The law of entirely expected consequences case study: payment surcharges

Our Prime Minister, Mrs. Theresa May, went a bit Trump and tweeted. Cool. And here it is.


 The odd thing about this is that every single part of it is manifestly and demonstrably untrue. I’m genuinely baffled as to why Mrs. May (who spent 12 years working at the Association of Payments and Clearing Services, the precursor to UK Payments) should make such a transparently false claim to obtain credit for something that she should be against. To be clear: the charges were not hidden, the ban is not only on credit and debit card surcharges, and it won’t help millions of people to avoid rip-offs. Let me explain, starting with what I saw on 13th January when I went to pay for a flight on British Airways…

My first "no surcharge" purchase

Now normally when I use my BA Amex card to book a flight, I have to pay a credit card surcharge. I don’t mind paying the surcharge because I want the protections that the use of credit cards gives me as a consumer and also because I want the frequent flier points I get for using this card. As of 13th January, I don’t. I get all this stuff for free because “new rules which will come into effect on 13 January 2018 will mean you cannot be penalised for choosing to pay by card, either online or in-store”. Happy days. Thank you Mrs. May!

Unfortunately, the entirely predictable result of this ban on card surcharges is that prices will go up. For the press to say that the ban has “backfired” because “consumers face higher prices and new ‘service charges’ as retailers and businesses plan to circumvent the Government’s ban” is laughable. The ban has worked entirely in accordance with the laws of economics.

To see why, let’s go back to Mrs. May’s odd social media message. First of all, the ban on card surcharges is not because of Mrs. May or the British government. It is because of the European Union’s Second Payment Services Directive (PSD2), although in the UK the government has gone further than PSD2 by, essentially, banning surcharges for all electronic payments, not just the “four party” schemes. Thus it was the EU that banned “credit or debit card” surcharges, not the British Government, but it is indeed the British Government, rather than the EU, that is making poor people pay for my air miles.

Now, just a quick recap of Economics 101. If the government passed a law that (for example) health care is free, that wouldn’t mean that doctors would start working for nothing. It would mean that doctors would have to be paid in some other way (out of general taxation, for example). Similarly, passing a law that retailers cannot surcharge for cards doesn’t mean that everyone at Barclaycard is now working for free. Yes, the government has stopped retailers from charging for cards, but that does not mean that the costs are going to go away. Chip and PIN terminals, 3D Secure gateways and Section 75 chargeback guarantees don’t grow on trees. What will happen?

Suppose you are an online merchant selling, oh I don’t know, let’s say Dungeons and Dragons miniatures. Let’s say your card service comes from a top quality merchant service provider who charges you 25p per transaction. From 13th January…

  1. Well, they could stop taking cards. But that would mean they lose business.

  2. They could have a loyalty scheme (spend £50, get £5 off your next purchase) but only for people who pay with cash.

  3. If half their sales are cash and half on card, then they could put the price of the average basket up by 10p. This is a nice simple solution and it’s good for me, since the customers who pay with cash are now subsidising my John Lewis cashback (since I’m only paying the extra 10p not the full 25p).

  4. Or they could try it on and add a service charge of 25p to all orders. This is what, for example, Just Eat have done.

But why should these dastardly people be allowed to get away with any of these options? Why shouldn’t they be forced to simply accept lower profits and a reduced standard of living, as suggested by The Daily Telegraph, which is upset that “retailers and other companies are planning measures to ‘sneak’ around the rules”? The dastardly plots unveiled by The Telegraph, precisely as you would expect from an analysis of the environment, are those that I outlined above: refusing card payments, increasing prices and introducing new ‘service charges’.

This is ridiculous from The Telegraph. Refusing to accept cards because the government has made it uneconomic is not sneaking around the rules, it is responding to the rules. And unless The Telegraph is proposing to step in and pay the cost of accepting cards for all merchants, neither is increasing shelf prices. In fact, I absolutely guarantee that prices will rise in accordance with basic laws of economics that The Telegraph should be familiar with. Unlike government ministers, apparently. The Economic Secretary to the Treasury, Mr. Stephen Barclay, said “these small charges can really add up and this change will mean shoppers across the country have that bit of extra cash to spend on the things that matter to them”. How? I have no idea. The UK travel industry, for example, pays around £150m per annum in card charges. Who does Mr. Barclay think is going to pay for the cards, terminals, fraud, bad debt, guarantees and all the rest of the infrastructure in the future? 

The result of banning card surcharges (ie, price-fixing for payment services) will be two-fold. First, it will push retailers into having their own apps that exploit open banking and use instant payments instead of cards. I can assure you that I won’t book a holiday or buy an expensive sofa this way: I want the legal protections that come with credit cards. However, the cost of accepting cards gives these merchants plenty of margin to play with, so they will be able to incentivise customers away from the existing rails. Second, it will transfer money from poor consumers who are trapped in the cash economy to people like me with cashback and airmiles cards. As the media have belatedly noticed (having not asked me about it in advance) “even those paying cash are set to lose out, as some companies – including food delivery firm Just Eat – plan to apply the cost increases to all customers”.

The outcome, as it happens, may be even more perverse. Since debit cards cost merchants less than credit cards, consumers switching to credit cards to get the rewards will mean the merchants’ overall bill for accepting cards will go up! This will hit hard in travel, for example, where “removing the surcharge will result in a significant shift away from payments by debit card and bank transfer so the increase [in extra costs] will be greater than the current credit card surcharge”. Not my words. “Greater than the current credit card surcharge”. So prices will rise by more than the current surcharge, despite Mr. Barclay’s odd prediction that shoppers around the country will have “that bit of extra cash”. No, shoppers around the country won’t. But certain shoppers (eg, me) will, because if the cost of the flight goes up by £1 but I would have had to pay a £2 service charge to use my rewards card before, I’m now saving £1 and still getting the rewards.

I have long maintained that if you are going to regulate anything in this field then what you should do is require retailers to make the costs of payment choices clear and then let the market do the work. If the government wants to take action, it should adopt my plan to minimise the total social cost of payments and make debit cards the “zero”. In other words, companies should not be allowed to surcharge for debit cards and banks should be required to provide zero interchange debit cards as a condition of holding a retail banking licence. If companies want to surcharge for payment instruments that have a higher overall total social cost (cheques, cash, credit cards, charge cards, cowrie shells or euros) then that’s fine. And there would be a logic to it, unlike the current situation. Meanwhile, “consumer experts have called for regulatory enforcement to ensure businesses cannot dodge the rules”.

This is absolutely hilarious. Who are these experts? What Soviet-style commission is going to take control of the taxi company’s pricing policy and decree what level of service charge, if any, is to be allowed? The whole situation is nonsensical. If the government, merchants or anyone else thinks that the costs of accepting cards are too high, then they are free to create an alternative that is less expensive. And if merchants want to know how to create an alternative lower cost option for customers *cough* open banking *cough* then they should feel free to call me and I’ll put them in touch with the right people (hint: Consult Hyperion).

Crime of the (new) century

Here’s something that I’m surprised we don’t see more of. Pavel Lerner, the CEO of the cryptocurrency exchange Exmo Finance, has been released by kidnappers after the payment of a $1 million bitcoin ransom. According to the Financial Times, the Ukrainian interior minister specifically labelled the crime “bitcoin kidnapping and extortion”. I would have asked for Monero, rather than traceable bitcoins, but there you go.

Given the number of Bitcoin millionaires wandering around — I bump into them at every conference I go to these days — you would have imagined that the more enterprising and forward thinking members of the cosa nostra (the coder nostra, as I call them) were out in force. Stand around outside Consensus or Money2020 and bundle most anyone into a van and drive them off into the desert and you’re sure of a Bitcoin, Ripple, Ether or Bitcoin Cash payday. It’s a puzzle that this doesn’t happen all the time, although it’s entirely possible that it does and that I never get to hear about it because I’m not rich enough, just like those Silicon Valley sex parties.

So is kidnapping for cyber-ransom the defining crime of the 21st century? Actually, I suspect not. What if, rather than traditional money-related crimes such as kidnapping and extortion, there were much better crypto-crimes invented in parallel to the new forms of crypto-money made available by technology? Is there such a crime that is unique to this virtual world? Not a virtual shadow of a crime that has been around since year zero, but a wholly new crime for the virtual world? Actually, one such crime was invented many years ago. It’s the “assassination market” that I wrote about in “Before Babylon, Beyond Bitcoin”.

An assassination market is a prediction market where any party can place a bet (using anonymous crypto-currency through the TOR network) on the date of death of a given individual, and collect a payoff if they “guess” the date accurately. This would incentivise the assassination of specific individuals because the assassin, knowing when the action would take place, could profit by making an accurate bet on the time of the subject’s death.

Here’s how the market works. Someone runs a public book on the anticipated death dates of public figures. If I hate a pop star or politician, I place a bet on when they will die. When the person dies, whoever had the closest guess wins all of the money, less a cut for the house. Let’s say I bet a fiver that a specific TV personality is going to die at 9am on April Fool’s Day 2018. Other people hate this personality too and they put down bets as well. The more hated the person is, the more bets there will be.

April Fool’s Day comes around. There’s ten million quid bet on this particular personality. I pay a hit man five million quid to murder the personality. Hurrah! I’ve won the bet, so I get the ten million quid and give half to the hit man. I don’t have to prove that I was responsible for the assassination to get the money and no-one can pin the crime on me because I paid the hit man in untraceable anonymous electronic cash as well: I’m just the lucky winner of the lottery. If someone else had bet 31st March and murdered the television personality themselves the day before, then it would only have cost me a fiver, and I would have regarded that as a fiver well spent.

This is rather an old idea that originated, as far as I know, with Jim Bell, who back in 1995 wrote an essay on “assassination politics” that brought the idea to the popular (well, amongst a nerd subgroup) imagination. I suppose it was inevitable that the arrival of digital currency would stimulate thought experiments in this area and it was interesting to me then (and now) because it showed the potential for innovation around digital money even in the field of criminality. If I hire thugs to lure a cryptobaron to a hotel room and then beat him up to get $1m in bitcoins from him (as actually happened in Japan recently), that’s just boring old extortion. If I use Craigslist to lure a HODLer to a street corner and then pull a gun on him and force him to transfer his bitcoins to me (as actually happened in New York back in 2015), that’s just boring old mugging.

 

Now, as I explained in the FT some years ago, Bitcoin is not a very good choice for this sort of cyber-criminality. It’s just not anonymous enough for really decent crimes or the darkest darknets. Hence my scepticism about the claims that Bitcoin’s long term value will be determined by malevolent money mischief. But as I explained to students at Winchester College last week, if there were to be an actually untraceable cryptocurrency then an assassination market is a much better bet for the coder nostra than the physically demanding felony of kidnapping.

What if S.P.E.C.T.R.E. had Spectre?

Ruh roh, as they say. Google has just published a paper outlining a serious security flaw in, to all intents and purposes, all computers. They knew about it months ago, but they’ve been waiting for Apple, Microsoft and everyone else to issue patches (which, apparently, mean an unavoidable reduction in processing speeds) before making it public. The paper sets out two “exploits” that take advantage of the flaw. These are called “Meltdown” and “Spectre”. They basically allow software to read data from other software that it’s not supposed to be able to, so that one application (let’s say, the hacker) can read data from another application (let’s say, your browser) to steal secrets.

As you can imagine, there was a great deal of media coverage about this flaw (as there should have been – it’s a huge deal). I happened to see a comment about it on Twitter, in which someone said words to the effect of “thank goodness it was found by don’t-be-evil Google and not by the bad guys”. This is a very misplaced sentiment. In the paper, the researchers clearly state that they do not know whether these exploits have been used in real attacks. Apart from anything else, Google says that the “exploitation does not leave any traces in traditional log files”.

So what if S.P.E.C.T.R.E. actually knew about Meltdown months ago and had Spectre in the Spring? How would we know? If they are really smart, then they’ll carry on stealing our secrets but cover their tracks so that we don’t know that they know. If you see what I mean.

It might be timely to remember the story of the Zimmermann telegram, a story that is mother’s milk to security experts.

You may recall that in 1917, Britain and Germany were at war. Britain wanted the U.S. to join the effort against the Axis of Edwardian Evil. The Kaiser’s ministers came up with some interesting plans: to persuade inhabitants of the British (and French) colonies in the Middle East to launch a jihad, for example. Another scheme was to persuade Mexico to enter the war on the German side, thus dividing the potential U.S. war effort and eventually conquering it.

(At this point I thoroughly recommend historian Barbara Tuchman’s 1966 account of the affair, “The Zimmermann Telegram”.) 

To execute this dastardly plot, the German Foreign Secretary, Arthur Zimmermann, sent a telegram to the German ambassador in Mexico, Heinrich von Eckardt. The telegram instructed the ambassador to approach the Mexican government with a proposal to form a military alliance against the United States. It promised Mexico the land acquired and paid for by the United States after the U.S.-Mexican War if they were to help Germany win the war. The German ambassador relayed the message but the Mexican president declined the offer.

Naturally, so sensitive a topic demanded an encrypted epistle and it was duly dispatched encoded using the German top secret “0075” code. And here it is…

The Zimmermann Telegram

As it happens, “0075” was a code that the British had already cracked. Thus, the telegram was intercepted and decrypted enough to get the gist of it to the British Naval Intelligence unit, Room 40. In next to no time, the decoded dynamite was on the desk of the Foreign Secretary Arthur Balfour, the teutonic perfidy laid bare.

Now the British were faced with the same dilemma that faces S.P.E.C.T.R.E. with Spectre. How can you use intercepted information without revealing that there is a security flaw and that you have exploited it? Consider the options:

  • If the British had complained to the Germans, then the Germans would know that the British had the key to their code and they would switch to another code that the British might not be able to break for months, missing much vital military intelligence along the way. What’s more, the Americans would know that the British were tapping diplomatic traffic into the U.S.

  • If they did not reveal the contents, they might miss the chance to bring the U.S. into the war.

The codebreaker’s clever solution was to leak the information in such a way as to make it look as if the leak had come from the Mexican telegraph company: since the German relay from Washington to Mexico used a different code, that the Americans already knew to be broken, this was entirely plausible.

If you’re wondering what happened, well despite strong anti-German (and anti-Mexican) feelings in the U.S., the telegram was believed to be a British forgery designed to bring America into the war, a theory bolstered by German and Mexican diplomats as well as the Hearst press empire. However, on March 29th, Zimmermann gave a speech confirming the text of the telegram. On April 2nd, President Wilson asked Congress to declare war on Germany, and on April 6th they complied.

The point of this story is that stupid hackers would reveal their hand, but clever hackers would not. So the fact that, according to BBC Radio 4’s “Today” programme, the UK’s National Cyber Security Centre says there is no evidence that the flaws have been exploited does not reassure me! These bugs are big.

“The Meltdown fix may reduce the performance of Intel chips by as little as 5 percent or as much as 30 — but there will be some hit. Whatever it is, it’s better than the alternative. Spectre, on the other hand, is not likely to be fully fixed any time soon.”

From “Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device? | TechCrunch”.

 

Maybe the way forward is to assume that all machines are compromised and not fix them but instead move the security away from the processors – so going back to the idea of having a Trusted Processing Module (TPM) in every transaction, either built in to the processors (like the “Secure Enclave” in iPhones) or as a separate chip in a PC or as a smart card that is connected to the computer when you want to do something. In this, as in so many other things, Britney Spears is a beacon to the nations. Eleven years ago I used my Britney Spears smart card (which I still have) to log on to her fan club web site securely. You can read about it here.

PesaLink ten-month fraud lessons forces cap on transaction amounts :: Kenya – The Standard

“IT Risk and Internal Control Consultant at NetGuardians John Kiptum said… 70 per cent of the fraud is usually internal where bank staff reset your pin number, do a SIM swap so you no longer receive short message notifications and after that pick your account empty.”

From “PesaLink ten-month fraud lessons forces cap on transaction amounts :: Kenya – The Standard”.

Horizon scanning in good company

My favourite think tank, the Centre for the Study of Financial Innovation (CSFI) in London, where I am honoured to be the Technology Fellow, was asked by the law firm Dentons to put together a series of “horizon scanning” events, each looking at the major factors that will determine the shape of the financial services sector over the next 10-15 years. As part of this series they held a fintech breakfast to look at the world of tech-based challenger banks, P2P lenders, crowd-funding, new payments methodologies, AI, crypto-currencies, blockchain and so forth. I was flattered to be invited to take part, along with Clara Durodié (founder and managing partner of AI outfit Cognitive Finance Group) and Nick Ogden (the founder of ClearBank and, some years ago, the founder of WorldPay).

(In my opinion, Nick is at the heart of the current fintech revolution, the UK-centric whirlwind around open banking and the “platformisation” of financial services, whereas Clara is at the heart of the current regtech revolution, using AI to change the markets themselves. We may be a long way from Terminators and HAL 9000, but the massive AI investments pouring into financial services around the world mean that the technology is going to change the sector soon.)

For what it’s worth, my three main horizon-scanning observations were that:

  1. Open Banking starts in January and I remain convinced it will be far more disruptive than many people think. It is not far-fetched, as Wired magazine observed, that banks might go under because of this. At the risk of sounding like a broken record, this is about identity, trust and reputation, not money. Obviously, I left it to Nick to talk turkey on this one. He set up ClearBank to provide building societies, credit unions, other banks and fintech companies with access to all the major payment and card schemes, including Faster Payments, and is obviously pretty convinced that open banking is going to provide space for innovation.

  2. AI is an event horizon. In that 10-15 year timescale it is clearly the most important technological trend of the generation and it is impossible to see what is on the other side of it. Obviously, I left it to Clara to run a few things up the flagpole here. What I will note is that analysts at Forrester have predicted that a quarter of financial sector jobs will be “impacted” by AI before 2020 and John Cryan, the Deutsche Bank CEO, was quoted in the Financial Times in September saying that the bank is going to shift from employing people to act like robots to employing robots to act like people. The impact on employment is obvious, but we cannot hold back the tide so we must take advantage of the changes and begin to explore new opportunities that can be built around a more productive financial services sector.

  3. I wanted to bring something from left field to the discussion, so in addition to these two obvious key trends I spoke about the token and Initial Coin Offering (ICO) marketplace. I think that a regulated and organised token marketplace will be one of the big financial services business moves in 2018 and I’m pretty sure that it will be successful (for a variety of reasons to do with liquidity and the elimination of clearing and settlement).

Nick, Clara and I put forward our thoughts about the longer term. During the discussion that followed, there were a number of questions and comments about the impact of AI on the financial services sector. I think this is in many ways quite unpredictable not only because of the “event horizon” but because of the impending interaction. People tend to think in terms of robo-advisers and chat interfaces, focusing on the use of AI by financial institutions to either cut costs or deliver new services (some of which, of course, we can’t imagine). But, to paraphrase Fred Schwed’s 1940s financial services classic… where are the customers’ bots?

If you think about it, however, the customers will have access to AI as well. The customers’ smartphones will connect them, permanently, to an intelligence far greater than their own. Thus, if a bank is trying to sell me a mortgage or a credit card or whatever, it’s wasting its time showing me incomprehensible advertisements involving astronauts riding horses through fields of purple daffodils and people singing.

My AI is going to negotiate with the AI of the regulated financial institutions in order to obtain the best product for me. Since I’m not smart enough to choose the right credit card, pension or car loan then clearly I’m going to want my own giant killer robot to take care of things. But which robot? Should I choose the Saga robots or the Virgin Money robots or the best performing robot over the past 12 months or the Google self-taught super intelligent robot that is also the world Go champion?

How the banks’ robots will interact with the customers’ robots is at the same time fascinating and frightening. I’m not sure I really want to be in the loop when the discussion of a pension plan or insurance project is taking place, but I do want some sort of confidence that there’s a regulator in the loop and that, should push come to shove, my robot will be able to explain why it made the decisions it did. All in all, what I can see on the horizon is giving my AI access to my account through open banking and then letting it decide which ICO to invest in.

Voter ID is back, and this time it’s in Woking

Well, Woking is in the news. It is going to be part of a pilot scheme at the forefront of the UK’s non-existent identity non-strategy to not introduce a working digital identity infrastructure to our great nation at any time in the foreseeable future. The government has decided that voters in five areas in England will be asked to take identification to polling stations at local elections next year, and Woking is one of those areas. The report doesn’t mention just how the entitlement to vote is to be established but we already know what array of high technology machine learning AI super intelligent giant killer robot world brain quantum neuro-computing systems are to be deployed, because local authorities will be invited to apply to trial different types of identification, including forms of photo ID such as driving licences and passports, or formal correspondence such as a utilities bill.

Wait, what? It’s pointless enough showing a trivially counterfeitable physical identity document to someone who can’t verify it anyway, but come on… a utilities bill? That’s where we are in 2017 in the fifth richest country in the world? In Scott Corfe’s recent Social Market Foundation report A Verifiable Success—The future of identity in the UK he highlighted what he calls the “democratic opportunity” for electronic identity verification to facilitate internet voting thereby increasing civic engagement. Well, I agree. But that’s a long way from showing a gas bill to a polling station volunteer.

(And what does ‘local authorities will be invited to apply’ really mean anyway? They’ve already been ‘invited’ to adopt the national Gov.UK Verify identity service. Very few did, and fewer still continue, so five might be ambitious. And where they do, are we disenfranchising voters who don’t feel like forging documents if they don’t come from the mainstream demographic — a point also made in the SMF report — thus distorting the outcomes?)

Now, I’ve written before that I am in favour of electronic voting of some kind but I’m very much against internet voting, because I think that in a functioning democracy voting must remain a public act and if it is allowed in certain remote conditions then we cannot be sure that a voter’s ballot is either secret or uncoerced. I think it is possible to imagine services where trusted third parties or electoral observers of some kind use mobile phones to go out and allow the infirm or otherwise housebound to vote, but that’s not the same thing as just allowing people to vote using mobile phones. I think internet voting is a really bad idea, but I take Scott’s point about the need for digital identity. However, since we don’t have one and I don’t see any prospect of Government producing a robust one in the foreseeable future, we’re stuck with gas bills until someone gets to grips with the issue.

(I should explain here for any baffled overseas readers of this blog that the United Kingdom has no national identification scheme or identity card or any other such symbol of continental tyranny, so our gold standard identity document is the gas bill. The gas bill is a uniquely trusted document, and the obvious choice for a government concerned about fraud. By the way, if for some reason you do not have a gas bill to attest to your suitability for some purpose or other, you can buy one here for theatrical or novelty use only.)

Woking Polling Station

Why is it that the government never ask me about this sort of thing? Since they don’t have an identity infrastructure, why don’t they use other people’s? I would have thought that for a great majority of the population, especially the more transient and younger portion of the electorate (e.g., my sons) social media would provide a far better means to manage this entitlement. I’ve written before that I judge it to be far harder to forge a plausible Facebook profile than a plausible gas bill, so if I turn up at the polling station and log in to the Facebook profile for David Birch (if there is a Facebook profile for a David Birch, incidentally, I can assure you that it isn’t me) then they may as well let me vote.

None of this will make the slightest difference to the central problem, of course, because the main source of electoral fraud in the UK is not personation at the polling station but fraudulently-completed postal ballots, a situation that led one British judge to call it “a system that would disgrace a banana republic”. Indeed, this is precisely what has been going on in my own dear Woking, where four people were jailed recently for electoral fraud. As far as I can understand it from reading the various reports, including the source reports on electoral fraud in the UK, the main problem is that postal votes are being completed by third parties, sometimes in bulk. No proof of identity is going to make any difference to this and so long as we allow people to continue voting by post I can’t see how the situation will improve. So: it is not beyond the wit of man to come up with alternatives to the postal vote. But that’s not what is being proposed. The UK government is not currently proposing an app or any other kind of electronic voting here, it is merely proposing to add a basic test of entitlement at the ballot box.

When this scheme was originally announced, the minister in charge of voting (Chris Skidmore) was quoted by the BBC as saying that “in many transactions you need a proof of ID” which is not, strictly speaking, true. In almost all transactions that we take part in on a daily basis we are not proving our identity, we are proving that we are authorised to do something whether it is to charge money to a line of credit in a shop, ride a bus or open the door to an office. In these cases we are using ID as a proxy because we don’t have a proper infrastructure in place for allowing us to keep our identities safely under lock and key while we go about our business.

If we are to implement the kind of electronic identity verification envisaged by the Social Market Foundation, then what you should really be presenting at the polling station is an anonymised entitlement to vote that you can authenticate your right to use. It is nobody at the polling station’s business who you are and, in common with many other circumstances, if you are required to present your identity to enable a transaction then we have created another place where identity can be stolen from. The real solution is, of course, not about using gas bills or indeed special-purpose election ID cards, but about introducing a general-purpose National Entitlement Scheme (NES). If memory serves, I think this is what my colleagues at Consult Hyperion and I first proposed in response to a government consultation paper on a national identity scheme a couple of decades ago. Oh well.

Really breaking banks

I can’t stress enough just how big a deal the UK’s transition to Open Banking is. The writer Wendy Grossman posted an excellent piece about this in her “net.wars” series recently. She said, without exaggeration in my opinion, that the “financial revolution” coming here in mid-January has had surprisingly little publicity perhaps because “it’s not a new technology, not even a cryptocurrency. Instead, this revolution is regulatory: banks will be required to open up access to their accounts to third parties”. As Wendy notes in her piece, Wired had a great article about this (written by Rowland Manthorpe) in October. Having talked to some of the key players and examined some of the key concepts, he draws an important conclusion, which is that open banking is not “just a technical fix, or even a solution specific to banking, but a new way of dealing with the twenty-first century’s most sought-after resource, personal data”.

He is spot on. Identity is, as some people maintain, the new money. Banks are about to be transformed from places that store digital monies (which they really don’t anyway, since the proportion of household wealth held in the form of demand deposits has already fallen to minuscule levels) into places that store digital identities. Now, this is hardly a new idea and it isn’t only techno-crackpots like me who keep going on about it. Back in 2014, the Financial Times was reporting that “Britain’s high street banks believe their future role will be as repositories of more than just money: they want to be the safe place where customers store their digital identities”. This makes complete sense as a strategy and as a European Banking Association (EBA) white paper of the time put it, “banks are well positioned” to be a crucial, supporting, positive part of their customers’ online lives. Banks know this to be the case, they just haven’t done much about it. I still can’t use my Barclays identity to open an account at RBS, much less to log in to Direct Line or Bet365.

Since that FT piece, some people (uncharitable persons, of whom I am not one) have suggested that banks will pratt about and muck it all up and hand digital identity on a plate to Apple, Facebook, Google, Amazon and Microsoft (the GAFAMs). Well, we’re going to start finding out in January, because I can’t help but feel that the major beneficiaries of the regulators’ pressure to open up the banks will not be nimble fintech startups but the internet giants who already have the customer relationships. Rowland speculates that open banking may expose some institutions to change and to competition that they simply cannot respond to. He even goes as far as to suggest that banks may well fail because of it. This is the sort of thing that they must have been mulling over down at Open Banking Limited, the entity set up to implement open banking in the UK, where the Implementation Trustee, Imran Gulamhuseinwala, “doesn’t seem to have much sympathy for failing banks”.

Now, having met Imran at dinner (with the Russian Ambassador, as it happens) I can confirm that he is one smart cookie (and a very nice guy too). He’s got a point about the competition that open banking should unleash, but when RBS goes under because all of its customers have shifted to Facebook and the bank becomes a low-margin heavily-regulated pipe that is not operationally-efficient enough to compete only on price and service levels, I suspect others may have a different perspective. Either way, I agree with Erik Tak, Head of the ING Payment Centre, who said at Trustech in Cannes this year (below) that the people who will benefit most from this opening up of retail banking will not be fintechs but those GAFAMs mentioned earlier.

Tak at Trustech

Wendy’s words are well chosen. Open Banking is a revolution, and all we can say for sure is that there is going to be change. But as to who the winners and losers are… well, the UK is about to become an interesting, exciting and unpredictable laboratory experiment in banking regulation. In a year or two, we may at least have a signpost to the future of retail banking in place.

Art and science in Bristol

Well, that was fun. I had the great honour of being invited on to a panel at the Festival of Economics, part of the Bristol Festival of Ideas. I’d never been to the festival before, but I really enjoyed it. It’s a very impressive event, and I’m not just saying that because my publisher, Diane Coyle, founded it. What I found especially impressive, apart from the sheer size of the audiences at the sessions I attended, was that the festival seemed to achieve its goal of bringing serious discussion of important topics to the general public. In our session we had a great audience and they gave us a wide variety of topics to deal with in the Q&A. All in all, an excellent event.

Green Room

I was talking about the future of money with Professor Steve Keen, Daniela Gabor, Tatiana Cutts and stand-in chair Romesh Vaitilingam, who did a great job moving things along. I’m pleased to say that the session was lively and well-attended.

One of the topics that came up, naturally, was whether Bitcoin was a form of cash or not. Remember that US IRS Ruling about Bitcoins being a commodity, so that traders would have to track the buying and selling price of each individual Bitcoin in order to assess their tax liability? No? Here’s a reminder: “the real lesson from the IRS Bitcoin ruling is that for a currency—or any payment system—to work, its units must be completely fungible”. Now, fungible (from the Latin “to enjoy”) is a great word. One of my favourite words, in fact. In this context (ie, money) it means that all of the tokens are the same and can be substituted one for another. You owe me a pound. It doesn’t matter _which_ pound coin that you give me. Any will do. Any pound coin can substitute for any other pound coin because they are all the same: no-one can distinguish one pound coin from another. This isn’t true of Bitcoins. They are all different, and because they are all different, their history can be tracked through the blockchain. As the MIT Technology Review pointed out, while Bitcoin has a media reputation for providing privacy, analysis of the blockchain suggests it could be surprisingly easy for a law enforcement agency to identify many users of the currency. Actually, recent analysis of the blockchain provides much other interesting information, including the fact that around a quarter to a fifth of the bitcoins already mined are lost for good.

The idea of money that isn’t fungible but that can be tracked, traced and monitored reminded me of Nitipak Samsen’s winning entry in the Consult Hyperion 2011 Future of Money Design Award, an example that I include in my book. I used it to make the general point that if you want to look into the future you need to listen to artists as well as technologists. Anyway, I mentioned the Award on stage and a couple of people came up afterwards to ask more about this particular entry and the competition in general, so if you are one of them and you’d like to learn more, check it out here.

Have you ever wondered where the money in your pocket had come from? Who was the previous owner? Who was the owner before that? Might it be a famous celebrity?…

[From Money Trailer – Future of Money]

It is interesting to me to see these different perspectives (Nitipak’s artistic imagination about the bastard child of Facebook and Bitcoin, and the more technical ideas about fungibility) coming together and, to my mind, again illustrates just why the FOM Design Award became such a popular session at Consult Hyperion’s Tomorrow’s Transactions Forum. We (technologists) need artists to help us to imagine alternative futures.

So. TL;DR…

Bitcoin isn’t cash, because cash is fungible. If we want something to be cash, we need to make it fungible. But do we want cash? I’m always ready to listen to informed views, but right now my general feeling is that the costs outweigh the benefits.

Noted author talks fraud at Royal Institution

What a piece of luck! I was giving a talk at the CallCredit Fraud Summit at the Royal Institution in London and I chose to talk about just how broken our identity infrastructure is. Hardly an original theme, but one that is worth amplifying. As Chris Green (CCO at Call Credit) noted in his introduction to the event, identity fraud is heading towards £200 billion per annum and identity theft is an epidemic.

Pretty bad. Worse still, it looks to me as if no one knows what to do about this, particularly the Government. Given that the Social Market Foundation (SMF) had just issued their report “A Verifiable Success — The future of identity in the UK” (August 2017) which noted that identity verification processes in the UK have not kept up with either technological or social change and says that “the case for change is founded on the dramatic increase in identity fraud, the inconvenience of identity verification and the correlation with social (and therefore financial) exclusion”, I thought I’d talk about how to actually do something about identity in the mass market.

I illustrated the point about just how unsuited our ramshackle infrastructure is with the example of spies, referring to last year’s Financial Times interview with Alex Younger (“C”, the head of MI6 which is James Bond’s department of the British intelligence services) who explained just how hard it is to be a spy these days. In the old days, it was easy. Just grab a fake passport out of the drawer and off you go. But, as the chief spy pointed out, today social media means that it is far more difficult to create a plausible alter ego. Sure, it’s easy to create a fake social media account. It’s easy, but not very useful to a spy. To be plausible, a fake identity needs a reputation. Reputation, unlike identity, is hard to fake. It has a time component. It takes years to build up a reputation that will stand up to scrutiny! If you wanted to pretend to be someone now, you would have to have started building the fake LinkedIn profile a decade ago. The point is that it’s hard for James Bond to pretend to be me, but seemingly easy for me to pretend to be a James Bond on internet dating sites. This is a fun and interesting way to think about some of the issues around identity and I think the audience liked it!

So what was the piece of luck I referred to at the beginning? Well, I turned up at the event, along with the bestselling author (and former politician) Lord Jeffrey Archer. As we had some time spare, I thought I would be helpful and give Jeffrey a few tips on writing books, having just published one myself.

I think Jeffrey really appreciated my hints and suggestions but unfortunately had to leave for an urgent meeting so I wasn’t able to go into too much detail with him. Before my talk I went off to grab a cup of coffee and picked up the day’s Times to read. It had the very perfect story for me featured prominently. Hence I was able to whip out a copy of the day’s Times and wave it around to great effect at the appropriate point in my presentation!

The point that I was making, of course, is that identity is not just broken but optimally broken, in that it helps the bad guys but not the good guys. We need someone to step forward with a vision for a better identity future! Where is this person! I heard the Minister for Digital Stuff (this may not be his exact title) talking on BBC radio a few weeks ago in a report on the government’s introduction of mandatory age verification for adult sites. When asked how members of the public could gain access to adult services, the Minister said that people could use credit cards (which is a terrible idea, see for example Ashley Madison) or show their passport to adult sites (which is an even worse idea). I confidently predict that the widespread adoption of either of these solutions will push identity theft even higher.

So why is identity not fixed yet?

As I tried to persuade the audience, if we are going to make any progress we need to have a very different mental model of what identity is. Not some Victorian notion of identity as an index card in a filing cabinet but as the cornerstone of digital relationships and therefore reputation in an online world. We need to develop the strategy based on digital identity, the bridge between the real and virtual worlds. I explained this using the three domain model, as shown on the slide below, and hopefully demonstrated just how powerful this view of identity is.

3DID Basic Colour

We need to move our transactions into the authorisation domain as soon as possible. Let’s go back to the example in the newspaper to see why. Imagine I go to the dating site and create an account. As part of this process, the dating site asks me to log in via my bank account. At this point it bounces me to my bank where I carry out the appropriate two factor authentication to establish my identity to the bank’s satisfaction. The bank then returns an appropriate cryptographic token to the Internet dating site, which tells them that I am over 18, resident in the UK and that I have funds available for them to bill against. In this example my real identity is safely locked up back in the bank vault but it has been bound to a virtual identity which I can use for online interactions. So my Internet dating persona contains no Personally Identifiable Information (PII), but if I use that persona to get up to no good then the dating site can provide the token to the police, the police can see that the token comes from Barclays and Barclays will tell them that it belongs to Dave Birch. This seems to me a very appropriate distribution of responsibilities. When the Internet dating site gets hacked, as they inevitably do, all the criminals will obtain is a meaningless token: they have no idea who it belongs to and Barclays won’t tell them.

One of the key attractions of this architecture, and I’m sure that I am not the only person who thinks this, is that it gives an expectation of redress in the event of inevitable failure. Things always go wrong. What’s important is what the structures, mechanisms and processes for dealing with those failures are. If some fraudsters take over my bank account and use my identity to create a fake profile on a dating site, then I’d expect the bank to have mechanisms in place to revoke the tokens and inform both the dating site and me that such revocations have taken place without disclosing any PII.

This is important because PII is in essence a kind of toxic waste that no companies really want to deal with unless they absolutely have to. Under the new provisions of the General Data Protection Regulation (GDPR), the potential fines for disclosing personal information without the consent of the data subject are astronomical. Hence the complete cycle needs to be thought through because it will be crazy to have an infrastructure that protects my personal data when the system is operating normally but gives it up when the system fails, or when we attempt recovery from failure.
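The token lifecycle described above (issue after bank login, check at the dating site, revoke after an account takeover, resolve only through the bank) can be shown as an added example; it is not code from the original post or any bank's real API. Every name in it (`Bank`, `introspect`, `bank.example`, `dating.example`, the customer record) is hypothetical, and a bank-checked HMAC stands in for the asymmetric signature a deployed scheme would use so that sites could verify tokens offline.

```python
import base64, hashlib, hmac, json, secrets

class Bank:
    """Issuer: real identities stay here; relying parties only ever hold tokens."""
    def __init__(self, name):
        self.name = name
        self._sign_key = secrets.token_bytes(32)   # never leaves the bank
        self._pseud_key = secrets.token_bytes(32)  # derives per-site pseudonyms
        self._customers = {}   # customer_id -> record, including PII
        self._owner = {}       # pseudonym -> customer_id (issuer-only mapping)
        self._issued = {}      # customer_id -> claims of live tokens
        self._revoked = set()  # token ids (jti) that must no longer verify

    def enrol(self, customer_id, pii, **attributes):
        self._customers[customer_id] = {"pii": pii, "attributes": attributes}

    def _tag(self, body):
        return hmac.new(self._sign_key, body, hashlib.sha256).hexdigest().encode()

    def issue(self, customer_id, relying_party):
        """Run only after the customer passes the bank's two-factor login (assumed)."""
        msg = f"{customer_id}|{relying_party}".encode()
        # Pairwise pseudonym: a different subject per site, so tokens cannot be joined.
        sub = hmac.new(self._pseud_key, msg, hashlib.sha256).hexdigest()[:32]
        claims = {"iss": self.name, "aud": relying_party, "sub": sub,
                  "jti": secrets.token_hex(8),
                  **self._customers[customer_id]["attributes"]}
        self._owner[sub] = customer_id
        self._issued.setdefault(customer_id, []).append(claims)
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return (body + b"." + self._tag(body)).decode()

    def _open(self, token):
        body, _, tag = token.encode().partition(b".")
        if not hmac.compare_digest(self._tag(body), tag):
            return None                       # forged or altered token
        return json.loads(base64.urlsafe_b64decode(body))

    def introspect(self, token, relying_party):
        """A relying party asks: is this token genuine, mine, and still live?"""
        claims = self._open(token)
        if not claims or claims["aud"] != relying_party:
            return None
        return None if claims["jti"] in self._revoked else claims

    def revoke_all(self, customer_id):
        """Account takeover: kill every token; the notices sent out carry no PII."""
        notices = []
        for claims in self._issued.pop(customer_id, []):
            self._revoked.add(claims["jti"])
            notices.append((claims["aud"], claims["sub"]))
        return notices

    def resolve(self, token, lawful_request):
        """Only the issuer can map a token to a person, and only on lawful request."""
        claims = self._open(token)
        if not claims or not lawful_request:
            return None
        return self._customers[self._owner[claims["sub"]]]["pii"]

def readable_claims(token):
    """Everything a holder of the token, including a thief, can read from it."""
    return json.loads(base64.urlsafe_b64decode(token.split(".")[0]))

if __name__ == "__main__":
    bank = Bank("bank.example")
    bank.enrol("cust-001", {"name": "Alice Example"},   # constructed customer
               over_18=True, uk_resident=True, funds_available=True)
    token = bank.issue("cust-001", "dating.example")
    print("dating site stores:", readable_claims(token))
    print("revocation notices:", bank.revoke_all("cust-001"))
    print("after revocation:", bank.introspect(token, "dating.example"))
    print("police, via the bank:", bank.resolve(token, lawful_request=True))
```
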

Digital identity gives us a vision of how to do this in our new online world. It is how we keep our real identity safe and sound while we explore the online world in safety using our virtual identities. A huge thank you to Call Credit for asking me along to share this vision with their audience.

Life imitates art, even in payments

A few years ago, I took part in an entertaining event at the British Computer Society (BCS) during which my alter ego, Mr. Don Rogers from the Isle of Man Economic College, set out a new payment system. During this talk (you can see the video here), Mr. Rogers proposed the “Crime Pays System” or CPS. Under this system, digital payments would be either “light” or “dark”. The default transaction type would be light and free to the end users. All transaction histories would be uploaded to a public space (we were, of course, thinking about the Bitcoin blockchain here) which would allow anybody anywhere to view the transaction details. This “Light Exchange” is designed to promote an environment of social accountability. The alternative transaction type would be dark. With this option advanced cryptographic techniques would make the payment completely invisible, leaving no trace of the exchange, thus anonymising all transactions. A small levy in the region of 10% to 20% would be paid per transaction. The “Dark Exchange” would therefore offer privacy for your finances at a reasonable price. The revenue generated from the use of this system would be taken by the government to substitute for the loss of taxes in the dark economy.

Pretty whacky, way-out, left-field thinking, yes? Well, I must in all honesty admit that it was not my idea. Like all such concepts way ahead of their time, it has its origins in art, not technology. The idea came from my good friend and wonderful artist, Austin Houldsworth. As you may know, for many years Consult Hyperion ran the Future of Money Design Award as part of the annual Tomorrow’s Transactions Forum. Austin organised this award and he also designed the cover for my book Before Babylon, Beyond Bitcoin. In fact, here he is showing me the machine that he built for the cover photo of the book.

Welcome to the Machine

Well, it’s taken a few years, but Austin’s idea is a few steps closer to reality, since Coin Telegraph reported that just such a payment system is being proposed for Russia. And our guess of a 10-20 percent holding tax was remarkably accurate, since what is being proposed in Russia is apparently a 13% tax.

The CryptoRubles can be exchanged for regular Rubles at any time, though if the holder is unable to explain where the CryptoRubles came from, a 13 percent tax will be levied. The same tax will be applied to any earned difference between the price of the purchase of the token and the price of the sale.

From BREAKING: Russia Issuing ‘CryptoRuble’

That’s pretty amazing if you ask me, but it does illustrate a general point about futurology, which is that sometimes the technologist’s roadmap can be a less accurate guidebook than artists’ imaginations.

Whether we achieve a mostly cashless society sooner or later should be left to technological advancement.

From Should We Move to a Mostly Cashless Society? – WSJ

No, it shouldn’t. This is a matter of great importance and with significant implications for society. The strategy should be set by society, not by technologists. And we need to make some big decisions about it fairly soon, otherwise we will allow technology (that is, technology companies) to create an environment that we may not be comfortable with. What might that environment be? Well, it won’t be like 1984 (for one thing, we didn’t need the government to come around and install screens to watch us all the time, we bought them ourselves from Apple and Samsung and Google). I don’t think it will be like Star Trek either, partly because of the physics and partly because of the money-free utopianism. I think it will be more like the future set out a few decades ago by the “cypherpunk” writers who predate the internet and social media but saw which way the wind was blowing. I’m not the only one who thinks that “we are, roughly, living in the world the cyberpunks envisioned”.

There’s a nostalgia around that word cypherpunk for me, because it’s now many years back I saw these visions and was captivated by them. A quarter of a century ago, my Consult Hyperion colleague Peter Buck and I wrote an article for the “Computer Law and Security Report” (Volume 8, Issue 2, March–April 1992, Pages 74-76), asking whether William Gibson’s work was science fiction or informed prediction (clearly, we thought it was the latter). The article (called “What is Cyberspace” [Ref] [PDF]), which tried to explain the idea of cyberspace to a lay audience (this was before Netscape, the year zero of the modern age, so most lawyers had never been online), turned out to be rather popular. I like to think that one of the reasons was the conviction that we were exploring the actual future, not a hypothetical future. I can’t remember where the idea of the paper came from, but I do remember that we chose extracts from Gibson’s brilliant writing to illustrate the concepts rather than trying to paraphrase, and I still get a thrill from reading them now.

That’s king hell ice, Case, black as the grave and slick as glass. Fry your brains as soon as look at you

[From “What is Cyberspace?”]

I loved the idea of the “black ice” then and I love it now. In the Gibson world, Intrusion Countermeasures Electronics (ICE) refers to security software that protects data from unauthorised access, and black ice is ICE so deadly that it can kill a hacker. Wonderful. It came back to me a couple of years ago when I turned on BBC radio at random while driving home, only to discover that someone was reading one of my all-time favourite books, Gibson’s “Burning Chrome”, and the mention of the black ice gave me that chill all over again.

Writing this blog post I can still remember the shock of reading Gibson’s 1984 masterpiece “Neuromancer” for the first time. (Gibson later called this work an optimistic view of the near future because it assumes only limited nuclear exchanges between countries – let’s hope he’s right.) Why was it such a shock? Well, since leaving university I’d found myself specialising in secure data communications. I worked on one of the first secure LANs for the UK government, on secure satellite communications for banking, on secure military networks for NATO, that sort of thing. I understood computer networks, but I didn’t grok them. I didn’t feel what it meant, where it was taking us.

Reading Gibson back then was like lifting a veil from parts of my own brain. It took an artist to give me vision and vocabulary. And what a vocabulary it was. My very favourite William Gibson quote, right after “the future is already here, it’s just unevenly distributed” is about money. It comes from his novel “Count Zero” and it’s about the cashless society. I re-use it shamelessly in presentation after presentation.

He had his cash money, but you couldn’t pay for food with that. It wasn’t actually illegal to have the stuff, it was just that nobody ever did anything legitimate with it.

Use of Cash in Sweden

As I’ve written before, we are heading toward a cashless society, cashless in this Count Zero sense, where cash will still be around and it will still be legal tender (although I don’t think people understand what a limited concept that is), but it will disappear from polite society and from the daily lives of most people. This vision of a cashless society, not a society where there is no cash but a society where cash is irrelevant, may have seemed outlandish twenty five years ago, but it’s a pretty accurate description of Sweden now (where only a tiny fraction of retail payments are cash) and China soon. The future is less unevenly distributed than it was even a decade ago.

[An edited version of this piece was posted to Medium, 16th October 2017].