipate the benefits.

Now, an infrastructure doesn’t mean a single solution. There’s a payment infrastructure that both me and my local shops tap into, but within that infrastructure I can use my Barclays debit card or John Lewis MasterCard, my American Express charge card or my Barclaycard. And I can use any of those cards in many different kinds of terminals connected to many different networks and acquirers. And it all works.

We need a digital identity infrastructure that is as effective as this payments infrastructure. That is, most of the time you won’t need to think about it. Just as I have half a dozen cards that all function within this infrastructure but under my control (in other words, knowing that they will all work), it seems reasonable that within it I should have half a dozen different digital identities and can choose between them on a per-transaction basis, safe in the knowledge that any one of them will work. So what is it that is stopping us from getting to this infrastructure?

There is, however, one important difference: the digital identity infrastructure has to be for everything. Now, that is a much more complicated goal than it sounds at first. Take my car, for example: there’s the identity of my car, defined in terms of its relationship with me. But what about the components of the car? Suppose I want my car to be able to check where its components have come from or to assess whether the components are real or counterfeit?

Why your fraudster could be getting better customer service at the bank than you are

Start-up bank Monzo said its phone lines are regularly inundated with calls from suspected scammers complaining that their accounts have been frozen.

The bank will shut down accounts it suspects of being fraudulent but, not wishing to tip off a potential criminal, will not inform its owner why.

Oblivious criminals often then ring up to complain, with elaborate sob stories reportedly involving audio recordings of babies crying and desperate pleas of needing the account unfrozen.

From Why your fraudster could be getting better customer service at the bank than you are.

If you’ve been sent bank details by email, be warned | Money | The Guardian

I had asked my financial adviser at Brewin Dolphin for the relevant bank details and he sent them by email.

From If you’ve been sent bank details by email, be warned | Money | The Guardian.

This is dumb, pure and simple. If someone sends you sensitive personal information using unencrypted e-mail then you must assume that they are at best reckless and at worst utterly uninformed. What the financial adviser at Brewin Dolphin should have done, of course, is refuse to engage in such absurdly risky behaviour and ask the customer to contact them using a secure messaging application (e.g., Signal).
