A fingerprint for the Internet of Things


To prevent problems like these from occurring, each IoT device needs to be able, as it were, to show an identity document—“authentication,” in professional terms. Normally speaking, this is done with a kind of password, which is sent in encrypted form to the person who is communicating with the device. The security key needed for that has to be stored in the IoT device one way or another, Lieneke Kusters explains. “But these are often small and cheap devices that aren’t supposed to use much energy. To safely store a key in these devices, you need extra hardware with constant power supply. That’s not very practical.”

Digital fingerprint

There is a different way: namely by deducing the security key from a unique physical characteristic of the memory chip (Static Random-Access Memory, or SRAM) that can be found in practically every IoT device. Depending on the random circumstances during the chip’s manufacturing process, the memory locations have a random default value of 0 or 1.

From A fingerprint for the Internet of Things:
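
The idea in the excerpt above, deriving a key from SRAM power-up values, sketched as an added example (not code from the quoted article or its researchers). The chip model, the constants, and the stable-cell selection with majority voting are assumptions introduced here to cope with cells that do not start up the same way on every power cycle, a detail the excerpt does not cover.

```python
import hashlib
import random

CELLS = 1024      # constructed: SRAM cells reserved for the fingerprint
READS = 31        # constructed: power-ups sampled per measurement (odd, so votes never tie)
KEY_CELLS = 256   # constructed: stable cells that feed the key


class SimulatedSram:
    """Toy chip: every cell has a fixed, manufacturing-dependent chance of powering up as 1."""

    def __init__(self, chip_seed):
        process = random.Random(chip_seed)
        # U-shaped bias: most cells strongly prefer 0 or 1, a minority sit near 50/50.
        self.bias = [process.betavariate(0.15, 0.15) for _ in range(CELLS)]
        self._noise = random.Random(chip_seed + 1_000_003)

    def power_up(self):
        """One power cycle: the start-up value of every cell."""
        return [1 if self._noise.random() < p else 0 for p in self.bias]


def count_ones(chip):
    """Power-cycle READS times and count, per cell, how often it came up as 1."""
    ones = [0] * CELLS
    for _ in range(READS):
        for i, bit in enumerate(chip.power_up()):
            ones[i] += bit
    return ones


def key_from_bits(bits):
    """Pack bits into bytes and hash them, so the raw cell values never leave the device."""
    packed = bytes(
        sum(bit << k for k, bit in enumerate(bits[i:i + 8]))
        for i in range(0, len(bits), 8)
    )
    return hashlib.sha256(packed).hexdigest()


def naive_key(chip):
    """Hash a single power-up as-is. Near-50/50 cells make this differ between power cycles."""
    return key_from_bits(chip.power_up())


def enroll(chip):
    """One-time enrollment: keep only cells that gave the same value in every read.

    Returns (helper, key). The helper is a list of cell indices; it says which
    cells to use, not what they contain, so it can be stored without protection.
    """
    ones = count_ones(chip)
    stable = [i for i, n in enumerate(ones) if n in (0, READS)]
    if len(stable) < KEY_CELLS:
        raise ValueError("not enough stable cells to derive a key")
    helper = stable[:KEY_CELLS]
    key = key_from_bits([1 if ones[i] == READS else 0 for i in helper])
    return helper, key


def reconstruct(chip, helper):
    """In the field: re-read the chip, majority-vote each selected cell, re-derive the key."""
    ones = count_ones(chip)
    return key_from_bits([1 if 2 * ones[i] > READS else 0 for i in helper])


if __name__ == "__main__":
    chip_a = SimulatedSram(chip_seed=1)   # constructed sample chips
    chip_b = SimulatedSram(chip_seed=2)
    print("naive key stable across power-ups:", naive_key(chip_a) == naive_key(chip_a))
    helper, key = enroll(chip_a)
    print("same chip re-derives the key:     ", reconstruct(chip_a, helper) == key)
    print("other chip derives the same key:  ", reconstruct(chip_b, helper) == key)
```

Nothing secret is stored on the device: the key exists only while it is being re-derived, which is the property the excerpt is after for cheap hardware without protected key storage.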


In contrast, the magnetic PUF is resistant to attack and insensitive to environmental variations.

“In all previously proposed MRAM PUFs, a procedure to set random magnetization orientations is necessary for their practical application,” said Zhe Guo, a post doctor in You’s team. “In our IAE-PUF, the random distribution of magnetization orientations is formed during the MgO layer thinning process, so no initialization is required.” The avoidance of setting random states with an external magnetic field or writing current makes it easier to integrate and scale down with low power consumption.

From Highly secure physically unclonable cryptographic primitives based on interfacial magnetic anisotropy:


Apple Pay whatever, Apple ID wowza

We’re all familiar with Apple Pay and Google Pay and how much easier (and more secure) they make online commerce. It would be nice if this security were to be extended to online interactions of all kinds, not only payments. I think this is not that far away. Apple has recently registered a number of patent claims across the general field of “verified claims of identity” which quite rightly attracted some attention. In July, they filed an application with the U.S. Patent & Trademark Office that describes the technology it is trying to develop to replace traditional driver’s licenses, passports and varied ID cards for government purposes or access to private property. I think these applications are really important and that the fact that Apple wants to control means of presenting and verifying “identity” through devices, including iPhones, is a signal to the industry that the wallet wars are about to heat up.

What's in your wallet?

If I look in my wallet, most of the stuff in there is nothing to do with payments.

If Apple or Google want to replace my wallet, that means that they have to replace my driving licence, my loyalty cards, my rail discount pass, my blood donor card, my AA membership… well, you get the point. And in the real world, I only have twenty or thirty of those cards but in the virtual world I have hundreds if not thousands. Replacing the payment cards was easy. Replacing the identity cards is hard. But in the long term, it’s much more valuable.

It would be nice if the security and convenience of the digital wallets were to be extended to online interactions of all kinds, not only payments. Perhaps this is not that far away. We already use them to make online access easier. If I’m signing up for a new service (e.g., when I signed up for the New York Times recently) then I’ll look for the “sign in with Apple” button first and only if the web site does not support it will I then select “sign in with Google” (after first remembering to log in to my “John Doe” Google account). But this is about authentication, not identification. Apple told the New York Times that I am “blahblahblah@blah.apple.com”, not that I am David Birch or that I am over 21 or that I am a UK resident or whatever.

It’s about time, frankly. The lack of a digital identity infrastructure is a big problem in an online world and it has to get fixed whether by governments, financial institutions, specialist players or someone else. Since governments, banks, telcos and others have not fixed the problem (at a level of global interoperability comparable to the internet and mobile phones), it looks as if someone else is going to have to do it.

Since governments, banks, telcos and others have not fixed the lack of a digital identity infrastructure, it looks as if someone else is going to have to do it.

At the time of writing, Apple are advertising a vacancy in Cupertino for a product manager for identity. The job description posted is for a “top-flight identity product professional with industry experience in physical and digital identity to join us on the journey of replacing the physical wallet”. Maybe Apple is going to be the someone else who is going to deliver mass market digital identity.

They can do it, and I’m hardly the only person to have said this. A couple of years ago here in Forbes, for example, Panos Mourdoukoutas predicted that Apple’s next big revenue source wouldn’t be another device, but the “monetization of the ID Apple assigns to its customers”. This prediction, I should stress, was not especially radical or unusual. Indeed, back in 2016 I was working on the strategic assumption that this was an inevitable direction. I wrote at the time that “it is a very short step from Apple Pay to Apple ID, where revocable identification tokens are loaded into the tamper-resistant hardware”. This was hardly a mystical prediction. I was merely building on the obvious fact that if the “secure enclave” inside an iPhone is safe enough to store payment tokens then it is safe enough to store a variety of the virtual identities that I will need in the online future, having written back in 2015 that if my “Apple ID” provides a convenient mechanism for mutual recognition in person and on line, it will be indispensable in short order.

(Without getting distracted by technical details, it is important to note that what Apple appear to envisage is that a device — such as an iPhone, to highlight the obvious example — will be storing credentials obtained from a variety of sources. My hope is that Apple, Google and others support an interoperable standard — W3C VC, to highlight the obvious example — so the credential providers and users will move to authorisation-based transactions as soon as possible.)

So the idea that the platforms might step in and provide the digital identities that will be crucial to our online existence — because banks, governments and others have not — is not what is new. What is new, and why we are talking about identity now, is the coronavirus and the extent to which it has both illustrated the problems caused by not having digital identities and accelerated the drive toward workable solutions. Suddenly we are having to figure out not only how to shop and bank online but how to work, learn, visit the doctor, vote (to pick a very current and contentious example) and access government services online. In the UK, as in the USA, we don’t yet have anything like the infrastructure needed to do this so we end up with costly and imperfect silo solutions.

My point is that we need to put some serious thought into developing a digital identity infrastructure. And we must think about how that infrastructure will evolve and develop. Does the USA want a system as in China where you have a single identity that must be used to do everything and the government knows what you are doing at all times? That has some interesting consequences! For example, for years, the government there has been trying to stop kids from playing too many video games. Now the Chinese have ruled that anyone wanting to play a game must log in using a state-run authentication rolling out this month.

Now, that may be the right way to run a country or the wrong way. That’s not my point. My point is that we need to think about the problem and make some choices about what we want because if you think that digital identity is just about making it easier to log in to your bank, you are wrong. Should the government know that you have logged in to your bank? Should Apple know that I am playing Fortnite? Should Facebook know that you are voting online? How exactly can we design an infrastructure to deliver both privacy and security? These are serious questions: Digital identity is the foundation of existence in an online society and choices that are made about how those identities work will be fundamental to how that society is going to work in the future. We need to begin this discussion now.

[This is an edited version of an article first published on Forbes, 29th August 2020.]

International Identity Day

Old MacDonald Had A Retinal Scanner

Well, here we are again. It’s 16th September and International Identity Day (IID) once more*, so I’m here to rejoice with you all. To celebrate this auspicious date, I used my strongly-authenticated virtual identity with the verifiable credential IS_OVER_18 (which is linked to the digital identity stored in my bank wallet) to log in to a French vineyard to pre-order a crate of Beaujolais nouveau. I gave them my Amazon address credential when they wanted a delivery address and my payment name to send their request-to-pay for Amex to digitally sign to confirm payment. My real name and my financial details were never part of this very efficient online purchase. I’m joking, of course.


Here in the UK we have no identity infrastructure and if we did I doubt it would be interoperable with anything a French vineyard might reasonably imagine a verifiable credential to look like. In fact after the failure of the government’s most recent identity initiative, we really are back at Square None.


It’s actually even worse than you think. Not only do we not have digital identities for people, we don’t have digital identities for anything else either. And that might be more important than you think. After all, we spend a lot of time talking about digital identity for people and speculating about whether Apple ID or federated Bank ID or centralised Government ID is the best implementation but in the new online world, there are a great many entities other than people that will need to have digital identities in order to participate in a functioning post-industrial economy. Things, for example. And artificial intelligences: Bots will need identities, too. In fact I’m writing a book about this at the moment. It’s going to be called “Will Robots Need Passports?” and it will be out next year sometime.

(And the answer, as I am sure you already know, is “yes”. Spoiler alert: robots will need passports because they will need to be authorised to access resources and they will need to be recognised in order to develop reputations that will be transaction enablers.)

What we don’t spend anything like enough time talking about, though, is the digital identity of animals. I read with great interest a report in the Times of India about a new smartphone app that farmers can use to check information about cattle. This was developed in response to an appeal from Prime Minister Modi for a means to reduce cattle theft. As you probably know, India already has a national identity number for people — Aadhaar — and it has worked pretty well, providing a low-cost mechanism to establish the unique identities of citizens and thereby contribute to the goal of financial inclusion which (as everyone knows) is an identity problem. Therefore, it would seem logical to give animals a number too.

But how do you tell Napoleon from Snowball?

Well, in this case, specific information “unique to each animal” like the footprint, height, weight, colour and tail hair is recorded in the software and a unique ID is generated. As one of the designers of the software notes, this ID “is very useful when insuring cattle”, which is a good point. I am slightly surprised that, all other things being equal, they didn’t put the IDs on a quantum-resistant blockchain in the cloud, but that’s probably version 3.

Nevertheless, the animal Aadhaar — the biometric identification of animals and the association of a digital identity — clearly has economic value. I don’t know how unique animal footprints are, so I cannot comment on adjusting the false accept and false reject rates for optimal barnyard efficiency, but I do know that (as the Wall Street Journal recently reported) face recognition for animals is actually pretty difficult. As they put it, “It’s not like you can tell a donkey to stand still”. Quite. Nevertheless it can be done.

IFGS Panel on AI Ethics 2019 (courtesy of Emma Wu).

I know this because I was privileged to have Dr. Jion Guong Shen from JD Digits, a subsidiary of JD (China’s largest e-commerce business) on my panel about AI ethics and governance at the Innovate Finance Global Summit (IFGS) last year. This was a great panel, by the way, largely because the well-informed panellists took the discussion in such interesting and unexpected directions. JD Digits, amongst other things, runs face recognition services for farmyard animals including cows and pigs. It turns out that pig face recognition, in particular, is a big business. There are 700m pigs in China, and the productivity gains that farmers can obtain from ensuring that each pig is fed optimally, that sick pigs are kept away from the herd (and so on) are very significant. Apparently the face recognition system also goes some way to reining in wannabe Napoleons, as Dr. Shen explained that there are some “bully pigs” that try to obtain a disproportionate share of barnyard resources. The system can spot them chowing down when they shouldn’t be and flag for intervention. This is a pretty straightforward use case for biometric identification that might usefully be introduced into British fast food outlets in my opinion.

Let’s celebrate International Identity Day by remembering not only that digital identities are not simply for people and that the future economy desperately needs digital identity infrastructure for everything, but also that we have a long, long way to go.

* In case you are wondering why IID is 16th September, the choice of the date is in recognition of the United Nations Sustainable Development Goal (SDG) 16.9 which calls for legal identity for all including birth registration by 2030.

Cashless as Count Zero

As I wrote recently, China is well on the way to becoming a cashless society. It is not the only country heading in that direction, of course. A cursory examination of the global statistics around the declining use of banknotes and coins makes it easy to predict that many countries will soon be effectively cashless within the strategic horizon of corporate planners. But what does this actually mean? USA Today just asked what sounded like a pretty dumb question: will there be cash in a cashless society? Well, I don’t think it’s a dumb question. And the answer is “yes”. When I talk about a cashless society within a generation, I do not mean that there will be literally no cash at all. That would be stupid. When I say cashless, I mean cashless in the Count Zero sense.

Cash will still be around and it will still be legal tender (although I don’t think people understand what a limited concept this is), but it will disappear from polite society and from the daily lives of most people. We will move from being a debit card society to a mobile society to a biometric society in which cash will still exist. It just won’t matter. As the brilliant William Gibson wrote in his 1995 classic novel Count Zero, talking about a character adrift in the near future, “he had his cash money, but you couldn’t pay for food with that”, going on to deliver my favourite line about cash in the whole of modern fiction: “It wasn’t actually illegal to have the stuff, it was just that nobody ever did anything legitimate with it”.

Psst

with kind permission of TheOfficeMuse (CC-BY-ND 4.0)

Why am I focusing on this vision? Well, as my friend and top futurist Ross Dawson points out, Gibson has never claimed to predict the future [but he] has “an unmatched knack for analyzing trends and behaviors inherent to modern life and extrapolating them into vivid themes that reveal a kind of raw truth about humanity”. He has an amazing track record on this, by the way. As the New Yorker highlights, Gibson first used the word “cyberspace” in 1981 and his books, I have to admit, had a huge impact on me and my way of thinking about technology.

Thus by cashless in the Count Zero sense, I mean that cash has ceased to be relevant to monetary policy, become irrelevant to most individuals and vanished from most businesses. As we look to the future, we can begin to ask, quite reasonably, whether developments in digital payment technology and changes in payments and banking regulation will bring us to the point of this kind of cashlessness within, say, a generation. Well, never mind a generation, we’re pretty close to it now as far as I can see. Let’s just say that if you live in Amsterdam, you don’t need cash for the trains and if you live in London you don’t need cash for the coffee shops. No-one is planning or managing this, it’s just happening.

Is this what we want though? This is a form of cashlessness that is too conservative to reap the benefits of a truly cashless economy, too disorganised to rein in the criminal exploitation of cash and too wedded to the symbolism of physical money to switch it off (just as we switched off analogue TV not that long ago). I think that rump cash (and I exclude various categories of post-functional cash from this definition) should be actively managed out of existence.

We need to have a strategy toward cashlessness, and not simply a laissez-faire acceptance that cashlessness will happen to the great benefit of the majority but in a way that excludes and marginalises some.

A recent survey in the UK found that over 75% of low-income households rely on cash, as well as over 80% of elderly households. The shift to cashless society must be planned to help these groups so that they share in the benefits of cashlessness. Having been to China and seen at first hand the operation of a cashless society, I think it obvious that we should learn from their experiences, beginning with the observation that people in China are well aware of what happens when society switches from anonymous cash to electronic payments. As observed in the Financial Times, the “scale of data accumulation is beyond our imagination”. The Chinese woman making that comment — while at the same time observing that despite her concerns about privacy, mobile payments are too convenient to opt out of — goes on to say, rather poetically, that she cannot tell whether her compatriots are “constructing a futurist society or a cage for ourselves”.

Not everyone in China is part of this digital currency revolution, of course. The World Bank Global Findex database, which measures financial inclusion, estimates that as of last year some 200 million Chinese rural citizens remain unbanked, or outside of the formal financial system. As in Sweden, the shift toward cashless is raising issues around exclusion and marginalisation. There are, for example, supermarkets with different lanes for cash or cashless payments that act as a physical manifestation of social stratification between, as Foreign Policy notes, the young and the old and between the urban middle class and those left behind. I’ve written before that we will see the same in developed economies as cash vanishes from middle class life to become the preserve of the rich and the poor who will use it for tax evasion and budgeting respectively.

The response should not be, as in some American cities, to force people to continue to use cash despite the expense, inefficiency and inconvenience, but to find effective digital alternatives for those trapped in a cash economy. I think we should start to plan for this now. I am in favour of Count Zero cashlessness, but I am in favour of it as a policy decision by society that is implemented to meet society’s goals. I couldn’t disagree more with the Wall Street Journal’s view that the move to cashless society “should be left to technological advancement”. No, it should not! This is a matter of great importance and with significant implications for society. The strategy should therefore be set by society, not by technologists.

Now, clearly, technological advances deliver new possibilities to policymakers and it is good for technologists to explore these possibilities. But, as they say, just because something can be done does not mean it should be done. We need a proper debate and a regulatory envelope set out to move forward so that anyone who needs to pay for anything will be able to do so electronically and that anyone who does not want to pay electronically will be presented with a method for paying in cash, albeit one that someone will have to pay for. It’s time to start thinking about what the requirements for that infrastructure are and consulting consumer organisations, businesses and government departments on their needs. We need to make a cashless Britain, not simply allow a cashless Britain.

[An edited version of this piece first appeared in Forbes, 18th August 2020.]

Who needs a digital currency when you have a Coin Task Force?

Well, anyone interested in money or technology or the future will have been following the evolution of Central Bank Digital Currency (CBDC) in China, where the largest state-owned banks have begun testing the “electronic wallet” component of the digital yuan. The tests are being conducted in cities including Shenzhen, which borders Hong Kong. Meanwhile, in America, there’s a Coin Task Force. And it’s been busy urging patriots to return their spare change to circulation by using it for retail transactions because there’s a shortage. According to NPR, “Banks and laundromats are scrambling. Arcades and gumball machine operators are bracing for the worst”. Other sectors are adopting a more European approach (where rounding is common) and some stores are rounding their prices to even dollars or (as is common in London) just giving up on cash completely. But why? Where have the coins gone? The shops have none left and customers can’t be bothered to search down the back of the furniture to find them. Banks, lacking the usual coin deposits from the public, requested coins from the Mint which was unable to produce enough coins (and, in fact, fell short of its usual levels) and… there’s a coin shortage.

America’s coin shortage isn’t a problem, it’s an opportunity to take a step forward.

In developed economies, this sort of thing doesn’t matter. In Australia, for example, tens of millions of coins may never even go into circulation because their Mint has seen “virtually no demand” for coins in 2020 as physical retail closed down. Same in the UK. Even if there was a coin shortage, most people would never notice since pandemic-accelerated cashlessness is pervasive. Everything I want to buy, I can buy with Apple Pay. I never take a wallet out of the house with me, let alone coins.

Problems are opportunities

with kind permission of TheOfficeMuse (CC-BY-ND 4.0)

Frankly, the continued use of pennies and even nickels baffles me. There’s something that economists call “the big problem of small change”. If you’re interested, there’s a very good book about this, which is called “The Big Problem of Small Change”. In essence, the problem is it’s hard to make a living out of producing small change, so no-one does it, so therefore the government has to do it and bear the cost in the interests of the economy. But should they continue to do this in a world of contactless cards and QR codes? The US Mint lost 0.99 cents on each penny it sold in 2019 but continued to produce more pennies than any other coin in circulation!

The Cato Institute says that the case for producing these pointless coins is weak and that they are only minted because lobbyists harness nostalgia and “junk arguments” about rounding. If you are interested in the subject of rounding, there is a very good paper on rounding written by Robert Whaples called “Time to Eliminate the Penny from the U.S. Coinage System: New Evidence” that was published in the Eastern Economic Journal way back in 2007. This confirms the European experience that dumping low-value coins and rounding prices is economically neutral. Rounding is not that complicated! Whaples wrote that a detailed study of convenience stores found the final digit of purchases, which usually involves multiple products and sales tax, was pretty much random so that “if you round it to the nearest nickel, the customer wouldn’t get gouged”. Sometimes you’d round up, sometimes you’d round down. It balances out.

(Here is how they do it in Belgium, where the total amount payable in cash has been rounded up or down to the nearest five cents since December 2019: if the total amount payable in cash ends in one or two cents, it is rounded down to zero, if it ends in three, four, six or seven cents then it is rounded to five cents and if it ends in eight or nine cents then it is rounded up to one euro. As far as I know, Belgian civil society has not collapsed and shops are operating normally under the circumstances.)

Pennies and nickels are scrap metal and a private coin industry would not be able to waste taxpayer cash on subsidising miners to keep producing them. And if you think I’m exaggerating by calling coins “scrap” then you should, as the man says, follow the money. Which in this case goes to China. I remember reading a fascinating news story about this a few years ago, which really set me thinking. The story concerned two Chinese people who were arrested in Denmark after they tried to exchange a hoard of scrap Danish coins that were mistaken for counterfeits. I thought it was a pretty unusual incident and I mentally filed it away to use as a conference anecdote, but then I spotted another similar case in which two Chinese tourists were arrested in France for suspected forgery after trying to pay a hotel bill in coins. The police found 3,700 one-euro coins in their room! The men said they had got the money from scrapyard dealers in China, who often find forgotten euros in cars sent from Europe. This tallied with the Danish story. Sufficiently large amounts of coins from Europe end up as scrap that it makes for a worthwhile enterprise (in China) to collect up these coins and ship them back here to use! Not all the coins coming from China are real though. I remember when the Italian police discovered half a million counterfeit euro coins in a container. Hardly surprising, because if container-loads of coins are coming out of China, then it’s inevitable that this trade will attract counterfeiters. And this gave me an idea.

I don’t know if the US Coin Task Force has been thinking out of the box, but may I suggest that they make a virtue out of necessity. Since the Chinese counterfeiters can presumably produce these coins at a lower cost than collecting them as scrap metal (otherwise they wouldn’t make them, they’d just collect them), why doesn’t the US Mint just stop producing coins above face value and sending them for scrap and instead let the Chinese counterfeits circulate in their place? Think about it. It costs the US Mint two cents to make a penny that no-one cares is real or not. So why bother? If the Chinese can produce one for half a cent, ship it to the US in a container and make a profit of 0.2 cents on it, then let them and let the US Mint do something more useful instead: $1 coins. There is no $1 note in Canada, no £1 note in the UK, no €1 note in Europe. There are already more $100 bills in circulation than $1 bills, so let the $1 bill die a long overdue death and replace it with the more cost-effective $1 coin instead. A decade ago, the GAO calculated that the replacement of dollar bills with dollar coins would save an estimated $5.5 billion in costs over a generation. It’s time.

[This is an edited version of an article that first appeared on Forbes, 24th August 2020.]

The great Chinese money experiment is over

The Chinese were first with the great transition from commodity money to paper money. They had the necessary technologies (you can’t have paper money without paper and you can’t do it at scale without printing) and, more importantly, they had the bureaucracy. In 1260, the new Emperor Kublai Khan determined that it was a burden on commerce and a drag on taxation to have all sorts of currencies in use, ranging from copper coins to iron bars, to pearls to salt to gold and silver, so he decided to implement a new currency. The Khan decided to replace metal, commodities, precious jewels and specie with a paper currency. A paper currency! Imagine how crazy that must have sounded!

China and paper money

with kind permission of TheOfficeMuse (CC-BY-ND 4.0)

Just as Marco Polo and other medieval travellers returned along the Silk Road breathless with astonishing tales of paper money, so modern commentators (e.g., me) came tumbling off of flights from Shanghai with equally astonishing tales of a land of mobile payments, where paper money is vanishing and consumers pay for everything with smartphones.

China was first in to paper money and eight hundred years later looks like being first out of it.

This thinking has been evolving for some time. Back in 2016, the Governor of the People’s Bank of China (PBOC), Zhou Xiaochuan, set out the Bank’s thinking about digital currency, saying that it is an irresistible trend that paper money will be replaced by new products and new technologies. He went on to say that as a legal tender, digital currency should be controlled by the central bank and after noting that he thought it would take a decade or so for digital currency to completely replace cash in China, he went on to state clearly that the bank was working out “how to gradually phase out paper money”. Rather than simply let the cashless society happen, which may not lead to the optimum implementation for society, they were developing a plan for a cashless society.

As I have written before, I don’t think a “cashless society” means a society in which notes and coins are outlawed, but a society in which they are irrelevant. Under this definition the PBOC could easily achieve this goal for China. But how will they do it? I got a window into the tactics when I listened to Kevin C. Desouza (Professor of Business, Technology and Strategy in the School of Management at the QUT Business School, a Nonresident Senior Fellow in the Governance Studies Program at the Brookings Institution and a Distinguished Research Fellow at the China Institute for Urban Governance at Shanghai Jiao Tong University), someone who has pretty informed perspectives. I heard him in conversation with Bonnie S. Glaser (senior adviser for Asia and the director of the China Power Project at the Center for Strategic and International Studies, CSIS) on the ChinaPower PODCAST. Kevin and Bonnie were discussing China’s plan to develop a Central Bank Digital Currency (CBDC). I have looked at China’s CBDC system (the Digital Currency/Electronic Payment, DC/EP) in some detail and have speculated on its impact myself, so naturally I wanted to double-check my views (coming from a more technological background) against Kevin and Bonnie’s informed strategic, foreign policy perspective.

One particular part of their discussion concerned China’s ability to advance in digital currency deployment and use because of the co-ordinated plans of the technology providers, the institutions and the state. The technological possibilities are a spectrum, there are a wide variety of business models and there are many institutional arrangements to investigate, balance and optimise. Take, for example, the specific issue of the relationship between central bank money and commercial bank money. Yao Qian, from the PBOC technology department wrote on the subject in 2017, saying that to “offset the shock” to commercial banks that would come from introducing an independent digital currency system (and to protect the investment made by commercial banks on infrastructure), it would be possible to “incorporate digital currency wallet attributes into the existing commercial bank account system” so that electronic currency and digital currency are managed under the same account.

This rationale is clear and, well, rational. The Chinese central bank wants the efficiencies that come from having a digital currency but also understands the implications of removing the privilege of money creation from the commercial banks. Thus you can see the potential problem with digital currency created by the central bank, even if it is now technologically feasible for them to do so. If commercial banks lose both deposits and the privilege of creating money, then their functionality and role in the economy is much reduced. Whether you think that is a good idea or not, you can see that it’s a big step to take. Hence the PBOC position, reinforced by Fan Yifei, Deputy Governor of the People’s Bank of China, writing that the PBOC digital currency should adopt a “double-tier delivery system” which allows commercial banks to distribute digital currency under central bank control. I don’t doubt that this will be the approach adopted by the Federal Reserve when the US eventually decides to issue a digital dollar, which is why we in the West should be studying it and learning from it.

I’m fascinated by China’s long experiment with paper money and its imminent demise. This will come about not because of Bitcoin or Libra but because the PBOC has been strategic in its thinking and tactical in its governance, co-ordinating practical solutions that will make digital currency work to the benefit of the nation. Their comments on the topic from 2016 to now have been consistent. Digital currency is coming and China will take the lead in digital currency just as it did in digital paper currency.

[This is an edited version of an article that first appeared on Forbes, 9th August 2020.]

What fintech revolution?

You may have missed World Fintech Day this year. It was 1st August, a date chosen by (amongst others) my good friend Brett King. It was a day to take some time to congratulate an industry that has achieved… well, what exactly? What is there to celebrate when the truth is that we haven’t yet had a fintech revolution or anything like one. The “challenger banks” are just banks, they haven’t brought new business models or changed market dynamics.

If you think I’m being harsh, take a look at this survey of almost 800 companies that has just ranked financial services as one of the least innovative sectors of the economy! We all expect the pharmaceutical companies, to pick an obvious example, to be more innovative than banks. And according to this survey, they are. But even the textile industry is more innovative than banking, where business models and the cost of intermediation (which I would see as being a key measure of productivity) haven’t changed for generations. Yes, fintech has brought financial services to hundreds of millions of people in developing markets, but it has yet to transform developed markets.

Why has nothing happened?

Well, there’s a story that I tell at seminars now and then about a guy who was retiring from a bank after spending almost his entire working life there (I heard the story a couple of times from a couple of different people but as far as I know its earliest written form is in Martin Mayer’s excellent book “The Bankers”).

The guy in question had risen to a fairly senior position, so he got a fancy retirement party as I believe is the custom in such institutions. When he stepped up on stage to accept his retirement gift, the chairman of the bank conducted a short interview with him to review his lifetime of service.

He asked the retiree “you’ve been here for such a long time and you’ve seen so many changes, so much new technology in your time here, tell us which new technology made the biggest difference to your job?”

The guy thought for a few seconds and then said “air conditioning”.

It’s a funny story, but it’s an important story because it includes a profound truth. Robert Gordon’s magisterial investigation of productivity in the US economy “The Rise and Fall of American Growth”, shows very clearly that the introduction of air conditioning did indeed lead to a measurable jump in productivity, clearly visible in the productivity statistics. Of course, other technologies led to improvements in the productivity of banks and the wider financial services sector. Computers, for example. But it took a while for them to transform anything (we all remember Robert Solow’s 1987 “productivity paradox” that computers were everywhere except for the productivity statistics) and the figures seem to show that those improvements slowed to a standstill a couple of decades ago.

Pinkcard

with kind permission of TheOfficeMuse (CC-BY-ND 4.0)

In the last decade, the smart phone revolution does not seem to have been accompanied by any increase in productivity at all and it’s not just because half the workforce are playing Candy Crush and the other half are messing around on Instagram instead of doing any useful work. It is, as Gordon notes, because the technologies are being used to support existing products, processes, regulation and institutional structures rather than to create new and better ways of delivering financial services functionality into the economy. So while there are individual fintechs that have been incredibly successful (look at PayPal, the granddaddy of fintechs that is going gangbusters and has just had its first five billion dollar quarter), fintech has yet to fulfil its promise of making the financial sector radically more efficient, more innovative and more useful to more people.

I can illustrate this point quite simply. While I was writing the piece, I happened to be out shopping and I went to get a coffee. I wanted a latte, my wife wanted a flat white. While I was walking toward the coffee shop, I used their app to order the drink. The app asked which shop I wanted to pick up the drinks from, defaulting using location services to the one that was about 50 yards away from me. Everything went smoothly until it came to payment. The app asked me for the CVV of my selected payment card, which I did not know so I had to open my password manager to find it. After I entered the CVV, I then saw a message about authentication. What a member of the general public would have made of this I’m not sure, but I knew that the message related to the Second Payment Services Directive (PSD2) requirement for Strong Customer Authentication (SCA) that was demanding a One Time Password (OTP) which was going to be sent via the wholly insecure Short Message Service (SMS). Shortly afterwards, a text arrived with a number in it and I had to type the number in to the app. The internet, the mobile phone and the app had completely reinvented the retail experience whereas the payment experience was authentication chromewash on top of a three digit band-aid on top of a card-not-present hack on top of a 16-digit identifier on a card product that was launched in a time before the IBM 360 was even thought of.

Thomas Philippon of the Stern School at NYU carried out a very detailed analysis of the US financial sector back in 2014 and found that the unit cost of financial intermediation was around 1.87% on average (which is a lot of money). This adds up to a significant chunk of GDP. Indeed, calculations seem to indicate that the finance sector consumes about 2% excess GDP. What’s more, these costs do not seem to have decreased significantly in recent years, despite advances in information technology and despite changes in the organization of the finance industry. Earlier World Bank work looking at the impact of bank regulations, market structure, and national institutions on bank net interest margins and overhead costs using data from 1,400 banks across 72 countries tells us why: tighter regulations on bank entry and bank activities increase the cost of intermediation.

To put it crudely, Moore’s Law and Metcalfe’s Law are overcome by the actual law and the costs of KYC, AML, CTF, PEP, Basle II, MiFID, Durbin and so on and so forth climb far faster than costs of transistors fall. This observation in fact shows us the way forward. As technology has driven down the costs of computing and communications, the cost of shifting bits around has collapsed. But financial services is — as it should be — heavily regulated and the costs of that regulation have rocketed. The net result is that fintech has not brought about a revolution. If there is going to be such a revolution, if new technology is allowed to create new business models and new market structures, and if those new structures are to reduce the costs of intermediation, then we need the regulators to create the space for innovation. And perhaps, just perhaps, they have: open banking is the first step on an open data road that may ultimately not only revolutionise payments, banking and credit but… everything.

Banking Bubbles no attribution

@dgwbirch The Glass Bank (2020).

We all understand that the future competitive landscape is about data, so the regulators can make a more innovative platform for enterprise by opening up access to it and then providing new kinds of institutions to curate it (such as the Payment Institution in the European Union and the Payment Bank in India). This kind of regulatory innovation may allow fintech to deliver what it promised and lay the groundwork for some actual challengers. So, this World Fintech Day, let’s celebrate fintech for what it is going to bring as we move forward into the open banking era, not for what it has achieved so far.

[An edited version of this piece first appeared in Forbes, 1st August 2020.]

On the internet, no-one knows you’re a toaster

The pop singer Gwen Stefani had a husband who was intimate with the family’s nanny. He reportedly recorded some amorous adventures on his iPhone, no doubt to act as a comfort in his later years. Unfortunately, he’d either forgotten about iCloud or couldn’t work out how to configure it correctly (as I can’t) with the dramatic consequence that the screen saver on Gwen’s iPad was transformed from a selection of treasured family snapshots into a flick book version of Pornhub.

Connecting everything on the Internet has unexpected consequences and they are getting worse. With the Economic Times estimating that there are already some 50 connected devices per household, we have a problem that is spiralling out of control. A recent real-world test of more than a million IoT devices found that almost all of the traffic they sent was unencrypted, exposing huge quantities of personal and confidential data to potential attackers, and that networks were mixing IoT devices with other technology assets (laptops, desktops, mobiles etc) to create vulnerabilities on both sides.

A generation on from the famous “on the Internet nobody knows you’re a dog” cartoon that became a staple of management consultants’ presentations ever after, the situation is now far worse. Never mind no-one knowing whether you’re a dog, no-one knows whether you’re a toaster. Or a toaster pretending to be a dog. Or agents of a foreign power pretending to be a toaster pretending to be a dog that is intent on bringing down our online economy. If the Internet of Things (IoT) is going to be a platform for embedded financial services, then it will need a serious security makeover.

Specialized elements of hardware and software, connected by wires, radio waves and infrared, will be so ubiquitous that no one will notice their presence

From The Computer for the 21st Century – Scientific American

That was Mark Weiser’s prediction of the Internet of Things from 1991. It seems pretty accurate, and a pretty good description of where we are headed. This is a world in which computers (and financial services) vanish from view and are instead part of the warp and weft of everyday life. What I’m not sure Mark could have predicted is what a total mess it all is.


Toaster and dog, with kind permission of TheOfficeMuse (CC-BY-ND 4.0)

Whether it’s wireless kettles or children’s toys, it’s all being hacked. Adding mass market, inexpensive and insecure devices to a global network is taking us into uncharted territory when it comes to risk. I recall that, following the last massive Internet outage caused by a “botnet”, a number of commentators remarked how odd it is that a network designed to withstand nuclear war could be disrupted so badly by toasters, nanny cams and video recorders. And that seems a fair, and rather damning, point to make about the nature of our infrastructure.

If you’re wondering, by the way, a botnet is a collection of devices (computers, toasters, cameras and anything else that can be reached through the interweb tubes) that have fallen under the control of some third party and can then be used in a massed and concerted fashion either for good (e.g., searching for radio signals that might indicate extraterrestrial life) or evil (e.g., overloading bank web sites so that customers can’t get through). Just to indicate the scale, a botnet “denial of service” attack against a European bank last month managed to marshall enough devices to hit the bank’s web site with 800 million requests per second, overwhelming its defences and making it impossible for the bank’s customers to access their accounts.

This does not look good for the future. Sooner or later a cyberspace Covid 3.0 will come along and then we are really in trouble. There’s no possibility of social distancing online because we’ve gone berserk connecting things up but we’ve overlooked how to disconnect them. Or, in bumper sticker form for the modern electorate, I might be tempted to paraphrase that doors are easy, locks are hard.

Anyone can connect their kettle, car or children to the Internet. And it’s tempting to do it just because it can be done. But keeping them secure? That’s another and altogether more difficult problem. If we are going to make the IoT a platform for financial services, if we have a vision of luggage that can sort out least-cost routing and lightbulbs that can trade energy derivatives and cars that can buy their own insurance then we’re going to have to pause for breath and rethink the platform, because that toaster botnet is only the beginning.

The toaster botnet mentioned above is a work of art. It involves the use of malicious software that wanders the highways and byways of the internet looking for devices that have been connected but do not have security defences in place. As it happens, this turns out to be almost all of them. Either the password has been set to “password” or some other easily remembered — and therefore easily guessed — word, or there’s no password at all, or there’s a bug in the software that can be exploited.

This latter category is especially vexing. Suppose it turns out that my smart toilet (these do exist by the way – I have photographic evidence) has been shipped from Korea with an old version of software that the hackers can easily exploit. Now my toilet is going to need patching and then upgrading. But supposing the facilities to patch and upgrade my toilet do exist (“do not flush – upgrade in progress – download complete in 22 minutes”), how will the manufacturers persuade me to do this? What if the manufacturers have gone out of business? What if the upgrade is itself a trick designed to subvert my toilet for the amusement or profit of Eastern European hackers?

Leaving it up to consumers will not work. We cannot trust the populace to configure their smart device firewalls any more than we can trust pop stars to configure their iCloud, so selling toasters that can be hacked (even if it is by the CIA) ought to become as unthinkable as selling cars without seatbelts. The noted security expert Bruce Schneier (one of the key thinkers in this space) has rather eloquently likened IoT’s market failure (which is that I don’t care that my toaster is insecure and is bringing down your bank, and neither does the manufacturer – it’s cheap and it works) to a kind of post-industrial pollution.

(I made a podcast with Bruce around a decade ago and can tell you straight that he has already forgotten more about computer security than I will ever learn — and is also a very nice guy. From what I know of the topic he is of course completely correct: this market failure not only means we have no real security at present, it means that things can only get worse.)

As Bruce pointed out in his excellent book “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World”, we are now in a situation where the lack of any security infrastructure means that anything that can be connected to the internet can be hacked. And since everything is connected to the internet, everything can be hacked.

The externality that Bruce highlights can only be fixed by society as a whole and, as unfashionable as that might be, that means regulation. It’s time to begin a conversation about what that regulation might be, before it’s too late. California’s SB-327 that requires manufacturers to set different passwords for devices is a good example of what’s needed, but it’s only a start. As the Business Software Alliance’s recently-published principles for “Building a Secure and Trustworthy IoT” say, security policies should “incentivise” security through the IoT life cycle. That means a different mindset and it’s a mindset that sees the need for an infrastructure.

There is no doubt in my mind that we should prioritise innovation and experiment here because the truth is that just as financial services need identity infrastructures for people (IDs), so next-generation financial services will need identity infrastructures for IoTs (IDIoTs).

[This is an edited version of an article that first appeared on Forbes, 12th July 2020].

The future of money? Back to social anthropologists again

In my book “Before Babylon, Beyond Bitcoin” I made the point that I had turned to the work of social anthropologists to help me to make sense of the impact of new technology on money and the relationship between social, economic, business and technological pressures on the various functions of money. I found the perspectives of the discipline indispensable in formulating scenarios for the future that would be useful for banks and others developing their strategies. This is why I was absolutely delighted to be invited to the European Association of Social Anthropologists (EASA) Annual Conference 2020. I’m going to take part in Panel 057, “Digital encounters, cashless cultures: Ethnographic perspectives on the impact of digital finance on economic communities”.

This panel explores new approaches towards value, economy, money, debt, finance and fiscal relations. In doing so, it discusses how global turns towards digital finance (e.g. mobile wallets; credit and debit cards) impact cash dependent and marginalized groups, communities and families worldwide. I’m particularly interested in following the narratives around these issues because, as I have long maintained, we need to begin to develop strategies toward cashlessness rather than simply allow cashlessness to happen and we need to develop strategies for bringing new kinds of money into existence to serve society more effectively than the current international monetary and financial system does. I am not smart enough to know what all of those strategies should be, although I am smart enough to know that they require knowledge that is far beyond that of the technology and the business model, so I am genuinely keen to learn.

Just to show the variety of topics that will be discussed, here is the list of papers in the session:

  • Economy of lies: Drunk husbands, digital savings and domestic workers in Kolkata, India.

  • Cutting the wire: financial exclusion and online work among Syrians in Lebanon.

  • Debt economies as urban survival strategies in the collapsed economies: examples from post-Soviet economies and Turkey compared

  • Spheres of exchange 2.0: Conversions and conveyances in Bitcoin economy.

  • Accessing Cash(lessness): Cash-dependency, Digital Money and Debt Relations Among Homeless Roma in Denmark.

  • Self-making stories: Accounts of cryptocurrencies from the ground

  • An ethnography of unsettled debt. Cashlessness and betrayal in Brazil.

  • An ethnography of Italian Bitcoin Users.

  • Coercive Political Economies, the Anthropology of Risk and Social Financing. Ethnographic notes from North India (Rajasthan).

  • Banking on digital money: Swedish cashlessness and the fraying currency tether.

The authors of the papers in this session have produced a series of blogs that explore a fascinating variety of perspectives on money and what it means, from financial inclusion and cashlessness to risk and cryptocurrencies, that will certainly add significant input to the debates that I am involved in around digital currency. In particular, the social anthropologist perspective will help me to explore the key question of whether digital currency will be driven forward by evolution or intelligent design. Are we going to use new technology merely as a band-aid to cover up the flaws in the existing system or are we going to do something different?

(Ozark Series 3, Episode 1. Mom “Mining virtual gold isn’t a real job”. Son “You know that all money is imaginary, right?”)

J.P. Koning came up with a lovely way of thinking about this, with the added bonus of evocative imagery and a core analogy that holds true: money is indeed imaginary. As he put it, “Like Inception, our monetary system is a layer upon a layer upon a layer… Monetary history a story of how these layers have evolved over time”. Great movie, with the wonderful line “yes, but how did you get here”. Physiology recapitulates phylogeny, as they (used) to say. In other words, the structure of the monetary system shows its evolution, just like our knees do. It did not arise by intelligent design. In fact, quite the contrary: it demonstrates some pretty unintelligent design on a daily basis (like having people instruct speed of light instant payment transfers by typing in account numbers and sort codes).

Things, however, could be about to change. Suppose that we apply intelligent design to create forms of money that are grounded in a world of mobile phones and shared ledgers and such like to operate in a fundamentally more efficient way? Then what would that money look like? That’s precisely what we should be listening to social anthropologists about! In intelligent design, we ought to start out by deciding what is best for society as a whole rather than what is best for (say) banks. We want to have regulations that are good for society but we do not want regulations that are expensive, beyond cost-benefit analysis and a burden on stakeholders. Nor do we want regulations, as we have now, that have spiralling costs with no end in sight. We might ask, for example, in the case of America whether it makes sense to have one virtual currency regulator or 50?

In this case the current sub-optimal situation is, I would imagine, a byproduct of state regulation of banks and it perpetuates because regulators at the state level mistakenly imagine money to be something to do with banking. And, I suppose, they are currently underemployed, what with everything being so stable and efficient in the financial services world. Our first step to a better system, then, is not based on fintech but on regtech and co-ordinated efforts to make ‘sustainable asset classes more investible at lower cost’. If we look at the pattern of the co-evolution of money and technology what we see (yes I know this is a gross simplification) is a history of sustainable asset classes as a mechanism for deferred payment that in time become a store of value and then a means of exchange. The means of exchange then becomes a currency that denominates other transactions.

If that is a useful model to work with, then what would these assets be? In the article referenced above, Richard Roberts goes on to identify candidate currencies based on “flows”, which is a useful way of thinking. He points to four key flows — you could also think of them as currencies — that he believes will underpin the next economy: money, data, carbon and genes. This accords with another perspective that I have written about before, the Long Finance perspective. In Gill Ringland’s examination of plausible financial services scenarios for 2050, she talks about the key assets being a person’s identity, credit rating and parking space (alluding to a new demographic asset class of residence). I think that there will be many more currencies, because I see currencies linked to communities, but I agree with the general thrust, so let’s imagine that there is a framework in place for creating the currencies (a privacy-enhancing framework with all sorts of goodies such as homomorphic encryption and zero-knowledge proofs baked in to it) and that it has been intelligently designed to meet the goals of society.

Now this is where fintech (in the form of digital assets that can be traded without clearing and settlement) comes into things, by answering some of the questions and solving some of the problems set out by the authors in my EASA session. Not the problem of helping college kids in San Francisco to split a bar tab without talking to each other, the problem of helping everyone (and I mean everyone) to better financial health through better management of assets. One way will be to turn investible assets into money (or, at least, new kinds of assets that function in money-like ways in certain circumstances). This seems to me to be a much more realistic vision of the future than the “Star Trek” alternative, even though I do enjoy that version:

One of my favorite moments from Star Trek is in ST IV: The Voyage Home, when Kirk and the gang are stranded in 1980s San Francisco. They try to board a Muni bus and are promptly turned away.

Spock: What does it mean, “exact change”?

Kirk: They’re still using money. We need to find some.

Not only is money a foreign concept to the crew, it’s so foreign they didn’t even remember it was used in the Twentieth Century.

From Why Star Trek’s Future Without Money Is Bogus — Brain Knows Better

It’s tempting to imagine a post-scarcity future where money (as a system for allocating scarce resources) has vanished and the vast communist galactic super state takes care of everyone’s needs. But like the writer here, I don’t buy it. Some things will always remain scarce and desirable, like your attention span, and money will remain necessary. But it won’t be the same money that we have today. And if you want to see how it might be different, then come and join me tomorrow in listening to some perspectives that go far beyond technology to deliver important ideas about the future of money.

All the news that’s fit to ID

I came across an interesting story via my old chum Charles Arthur’s consistently interesting “Overspill” blog. The story concerns one Oliver Taylor, a student at England’s University of Birmingham. From his picture, he appears to be a normal-looking twenty-something. From his profile he appears to be a coffee-loving politics junkie with an interest in anti-Semitism and Jewish affairs, with bylines in the Jerusalem Post and the Times of Israel.

Why is this interesting? For two reasons. First of all because I was involved in an interesting Twitter debate with two thoughtful identity commentators, Tim Bouma and Jonathan Williams during which this issue of “anonymous” contributions to newspapers happened to come in to the conversation and it made me think about the same issues as Charles’ story. Tim had mentioned writing for a newspaper that had kept his real name off of his stories, and I responded that if they knew who you were, then you were not anonymous.

Secondly, because Oliver’s picture was created by an AI. It’s a fake face that doesn’t belong to any living human being. It was composed to be a human face that any of us would be able to recognise and distinguish, but it is entirely synthetic.

Oh, and Oliver doesn’t exist.

Charles notes that “two newspapers that published his work say they have tried and failed to confirm his identity”. But wait. Shouldn’t newspapers try and fail to confirm someone’s identity before they publish a story?

Well, no. That doesn’t work. What about whistleblowers? What about privacy in general? If the newspaper knows who Tim Bouma is then his personal data is at risk should the newspaper be compromised or co-opted. There seems to be a conflict between newspapers wanting honest opinions and newspapers needing to know identities, even if they are hopeless at telling a real identity from a fake one.

The way out of this dead end is to understand that what the newspaper should be checking for this kind of story is not the identity of the correspondent but their credentials. It doesn’t matter who Oliver Taylor is, it matters what Oliver Taylor is. It ought to be part of our national digital identity strategy (which we don’t have) to create a National Entitlement Scheme (NES) instead of some daft 1950s throwback digitised version of a national identity card. In the NES, it then becomes part of the warp and weft of everyday life for a correspondent with something interesting to say to use his persistent pseudonym “Oliver” to post his comments along with his anonymous IS_A_PERSON credential and his anonymous IS_A_STUDENT (BIRMINGHAM) credential.

That way, the newspaper gets the information it needs to obtain a story of interest and perhaps worth publishing, while even if they are socially-engineered by genius hackers, they cannot disclose the real identity of the correspondent because they don’t know it. The mention of social-engineering, by the way, brings into focus the recent Twitter hack. What’s generally true for newspapers is generally true for Twitter: who I am is none of their business, something I have written about at exhausting length before.

Incidentally, it doesn’t take hackers to obtain personal information from a platform because as I am sure you will recall, two of Twitter’s former employees have been charged in the US with spying for Saudi Arabia. The charges allege that Saudi agents sought personal information about Twitter users including known critics of the Saudi government. If Twitter doesn’t have your personal information, then it can’t be leaked, stolen or corrupted.

There is a way forward, and cryptography can deliver it using tried and tested (albeit counterintuitive) techniques.
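
One such technique is the Chaum-style RSA blind signature, sketched here as an added example (it is not from the original article, which does not name a specific scheme): the university checks enrolment against a real identity but signs only a blinded value, so the newspaper can verify an IS_A_STUDENT (BIRMINGHAM) credential for the pseudonym “Oliver” without anyone being able to link it to a name. The toy key, the enrolment record `student-0001` and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key that the issuer (the university) dedicates to one
# attribute: IS_A_STUDENT (BIRMINGHAM). The primes are the Mersenne primes
# 2^127-1 and 2^89-1, which are far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the issuer

# Constructed enrolment register, keyed by REAL identity (issuer side only).
ENROLLED = {"student-0001"}


def token(pseudonym: str, nonce: bytes) -> int:
    """Credential token: hash of the pseudonym and a holder-chosen nonce."""
    digest = hashlib.sha256(pseudonym.encode() + b"|" + nonce).digest()
    return int.from_bytes(digest, "big") % N


def blind(pseudonym: str, nonce: bytes) -> tuple[int, int]:
    """Holder: hide the token behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (token(pseudonym, nonce) * pow(r, E, N)) % N
    return blinded, r


def issuer_sign(real_identity: str, blinded: int) -> int:
    """Issuer: check the real person is enrolled, then sign the blinded value.

    The issuer sees who is asking, but not the pseudonym or the token.
    """
    if real_identity not in ENROLLED:
        raise PermissionError("not an enrolled student")
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Holder: strip the blinding factor, leaving a signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N


def newspaper_verify(pseudonym: str, nonce: bytes, sig: int) -> bool:
    """Verifier: needs only the issuer's public key (N, E), never a name."""
    return pow(sig, E, N) == token(pseudonym, nonce)


def demo() -> dict:
    nonce = secrets.token_bytes(16)
    blinded, r = blind("Oliver", nonce)
    sig = unblind(issuer_sign("student-0001", blinded), r)
    return {
        "accepted": newspaper_verify("Oliver", nonce, sig),
        "forged_rejected": not newspaper_verify("Oliver", nonce, (sig + 1) % N),
        "issuer_saw_token": blinded == token("Oliver", nonce),
    }


if __name__ == "__main__":
    print(demo())
```

This covers issuance and verification only. A deployed scheme would also have the correspondent prove control of the pseudonym, for example by hashing a pseudonym public key into the token and signing each submission with it.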