Noted author talks fraud at Royal Institution

What a piece of luck! I was giving a talk at the CallCredit Fraud Summit at the Royal institution in London and I chose to talk about just how broken our identity infrastructure is. Hardly an original theme, but one that is worth amplifying. As Chris Green (CCO at Call Credit) noted in his introduction to the event, identity fraud is heading towards £200 billion per annum and identity theft is an epidemic.

Pretty bad. Worse still, it looks to me as if no one knows what to do about this, particularly the Government. Given that the Social Market Foundation (SMF) had just issued their report “A Verifiable Success — The future of identity in the UK” (August 2017) which noted that identity verification processes in the UK have not kept up with either technological or social change and says that “the case for change is founded on the dramatic increase in identity fraud, the inconvenience of identity verification and the correlation with social (and therefore financial) exclusion”, I thought I’d talk about how to actually do something about identity in the mass market.

RI

I illustrated the point about just how unsuited our ramshackle infrastructure is with the example of spies, referring to last year’s Financial Times interview with Alex Younger (“C”,  the head of MI6 which is James Bond’s department of the British intelligence services) who explained just how hard it is to be a spy these days. In the old days, it was easy. Just grab a fake passport out of the draw and off you go. But, as the chief spy pointed out, today social media means that it is far more difficult to create a plausible alter ego. Sure, it’s easy to create a fake social media account. It’s easy, but not very useful to a spy. To be plausible, a fake identity needs a reputation. Reputation, unlike identity, is hard to fake. It has a time component. It takes years to build up a reputation that will stand up to scrutiny! If you wanted to pretend to be someone now, you would have to have started building the fake LinkedIn profile a decade ago. The point is that it’s hard for James Bond to pretend to be me, but seemingly easy for me to pretend to be a James Bond on internet dating sites. This is a fun and interesting way to think about some of the issues around identity and I think the audience liked it!

So what was the piece of luck I referred to at the beginning? Well, I turned up at the event, along with the bestselling author (and former politician) Lord Jeffrey Archer. As we had some time spare, I thought I would be helpful and give Jeffrey a few tips on writing books, having just published one myself.

RI

 

 I think Jeffrey really appreciated my hints and suggestions but unfortunately had to leave for an urgent meeting so I wasn’t able to go into too much detail with him. Before my talk I went off to grab a cup of coffee and picked up the day’s Times to read. It had the very perfect story for me featured prominently. Hence I was able to whip out a copy of the day’s Times and wave it around to great effect at the appropriate point in my presentation!

RI

The point that I was making, of course, is that identity is not just broken but optimally broken, in that it helps the bad guys but not the good guys. We need someone to stop forward with a vision for a better identity future! Where is this person! I heard the Minister for Digital Stuff (this may not be his exact title) talking on BBC radio a few weeks ago in a report on the government’s introduction of mandatory age verification for adult sites. When asked how members of the public could gain access to adult services, the Minister said that people could use credit cards (which is a terrible idea, see for example Ashley Madison) or show their passport to adult sites (which is an even worse idea). I confidently predict that the widespread adoption of either of these solutions will push identity theft even higher.

So why is identity not fixed yet?

As I tried to persuade the audience, if we are going to make any progress we need to have a very different mental model of what identity is. Not some Victorian notion of identity as an index card in a filing cabinet but as the cornerstone of digital relationships and therefore reputation in an online world. We need to develop the strategy based on digital identity, the bridge between the real and virtual worlds. I explain this using the three domain model, as shown on the slide below, and hopefully demonstrated just how powerful this view of identity is.

3DID Basic Colour

 

We need to move our transactions into the authorisation domain as soon as possible. Let’s go back to example in the newspaper to see why. Imagine I go to the dating site and create an account. As part of this process, the dating site asks me to log in via my bank account. At this point it bounces me to my bank where I carry out the appropriate two factor authentication to establish my identity to the bank’s satisfaction. The bank then returns an appropriate cryptographic token to the Internet dating site, which tells them that I am over 18, resident in the UK and that I have funds available for them to bill against. In this example my real identity is safely locked up back in the bank vault but it has been bound to a virtual identity which I can use for online interactions. So my Internet dating persona contains no Personally Identifiable Information (PII), but if I use that persona to get up to no good then the dating sites can provide the token to the police, the police can see that the token comes from Barclays and Barclays will tell them that it belongs to Dave Birch. This seems to me a very appropriate distribution of responsibilities. When the Internet dating site gets hacked, as they inevitably do, all the criminals will obtain is a meaningless token: they have no idea who it belongs to and Barclays won’t tell them.

One of the key attractions of this architecture, and I’m sure that I am not the only person who thinks this, is that it gives an expectation of redress in the event of inevitable failure. Things always go wrong. What’s important is what the structures, mechanisms and processes for dealing with those failures is. If some fraudsters take over my bank account and use my identity to create a fake profile on a dating site, then I’d expect the bank to have mechanisms in place to revoke the tokens and inform both the dating site and me that such revocations have taken place without disclosing any PII.

This is important because PII is in essence a kind of toxic waste that no companies really want to deal with unless they absolutely have to. Under the new provisions of the General Data Protection Regulation (GDPR), the potential fines for disclosing personal information without the consent of the data subject are astronomical. Hence the complete cycle needs to be thought through because it will be crazy to have an infrastructure that protects my personal data when the system is operating normally but gives it up when the system fails, or when we attempt recovery from failure.

Digital identity gives us a vision of how to do this in our new online world. It is how we keep our real identity safe and sound while we explore the online world in safety using our virtual identities. A huge thank you to Call Credit for asking me along to share this vision with their audience.

Life imitates art, even in payments

A few years ago, I took part in an entertaining event at the British Computer Society (BCS) during which my alter ego, Mr. Don Rogers from the Isle of Man Economic College, set out a new payment system. During this talk (you can see the video here), Mr. Rogers proposed the “Crime Pays System” or CPS. Under this system, digital payments would be either “light” or “dark”. The default transaction type would be light and free to the end users. All transaction histories would be uploaded to a public space (we were, of course, thinking about the Bitcoin blockchain here) which would allow anybody anywhere to view the transaction details. This “Light Exchange” is designed to promote an environment of social accountability. The alternative transaction type would be dark. With this option advanced cryptographic techniques would make the payment completely invisible, leaving no trace of the exchange, thus anonymising all transactions. A small levy in the region of 10% to 20% would be paid per transaction. The “Dark Exchange” would therefore offer privacy for your finances at a reasonable price. The revenue generated from the use of this system would be taken by the government to substitute for the loss of taxes in the dark economy.

Pretty whacky, way-out, left-field thinking, yes? Well, I must in all honesty admit that it was not my idea. Like all such concepts way ahead of their time, it has its origins in art, not technology. The idea came from my good friend and wonderful artist, Austin Houldsworth. As you may know, for many years Consult Hyperion ran the Future of Money Design Award as part of the annual Tomorrow’s Transactions Forum. Austin organised this award and he also designed the cover for my book Before Babylon, Beyond Bitcoin. In fact, here he is showing me the machine that he built for the cover photo of the book.

Welcome to the Machine

 

Well, it’s taken a few years, but Austin’s idea is a few steps closer to reality, since Coin Telegraph reported that just such a payment system is being proposed for Russia. And our guess of a 10-20 percent holding tax was remarkably accurate, since what is being proposed in Russia is apparently a 13% tax.

The CryptoRubles can be exchanged for regular Rubles at any time, though if the holder is unable to explain where the CryptoRubles came from, a 13 percent tax will be levied. The same tax will be applied to any earned difference between the price of the purchase of the token and the price of the sale.

From BREAKING: Russia Issuing ‘CryptoRuble’

That’s pretty amazing if you ask me, but it does illustrate a general point about futurology, which is that sometimes the technologist’s roadmap can be a less accurate guidebook than artists’ imaginations.

Whether we achieve a mostly cashless society sooner or later should be left to technological advancement.

From Should We Move to a Mostly Cashless Society? – WSJ

No, it shouldn’t. This is a matter of great importance and with significant implications for society. The strategy should be set by society, not by technologists. And we need to make some big decisions about it fairly soon, otherwise we will allow technology (that is, technology companies) to create an environment that we may not be comfortable with. What might that environment be? Well, it won’t be like 1984 (for one thing, we didn’t need the government to come around an install screens to watch us all the time, we bought them ourselves from Apple and Samsung and Google). I don’t think it will be like Star Trek either, partly because of the physics and partly because of the money-free utopianism. I think it will be more like the future set out a few decades ago by the “cypherpunk” writers who predate the internet and social media but saw which way the wind was blowing. I’m not the only one who thinks that “we are, roughly, living in the world the cyberpunks envisioned”.

There’s a nostalgia around that word cypherpunk for me, because it’s now many years back I saw these visions and was captivated by them. A quarter of a century ago, my Consult Hyperion colleague Peter Buck and I wrote an article for the “Computer Law and Security Report” (Volume 8, Issue 2, March–April 1992, Pages 74-76), asking whether William Gibson’s work was science fiction or informed prediction (clearly, we thought it was the latter). The article (called “What is Cyberspace” [Ref] [PDF]), which tried to explain the idea of cyberspace to a lay audience (this was before Netscape, the year zero of the modern age, so most lawyers had never been online), turned out to be rather popular. I like to think that one of the reasons was the conviction that we were exploring the actual future, not a hypothetical future. I can’t remember where the idea of the paper came from, but I do remember that we chose extracts from Gibson’s brilliant writing to illustrate the concepts rather than trying to paraphrase, and I still get a thrill from reading them now.

That’s king hell ice, Case, black as the grave and slick as glass. Fry your brains as soon as look at you

[From “What is Cyberspace?”]

I loved the idea of the “black ice” then and I love it now. In the Gibson world, Intrusion Countermeasures Electronics (ICE) refers to security software that protects data form unauthorised access, and black ice is ICE so deadly that it can kill a hacker. Wonderful. It came back to me a couple of years ago when I turned on BBC radio at random while driving home, only to discover that someone was reading one of my all-time favourite books, Gibson’s “Burning Chrome”, and the mention of the black ice gave me that chill all over again.

Writing this blog post I can still remember the shock of reading Gibson’s 1984 masterpiece “Neuromancer” for the first time. (Gibson later called this work an optimistic view of the near future because it assumes only limited nuclear exchanges between countries – let’s hope he’s right.) Why was it such a shock? Well, since leaving university I’d found myself specialising in secure data communications. I worked on one of the first secure LANs for the UK government, on secure satellite communications for banking, on secure military networks for NATO, that sort of thing. I understood computer networks, but I didn’t grok them. I didn’t feel what it meant, where it was taking us.

Reading Gibson back then was like lifting a veil from parts of my own brain. I took an artist to give me vision and vocabulary. And what a vocabulary it was. My very favourite William Gibson quote, right after “the future is already here, it’s just unevenly distributed” is about money. It comes from his novel “Count Zero” and it’s about the cashless society. I re-use it shamelessly in presentation after presentation.

He had his cash money, but you couldn’t pay for food with that. It wasn’t actually illegal to have the stuff, it was just that nobody ever did anything legitimate with it.

 Use of Cash in Sweden

As I’ve written before, we are heading toward a cashless society, cashless in this Count Zero sense, where cash will still be around and it will still be legal tender (although I don’t think people understand what a limited concept that is), but it will disappear from polite society and from the daily lives of most people. This vision of a cashless society, not a society where there is not no cash but a society where cash is irrelevant, may have seemed outlandish twenty five years ago, but it’s a pretty accurate description of Sweden now (where only a tiny fraction of retail payments are cash)  and China soon. The future is less unevenly distributed than it was even a decade ago.

[An edited version of this piece was posted to Medium, 16th October 2017].