Digital identity in the UK – Will big banks or big techs deliver it?

The opening keynote at this year’s London Identity Week was given by Oliver Dowden, the Minister for Implementation at the Cabinet Office. Mr. Dowden is the Minister in charge of the digital transformation of government. To people like me, digital identity is central to digital transformation of government (and the digital transformation of everything else, for that matter) so I was looking forward to hearing the UK government’s vision for digital identity.  In his keynote, the Minister said that the UK is seen as being at the cutting edge of digital identity and that GOV.UK Verify is at the heart of that success. 

(On 9th October 2016, Mr. Dowden gave written statement HCWS978 to Parliament, announcing that the government was going to stop funding GOV.UK Verify after 18 months with the private sector responsible for funding after that.)

Right now you can’t use a GOV.UK Verify identity provider to log into your bank or any other private sector service provider. But in his speech the Minister said that he looks forward to a time when people can use a single login to “access their state pension and the savings account”. This, in my opinion, is quite distinct from the single identifier that the Parliamentary Select Committee on Science and Technology called for in their report this week. The Right Honourable Norman Lamb MP, Chair of the Committee, observing that “the current digital service offered by the Government has lost momentum” called for the introduction of a single unique identifier for access to public services.

 

I have to say that I sort of agree with the Science and Technology Committee on the efficient delivery of public services as well as what the Minister said about a single login across both public and private services. Obviously you’d want the same login scheme but a different persona (an identifier plus credentials) for pensions, pornography and other purchases, but that’s another issue and not the focus of this discussion.


Back to the Minister’s point though. Yes, it would be nice to have some sort of ID app on my phone (I happen to sit on the advisory board of Biid, who provide just such an app) and it would be great if my bank and Her Majesty’s Revenue and Customs (HMRC) and Woking Council and LinkedIn would all let me log in with this ID. The interesting question is who will provide such a login given that the government does not seem able to. Put a pin in that and we’ll return to it later. Meanwhile, back to the Minister, who made three substantive points in his speech. He talked about:

  • The creation of a new Digital Identity Unit, which is a collaboration between DCMS and Cabinet Office. The Unit will help foster co-operation between the public and private sector, ensure the adoption of interoperable standards, specification and schemes, and deliver on the outcome of the consultation.

  • A consultation to be issued in the coming weeks on how to deliver the effective organisation of the digital identity market. Through this consultation the government will work with industry, particularly with sectors who have frequent user identity interactions, to ensure interoperable ‘rules of the road’ for identity. To me, this sounds like a call for a trust framework of some kind but the Minister did not use those words.

  • The start of engagement on the commercial framework for consuming digital identities from the private sector for the period from April 2020 to ensure the continued delivery of public services. The Government Digital Service will continue to ensure alignment of commercial models that are adopted by the developing identity market to build a flourishing ecosystem that delivers value for everyone.

The Minister had a tight schedule and was therefore unable to stay for my subsequent speech. I suggested that the idea of a general-purpose digital identity might be ambitious and a preferable strategy might be to look at who else could deliver the “digital identities from the private sector” used for the delivery of public services, which means delivering inclusive identity services with appropriate security at population scale. Perhaps DCMS has ensured that the UK has taken a lead in this respect since, according to Sky News, “thanks to its ill-conceived porn block, the government has quietly blundered into the creation of a digital passport – then outsourced its development to private firms”. One of these firms runs the world’s largest pornography site, Pornhub, so I imagine they know a thing or two about population-scale identity management.


Assuming that the GOV.UK Verify identities fail to gain traction in the private sector, then I think there are two obvious private sector coalitions that might step in to do this for the government: the big banks and the big techs.

Big Banks

For a variety of reasons, I hope that the big banks are able to come together to  respond to the comments of Mark Carney, the Governor of the Bank of England, on the necessity for a digital identity in the finance sector to work with the banks to develop some sort of financial services passport. I made some practical suggestions about this earlier in the year and have continued to discuss the concept with potential stakeholders. I think it stacks up, but we’ll have to see how things develop. 

The reason why I’m so keen on this approach is that banks already do the hard work of establishing customer identities for know-your-customer (KYC) purposes but they don’t then do anything with it. So identity is a cost centre, when there is an opportunity for it to be a platform for new products and services. I’m not the only person who thought that the DCMS age verification legislation would be the trigger for a sophisticated federated privacy-enhancing bank-centric ID.

Modifications to open banking could allow bank customers to share data on their identity and their date of birth with third parties in a double-blind way that stops their bank from knowing the site they want to visit, or the site they’re visiting from knowing their identity.

From Don’t let the government’s porn block create a monopoly – 1828.

Well, whether it’s used for age verification or a pensions dashboard, I would have thought that what the European Commission Expert Group on Electronic Identification and Remote KYC Processes calls an “attribute-based LoA-rated KYC framework for the financial sector” (ie, a financial services passport) would make a perfect post-Brexit stake-in-the-ground initiative to define the new era by boosting efficiency in the crucial Big Bank sector as well as providing a platform for new products and services for the Big Techs to develop. Talking of which…

Big Techs

I had the good fortune to attend a more recent breakfast session with the Minister organised by the Cicero PR people. I have to say that the subject of digital identity came up more than once. There was considerable discussion (under the Chatham House rule) of both the priority of a UK digital identity infrastructure and the means by which it might come into existence. While I voiced my usual opinion that it should be the banks taking the lead, there were other people talking about alternative private sector providers.

It is clear, then, that if the banks can’t get it together then the big techs will come knocking on the government’s door. I’ll readily admit that when the Minister said “private sector identities” in his speech, the first thought to flash across my brain was “Apple”. The public, as well as civil servants in other departments who don’t really know or care about digital ID, might be saying to themselves, “why can’t we just use ‘sign in with Apple’ to do our taxes?”, and this is a good point. Even if they are not saying it right now, they’ll be saying it soon as they get used to Apple’s mandate that all iOS apps that allow third-party sign-in must support it.

How would you use your Apple ID to log into HMRC? Easy: you log in as you do now after sending off for the password and waiting for it to come in the post and that sort of thing and then once you are connected tell them the Apple ID that you want to use in the future. If you want to be “jackdaniels@me.com” or whatever, it doesn’t matter. It’s just an identifier for the Revenue to recognise you. Then next time you go to log in to the Revenue, you log in as jackdaniels@me.com, something pops up on your iPhone and you put your thumb on it or look at it, and bingo you are logged in to fill out your PAYE without ever having to remember your taxpayer ID or government gateway passport ever again.

 

Incidentally, you could use this to log in at Pornhub too, because Apple have implemented a form of the persistent pseudonymity that I have long advocated as the core of a practical “privacy settlement”. So, as Wired magazine puts it, Apple’s universal login will let you hide your email address from third-party services. Unlike Facebook, Google and other services, Apple will randomly generate an email address on your behalf, and it then forwards communications from the services that you sign up to on to your actual Apple ID address. I’m not joking about Apple delivering an infrastructure for the mass market instead of the government, it’s just that I thought that our forward-thinking innovation-centric banks would be the people to build on it. A couple of years ago I asked “Why doesn’t my bank put a token in my Apple Pay that doesn’t disclose my name or any other personal information… Keep my real identity safe in the vault, give me blank card to top shopping with”.

The banks have a chance to do this if the government, the Bank of England and industry bodies get together and work with them on it. But I wouldn’t be at all surprised to go over to the HMRC web site fairly soon to see “log in with Amazon” and “log in with Apple” next to a button with some incomprehensible waffle about eIDAS that I, and most other normal consumers I’m sure, will simply ignore.

Follow the e-money

A couple of years ago I remember going to see ComplyAdvantage to make a podcast with them. I thought the new category of regtech was interesting and that the potential for new technologies in that space (eg, machine learning) was significant, so I went off to learn some more about it and talk to a few organisations to test some hypotheses. I remember thinking at the time that they were good guys and on a good trajectory and it looks as if my opinion was well-founded (they are doubling in size this year).

Anyway, I was thinking about them because they recently sent me a new white paper “A New Dawn for Compliance” (which notes that an estimated $2 trillion is laundered globally every year and only 1-3% of these funds are identified and possibly stopped) and it nicely encapsulated something that has been touched on in a fair few conversations recently: there’s no way to hire ourselves out of the compliance mess we’re in. Even if financial services and other businesses had infinite compliance budgets, which they most certainly do not, it’s simply not feasible to hire enough people to keep up. Even if there were infinite people with expertise in the space, which there most certainly are not, bringing them on board is too time-consuming, too expensive and too inflexible to create a compliance infrastructure that can respond to the new environment.

Technology is the only way out of this.

Using technology to automate the current procedures is, as always, only a small part of the solution. The UK Financial Intelligence Unit (UKFIU) receives more than 460,000 suspicious activity reports (SARs) every year (according to the National Crime Agency), yet fraud continues to rise.

Moreover, as Rob Wainwright (head of Europol) pointed out last year, European banks are spending some €20 billion per annum on CDD with very limited results. In fact, he said specifically that “professional money launderers — and we have identified 400 at the top, top level in Europe — are running billions of illegal drug and other criminal profits through the banking system with a 99 percent success rate”. This is not even a Red Queen’s Race, it’s a Formula 1 of crime where the bad guys are ahead and we can’t overtake them.

The Fifth Anti-Money Laundering Directive (AMLDV) which comes into force in 2020 will, I predict, do nothing to change this criminal calculus. AMLDV will cost organisations substantially more than its predecessors and these costs are out of control. According to a 2017 whitepaper written by my colleagues at Consult Hyperion, KYC processes currently cost the average bank $60m (€52.9m) annually, with some larger institutions spending up to $500m (€440.7m) every year on KYC and associated customer due diligence (CDD) compliance. In the AMLDV era we will look back with nostalgia to the time when the costs of compliance were so limited.

It’s time for a rethink.

We need to re-engineer regulators and compliance to stop implementing know-your-customer, anti-money laundering, counter-terrorist financing and the tracking of politically-exposed persons (let’s lump these all together for the sake of convenience as Customer Due Diligence, or CDD) by building electronic analogues of passports and suspicious transaction reports and so on. In a world of machine learning and artificial intelligence, we need to invert the paradigm: instead of using CDD to keep the bad guys out of the system, we should bring the bad guys into the system and then use artificial intelligence and pattern recognition and analytics to find out what the bad guys are doing and then catch them!

Surely, from a law enforcement point of view, it’s better to know what the bad guys are up to? Following their money should mean that it is easier to detect and infiltrate criminal networks and generate information that the law enforcement community can use to actually do something about the flow of criminal funds. In any other financial services business, a success rate of 1% would call into question the strategy and the management of the business.

Posh and Blocks

While flicking through British Vogue magazine for some moisturising tips, I came across a mention of digital identity! I was surprised and delighted that (just as has happened with another of my obsessions, Dungeons and Dragons) what was once the province of nerds and outsiders has become fashionable and cool. Hurrah! Vogue says that secure digital identities for luxury goods are crucial, which is great! I could not agree more. Digital identities are not only for people! I have been writing about the need for digital identities for things for many years, and not only for high fashion (a field where, oddly, I have some experience in the use of NFC applications on mobile phones to scan designer clothes – but that’s another story).


Some years ago I asked if “the blockchain” (put to one side what this might mean for a moment) might be a way to tackle the issue of “ID for the Internet of Things” (#IDIoT). I said at the time that I had a suspicion that despite some of the nonsense going on, there might be something there. My reason for thinking that is that there is a relationship between blockchain technology and IoT technology, because we need a means to ensure that virtual representations of things in the mundane cannot be duplicated in the virtual. As I saw it, there were three ways to do this: a database, tamper-resistant hardware or blockchain.

If we look at the database idea first, I explored this more than a decade ago using the example of luxury goods such as watches and asking how would you tell a fake Rolex from a real one. It’s a much more complicated problem than it seems at first. For example: why would Rolex care? I can’t afford a Rolex, so if I buy one at a car boot sale or in China, Rolex isn’t losing a sale. But by wearing the fake, I’m presumably advertising the desirability of a Rolex. So surely they should be happy that people want to wear fakes or not? And if I did have a real Rolex, would I want to wear it in dangerous places where expensive watches get stolen in broad daylight by muggers (eg, London, London or London) or where I might just lose it?

Anyway, regardless of the reasons for it, let’s think about how to tell the real thing from the fake thing using technology. Suppose RFID is used to implement Electronic Product Codes (EPCs) for luxury goods. If I see a Gucci handbag on sale in a shop, I will be able to point my Bluetooth EPC-reading pen at it and read the EPC, which is just a number. My mobile phone can decode the number and then tell me that the handbag is Gucci product 999, serial number 888. This information is, by itself, of little use to me. I could go onto the Gucci-lovers website and find out that product 999 is a particular kind of handbag, but nothing more: I may know that the tag is ‘valid’, but that doesn’t tell me much about the bag. For all I know, a bunch of tags might have been taken off real products and attached to fake products.

To know if something is real or not, I need more data. If I wanted to know if the handbag were real or fake, then I would need to obtain its provenance as well as its product details. The provenance might be distributed quite widely. The retailer’s database would know from which distributor the bag came; the distributor’s database would know from which factory the bag came and Gucci’s database should know all of this. I would need access to these data to get the data I would need to decide whether the bag is real or fake.

This is a critical point. The key to all of this is not the product itself but the provenance. A database of provenance (for example) is the core of a system to tell real from fake at scale.

Who should control this database, and who should have access to it, is rather complicated. Even if I could read some identifier from the product, why would the retailer, the distributor or Gucci tell me anything about the provenance? How would they know whether I were a retailer, one of their best customers, one of their own ‘brand police’, a counterfeiter (who would love to know which tags are in which shops and so on) or a law enforcement officer with a warrant?

This is where the need for a digital identity comes into the picture. A Gucci brand policeman might have a Bluetooth pen tag reader connected to a mobile. They could then point the pen at a bag and fire off a query: the query would have a digital signature attached (from the SIM or SE) and the Gucci savant could check that signature before processing the query. Gucci could then send a digitally signed and encrypted query to the distributor’s savant which would then send back a digitally signed and encrypted response to be passed back to the brand policeman: ‘No we’ve never heard of this bag’ or ‘We shipped this bag to retailer X on this date’ or ‘We’ve just been queried on this bag in Australia’ or something similar.
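The signed-query exchange described above, as an added example that is not code from the original post: a reader authenticates its query and the brand owner's savant checks it before deciding how much provenance to disclose, including the "we've just been queried elsewhere" reply. HMAC-SHA256 with a per-device key stands in for the SIM/SE digital signature; the requester ids, roles, EPC values, disclosure policy and the `Savant` class are assumptions made for illustration, and response signing and encryption are left out.

```python
import hashlib
import hmac
import json

# Constructed sample data: requester ids, keys, EPCs and locations are all invented.
REQUESTERS = {  # requester id -> (role, key provisioned in that device's SIM/SE)
    "bp-017": ("brand_police", b"constructed-key-bp-017"),
    "shopper-42": ("customer", b"constructed-key-shopper-42"),
}
PROVENANCE = {  # EPC -> chain of custody known to the brand owner
    "999.888": [["factory", "F1"], ["distributor", "D7"], ["retailer", "X"]],
}


def _tag(key, body):
    # Stand-in for a digital signature: a MAC over the exact serialised query.
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_query(requester_id, key, epc, location, nonce):
    """Reader side: serialise the query and authenticate it with the device key."""
    body = json.dumps(
        {"requester": requester_id, "epc": epc, "location": location, "nonce": nonce},
        sort_keys=True,
    )
    return {"body": body, "tag": _tag(key, body)}


class Savant:
    """Brand-owner side: authenticate first, then decide how much to disclose."""

    def __init__(self, requesters, provenance):
        self.requesters = requesters
        self.provenance = provenance
        self.seen_nonces = set()   # (requester, nonce) pairs already processed
        self.last_location = {}    # EPC -> location of the last authenticated query

    def handle(self, msg):
        try:
            body, tag = str(msg["body"]), str(msg["tag"])
            query = json.loads(body)
            requester, epc = query["requester"], str(query["epc"])
            location, nonce = str(query["location"]), str(query["nonce"])
            role, key = self.requesters[requester]
        except (KeyError, TypeError, ValueError):
            return {"status": "rejected", "reason": "malformed query or unknown requester"}

        # Check the tag before touching any provenance data (constant-time compare).
        if not hmac.compare_digest(_tag(key, body).encode(), tag.encode()):
            return {"status": "rejected", "reason": "bad signature"}

        # A captured query must not be replayable to probe the database.
        if (requester, nonce) in self.seen_nonces:
            return {"status": "rejected", "reason": "replayed query"}
        self.seen_nonces.add((requester, nonce))

        chain = self.provenance.get(epc)
        previous = self.last_location.get(epc)
        self.last_location[epc] = location  # only authenticated sightings are recorded

        # Assumed policy: customers learn only whether the brand knows the item.
        reply = {"status": "ok", "known": chain is not None}
        if role != "brand_police":
            return reply

        # Brand police get the chain of custody and a cloned-tag hint.
        if chain is not None:
            reply["chain"] = chain
            reply["shipped_to"] = chain[-1][1]
        if previous is not None and previous != location:
            reply["warning"] = "same EPC was queried in " + previous
        return reply


if __name__ == "__main__":
    savant = Savant(REQUESTERS, PROVENANCE)
    key = REQUESTERS["bp-017"][1]
    print(savant.handle(sign_query("bp-017", key, "999.888", "London", "n1")))
    print(savant.handle(sign_query("bp-017", key, "999.888", "Sydney", "n2")))
```

The same valid EPC turning up in two places is what exposes a tag moved from a real product to a fake one, which reading the tag alone cannot show.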

The central security issue for brand protection is therefore the protection of (and access to) the provenance data, and this needs a digital identity infrastructure to work properly. If it adds £20 to the price of a Rolex to implement this infrastructure, so what? The kind of people who pay £5,000 for a Rolex wouldn’t hesitate to pay £5,020 for a Rolex that can prove that it is real.

A small brand premium might be rather popular with people who like brands. Imagine the horror of being the host of a dinner party when one of the guests glances at their phone and says “you know those jeans aren’t real Gucci, don’t you?”. Wouldn’t you pay £20 for the satisfaction of knowing that your snooping guest’s Bluetooth pen is steadfastly attesting to all concerned that your Marlboro, Paracetamol and Police sunglasses are all real? Of course you would.

For some goods, we might want to add tamper resistant hardware to the product. I have long been interested in the use of low-cost RFID chips in this context. An example I looked at some years ago was the problem in Korea with the production of counterfeit whiskey. The authentic whiskey producers decided to add an RFID chip to the bottle caps. This chip was coded with a URL and an identifier. When a customer, or a shopkeeper, or a policeman, or in fact anyone else wants to check whether the whiskey is real or not, they touch the cap with their phone and the URL launches a web site that knows the provenance of the identifier and can tell you when and where it was bottled as well as some other information. When a customer opens the bottle, the tag is broken and can no longer be read. That seems to be a cost-effective solution, although it again relies on the provenance database to make it work (otherwise the counterfeiters would just find a way to steal the chips).

The mass market IoT, however, amplifies that problem of permission. I have always tried to illustrate this for people in a fun way by using the case study of underwear. It’s one thing for dinner guests to scan my wine bottle to see that it is a real Romanée-Conti and another for them to scan my Rolex to check that it is indeed a first-class far-eastern knock-off, but it’s quite another for them to be able to scan my underpants and determine that they date from 1983. How do we turn tags on and off? How do we grant and revoke privileges? How do we allow or deny requests for product or provenance? Once again, we must conclude that not simply digital identity but a full digital infrastructure is needed.

The third approach that I thought worth exploring was that of some form of blockchain. It seemed to me that by using the blockchain to maintain uniqueness, we might find a way to make the IoT a transactional environment. Just as you can’t copy the physical object, but you can transfer it from one owner to another, so you can’t copy a token on a shared ledger, only transfer it from one owner to another. Thus, if you can bind a token to a physical object, you can greatly reduce the cost of managing that object. Hence I was rather interested to read in that Vogue article that Louis Vuitton, Microsoft and ConsenSys have developed a platform called “Aura” to manage provenance to provide proof of origin and prevent counterfeits using a blockchain. The basic idea is to represent luxury goods as ERC-721 tokens on a private permissioned Quorum blockchain.

Obviously, I don’t have any details about how this will actually work, but LVMH seem to imply that at the time of purchase of one of their brands’ product, the customer can use the brand’s application to receive an “AURA certificate” containing all product information. I assume that if you sell your handbag (or whatever) to a charity shop, you can transfer the certificate to the charity shop’s application. Underlying all of this, there is the token on the blockchain moving from the retailer’s wallet, to your wallet, to the charity shop wallet.

If this works, and it’s simple and convenient for consumers, some sort of app presumably, it will generate an amazing amount of valuable data for brand owners. They will know exactly who has their stuff and how much of it they’ve got. If the app records “fails” as well, then they’ll also know who has the knock-offs too.

Real fakes and fake fakes

My good friend Chris Skinner pointed me at a story about counterfeit art. The art in question, a “Picasso”, is apparently the work of a counterfeiter called David Henty. According to The Daily Telegraph, after being exposed as a forger a few years ago, “the publicity led to him being feted on television programmes and his copies – marked clearly as ‘Henty’s’ – now sell for £5,000 and upwards”. This reminded me of something I wrote a decade ago after a visit to Halifax, where I saw an interesting use case for RFID chips that were being bonded into the canvas used for painting. So here’s a picture of such a picture (and me).

RFID_Picture

This caught my eye all those years ago and it’s worth showing it again, because it’s a fascinating case study of using RFID in the real/counterfeit problem space. It’s not just about what’s real and what’s fake. The picture I am looking at here was painted by John Myatt. If you don’t recognise the name… well, his story is introduced in The Daily Telegraph this way: “From talented chart-topping songwriter, to Brixton prison for being involved in ‘the biggest art fraud of the 20th century’, John Myatt’s incredible life is now the subject of a Hollywood movie and his artistic talent the focus of a major TV series”.

Interesting guy. Take a look at his “genuine fakes”.

The reason Mr Myatt can make a good living doing genuine fake art, as noted in the Financial Times, is his notoriety as a master forger, which resulted in a six-month prison sentence in 1995. The picture I am looking at has RFID tags bonded to it, but in this case the purpose of the tags is to prove not only that the picture is a fake, rather than real, but that it’s a John Myatt fake and not someone else’s fake. So, basically, the idea is to use a combination of primary and secondary identification technologies to connect product and provenance in such a way as to prove that the picture is a real fake, if you see what I mean. Great stuff.

So if we are going to use technology to create a new identity infrastructure that works for things as well as people, it must not only distinguish real from fake, but fake from fake!

Talking about real fakes, rather than fake fakes, I have an important one at home. I got it after reading about a donation of drawings to Yad Vashem, Israel’s holocaust memorial. The drawings are of the men who worked in the once-secret Nazi operation to produce fake money, a story told in the brilliant film “The Counterfeiters”, which won the 2007 Oscar for best foreign film. It is the true story of Operation Bernhard, which was the Nazi plan to devastate the British economy. The idea, conceived at the very start of the Second World War, was to drop the worthless banknotes over England, thus causing economic instability, inflation and recession. Remember, in 1939 the German people had very recent memory of worthless paper currency devastating the economy, as is well chronicled in Adam Fergusson’s book “When Money Dies”.

The film is based on a memoir written by Adolf Burger, a Jewish Slovak typographer who was imprisoned in 1942 for forging baptismal certificates to save Jews from deportation. The Nazis took Burger and more than a hundred other Jews from a variety of trades—printing, engraving and at least one convicted master counterfeiter, Salomon Smolianoff—and moved them from different death camps to a special unit: “Block 19” in Sachsenhausen concentration camp. There they set about forging first the British and then the American currency. In the end, the prisoners forged around Sterling 132 million, which is about four billion quid in today’s prices.

The Nazis were never able to put their plot into operation. At the end of the war, they packed up all the printers’ plates and counterfeit bills into crates which they dumped into Lake Toplitz in Austria, from which they were subsequently retrieved. Some of the counterfeit notes went to the purchase of war materiel for the nascent Israeli army, some went to collectors. I bought an authenticated Operation Bernhard counterfeit “white fiver” from a banknote collector and that is how I came to have a real fake on my wall at home.

Innovation in blockchain innovation

A couple of years ago, I was invited along to the Scottish Blockchain Conference (ScotChain17). I have to say that it was a really enjoyable, well-organised and interesting day out in Edinburgh. Here I am in one of the panel discussions.

Scotchain panel

At this excellent event, I gave a talk about the use of blockchain in supply chains. Professor Angela Walsh kindly commented on my presentation, saying that it had her crying with laughter while learning a lot, a compliment that I treasure. The content was summarised thus by a keen observer… “The point,” said Birch, “is that people are talking absolute bollocks about blockchain, on an industrial level”. If you are at all interested, the talk was filmed and you can see it here:

Well, my comments on ideas of using the blockchain to solve supply chain problems being somewhat misguided may have seemed a trifle harsh at the time, but as far as I can tell they were a broadly correct characterisation of the state of the industry and a broadly accurate prediction of the sector’s trajectory. Two years on, I just read that the noted research house Gartner says that nine in ten blockchain-based supply chain projects are “faltering” because they cannot figure out important (or, in my opinion, any) uses for the new technology.

Hence I feel that my somewhat uncharitable remarks were justified and my blockchain crystal ball remains intact, its reputation enhanced. 

My reason for highlighting this Caledonian chronicle, and subsequent validation, is to point you to my forthcoming talk at Vincent Everts’ super Blockchain Innovation conference in Amsterdam. If you are going to the excellent Money2020 in Amsterdam that week – where I will be chairing the Open Banking track – stick around and join me at the ABN Amro headquarters on June 7th for a wide perspective on the state of the blockchain world.

I’ll be making a presentation on the intersection of blockchain and artificial intelligence. This is a space where I have observed an avalanche of absolute bollocks, so I’m going to stick my neck out and make a (well-informed) prediction about the key impact of AI on the blockchain world. It has nothing to do with supply chains, but I think has more significance and will mean big changes in the blockchain ecosystem.

I think I have some solid foundations for making this prediction, so come along to cheer or jeer and I’ll be delighted to see you there either way.

Stablecoins and stable coins

I notice that in the considerable press comment concerning the possible introduction of a Facebook payment system and perhaps even a Facebook currency of some kind, commentators continually refer to a Facebook “stablecoin”. I am certain that they are wrong to use this term, because it does not mean what they think it means. I may well be facing a losing battle about this, but I am a stickler for correct currency terminology.

So. Stablecoin. What?

In the Bank of England’s excellent “Bank Underground” blog, there was a post on this topic that said “The chances of a stablecoin keeping a stable price depends on its design. There are generally two designs of stablecoin: those backed by assets, and those that are unbacked or ‘algorithmic’”. They are right, of course, but I would like to present a slightly more granular classification of stablecoin currencies. I think there are three kinds:

  1. Algorithmic Currencies, in which algorithms manage supply and demand to obtain stability of the digital currency. This is what a stable cryptocurrency is: since a cryptocurrency is backed by nothing other than mathematics, it is mathematics that manages the money supply to hold the value of the currency steady against some external benchmark. This is what is meant by stablecoin in the original crypto use of the term.

  2. Asset-backed Currencies, in which an asset or basket of assets is used to back the digital currency. I don’t know why people refer to these as stablecoins, since they are stable only against the specific assets that back them. An asset that is backed by, say, crude oil is stable against crude oil but nothing else.

  3. Fiat-backed (aka Currency Boards), which are similar to asset-backed currencies but where the assets backing the digital currency are fiat currencies only. There are mundane versions of these already: in Bulgaria, for example, where the local currency (the Lev) is backed by a 100% reserve of Euros.

As for that last category, it is effectively what is currently defined as electronic money under the existing EU directives, and therefore already regulated. Those coins backed by fiat currency, such as JPM Coin, simply provide a convenient way to transfer value around the internet without going through banking networks. Now, this may well be an advantage in cost and convenience for some use cases but it is a long way from an algorithmic currency. If this is indeed what Facebucks turn out to be (ie, actual bucks that you can send around on Facebook, something along the lines of Apple Cash), then I have written before why I think they will be successful.

So will any or all of these catch on?

Predictions are of course difficult, but my general feeling is that it is the asset-backed currencies that are most interesting and most likely to succeed in causing an actual revolution in finance and banking. Algorithmic stablecoins and fiat “stablecoins” exist to serve a demand for value transfer, but this is increasingly served well by conventional means. I notice this week, for example, that Transferwise can now send money from the UK to Hong Kong in 11 seconds, a feat made possible by their direct connection to the payments networks of both countries. Why would I use a fiat token when I can send fiat money faster and cheaper?

Of course, you might argue that a digital currency board might allow people who are excluded from the global financial system to hold and transfer value but I am unconvinced. There are plenty of ways to hold and transfer electronic value (eg, M-PESA) without using bank accounts. Generally speaking, people around the world are excluded because of regulation (eg, KYC) and if we want to do something about inclusion we should probably start here. If you are going to require KYC for the electronic wallet needed to hold your digital currency then customers may as well open a bank account, right?

(I’ve written before about how the need for an account hampered Mondex. When it was first launched, I went to a bank branch with £50 expecting to walk out with a Mondex card with £50 on it. What I actually walked out with was a multi-page form to open a bank account so that I could get a Mondex card which arrived some time later. And since I had to put my debit card into the ATM in order to load the Mondex card, I did what most other people did and drew out cash instead.)

I suppose there are some people who think that the anonymity and pseudonymity of cryptocurrencies might make them an attractive alternative to certain sectors, but this is probably a window. If cryptocurrencies were used for crime on a large scale then efforts would be made to police them. Bitcoin, in particular, is not a good choice for criminals since it leaves a public and immutable record of their actions but you can imagine a future in which the mere possession of an anonymous cryptocurrency becomes a prima facie case of money laundering.

Looking at the “stable” stable, then, I’ll put my money on the middle way. I’ve said it before and I’ll say it again, there is a real marketplace logic to the trading of asset-backed currencies in the form of tokens and I expect to see an explosion of different kinds.

Programming bank accounts

I’ve been reading an interesting paper from Northumbria University called “Recipes from Programmable Money“. The paper looks at what customers of the UK challenger bank Monzo have done with its integration with IFTTT (the “if this, then that” automation software) to draw some early lessons that may have wide applicability to post-PSD2 financial services infrastructure. This is fascinating to me (even though I think the title is wrong, because it’s not the money that is being programmed but the bank accounts) because it is natural to wonder what, once third-parties are free to build on banks’ interfaces because of PSD2, customers will want from the new product and service providers.

The paper goes about examining how real users (albeit savvy early adopters in the UK) used the ability to automate a selection of Monzo account actions. Since these automations are a small window into what users might want from more general third-party API-based interactions, I think the researchers have uncovered useful insights about just how important XS2A will be. After all the speculation about what API access to accounts might mean for Europe’s banks, there’s no substitute for looking at what consumers actually do with the new technology.

It seems to me that the key finding of the paper is that “some of the most intriguing recipes in our corpus were those that integrated Monzo with applications that ordinarily have little to do with banking”. (“Recipes” are the IFTTT automation scripts.) That is, in general, consumers use banking services as integral to other services, which is what you might expect on reflection because users don’t want to do banking, which is boring, they want to do other more interesting things that happen to be facilitated by banking.

The authors also observe that “this proliferation of financial data across different platforms, and channels, highlights the way in which programmable money may cut across services” and that “we are seeing how money and transactions are potentially just another form of data, to be pushed and pulled around integrated services”. I am sure they are correct about this, which is why it will be so hard for banks to find effective strategies to compete with other providers of those integrated services. It may well be that only the lower margin “pipe” services are available to them, in which case they need to focus on operational efficiency to compete.

All very interesting, and wholly congruent with earlier analyses from informed industry observers (eg, me). But it’s another point made in the “programmable money” paper that caught my eye. It’s impossible to disagree with it when it concludes that technologies such as machine learning, AI and smart contracts “foreground the delegation of significant financial power to automated systems and agents”. As I wrote last year, in the context of competition in retail banking, the future choice of banking services provider (the AS-PSP, in the euro-jargon) will be made not by customers, but by bots. It seems to me that the early indications from the real world are that this is correct, and that it has many ramifications.

I’ll give you an example. If you live in the UK and are over the age of around 30, you may have seen an advertisement with a man in a spacesuit in it.

To the Mooooooooon!

No, not that one. I mean an advert on TV, the sort of thing that no-one under 30 ever sees any more. It’s an advert for a bank. It doesn’t matter which one. The point is that it’s about brand and image. But what will be the point of it in a world where an AI-powered child-of-IFTTT is doing the heavy lifting? Consumers may neither know nor care who their bank is. This will pose a challenge to those with a career in marketing, but it may have some positives too. For example, I can assure Barclaycard that my bot will pay no attention whatsoever to their advertisement with Simon Cowell in it, whereas like most normal people I would cancel my card because of it.

My bot will choose your bank on the basis of interest rates, response times, jurisdiction, functionality, service uptimes and other such measurable parameters. Your logo? Your sponsorships? Your history? Whatever.

US cashless backlash: why punish retailers?

The US is behind some other parts of the world, perhaps, but it is trending in the same direction. According to recent research, almost a third of American adults use no cash at all for their weekly purchases (it was a quarter back in 2015). Conversely, a fifth of Americans say that they make nearly all of their purchases in cash. Against this backdrop, it is no surprise that some retailers, in some locations, are starting to go cash free. Now, as far as I am concerned, that’s up to them. Writing in the CATO Journal last year — “Special Interest Politics Could Save Cash or Kill It” CATO Journal 38(2): 489-502 (Spring 2018) — Norbert Michel said “it seems risky, at best, to give the government so much control over the form of payment citizens choose, but that is exactly what many policymakers are hoping to do”. He was talking about laws to ban cash, but the argument applies both ways. Should regulators care whether you pay in cash or not and, if they do care, what should they do about it?

 

Here’s a specific example. In March, Atlanta’s Mercedes-Benz stadium, home of the Atlanta Falcons, stopped accepting cash for sporting events. Now, I imagine the people who run the Mercedes-Benz to be business persons who operate according to the principles of profit and loss. They’re not making this decision because of some ideological position about notes and coins. They wouldn’t be doing it unless they thought they would be better off without the costs of cash.

So: should they be allowed to do this, just as Tottenham Hotspur have done with their new stadium at White Hart Lane?

There is no US law on the subject. I see in Payment Law Advisor that the US Treasury Department has guidance on the issue, but it states that refusing cash may be allowable “on a reasonable basis, such as when doing so increases efficiency, prevents incompatibility problems with the equipment employed to accept or count the money, or improves security”. Security and efficiency are precisely the factors causing retailers to shift to cashless operators as far as I can see, so the Treasury guidelines seem to be working.

That does not, however, seem to matter to the State and City legislators who are rising to the challenge of dragging America back into the 1950s, when the payment card was a notion restricted to future fiction and the concept of a mobile phone so alien as to be unimaginable. At that level there is a patchwork of regulation. Massachusetts apparently has a little-known 1978 law requiring retail stores to accept both cash and credit although it does not seem to be enforced and the legislature has yet to say whether it applies to restaurants. Food and drink are in the vanguard elsewhere, such as in Pennsylvania, where the head of the Pennsylvania Restaurant and Lodging Association says that there are lots of restaurants (as well as other businesses) that want to go cashless because “places that handle cash are less safe than those that don’t have cash on hand” and that in a cash business “taxes aren’t always paid”.

Yet US legislators seem to be in favour of maintaining this costly and inefficient state of affairs. The New York Times reports that the New Jersey Legislature and the Philadelphia City Council have already passed measures this year that would ban cashless stores and New York City, Washington, San Francisco and Chicago are considering doing something similar. Their objection is that cashlessness marginalises low-income communities. If this is true, and I have no reason to doubt the sincerity of these lawmakers, then it is a problem with the financial system not retailing. Penalising retailers by forcing them to accept cash because the financial system does not make a reliable, secure electronic alternative available to low-income (or, indeed, any other) communities is perverse.

I don’t want to discuss the causes here – that’s for another time – but the specifically US problem around financial inclusion is the root cause of the problem and that’s what should be tackled. If low-income people in Somalia can buy produce in the local market using their mobile phones, you can’t help but wonder why low-income people in Philadelphia can’t do the same, much to the benefit of society as a whole.

Know 2019 Keynote

This time it’s war
Keynote address to Know 2019, Las Vegas, 25th March 2019.

[An edited version of this keynote appeared on Medium, 28th March 2019]

I’ve said many times that we need an identity infrastructure that deals with the realities of this modern world, the world of the Nth industrial revolution (where N is 4, or 5, or something similar). As things go from bad to worse, we need this infrastructure to be a government priority and we need the private and public sectors to come together to deliver it. And if they don’t want to, if you don’t want to, then you should be made to. I’m not standing here flattered to be asked to deliver this keynote because digital identity is about making life easier when you log in to your bank or to do your taxes. I’m here because it is far more important than that. Digital identity is vital national infrastructure.

We don’t have long to get our act together and we are starting from scratch. In the UK we have no tradition of identity cards or national identification systems, or anything like it. To the British, national identification is “papers, please”: something associated with authoritarian tyrannies, France and wartime. And even in wartime, the idea of requiring people to hold some form of identification was regarded as so fundamentally incompatible with the customs and practices of Her Majesty’s subjects that the last British identity cards (from the first and second world wars, essentially) drew on what Jon Agar memorably labelled “parasitic vitality” from other systems such as conscription and food rationing. Identity infrastructure was created as a form of mobilisation against the enemies of the Realm and the chosen implementation, the identity card, was not an end in itself, but a means to support those other activities to aid the war effort.

This dislike of identification as a State function is hardly unique to the United Kingdom. In America there are similarly strong opinions on the topic and the failure of the Australia Card back in 2007 stems, I think, from the same common law roots. These views of course stand in stark contrast to the views of almost all other nations of the world. The majority of people on Earth have some form of state identification and would find it impossible to navigate daily life without it. That doesn’t make the need to be identified by the state at all times either right or proper, by the way, but that’s a different discussion for another day.

If the development of national identity infrastructure is, however, only possible as part of a war effort… well, I have to tell you that we are at war. It’s just that this time we’re in a cyberwar and our identity infrastructure needs to support mobilisation across virtual and mundane realms. World War 3.0 has already started but a lot of people haven’t noticed because it’s in the matrix. There was no specific date when this war broke out and there is no conceivable Armistice Day on which it will end. Rather, as Bruce Schneier put it in his excellent book Click Here to Kill Everybody last year, cyberwar is the new normal.

(This will, unfortunately, make the war movies of the future rather dull. No more Dunkirk or Saving Private Ryan, no more The Dambusters or Enemy at the Gates. Instead movies will be about solitary individuals sitting in dimly-lit bedsits typing lines of Perl or Solidity while eating tuna out of a can.)

The advent of cyberspace conflict is not because computers and communications technologies have only just reached the Armed Forces. Far from it: the very first computers were developed to compute ballistic trajectories and part of my young life was spent trying to work out how to use radio and satellite technologies to keep NATO systems connected after a first strike against command and control infrastructure, which is why talk of white noise jamming and direct-sequence spread spectrum transmission still gives me a shiver. But in those far-off days, the reason for knocking out NATO’s IT infrastructure was so that you could then send tank columns through the Fulda Gap or drop the Spetsnaz into Downing Street. There were cyber aspects to war, but it wasn’t a cyberwar. Now it’s all out cyberwar and as historian Niall Ferguson said in his book The Square and The Tower, it’s war between networks.

(The early British response to this new state of affairs was comfortingly backward-looking. Back in 2013 there was a plan for the creation of a digital Home Guard made up from well-meaning volunteers to stand on the cyber-landing grounds to repel invasion.)

Now, I’m sure that behind the scenes the Department of Defense have been working around the clock to defend our payment systems and water supplies against foreign hackers but I do wonder if the insidious threat from the intersection of post-modernism and social media had as high a priority? It should have done, because as it turned out the enemy stormed Facebook, not the Fulda Gap. We need a wall right enough, but we need it to be around our data.

Marshall McLuhan saw this coming, just as he saw everything else coming. Way back in 1970, when the same Cold War that I played my part in was well under way, he wrote in Culture is our Business that “World War III is a guerrilla information war with no division between military and civilian participation”. Indeed. And as we are now beginning to understand, it is a war where quiet subversion of the enemy’s mental assets is as important as the destruction of their physical assets. Social media are creating entirely new opportunities for what The Economist referred to as “influence operations” (IO) and the manipulation of public opinion. We all understand why! In the future, “fake news” put together with the aid of artificial intelligence will be so realistic that even the best-resourced and most professional news organisation will be hard pressed to tell the difference between the real and the made-up sort.

Smart cyber-rebels will want to take over social media, just as rebel forces set off to capture the radio and TV stations first: not to shut them down, but to control them. The lack of identity infrastructure makes it easy for them: at least you could see when your favourite news reader had been replaced by a colonel in a flak jacket, but you’ve no idea who is feeding the “news” to your social media timeline. It’s probably not even people anymore. While writing these words I read of (yet another) complaint about social media companies doing nothing to control co-ordinated bot attacks. But how are they supposed to know who is a bot and who isn’t? Whether a troll army is controlled by enemies of the state or commercial interests? If an account is really that of a first-hand witness to some event or a spy manufacturing an event that never happened?

The need to tell “us” from “them”, real from fake, insiders from outsiders, attackers from defenders is critical and the lack of an identity infrastructure (as much as the creation of identity infrastructures that are too easy to subvert) leaves us open to manipulation. We need to create an effective infrastructure as a matter of urgency but it should not be framed in the context of a 20th-century bureaucracy responding to the urban anonymity of the industrial revolution by conceiving of people as index cards, but in a 21st-century context based on McLuhan’s notions of identity forged in relationships. We need to create an environment of ambient safety, where both security and privacy are strengthened, twin foundations for the structures we need to build to prevent chaos.

(America may or may not need a Space Force, but it most certainly needs a Cyberspace Force.)

So this is my challenge to you. This is a conference I take very seriously and an audience that I respect. I am looking to you to man the barricades. I want you to begin the process of assembling the infrastructure that we so desperately need, so that I can tell my e-mail package to ignore messages that say they came from my bank but didn’t, my web browser to put a red border around “news” that does not come from a reputable, cross-checked source and set my phone to ignore tweets that come from bots rather than people.

If this all sounds over-dramatic: it isn’t. I think it is perfectly reasonable to interpret the current state of cyberspace in these terms because the foreseeable future is one of continuous cyberattack from both state and non-state actors and digital identity is a necessary building block of our key defences. I sincerely hope that over the next couple of days you will find new ideas, new ways of co-operating and perhaps even a new mission to protect and survive in this new era of amazing opportunities, astonishing threats and terrifying risks.

Thank you.

Feedback

Well, I’ve never appeared in a cartoon before (to the best of my knowledge) so my sincere thanks to Richard Parry and “The Chaps” for their kind comment on this keynote. I should point out that I am well aware of the market failure around cybersecurity, but that’s a topic for another day!

The non-cartoon feedback was pretty good too!

And from the education day that preceded the keynote…

Thanks y’all!

FaceCoin or FacePESA, Zuckbucks are a winner

Around a decade ago my son was, as is rather the fashion with teenagers, in a band. With some friends of his, he arranged a “gig” (as I believe they are called) at a local venue. There were five bands involved and the paying public arrived in droves, ensuring a good time was had by all. All of this was arranged through Facebook. All of the organisation and all of the coordination was efficient and effective so that the youngsters were able to self-organise in an impressive way. Everything worked perfectly. Except the payments.

When it came to reckoning up the gig wonga (as my old friend Paul Pike of Intelligent Venues would call it), we had a couple of weeks worth of “can you send PayPal to Simon’s dad” and “he gave me a cheque what I do with it?” and “Andy paid me in cash but I need to send it to Steve“ and so on. Some of them had bank accounts, some of them didn’t. Some of them had bank accounts that you could use online and others didn’t. Some of them had mobile payments of one form or another and others didn’t. I can remember that at one point my son turned to me and asked “why can’t I just send them the money on Facebook?”.

As I wrote at the time, I didn’t have a good answer to this because I thought that sending the money through Facebook would be an extremely good idea and I can remember discussing with some clients at the time what sort of services they might be able to offer to Facebook or other social networks that were empowered through an Electronic Money Issuing (ELMI) licence and Payments Institution (PI) licence. The rudimentary business modelling was quite positive, and so I naturally assumed that there would be some sort of Facebook money fairly soon, especially because I am something of a proponent of community monies of one form or another.

I also wrote at the time that Facebook money, or Zuckbucks ($ZUC), could easily become the biggest virtual currency in the world given that there are so many people with Facebook accounts and the ability to send value instantly from one account to another via Facebook would be so attractive. You’ll remember that Facebook launched “Facebook Credits” some time ago but they weren’t really a currency, just a way of prepaying for virtual goods with the service. A virtual currency is something more, it’s true electronic money that you can send from one person to another. Well, it looks as if this is coming, as I read in the crypto press that Facebook “is talking to exchanges about potentially listing a cryptocurrency” [CoinDesk]. It looks as if $ZUC might be just around the corner, and people are getting excited.

As I understand things, Mr. Zuckerberg has already decided to integrate the social network’s three different messaging services — WhatsApp, Instagram and Facebook Messenger — on a single unified messaging platform and, according to the New York Times, have that platform implement end-to-end encryption. This would naturally be an ideal platform for a universal currency so it’s no surprise to hear that the company is now looking at just such an enterprise. Even if Facebook couldn’t read the details of a transaction, it would know that I just paid a car insurance company and might find some use for the data in the future.

My suspicions that a Facebook money might be rather successful were further strengthened while listening to one of my favourite podcasts, Pivot with Kara Swisher and Scott Galloway, on a plane last week. Scott said that his biggest friction in the physical world is charging (I couldn’t agree more – battery life is the bane of my road warrior existence) and that his biggest friction in the virtual world is payment. He cited the example of trying to buy wifi on a flight and having to mess around typing in card numbers like it was 1995 and pointed out just how much Facebook could gain by adding payments to their platform. Scott is surely right, and since the people at Facebook are smart, they must be looking at the potential to develop a new revenue stream that is separate from advertising with some enthusiasm.

A Barclays equity research note on the subject (Ross Sandler and Ramsey El-Assal, 11th March 2019) reckons that a successful micro-payment service could add some $19 billion to Facebook’s revenues, so clearly I’m not the only one who is a little surprised that they haven’t already leveraged the technologies of strong authentication to get something off the ground. It also notes that one of the problems with the original Facebook Credits business was the cost of interchange, a problem that has a very different shape now with interchange caps in place in various parts of the world and open banking giving the potential for direct access to consumer bank accounts (so that exchanges between fiat bank accounts and $ZUC would be free).

Facebook Marketplace has just added card payments [91Mobiles], as shown in the screenshot below, so that marketplace users can pay for goods directly without having to come out of Facebook. I think this is, frankly, a window into one possible future for financial services!

These are boring old Visa and Mastercard payments, but presumably $ZUC can’t be far behind. Unfortunately, since there are no details that I can find on what exactly “Facebook Coin” is going to be, I can’t really offer any informed comment on the chosen implementation. If, however, it is something along the lines of JPM Coin then it will be a form of electronic money and governed by the appropriate rules and regulations (which is good, and since they have very smart people at Facebook I’m sure they’ve already spotted the advantages of providing a trusted, regulated global payment service). You can kind of see the idea: your Facebook account sprouts an automatic, opt-out, wallet. You can buy coins for this wallet using a debit card and then send them to anyone else with a wallet (why this needs the blockchain is not entirely clear, by the way, but that’s another discussion).

Wallets that have been KYC’d (put to one side what exactly this might entail) could store up to say $ZUC 10,000, wallets without KYC would be limited to say $ZUC 150. I think this might be a great opportunity for banks to use their federated and standardised digital identity infrastructure* to provide an attractive service to Facebook that might relieve them of onerous regulatory burdens. All Facebook has to do is get me to log in to my bank and have them return some cryptographic token (with no personal information in it) to Facebook to indicate that the bank has done KYC and knows who I am. A bit of a win-win.
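The bank-to-wallet exchange sketched above, as an added example that is not from the original post or from any real Facebook or bank system. The claim names, the `bank.example` and `wallet.example` identifiers and every function name are assumptions, and an HMAC over a key shared by bank and wallet provider stands in for the asymmetric signature a real deployment would use, purely so the example runs on the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Wallet caps in $ZUC, taken from the figures in the text above.
KYC_LIMIT = 10_000
NO_KYC_LIMIT = 150
# Hypothetical claim set: nothing in it names or describes the customer.
ALLOWED_CLAIMS = {"iss", "aud", "sub", "kyc", "nonce", "exp"}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).digest()


def pairwise_subject(bank_secret, customer_id, audience):
    """Pseudonym that is stable for one (customer, relying party) pair,
    so two relying parties cannot join their records on it."""
    msg = f"{audience}|{customer_id}".encode()
    return hmac.new(bank_secret, msg, hashlib.sha256).hexdigest()[:32]


def bank_issue(signing_key, bank_secret, customer_id, audience, nonce, now, ttl=300):
    """Bank side: called after the customer has logged in to the bank."""
    claims = {
        "iss": "bank.example",
        "aud": audience,            # token is only good at this wallet provider
        "sub": pairwise_subject(bank_secret, customer_id, audience),
        "kyc": True,                # the only fact being asserted
        "nonce": nonce,             # binds the token to one wallet login
        "exp": now + ttl,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(_tag(signing_key, body))


def wallet_verify(token, signing_key, audience, expected_nonce, now):
    """Wallet side: return the claims if the token is acceptable, else None."""
    try:
        body, tag = token.split(".")
        if not hmac.compare_digest(_tag(signing_key, body), _unb64(tag)):
            return None             # forged or altered
        claims = json.loads(_unb64(body))
    except ValueError:
        return None                 # malformed token
    # Data minimisation: refuse tokens carrying anything beyond the agreed set.
    if not isinstance(claims, dict) or set(claims) != ALLOWED_CLAIMS:
        return None
    ok = (
        claims["aud"] == audience
        and claims["kyc"] is True
        and isinstance(claims["exp"], int)
        and claims["exp"] > now
        and hmac.compare_digest(str(claims["nonce"]).encode(),
                                expected_nonce.encode())
    )
    return claims if ok else None


def wallet_limit(token, signing_key, audience, expected_nonce, now):
    """Apply the higher cap only when a valid KYC attestation is presented."""
    verified = token is not None and wallet_verify(
        token, signing_key, audience, expected_nonce, now) is not None
    return KYC_LIMIT if verified else NO_KYC_LIMIT


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    key, secret = b"k" * 32, b"s" * 32
    now = int(time.time())
    token = bank_issue(key, secret, "cust-001", "wallet.example", "login-7f3a", now)
    print(wallet_limit(token, key, "wallet.example", "login-7f3a", now))
    print(wallet_limit(None, key, "wallet.example", "login-7f3a", now))
```

The wallet provider learns only that some customer of the bank passed KYC, under a pseudonym that is useless at any other relying party; a replayed, expired, altered or over-sharing token leaves the wallet at the lower cap.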

This, at a stroke, would provide teenagers with a means to settle gig wonga, provide online retailers with instant payment across borders and provide brands a means to reward consumer behaviour. If Facebook make it free to buy $ZUC and guarantee to redeem at par for consumers, they could be on to a real winner. In Europe, if the Facebook wallet is combined with PSD2 to deliver instant load and instant payout, it delivers a serious play that will give people a reason to use the Facebook platform to organise their gigs, lay out their online wares and promote their brands instead of messing around with Snapchat or Youtube or email or blogs or whatever else they are using now.

* Note: does not exist. Images not from actual gameplay.