Apple Pay whatever, Apple ID wowza

We’re all familiar with Apple Pay and Google Pay and how much easier (and more secure) they make online commerce. It would be nice if this security were to be extended to online interactions of all kinds, not only payments. I think this is not that far away. Apple has recently registered a number of patent claims across the general field of “verified claims of identity” which quite rightly attracted some attention. In July, they filed an application with the U.S. Patent & Trademark Office that describes the technology it is trying to develop to replace traditional driver’s licenses, passports and varied ID cards for government purposes or access to private property. I think these applications are really important and that the fact that Apple wants to control the means of presenting and verifying “identity” through devices, including iPhones, is a signal to the industry that the wallet wars are about to heat up.

What's in your wallet?

If I look in my wallet, most of the stuff in there is nothing to do with payments.

If Apple or Google want to replace my wallet, that means that they have to replace my driving licence, my loyalty cards, my rail discount pass, my blood donor card, my AA membership… well, you get the point. And in the real world, I only have twenty or thirty of those cards but in the virtual world I have hundreds if not thousands. Replacing the payment cards was easy. Replacing the identity cards is hard. But in the long term, it’s much more valuable.

It would be nice if the security and convenience of the digital wallets were to be extended to online interactions of all kinds, not only payments. Perhaps this is not that far away. We already use them to make online access easier. If I’m signing up for a new service (eg, when I signed up for the New York Times recently) then I’ll look for the “sign in with Apple” button first and only if the web site does not support it will I then select “sign in with Google” (after first remembering to log in to my “John Doe” Google account). But this is about authentication, not identification. Apple told the New York Times that I am “blahblahblah@blah.apple.com”, not that I am David Birch or that I am over 21 or that I am a UK resident or whatever.

Frankly, it’s about time. The lack of a digital identity infrastructure is a big problem in an online world and it has to get fixed, whether by governments, financial institutions, specialist players or someone else. Since governments, banks, telcos and others have not fixed the problem (at a level of global interoperability comparable to the internet and mobile phones), it looks as if someone else is going to have to do it.


At the time of writing, Apple are advertising a vacancy in Cupertino for a product manager for identity. The job description posted is for a “top-flight identity product professional with industry experience in physical and digital identity to join us on the journey of replacing the physical wallet”. Maybe Apple is going to be the someone else who is going to deliver mass market digital identity.

They can do it, and I’m hardly the only person to have said this. A couple of years ago here in Forbes, for example, Panos Mourdoukoutas predicted that Apple’s next big revenue source wouldn’t be another device, but the “monetization of the ID Apple assigns to its customers”. This prediction, I should stress, was not especially radical or unusual. Indeed, back in 2016 I was working on the strategic assumption that this was an inevitable direction. I wrote at the time that “it is a very short step from Apple Pay to Apple ID, where revocable identification tokens are loaded into the tamper-resistant hardware”. This was hardly a mystical prediction. I was merely building on the obvious fact that if the “secure enclave” inside an iPhone is safe enough to store payment tokens then it is safe enough to store a variety of the virtual identities that I will need in the online future. I had already written, back in 2015, that if my “Apple ID” provides a convenient mechanism for mutual recognition in person and online, it will be indispensable in short order.

(Without getting distracted by technical details, it is important to note that what Apple appear to envisage is that a device — such as an iPhone, to highlight the obvious example — will be storing credentials obtained from a variety of sources. My hope is that Apple, Google and others support an interoperable standard — W3C Verifiable Credentials (VC), to highlight the obvious example — so that credential providers and users will move to authorisation-based transactions as soon as possible.)

So the idea that the platforms might step in and provide the digital identities that will be crucial to our online existence — because banks, governments and others have not — is not what is new. What is new, and why we are talking about identity now, is the coronavirus and the extent to which it has both illustrated the problems caused by not having digital identities and accelerated the drive toward workable solutions. Suddenly we are having to figure out not only how to shop and bank online but how to work, learn, visit the doctor, vote (to pick a very current and contentious example) and access government services online. In the UK, as in the USA, we don’t yet have anything like the infrastructure needed to do this, so we end up with costly and imperfect silo solutions.

My point is that we need to put some serious thought into developing a digital identity infrastructure. And we must think about how that infrastructure will evolve and develop. Does the USA want a system as in China, where you have a single identity that must be used to do everything and the government knows what you are doing at all times? That has some interesting consequences! For example, for years the government there has been trying to stop kids from playing too many video games. Now the Chinese have ruled that anyone wanting to play a game must log in using a state-run authentication system that is rolling out this month.

Now, that may be the right way to run a country or the wrong way. That’s not my point. My point is that we need to think about the problem and make some choices about what we want, because if you think that digital identity is just about making it easier to log in to your bank, you are wrong. Should the government know that you have logged in to your bank? Should Apple know that I am playing Fortnite? Should Facebook know that you are voting online? How exactly can we design an infrastructure to deliver both privacy and security? These are serious questions: digital identity is the foundation of existence in an online society, and the choices that are made about how those identities work will be fundamental to how that society is going to work in the future. We need to begin this discussion now.

[This is an edited version of an article first published on Forbes, 29th August 2020.]

All the news that’s fit to ID

I came across an interesting story via my old chum Charles Arthur’s consistently interesting “Overspill” blog. The story concerns one Oliver Taylor, a student at England’s University of Birmingham. From his picture, he appears to be a normal-looking twenty-something. From his profile he appears to be a coffee-loving politics junkie with an interest in anti-Semitism and Jewish affairs, with bylines in the Jerusalem Post and the Times of Israel.

Why is this interesting? For two reasons. First of all, because I was involved in an interesting Twitter debate with two thoughtful identity commentators, Tim Bouma and Jonathan Williams, during which this issue of “anonymous” contributions to newspapers happened to come into the conversation, and it made me think about the same issues as Charles’ story. Tim had mentioned writing for a newspaper that had kept his real name off his stories, and I responded that if they knew who you were, then you were not anonymous.

Secondly, because Oliver’s picture was created by an AI. It’s a fake face that doesn’t belong to any living human being. It was composed to be a human face that any of us would be able to recognise and distinguish, but it is entirely synthetic.

Oh, and Oliver doesn’t exist.

Charles notes that “two newspapers that published his work say they have tried and failed to confirm his identity”. But wait. Shouldn’t newspapers try and fail to confirm someone’s identity before they publish a story?


Well, no. That doesn’t work. What about whistleblowers? What about privacy in general? If the newspaper knows who Tim Bouma is then his personal data is at risk should the newspaper be compromised or co-opted. There seems to be a conflict between newspapers wanting honest opinions and newspapers needing to know identities, even if they are hopeless at telling a real identity from a fake one.

The way out of this dead end is to understand that what the newspaper should be checking for this kind of story is not the identity of the correspondent but their credentials. It doesn’t matter who Oliver Taylor is; it matters what Oliver Taylor is. It ought to be part of our national digital identity strategy (which we don’t have) to create a National Entitlement Scheme (NES) instead of some daft 1950s throwback digitised version of a national identity card. In the NES, it then becomes part of the warp and weft of everyday life for a correspondent with something interesting to say to use his persistent pseudonym “Oliver” to post his comments along with his anonymous IS_A_PERSON credential and his anonymous IS_A_STUDENT (BIRMINGHAM) credential.

That way, the newspaper gets the information it needs to obtain a story of interest and perhaps worth publishing, while even if they are socially engineered by genius hackers, they cannot disclose the real identity of the correspondent because they don’t know it. The mention of social engineering, by the way, brings into focus the recent Twitter hack. What’s generally true for newspapers is generally true for Twitter: who I am is none of their business, something I have written about at exhausting length before.

Incidentally, it doesn’t take hackers to obtain personal information from a platform because, as I am sure you will recall, two of Twitter’s former employees have been charged in the US with spying for Saudi Arabia. The charges allege that Saudi agents sought personal information about Twitter users including known critics of the Saudi government. If Twitter doesn’t have your personal information, then it can’t be leaked, stolen or corrupted.

There is a way forward, and cryptography can deliver it using tried and tested (albeit counterintuitive) techniques.

Don’t listen to technologists (eg, me) listen to the anthropologists

I thoroughly enjoyed the FS Club discussion with eminent futurologists looking back on their predictions from the year 2000 (and learning from them where they were wrong) and looking forward to 2040. I especially enjoyed it because one of the speakers was Gill Ringland. Gill is now a Director of Ethical Reading, set up to energise an ethical business climate in the Thames Valley, but in the past was head of strategy at ICL amongst other things. I had the good fortune to meet her way back, at the 2012 Digital Money Forum. I’d been very impressed by a report that she’d written and asked her to come along and give a presentation about it. She gave a super talk about her exploration of the world of financial services in 2050 from the report “In Safe Hands” (published at Long Finance).

IMFS Scenarios

I wrote at the time that she had used a tried and tested scenario planning technique (the same one that I always use these days) to generate a 2×2 matrix of four scenarios imagined using the “Washington consensus” vs. “Community-based values” on one axis and “mundane” and “virtual” (essentially) on the other axis to reflect the extent to which real or virtual communities come to shape the economy and therefore financial services. Gill explained at the time that in order to create scenarios (i.e., internally-consistent views of possible futures) for a generation from now, she found it useful to look two generations back, and consider the asset classes managed by the financial services industry in 1930. These were broadly commodities, cash, equities and brains. Looking forward, she added a fifth asset class based on demographics for 2050.

Transactions, therefore, become the exchange of these asset classes (but in digital form, of course). This seems to me especially interesting in a city-centric context because, for example, a permit to reside in a desirable city could well become a key tradable commodity. Indeed, this view was reinforced in the FS Club discussion, where the even more expansive view that cities might begin to dictate the policies and trajectories of the nation state was put forward. In this context, Gill’s prescient narrative of the “C50” (the organisation of the 50 richest city-states that will replace the G20 as the mechanism for “managing” the world economy), which came from her “Many Hands” scenario, forms a solid narrative around the future economic organisation of a successful, functional world. As Martin Wolf wrote in the FT around that time, “this is the age of cities, not of national economies” (going on to say that “it is high time London became a true city state”).

(This surely implies that the “cash” of cities will become the most important kind to the average person. In other words, having abandoned Sterling for London Lolly and US Dollars for New York Notes and LA Loonies, will these be sufficient to provide the medium of exchange for the future economy? Right now, almost all transactions are local and even at the national level only 1%-2% of European transactions are cross border. If I live in London and use London Lolly for the train, for lunch and at the supermarket, is it such a big deal to convert it to Moscow Moolah to buy something online? Especially when your phone does it for you?)

A world economy built up from cities and their hinterlands will obviously demand different financial services and institutions from one based on national economies. This was foreseen by the wonderful Jane Jacobs’ work “Cities and the Wealth of Nations”, published way back in 1984. My Jacobs-influenced city-centric perspective was reinforced when I happened to read a Canvas8 report “The city as an identity anchor” (which echoed Gill’s points about identity, which I’ll return to in a minute) and then the World Economic Forum (WEF) 2017 report “Cities, not nation states, will determine our future survival”.

What this means to me is that the future sense of identity will be city-centric, with people seeing themselves as Londoners and New Yorkers rather than Brits and Yanks, a view that the COVID-19 crisis seems to have reinforced. Their loyalties will be more local than ours, and the relationships between cities will replace the relationships between countries as the most important tensions and dynamics. I can’t help but wonder if cities will begin by forming trade pacts and then move on to form defence alliances, bearing in mind that the wars of the future will be fought in cyberspace. Never mind national identity in the Indian (Aadhaar) model or provincial identities as in Canada. What if these specific city identities are the core of the future digital identity models?

Passports in Pimlico

This leads me to wonder yet again what the model of city-centric identity might be. How will those identities relate to trade, commerce and society as a whole? Which attributes will be the valuable ones (beyond is_a_person, of course) and which will atrophy to form vestigial credentials of no practical value? When discussing the C50 scenarios back in 2012, Gill made a passing but powerful observation on future transactions and it has stayed central to my thinking on the topic. She said that individuals will protect their “personal identity, credit ratings and parking spaces” at all costs and I think this is a powerful and imaginative narrative to group ideas about attributes and credentials.

Personal identity. I might take issue with Gill here and say “personal identities” but I know what she means. An infrastructure that delivers both security and privacy to identity transactions of all kinds will be needed to support the reputation economy of the networked society. There is no possibility of social media and social democracy co-existing in this future scenario without such an infrastructure.

Credit rating. The commercial reputation that means that you can buy or sell, whether as an individual or an organisation, will be central to economic existence. In a networked society, this is more likely to be something that comes from the social graph than the conventional credit rating of today.

Parking spaces. This means the (tradeable) right to reside in a particular place. These rights will certainly be of critical importance to the individual, since their own identity will be closely related to the city (and hinterland) of residence. There’s no reason why (for example) London and Scotland should have the same immigration rules. If that sounds a little far-fetched, I can tell you that it is happening right now. I came across an interesting case study from Denmark via the social anthropologist Camilla Ida Ravnbol from the University of Copenhagen. Since the COVID-19 crisis has restricted travel, any “permission to work in Copenhagen” document has become a valuable traded commodity in the marginalised Roma community that needs access to the city to earn money (by collecting materials for recycling, for example).

In the language of digital identity, digital money and digital diligence, then, this line of thinking imagines a reputation economy anchored in the mundane which is (as I explored in my book “Before Babylon, Beyond Bitcoin”) a landscape animated by new technology but shaped by physical as well as virtual communities. What does this all mean for transactions? What does it mean for the future of the financial system? Or, more specifically, to answer the question asked at the very beginning, what does it mean for the world in 2040?

Well, I don’t know. But if I wanted to find out, I’d start by talking to social anthropologists. Fortunately, Camilla and I will be chairing a session that touches on these issues, along with Atreyee Sen, at the European Association of Social Anthropologists conference in July. As the conference is now online, you can sign up and log in online to join us here. We are Panel 57, “Digital encounters, cashless cultures: Ethnographic perspectives on the impact of digital finance on economic communities”, so please do pop in and take part in the discussion.


What is the point of the “travel rule”?

A couple of years ago, as you may have read in the Financial Times at the time, the Financial Action Task Force (FATF) extended their recommendations to include cryptocurrency exchange and wallet providers and such like, referred to as Virtual Asset Service Providers (VASPs). This meant that all countries must supervise and monitor these, and that they should apply anti-money laundering and anti-terrorist financing controls: that is, customer due diligence (CDD), suspicious transaction reporting (STR) and the “travel rule”.

The decision to apply the same travel rule on VASPs as on traditional financial institutions was greeted with some dismay in the cryptocurrency world, because it means that the service providers must collect and exchange customer information during transactions. The technically non-binding guidance on how member jurisdictions should regulate their ‘virtual asset’ marketplace included the contentious detail that whenever a user of one exchange sends cryptocurrency worth more than 1,000 dollars or euros to a user of a different exchange, the originating exchange must send identifying information about both the sender and the intended recipient to the beneficiary exchange. The information must also be recorded and made available to “appropriate authorities on request”.

This identifying information, according to the FATF Interpretive Note to Recommendation 16, should include the name and account number of the originator and beneficiary, the originator’s (physical) address, national identity number (or something similar) or date and place of birth. In essence, this means that personal information will be smeared all over the interweb tubes. My good friend Simon Lelieveldt, who is very well-informed and level-headed about such things, said at the time that this is a “disproportional silly measure by regulators who don’t understand blockchain technology”, which may be a little harsh even if not too far from the truth.

Anyway, some folks from the land of crypto have put together a standard for implementing the travel rule in the hope of spurring interoperability and reducing the costs for all involved. The standard, known as IVMS101, defines a uniform model for data that must be exchanged by virtual asset service providers (VASPs) alongside cryptocurrency transactions. The standard (you can download it here) will identify the senders and receivers of crypto payments, with such information “traveling” alongside the cryptocurrency transactions but along a separate path (that is, the IVMS101 messages do not themselves need the blockchain or any other crypto infrastructure).

(If you are wondering why it’s called IVMS101, it’s because the SWIFT MT101 message is the global standard request for the electronic transfer of funds from one account to another. For those of us in the payments world, MT101 is mother’s milk: mandatory Tag 20 Sender Reference, optional Tag 21 Customer Specified Reference and so on and so on. The MT101 message is used throughout the business world to send bulk payment instructions (ie, a header and multiple payment instructions in a single message). There is also the MT103 message that instructs a single transfer but this is mainly used to move funds between banks and other financial institutions such as money transfer companies.)

IVMS101 is pretty thorough and it sets out in detail what messages should be passed from (eg) one Bitcoin exchange to another, along the lines of:

if the originator is a NaturalPerson then either (
     geographicAddress with an addressType value of GEOG or HOME or BIZZ
     and/or customerNumber
     and/or nationalIdentification
     and/or dateAndPlaceOfBirth )
is required.
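To make the quoted rule concrete, here is a small validator for it, added as an example and not taken from the IVMS101 specification or its authors. The nested-dict message layout and the field names are assumed from the rule as quoted rather than from the normative IVMS101 schema, and the two sample messages are constructed; `present_identifiers` also reports which identifying elements a message actually carries, which is the data-minimisation question the travel rule raises (the rule needs only one of them).

```python
"""Check the IVMS101 originator rule quoted above over a simplified message layout.

Added example: the nested-dict layout and the field names are assumed from the
rule as quoted, not taken from the normative IVMS101 schema.
"""
from typing import Any, Dict, List

ALLOWED_ADDRESS_TYPES = {"GEOG", "HOME", "BIZZ"}
# The identifying elements that may stand in for (or accompany) an address.
OTHER_IDENTIFIERS = ("customerNumber", "nationalIdentification", "dateAndPlaceOfBirth")


def _addresses(person: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Normalise geographicAddress to a list (a single address object is also accepted)."""
    raw = person.get("geographicAddress") or []
    return [raw] if isinstance(raw, dict) else list(raw)


def has_qualifying_address(person: Dict[str, Any]) -> bool:
    """True if some geographicAddress carries an addressType of GEOG, HOME or BIZZ."""
    return any(a.get("addressType") in ALLOWED_ADDRESS_TYPES for a in _addresses(person))


def present_identifiers(person: Dict[str, Any]) -> List[str]:
    """List which of the rule's identifying elements this originator actually carries.
    The rule needs only one of them; anything beyond that is extra personal data."""
    found = ["geographicAddress"] if has_qualifying_address(person) else []
    found += [f for f in OTHER_IDENTIFIERS if person.get(f)]
    return found


def natural_person_originator_ok(originator: Dict[str, Any]) -> bool:
    """Apply the rule: a NaturalPerson originator must carry at least one of a
    qualifying geographicAddress, customerNumber, nationalIdentification or
    dateAndPlaceOfBirth. Other originator types are outside this rule and pass."""
    if originator.get("type") != "NaturalPerson":
        return True
    return bool(present_identifiers(originator))


def validate_message(message: Dict[str, Any]) -> List[str]:
    """Return a list of problems for a whole message (an empty list means it passes)."""
    problems = []
    originator = message.get("originator")
    if not isinstance(originator, dict):
        problems.append("originator missing")
    elif not natural_person_originator_ok(originator):
        problems.append(
            "NaturalPerson originator needs geographicAddress (GEOG/HOME/BIZZ), "
            "customerNumber, nationalIdentification or dateAndPlaceOfBirth"
        )
    return problems


# Constructed sample messages, not real transfers.
OK_MESSAGE = {
    "originator": {
        "type": "NaturalPerson",
        "name": "Jane Doe",
        "geographicAddress": [{"addressType": "HOME", "townName": "London", "country": "GB"}],
    },
    "beneficiary": {"type": "NaturalPerson", "name": "John Smith"},
}

BAD_MESSAGE = {
    "originator": {
        "type": "NaturalPerson",
        "name": "Jane Doe",
        # an address whose type is not one of the three the rule accepts
        "geographicAddress": [{"addressType": "OTHER", "townName": "London"}],
    },
    "beneficiary": {"type": "NaturalPerson", "name": "John Smith"},
}

if __name__ == "__main__":
    print("OK_MESSAGE:", validate_message(OK_MESSAGE) or "passes")
    print("BAD_MESSAGE:", validate_message(BAD_MESSAGE) or "passes")
```

Run as a script it reports that the first message passes and the second does not; the same functions can be called on any message in this layout.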

This sort of thing is needed because there’s no global standard digital identity that could be attached to messages so market participants have to make do with national solutions or proxies. Nevertheless, it’s a good standard (as you’d expect when you see who wrote it) but uncharitable persons might well be asking what the point of it is because law enforcement agencies can already get this information by presenting a warrant. What the travel rule does is to, essentially, automate mass surveillance without a warrant or any other oversight and force personal information on to marketplace intermediaries (where, in my opinion, it doesn’t belong – my date and place of birth is no business of either intermediary exchanges or, indeed, the destination exchange). What’s more, since the travel rule is for value transfers between exchanges, it seems rather unlikely that it will catch any criminal flows at all.

I, for example, have a Coinbase hosted Bitcoin wallet and a Bitcoin wallet on a USB stick. If I want to send money to criminals, I will transfer it from my Coinbase wallet to my USB wallet and then from my USB wallet off via mixers to the criminal’s USB wallet and the travel rule is irrelevant. The uncharitable people mentioned earlier will undoubtedly observe that since the actual travel rule doesn’t seem to have stopped money laundering which is a massive global industry, there’s no obvious reason why the virtual travel rule will stop electronic money laundering on a similar grand scale.

Writing in this month’s Chartwell “Compass” magazine, Omar Magana hits the nail on the head with respect to the travel rule, asking if “the enforcement of a regulation that was created over 20 years ago for a fast-evolving industry, may not be the best approach”. Note that he is not arguing against regulation, he is arguing (as I do) for a form of regulation more appropriate for our age (for which I use the umbrella term “Digital Due Diligence”, or DDD) using artificial intelligence and machine learning to track, trace and connect the dots to find the bad actors.

I am genuinely curious to learn more about whether the travel rule will make the slightest difference to the money launderers, so please do let me know in the comments whether such scepticism is misguided or whether the travel rule will make the world a safer place.

Some off-the-cuff comments on in-the-cuff payments

It’s amazing what sort of things trendy youngsters in the payments space are getting up to these days. Only today, I read that the UK-based DressCode has released “the ultimate in geek chic”, which turns out to be a shirt with a pocket in the cuff to hold a contactless chip for payments.

The ultimate in geek chic? Sorry dudes. I had a Thomas Pink “Commuter” shirt back in 2006! The Commuter shirt had two features that I really liked at the time. It had a channel running up the inside to carry earphone cables tucked away out of sight. These connected through a hole in a side pocket so that you could keep your iPod snug and out of the way while strolling through London’s fashionable West End listening to the mighty Hawkwind. The shirt also had that second pocket in the cuff to hold a contactless card.

It was designed really for Oyster cards, but we put Visa cards in the pocket to make purchases using standard POS terminals with contactless interfaces. As I recall, we bought a few of them as presents for some of our favourite customers as well! Anyway, I went upstairs and got it out of the wardrobe to model it for you:

[Photo: the author modelling the Thomas Pink Commuter shirt]

The point I used to make was that contactless was about more than the interface; it was about form factors and that it would lead to innovation, and I used the shirt to show an example of innovation beyond the card itself. Although the shirt was fun and helped to make an interesting demo about contactless payments in conference presentations, I thought it had two design flaws.

First of all, the pocket was behind the cuff on the top of the wrist. This meant you had to lay the back of your forearm across the contactless POS terminal or Oyster card reader. The pocket really should have been on the underneath of the forearm near the wrist to make paying a more natural action.

The second problem was that if you were wearing a suit and coat, it was hard to get the card close enough for the reader. I remember thinking at the time that I wished that the pocket was in my suit rather than in my shirt.

Naturally, being a consultant rather than an entrepreneurial business go-getter, my thoughts went no further. I was surprised to see that only eight years later some entrepreneurial Aussies went and did just what I’d thought about, and put the payment card pocket in the suit! I found out that the dynamic and chic (I assume) menswear specialists M.J. Bale and Visa had teamed up to create a suit with a contactless payment chip and antenna woven into the sleeve! Apparently the “power suit will let men pay ‘invisibly’ wherever Visa payWave is accepted”. I expect they were planning something for the ladies too but it’s not mentioned in the article.


Anyway, how fun. These days of course I wouldn’t use either the cable run (because I have AirPods – in fact I have AirPods2 which are absolutely awesome) or the card (because I have a smartphone and that’s what I use to pay). Nevertheless, I wish DressCode all the best with their chic project.

Unknown, known and verified

The stain of racism in football is, you will be unsurprised to learn, not confined to Bulgarian stadia. It’s a serious and unpleasant problem on social media too, to the extent that the noted association footballer Mr. Harold Maguire has been talking about it. According to The Daily Telegraph, “Maguire urged Instagram and Twitter to make users identify themselves in the same way as betting apps after his teammate Paul Pogba was subjected to a torrent of ‘disgusting’ racial abuse from anonymous trolls”.

Many other people seem to think that we should do something about this. Following Mr. Maguire’s analysis, the historian Damian Collins MP (chair of the Digital, Culture, Media and Sport select committee in the UK Parliament) said “Account verification should be more widely available and become the norm. I think accounts should be verified, it can’t be right that cowards and racists can hide behind the anonymity of social media to attack people, often using multiple bogus accounts”. This is an interesting observation that jumbles two different issues together: proving that the account “David Beckham” points to a specific person, and proving that the specific person it points to is the former Manchester United winger David Beckham. The first is about attaching attributes to a real-world entity; the second is about the reputation of the real-world identity. Thinking these two things through separately is, I think, a key to finding a workable solution to the social media mess, but back to that later.

Another MP, the lawyer Norman Lamb (chair of the Science and Technology select committee) also commented, saying that if social media companies did not act to clean up abuse then the incoming online regulator should take action. It’s not clear to me what he means by “clean up abuse” since it seems implausible that Twitter could monitor billions of messages every day to remove those that cause any offence to anyone (I assume Mr. Lamb doesn’t want them to remove tweets calling for human rights in certain countries, for example).

(In fact it is not at all clear to me what the incoming regulator is going to do at all, but that is a different matter.)

It’s also not clear to me what MPs and other commentators mean by “bogus accounts”. But from the context, I assume that they mean accounts that cannot be linked to some other identifier that MPs think is a legitimate form of identity, such as a passport.

It’s not a new or interesting idea to try to link social media accounts to government-issued identity, as they do in (for example) China. A while back, to pick on one example, the noted entrepreneur Mark Cuban adumbrated Mr. Maguire by saying that “It’s time for @twitter to confirm a real name and real person behind every account, and for @facebook to get far more stringent on the same. I don’t care what the user name is. But there needs to be a single human behind every individual account”.

Cuban is as wrong about the real names as Maguire and the MPs are, because anyone familiar with the topic of “real” names knows perfectly well that they make online problems worse rather than better. One example that springs to mind to illustrate this is when the dating platform OKCupid announced it would ask users to go by their real names when using its service (the idea was to control harassment and promote community on the platform), but after something of a backlash from the users, they had to relent. Forcing the use of real names in a great many circumstances will mean harassment, abuse and perhaps even worse.

You can understand why. Why on Earth would you want people to know your “real” name? That should be for you to disclose when you want to and to whom you want to. In fact the necessity to present a real name will actually prevent transactions from taking place at all, because the transaction enabler isn’t names, it’s reputations. And pretty basic reputations at that. I think that online dating, frankly, provides a useful way of thinking about the general problem of online identity. In this case, just knowing that the object of your affections is actually a real person and not a bot (remember, in the famous case of the Ashley Madison hack, it turned out that almost all of the women on the site were actually bots) is probably the most important element of the reputational calculus central to online introductions, but after that? Your name? Your social media footprint?

There are plenty of places where I would not want to log in with my “real” name or by using any information that might identify me: the comments section of national newspapers, for example. “Real” names don’t fix any problem because your “real” name is not an identifier, it is just an attribute (refer back to the David Beckham example) and it’s only one of the elements that would need to be collected to ascertain the identity of the corresponding real-world legal entity anyway.

What social media needs, and what will help with Mark Cuban’s actual problem with being sure that there is a “single human” behind an account, is the ability to determine whether you are a known real person or not. The problem with bots on social media is just as serious as the problem of racism. Without commenting on the politics of an individual issue, I could have chosen any of a thousand examples to make this point. Here’s just one, from the UK press yesterday: “Almost all of the ten most active Brexit Party supporters on Twitter appear to be automated bots, according to new research”.

The way forward is surely not for Twitter et al to try and figure out who is a bot and whether they should be banned (after all, there are plenty of good bots out there) but for Twitter et al to give their users the choice. Why can’t I tell Twitter that I only want to see tweets from real people that can be identified? It’s none of my business who the person actually is and it’s none of Twitter’s business either. But if someone knows that @dgwbirch is a real person, that’s enough. Harry Maguire can read my tweets in comfort, knowing that if I commit a criminal offence then the police can go to someone to find out who I am.

So who is that someone who knows whether I am a real person or not? Working out whether I am a person or not is a difficult problem if you are going to go by reverse Turing tests or Captchas. It’s much easier just to ask someone else who already knows whether I’m a bot or not.

There are plenty of candidates. There’s the Post Office I suppose. And the school. And the doctor. In fact, there are lots of people who could testify to my existence. But the obvious place to start is my bank. So, when I go to sign up for internet dating site, then instead of the dating site trying to work out whether I’m real or not, the dating site can bounce me to my bank (where I can be strongly authenticated using existing infrastructure) and then the bank can send back a token that says “yes this person is real and one of my customers”. It won’t say which customer, of course, because that’s none of the dating site’s business and when the dating site gets hacked it won’t have any customer names or addresses: only tokens. This resolves the Cuban paradox: now you can set your preferences against bots if you want to, but the identity of individuals is protected.

What is crucial here is the IS_A_PERSON attribute. Twitter, for example, should mark my account as of unknown origin until it sees this attribute. Of course, Twitter will want to see it in the form of a verifiable credential signed by someone who they can sue if it turns out I’m not a person after all, but you get the point. When I sign up to Twitter I am “unknown”. When they get a valid IS_A_PERSON credential from me, then my status changes to “known”. Once I am known, then I can go on to be verified if I want to be.
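The bank-issued IS_A_PERSON credential described above, as an added Go example that is not part of the original post: the bank signs a claim that names no customer, the site checks signature, audience, claim and expiry before moving the account from “unknown” to “known”, and only the bank’s own vault can map the token back to a person. The Ed25519 keys, the JSON field names and all bank, site and account names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is what the bank signs: no name, address or account number, just an
// opaque token, the claim, the site it is for and an expiry (hypothetical format).
type Credential struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Token    string `json:"tok"` // random; meaningless outside the bank
	Claim    string `json:"clm"` // "IS_A_PERSON"
	Expires  int64  `json:"exp"` // unix seconds
}

// Bank issues credentials; tokenOwner stays in its vault (the only place a token maps back to a person).
type Bank struct {
	Name       string
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	tokenOwner map[string]string
}

func NewBank(name string) (*Bank, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Bank{Name: name, Pub: pub, priv: priv, tokenOwner: map[string]string{}}, nil
}

// IssueIsAPerson runs after the customer has been strongly authenticated at the
// bank. A fresh token per issuance stops different sites correlating a customer.
func (b *Bank) IssueIsAPerson(customerID, audience string, ttl time.Duration, now time.Time) (payload, sig []byte, err error) {
	raw := make([]byte, 16)
	if _, err = rand.Read(raw); err != nil {
		return nil, nil, err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	b.tokenOwner[tok] = customerID
	c := Credential{Issuer: b.Name, Audience: audience, Token: tok, Claim: "IS_A_PERSON", Expires: now.Add(ttl).Unix()}
	if payload, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(b.priv, payload), nil
}

// RelyingParty is the social network or dating site. It holds the bank's public
// key and a status per account, never a customer identity.
type RelyingParty struct {
	Name    string
	issuers map[string]ed25519.PublicKey
	status  map[string]string // "unknown" or "known"
}

func NewRelyingParty(name string) *RelyingParty {
	return &RelyingParty{Name: name, issuers: map[string]ed25519.PublicKey{}, status: map[string]string{}}
}

func (rp *RelyingParty) TrustIssuer(name string, pub ed25519.PublicKey) { rp.issuers[name] = pub }
func (rp *RelyingParty) Register(account string)                        { rp.status[account] = "unknown" }
func (rp *RelyingParty) Status(account string) string                   { return rp.status[account] }

// Present checks issuer, signature, audience, claim and expiry before marking "known".
func (rp *RelyingParty) Present(account string, payload, sig []byte, now time.Time) error {
	var c Credential
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	pub, ok := rp.issuers[c.Issuer]
	switch {
	case !ok:
		return errors.New("credential from an issuer we do not trust")
	case !ed25519.Verify(pub, payload, sig):
		return errors.New("signature does not verify")
	case c.Audience != rp.Name || c.Claim != "IS_A_PERSON":
		return errors.New("not an IS_A_PERSON credential for this site")
	case now.Unix() >= c.Expires:
		return errors.New("credential has expired")
	}
	rp.status[account] = "known"
	return nil
}

func main() {
	bank, _ := NewBank("ExampleBank")
	site := NewRelyingParty("social.example")
	site.TrustIssuer(bank.Name, bank.Pub)
	site.Register("@dgwbirch")
	payload, sig, _ := bank.IssueIsAPerson("customer-42", site.Name, time.Hour, time.Now())
	fmt.Printf("%s\nerr=%v status=%s\n", payload, site.Present("@dgwbirch", payload, sig, time.Now()), site.Status("@dgwbirch"))
}
```

Note that when the site is breached, the attacker gets tokens that only the issuing bank can resolve; the same credential is also refused by any other site, so one token cannot be used to link accounts across services.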

Unknown to Verified - LinkedIn Version

Most normal people, I imagine, will leave their Twitter account in the default setting of “known only”. Some people might want to go tighter with “verified only”. If nutters want to post racist abuse about footballers, then they will be posting it to each other and the vast majority of us will never be bothered with them again.

(When I last tried to get my account verified at Twitter, they turned me down. They didn’t say why, but presumably they thought that some of my tweets must have been machine-generated or something.)

Look. This is an important issue that I have been posting about for years, to no avail. Anne Marie Slaughter summed the situation up in the FT last year, saying that “with the decline of traditional trusted intermediaries, and the discovery that social media account holders may well be bots, we will crave verifiability”. This is absolutely spot on, and we need to construct the networks capable of delivering this verifiability or we collapse into a dystopian discourse where no-one believes anything. The knee-jerk “present your passport to use Twitter” is not the way forward. Technology means that we can deliver verifiability in a privacy-enhancing manner, so let’s do it.

SCA and SSCA

We’re seeing a lot about strong customer authentication (SCA) at the moment because of the requirement of the Second Payment Services Directive (PSD2) that comes into force next week on Black Friday (Friday 13th September). That’s because there’s a lot of fraud online, it’s getting worse and the strong authentication of people (in this case, online customers) is seen as being a way to tackle it. PSD2 demands SCA, and this means that European banks and Payment Service Providers (PSPs) have had to up their game.

Strong authentication, in this context, means “two factor authentication” (2FA). What 2FA means is that you must present two “factors” to demonstrate you are who you say you are. The three factors you can choose from are something you have, something you are and something you know (or, in my case, something I had, something I was and something I’ve forgotten). When you buy something in a shop, for example, you present a credit card (something you have) and put in a PIN (something you know). When you enter the country, you present something you have (a passport) and show your face (something you are). SCA is already being implemented by the UK banks, although in an unpredictable manner. Some banks send a code via their mobile banking app, some send a text, some allow you to choose e-mail instead, some will call a landline and some require the use of a card-reader dongle-thingy. As far as I can tell, none of them use a common app such as Microsoft Authenticator.

I’m actually quite surprised to see that some of them are still using text messaging to send a “one time password” (OTP) to customers for authentication. It’s not because, as the British newspapers were quick to point out, people who can’t get a mobile signal or don’t own a mobile phone face, as The Guardian put it, being “frozen out of internet shopping as banks are increasingly insisting that online payments are verified by text”. This is indeed a valid concern, but what I find most disturbing about this report is that anyone is verifying online payments, or indeed any other important online transaction, by insisting that they are authenticated by text messages! With the explosion of “smishing” (ie, phishing attacks via SMS) and the daily tales of account takeover, bitcoin theft and payment fraud carried out via SMS, you really do have to wonder why text messaging is still being used in this context.

This is hardly a new issue. More than a decade ago I wrote about the comments of Charles Brookson, then the head of the GSMA security group who, when talking about the use of SMS for financial services, made the point that SMS has, to all intents and purposes, no security whatsoever. Structurally, it has always seemed to me to be irresponsible for financial institutions to rely for security on something that is not secure and over which they have no control. Given the prevalence of smart phones, you would think that SMS would be long gone, but it is only now that German banks, for example, are giving up on SMS OTP in response to the PSD2 requirements for SCA.

How will this SMS-less strong authentication be implemented? For payments it will be through the new version of the scheme’s “Three Domain Security” (3DS). 3DS version 2 introduces “frictionless authentication” and will be the main card authentication method used to deliver SCA in Europe. It works by allowing retailers and their PSP to send many more data elements with each transaction. These data elements – such as the shipping address, customer’s device identity and their transaction history – mean that the issuer can carry out more sophisticated risk management to decide whether SCA is needed or not. In most cases, I would guess (since the issuers will use sophisticated risk management platforms with machine learning and all that sort of thing), no further authentication will be needed. But where it will be needed, Barclaycard (for example) can send a message to the Barclaycard app on my phone and ask me to authenticate myself.

(As it happens, Barclaycard have just sent me another “PINsentry” card reader together with an instructional pamphlet, so I will make every effort to use my Barclaycard online just so I can see how it works. Of course it means I will have to carry the card reader and my Barclaycard around with me at all times in case I want to buy something online, but remember I do this so you don’t have to.)


In my opinion, the best way forward now is through the bank apps themselves. Google found in their research on authentication for account recovery that whereas 2FA SMS stopped three-quarters of targeted attacks, in-app solutions stopped 90% (and 99% of bulk phishing attacks). It would be good if this approach was adopted across the board – not only for retail payments but for logging in to bank accounts, authorising transfers and everything else. But if customers get mixed up between expecting an e-mail or getting a text, seeing an in-app message sometimes but not other times, then fraudsters will be quick to exploit the situation. In which case (as I suspect) the introduction of strong authentication will actually lead to more fraud. We need both a better and a more consistent approach to authentication for financial services. We need to standardise on the approach and the execution and the UX so that consumers can be confident that they are communicating with their bank or whoever.

Standard Strong Customer Authentication

My Consult Hyperion colleague Tim Richards recently set out this problem in a very clear way [The Paypers, 27th August 2019]. He asks us to imagine what would have happened if SCA had been mandated for face-to-face commerce but, as with PSD2, no technological solution was provided. In that case, instead of our EMV-standard chip and PIN payment system we would have had each bank creating its own solution. Then, as has happened online, every time a consumer went into a shop to buy something they would face a different authentication depending on their bank! Tim’s good advice is that regulators need to take a step back, “temporarily drop anti-competition laws and insist that banks come up with a minimum standard for SCA” to support growth in online commerce that is accompanied by real security because customers know what to expect and retailers aren’t disadvantaged by variable SCA experiences leading to cart abandonment.

He’s right, of course. And in terms of implementation it has long been clear that the best architecture for what I am now labelling Standard Strong Customer Authentication (or SSCA) is biometric authentication against a revocable token stored in tamper-resistant local storage. We all carry a device capable of implementing this design at a manageable cost: the mobile phone.

(As an aside, since the mobile phone operators control a standard item of tamper-resistant hardware in all phones — the SIM — why we are not all using a standard authentication from our mobile operators already is a mystery, but that’s a different point and I don’t want to get diverted by Mobile ID Connect here.)

The point is that with really strong authentication, your bank shouldn’t be sending you a text message or an e-mail or whatever, it should be using real cryptography to send a message to the bank app on your mobile phone. So, when you try to buy something online with your Barclaycard your Barclaycard app pops up on your phone and asks you to authenticate.
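The app-based authentication just described, as an added Go example that is not the author’s or any bank’s code: the bank pushes a transaction challenge to the app, the app signs it only after the (simulated) biometric passes, and the bank checks the signature against the enrolled, revocable device key and refuses altered, expired or replayed challenges. The Ed25519 key standing in for the token in the phone’s secure storage, the JSON layout, the two-minute validity window and the customer, merchant and amount values are all assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the bank pushes to its app instead of an SMS OTP; one signature over it binds merchant, amount and ID.
type Challenge struct {
	ID       string `json:"id"` // random, single use
	Customer string `json:"cust"`
	Merchant string `json:"merchant"`
	Pence    int64  `json:"amount_pence"`
	Expires  int64  `json:"exp"` // unix seconds
}

// Device models the bank app; its private key stands in for the revocable token in tamper-resistant storage.
type Device struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Pub: pub, priv: priv}, nil
}

// Approve is the "put your thumb on it" step; unlocked=false models a failed or cancelled biometric.
func (d *Device) Approve(ch Challenge, unlocked bool) ([]byte, error) {
	if !unlocked {
		return nil, errors.New("biometric check not passed; nothing signed")
	}
	msg, _ := json.Marshal(ch) // cannot fail for this plain struct
	return ed25519.Sign(d.priv, msg), nil
}

// Bank keeps the enrolled device key per customer and every challenge it has issued but not yet accepted.
type Bank struct {
	keys    map[string]ed25519.PublicKey
	pending map[string]Challenge
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, pending: map[string]Challenge{}}
}

// Enrol records a device key once the customer has been identified through the
// bank's existing strong process; Revoke is what a lost phone triggers.
func (b *Bank) Enrol(customer string, pub ed25519.PublicKey) { b.keys[customer] = pub }
func (b *Bank) Revoke(customer string)                        { delete(b.keys, customer) }

// NewChallenge is issued when the issuer's risk engine decides SCA is needed.
func (b *Bank) NewChallenge(customer, merchant string, pence int64, now time.Time) (Challenge, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return Challenge{}, err
	}
	ch := Challenge{ID: hex.EncodeToString(raw), Customer: customer, Merchant: merchant,
		Pence: pence, Expires: now.Add(2 * time.Minute).Unix()}
	b.pending[ch.ID] = ch
	return ch, nil
}

// Verify accepts a challenge once only, unaltered, in time, and signed by the enrolled, unrevoked device.
func (b *Bank) Verify(ch Challenge, sig []byte, now time.Time) error {
	issued, ok := b.pending[ch.ID]
	pub, enrolled := b.keys[ch.Customer]
	msg, _ := json.Marshal(ch)
	switch {
	case !ok:
		return errors.New("unknown or already used challenge (replay?)")
	case issued != ch:
		return errors.New("challenge fields altered in transit")
	case now.Unix() > ch.Expires:
		return errors.New("challenge expired")
	case !enrolled:
		return errors.New("no enrolled, unrevoked device for this customer")
	case !ed25519.Verify(pub, msg, sig):
		return errors.New("signature is not from the enrolled device")
	}
	delete(b.pending, ch.ID) // single use: a second presentation is a replay
	return nil
}

func main() {
	bank, now := NewBank(), time.Now()
	dev, _ := NewDevice()
	bank.Enrol("customer-42", dev.Pub)
	ch, _ := bank.NewChallenge("customer-42", "shop.example", 4999, now)
	sig, _ := dev.Approve(ch, true)
	fmt.Println("first:", bank.Verify(ch, sig, now), "replay:", bank.Verify(ch, sig, now))
}
```

Because the customer signs the merchant and amount they were shown, a smishing-style intercept of the message yields nothing reusable, which is the property an SMS OTP cannot provide.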

If the bank (or anyone else) cannot reach the mobile app then there should be a standard fallback across all service providers which would probably be a voice call thus opening up the use of voice recognition and authentication. And if you are online buying something or transferring money to someone or closing an account and you can’t be reached via the mobile app or by a voice call well… then what are you doing buying things online in the first place?

Surely this is the most practical way forward. Now that the Financial Conduct Authority (FCA) has confirmed that it will not take enforcement action against businesses who do not implement SCA until March 2021, there is some time to prepare a mobile-centric SSCA pathway for UK banks and businesses.

Digital identity in the UK – Will big banks or big techs deliver it?

The opening keynote at this year’s London Identity Week was given by Oliver Dowden, the Minister for Implementation at the Cabinet Office. Mr. Dowden is the Minister in charge of the digital transformation of government. To people like me, digital identity is central to digital transformation of government (and the digital transformation of everything else, for that matter) so I was looking forward to hearing the UK government’s vision for digital identity. In his keynote, the Minister said that the UK is seen as being at the cutting edge of digital identity and that GOV.UK Verify is at the heart of that success.

(On 9th October 2016, Mr. Dowden gave written statement HCWS978 to Parliament, announcing that the government was going to stop funding GOV.UK Verify after 18 months with the private sector responsible for funding after that.)

Right now you can’t use a GOV.UK Verify identity provider to log into your bank or any other private sector service provider. But in his speech the Minister said that he looks forward to a time when people can use a single login to “access their state pension and the savings account”. This, in my opinion, is quite distinct from the single identifier that the Parliamentary Select Committee on Science and Technology called for in their report this week. The Right Honourable Norman Lamb MP, Chair of the Committee, observing that “the current digital service offered by the Government has lost momentum” called for the introduction of a single unique identifier for access to public services.

I have to say that I sort of agree with the Science and Technology Committee on the efficient delivery of public services as well as what the Minister said about a single login across both public and private services. Obviously you’d want the same login scheme but a different persona (an identifier plus credentials) for pensions, pornography and other purchases, but that’s another issue and not the focus of this discussion.


Back to the Minister’s point though. Yes, it would be nice to have some sort of ID app on my phone (I happen to sit on the advisory board of Biid, who provide just such an app) and it would be great if my bank and Her Majesty’s Revenue and Customs (HMRC) and Woking Council and LinkedIn would all let me log in with this ID. The interesting question is who will provide such a login given that the government does not seem able to. Put a pin in that and we’ll return to it later. Meanwhile, back to the Minister, who made three substantive points in his speech. He talked about:

  • The creation of a new Digital Identity Unit, which is a collaboration between DCMS and Cabinet Office. The Unit will help foster co-operation between the public and private sector, ensure the adoption of interoperable standards, specification and schemes, and deliver on the outcome of the consultation.
  • A consultation to be issued in the coming weeks on how to deliver the effective organisation of the digital identity market. Through this consultation the government will work with industry, particularly with sectors who have frequent user identity interactions, to ensure interoperable ‘rules of the road’ for identity. To me, this sounds like a call for a trust framework of some kind but the Minister did not use those words.
  • The start of engagement on the commercial framework for consuming digital identities from the private sector for the period from April 2020 to ensure the continued delivery of public services. The Government Digital Service will continue to ensure alignment of commercial models that are adopted by the developing identity market to build a flourishing ecosystem that delivers value for everyone.

The Minister had a tight schedule and was therefore unable to stay for my subsequent speech. I suggested that the idea of a general-purpose digital identity might be ambitious and a preferable strategy might be to look at who else could deliver the “digital identities from the private sector” used for the delivery of public services, which means delivering inclusive identity services with appropriate security at population scale. Perhaps DCMS has ensured that the UK has taken a lead in this respect since, according to Sky News, “thanks to its ill-conceived porn block, the government has quietly blundered into the creation of a digital passport – then outsourced its development to private firms”. One of these firms runs the world’s largest pornography site, Pornhub, so I imagine they know a thing or two about population-scale identity management.


Assuming that the GOV.UK Verify identities fail to gain traction in the private sector, then I think there are two obvious private sector coalitions that might step in to do this for the government: the big banks and the big techs.

Big Banks

For a variety of reasons, I hope that the big banks are able to come together to respond to the comments of Mark Carney, the Governor of the Bank of England, on the necessity for a digital identity in the finance sector to work with the banks to develop some sort of financial services passport. I made some practical suggestions about this earlier in the year and have continued to discuss the concept with potential stakeholders. I think it stacks up, but we’ll have to see how things develop.

The reason why I’m so keen on this approach is that banks already do the hard work of establishing customer identities for know-your-customer (KYC) purposes but they don’t then do anything with it. So identity is a cost centre, when there is an opportunity for it to be a platform for new products and services. I’m not the only person who thought that the DCMS age verification legislation would be the trigger for a sophisticated federated privacy-enhancing bank-centric ID.

Modifications to open banking could allow bank customers to share data on their identity and their date of birth with third parties in a double-blind way that stops their bank from knowing the site they want to visit, or the site they’re visiting from knowing their identity.

From Don’t let the government’s porn block create a monopoly – 1828.

Well, whether it’s used for age verification or a pensions dashboard, I would have thought that what the European Commission Expert Group on Electronic Identification and Remote KYC Processes calls an “attribute-based LoA-rated KYC framework for the financial sector” (ie, a financial services passport) would make a perfect post-Brexit stake-in-the-ground initiative to define the new era by boosting efficiency in the crucial Big Bank sector as well as providing a platform for new products and services for the Big Techs to develop. Talking of which…

Big Techs

I had the good fortune to attend a more recent breakfast session with the Minister organised by the Cicero PR people. I have to say that the subject of digital identity came up more than once. There was considerable discussion (under the Chatham House rule) of both the priority of a UK digital identity infrastructure and the means by which it might come into existence. While I voiced my usual opinion that it should be the banks taking the lead, there were other people talking about alternative private sector providers.

It is clear, then, that if the banks can’t get it together then the big techs will come knocking on the government’s door. I’ll readily admit that when the Minister said “private sector identities” in his speech, the first thought to flash across my brain was “Apple”. The public, as well as civil servants in other departments who don’t really know or care about digital ID, might be saying to themselves, “why can’t we just use ‘sign in with Apple’ to do our taxes?”, and this is a good point. Even if they are not saying it right now, they’ll be saying it as soon as they get used to Apple’s mandate that all iOS apps that allow third-party sign-in must support it.

How would you use your Apple ID to log into HMRC? Easy: you log in as you do now after sending off for the password and waiting for it to come in the post and that sort of thing and then once you are connected tell them the Apple ID that you want to use in the future. If you want to be “jackdaniels@me.com” or whatever, it doesn’t matter. It’s just an identifier for the Revenue to recognise you. Then next time you go to log in to the Revenue, you log in as jackdaniels@me.com, something pops up on your iPhone and you put your thumb on it or look at it, and bingo you are logged in to fill out your PAYE without ever having to remember your taxpayer ID or government gateway password ever again.

Incidentally, you could use this to log in at Pornhub too, because Apple have implemented a form of the persistent pseudonymity that I have long advocated as the core of a practical “privacy settlement”. So, as Wired magazine puts it, Apple’s universal login will let you hide your email address from third-party services. Unlike Facebook, Google and other services, Apple will randomly generate an email address on your behalf, and it then forwards communications from the services that you sign up to on to your actual Apple ID address. I’m not joking about Apple delivering an infrastructure for the mass market instead of the government, it’s just that I thought that our forward-thinking innovation-centric banks would be the people to build on it. A couple of years ago I asked “Why doesn’t my bank put a token in my Apple Pay that doesn’t disclose my name or any other personal information… Keep my real identity safe in the vault, give me blank card to top shopping with”

The banks have a chance to do this if the government, the Bank of England and industry bodies get together and work with them on it. But I wouldn’t be at all surprised to go over to the HMRC web site fairly soon to see “log in with Amazon” and “log in with Apple” next to a button with some incomprehensible waffle about eIDAS that I, and most other normal consumers I’m sure, will simply ignore.

Posh and Blocks

While flicking through British Vogue magazine for some moisturising tips, I came across a mention of digital identity! I was surprised and delighted that (just as has happened with another of my obsessions, Dungeons and Dragons) what was once the province of nerds and outsiders has become fashionable and cool. Hurrah! Vogue says that secure digital identities for luxury goods are crucial, which is great! I could not agree more. Digital identities are not only for people! I have been writing about the need for digital identities for things for many years, and not only for high fashion (a field where, oddly, I have some experience in the use of NFC applications on mobile phones to scan designer clothes, but that’s another story).


Some years ago I asked if “the blockchain” (put to one side what this might mean for a moment) might be a way to tackle the issue of “ID for the Internet of Things” (#IDIoT). I said at the time that I had a suspicion that, despite some of the nonsense going on, there might be something there. My reason for thinking that is that there is a relationship between blockchain technology and IoT technology, because we need a means to ensure that virtual representations of things in the mundane world cannot be duplicated in the virtual world. As I saw it, there were three ways to do this: a database, tamper-resistant hardware or blockchain.

If we look at the database idea first, I explored this more than a decade ago using the example of luxury goods such as watches and asking how would you tell a fake Rolex from a real one. It’s a much more complicated problem than it seems at first. For example: why would Rolex care? I can’t afford a Rolex, so if I buy one at a car boot sale or in China, Rolex isn’t losing a sale. But by wearing the fake, I’m presumably advertising the desirability of a Rolex. So surely they should be happy that people want to wear fakes or not? And if I did have a real Rolex, would I want to wear it in dangerous places where expensive watches get stolen in broad daylight by muggers (eg, London, London or London) or where I might just lose it?

Anyway, regardless of the reasons for it, let’s think about how to tell the real thing from the fake thing using technology. Suppose RFID is used to implement Electronic Product Codes (EPCs) for luxury goods. If I see a Gucci handbag on sale in a shop, I will be able to point my Bluetooth EPC-reading pen at it and read the EPC, which is just a number. My mobile phone can decode the number and then tell me that the handbag is Gucci product 999, serial number 888. This information is, by itself, of little use to me. I could go onto the Gucci-lovers website and find out that product 999 is a particular kind of handbag, but nothing more: I may know that the tag is ‘valid’, but that doesn’t tell me much about the bag. For all I know, a bunch of tags might have been taken off of real products and attached to fake products.

To know if something is real or not, I need more data. If I wanted to know if the handbag were real or fake, then I would need to obtain its provenance as well as its product details. The provenance might be distributed quite widely. The retailer’s database would know from which distributor the bag came; the distributor’s database would know from which factory the bag came and Gucci’s database should know all of this. I would need access to these data to get the data I would need to decide whether the bag is real or fake.

This is a critical point. The key to all of this is not the product itself but the provenance. A database of provenance (for example) is the core of a system to tell real from fake at scale.

Who should control this database, and who should have access to it, is rather complicated. Even if I could read some identifier from the product, why would the retailer, the distributor or Gucci tell me anything about the provenance? How would they know whether I were a retailer, one of their best customers, one of their own ‘brand police’, a counterfeiter (who would love to know which tags are in which shops and so on) or a law enforcement officer with a warrant?

This is where the need for a digital identity comes into the picture. A Gucci brand policeman might have a Bluetooth pen tag reader connected to a mobile. They could then point the pen at a bag and fire off a query: the query would have a digital signature attached (from the SIM or SE) and the Gucci savant could check that signature before processing the query. Gucci could then send a digitally signed and encrypted query to the distributor’s savant which would then send back a digitally signed and encrypted response to be passed back to the brand policeman: ‘No we’ve never heard of this bag’ or ‘We shipped this bag to retailer X on this date’ or ‘We’ve just been queried on this bag in Australia’ or something similar.
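The signed provenance query from the paragraph above, as an added Go example (not Gucci’s or anyone’s real system): the pen signs its query with its own key, the brand’s savant answers only registered keys, walks the custody chain from its own factory through each hand-over, and discloses the chain itself only to a querier in the brand police role. The role names, the custody-record layout, the EPC value and all party names are assumptions for this example; note that, as the text says, a genuine tag moved onto a fake still passes a check like this.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Shipment is one custody record: From handed the tagged item (its EPC) to To.
// The savant collects these from the factory, the distributor and the retailer.
type Shipment struct {
	EPC, From, To, Date string
}

// Query is what the pen sends after reading a tag: the EPC and who is asking.
type Query struct {
	EPC   string `json:"epc"`
	Asker string `json:"asker"`
}

// Querier is a pen or phone with a signing key (in the real design, in the SIM or SE).
type Querier struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewQuerier(name string) (*Querier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Querier{Name: name, Pub: pub, priv: priv}, nil
}

// Ask returns the JSON query and the querier's signature over it.
func (q *Querier) Ask(epc string) (msg, sig []byte) {
	msg, _ = json.Marshal(Query{EPC: epc, Asker: q.Name}) // cannot fail for this struct
	return msg, ed25519.Sign(q.priv, msg)
}

// Answer is the reply: anyone registered learns Genuine; only brand police get
// the holder of record and the chain itself.
type Answer struct {
	Genuine bool
	Holder  string
	Chain   []Shipment
}

// Savant is the brand's provenance service: registered keys and roles, plus the
// custody chain for each EPC it has ever issued.
type Savant struct {
	Factory string
	keys    map[string]ed25519.PublicKey
	roles   map[string]string // "brand_police" or "customer"
	chains  map[string][]Shipment
}

func NewSavant(factory string) *Savant {
	return &Savant{Factory: factory, keys: map[string]ed25519.PublicKey{}, roles: map[string]string{}, chains: map[string][]Shipment{}}
}

func (s *Savant) Register(q *Querier, role string) { s.keys[q.Name] = q.Pub; s.roles[q.Name] = role }
func (s *Savant) Record(sh Shipment)                { s.chains[sh.EPC] = append(s.chains[sh.EPC], sh) }

// Answer refuses unsigned or unregistered queries, then walks the chain: it must
// start at the brand's factory and each hop must begin where the previous ended.
func (s *Savant) Answer(msg, sig []byte) (Answer, error) {
	var q Query
	if err := json.Unmarshal(msg, &q); err != nil {
		return Answer{}, err
	}
	pub, ok := s.keys[q.Asker]
	if !ok || !ed25519.Verify(pub, msg, sig) {
		return Answer{}, errors.New("query is not signed by a registered querier")
	}
	chain := s.chains[q.EPC]
	genuine := len(chain) > 0 && chain[0].From == s.Factory
	for i := 1; i < len(chain) && genuine; i++ {
		genuine = chain[i].From == chain[i-1].To
	}
	ans := Answer{Genuine: genuine}
	if genuine && s.roles[q.Asker] == "brand_police" {
		ans.Holder, ans.Chain = chain[len(chain)-1].To, chain
	}
	return ans, nil
}

func main() {
	savant := NewSavant("factory-1")
	savant.Record(Shipment{EPC: "999.888", From: "factory-1", To: "distributor-A", Date: "2019-09-01"})
	savant.Record(Shipment{EPC: "999.888", From: "distributor-A", To: "retailer-X", Date: "2019-09-05"})
	pen, _ := NewQuerier("brand-police-7")
	savant.Register(pen, "brand_police")
	fmt.Println(savant.Answer(pen.Ask("999.888")))
}
```

A counterfeiter with a reader but no registered key gets an error rather than a list of which tags are where, which is the access-control point the paragraph makes.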

The central security issue for brand protection is therefore the protection of (and access to) the provenance data, and this needs a digital identity infrastructure to work properly. If it adds £20 to the price of a Rolex to implement this infrastructure, so what? The kind of people who pay £5,000 for a Rolex wouldn’t hesitate to pay £5,020 for a Rolex that can prove that it is real.

A small brand premium might be rather popular with people who like brands. Imagine the horror of being the host of a dinner party when one of the guests glances at their phone and says “you know those jeans aren’t real Gucci, don’t you?”. Wouldn’t you pay £20 for the satisfaction of knowing that your snooping guest’s Bluetooth pen is steadfastly attesting to all concerned that your Marlboro, Paracetamol and Police sunglasses are all real? Of course you would.

For some goods, we might want to add tamper resistant hardware to the product. I have long been interested in the use of low-cost RFID chips in this context. An example I looked at some years ago was the problem in Korea with the production of counterfeit whiskey. The authentic whiskey producers decided to add an RFID chip to the bottle caps. This chip was coded with a URL and an identifier. When a customer, or a shopkeeper, or a policeman, or in fact anyone else wants to check whether the whiskey is real or not, they touch the cap with their phone and the URL launches a web site that knows the provenance of the identifier and can tell you when and where it was bottled as well as some other information. When a customer opens the bottle, the tag is broken and can no longer be read. That seems to be a cost-effective solution, although it again relies on the provenance database to make it work (otherwise the counterfeiters would just find a way to steal the chips).

The mass market IoT, however, amplifies the problem of permission. I have always tried to illustrate this for people in a fun way by using the case study of underwear. It’s one thing for dinner guests to scan my wine bottle to see that it is a real Romanée-Conti and another for them to scan my Rolex to check that it is indeed a first-class far-eastern knock-off, but it’s quite another for them to be able to scan my underpants and determine that they date from 1983. How do we turn tags on and off? How do we grant and revoke privileges? How do we allow or deny requests for product or provenance? Once again, we must conclude that not simply digital identity but a full digital infrastructure is needed.

The third approach that I thought worth exploring was that of some form of blockchain. It seemed to me that by using the blockchain to maintain uniqueness, we might find a way to make the IoT a transactional environment. Just as you can’t copy the physical object, but you can transfer it from one owner to another, so you can’t copy a token on a shared ledger, only transfer it from one owner to another. Thus, if you can bind a token to a physical object, you can greatly reduce the cost of managing that object. Hence I was rather interested to read in that Vogue article that Louis Vuitton, Microsoft and ConsenSys have developed a platform called “Aura” to manage provenance to provide proof of origin and prevent counterfeits using a blockchain. The basic idea is to represent luxury goods as ERC-721 tokens on a private permissioned Quorum blockchain.

Obviously, I don’t have any details about how this will actually work, but LVMH seem to imply that at the time of purchase of one of their brands’ product, the customer can use the brand’s application to receive an “AURA certificate” containing all product information. I assume that if you sell your handbag (or whatever) to a charity shop, you can transfer the certificate to the charity shop’s application. Underlying all of this, there is the token on the blockchain moving from the retailer’s wallet, to your wallet, to the charity shop wallet.

If this works, and it’s simple and convenient for consumers, some sort of app presumably, it will generate an amazing amount of valuable data for brand owners. They will know exactly who has their stuff and how much of it they’ve got. If the app records “fails” as well, then they’ll also know who has the knock-offs too.
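To make the token-binding idea concrete, here is an added toy model (my own sketch, not Aura’s or LVMH’s code): a tag id is hashed into a unique token on an append-only, hash-chained ledger; the token is minted once, moved only by its current holder (retailer, then customer, then charity shop), checked on scan, and scans that fail are recorded as the “fails” mentioned above. Tag ids and wallet names are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Entry:
    token: str            # sha256 of the physical tag id: binds token to object
    owner: str            # wallet holding the token after this entry
    prev: Optional[str]   # previous owner, None when minted
    digest: str = ""      # hash chained over this entry and the one before it

class ProvenanceLedger:
    """Append-only ledger: one token per tag, moved by transfer, never copied."""
    def __init__(self) -> None:
        self.entries: List[Entry] = []
        self.owner: Dict[str, str] = {}
        self.failed_scans: List[str] = []   # tags whose scan check failed

    @staticmethod
    def token_for(tag_id: str) -> str:
        return hashlib.sha256(tag_id.encode()).hexdigest()

    def _append(self, e: Entry) -> None:
        prev_digest = self.entries[-1].digest if self.entries else ""
        e.digest = hashlib.sha256(
            f"{prev_digest}|{e.token}|{e.prev}|{e.owner}".encode()).hexdigest()
        self.entries.append(e)
        self.owner[e.token] = e.owner

    def mint(self, tag_id: str, retailer: str) -> str:
        t = self.token_for(tag_id)
        if t in self.owner:   # uniqueness: a second mint would be a duplicate
            raise ValueError("token already exists for this tag")
        self._append(Entry(t, retailer, None))
        return t

    def transfer(self, tag_id: str, frm: str, to: str) -> None:
        t = self.token_for(tag_id)
        if self.owner.get(t) != frm:   # only the current holder may move it
            raise PermissionError("caller does not hold this token")
        self._append(Entry(t, to, frm))

    def verify(self, tag_id: str, claimed_owner: str) -> bool:
        """Scan check: does the ledger say claimed_owner holds this tag's token?"""
        ok = self.owner.get(self.token_for(tag_id)) == claimed_owner
        if not ok:
            self.failed_scans.append(tag_id)   # the brand learns about knock-offs
        return ok

    def history(self, tag_id: str) -> List[str]:
        t = self.token_for(tag_id)
        return [e.owner for e in self.entries if e.token == t]
```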

Real fakes and fake fakes

My good friend Chris Skinner pointed me at a story about counterfeit art. The art in question, a “Picasso”, is apparently the work of a counterfeiter called David Henty. According to The Daily Telegraph, after being exposed as a forger a few years ago, “the publicity led to him being feted on television programmes and his copies – marked clearly as ‘Henty’s’ – now sell for £5,000 and upwards”. This reminded me of something I wrote a decade ago after a visit to Halifax, where I saw an interesting use case for RFID chips that were being bonded into the canvas used for painting. So here’s a picture of such a picture (and me).

(Image: RFID_Picture)

This caught my eye all those years ago and it’s worth showing it again, because it’s a fascinating case study of using RFID in the real/counterfeit problem space. It’s not just about what’s real and what’s fake. The picture I am looking at here was painted by John Myatt. If you don’t recognise the name… well, his story is introduced in The Daily Telegraph this way: “From talented chart-topping songwriter, to Brixton prison for being involved in ‘the biggest art fraud of the 20th century’, John Myatt’s incredible life is now the subject of a Hollywood movie and his artistic talent the focus of a major TV series”.

Interesting guy. Take a look at his “genuine fakes”.

The reason Mr Myatt can make a good living doing genuine fake art, as noted in the Financial Times, is his notoriety as a master forger, which resulted in a six-month prison sentence in 1995. The picture I am looking at has RFID tags bonded to it, but in this case the purpose of the tags is to prove not only that the picture is a fake, rather than real, but that it’s a John Myatt fake and not someone else’s fake. So, basically, the idea is to use a combination of primary and secondary identification technologies to connect product and provenance in such a way as to prove that the picture is a real fake, if you see what I mean. Great stuff.

So if we are going to use technology to create a new identity infrastructure that works for things as well as people, it must not only distinguish real from fake, but fake from fake!

Talking about real fakes, rather than fake fakes, I have an important one at home. I got it after reading about a donation of drawings to Yad Vashem, Israel’s holocaust memorial. The drawings are of the men who worked in the once-secret Nazi operation to produce fake money, a story told in the brilliant film “The Counterfeiters”, which won the 2007 Oscar for best foreign film. It is the true story of Operation Bernhard, which was the Nazi plan to devastate the British economy. The idea, conceived at the very start of the Second World War, was to drop the worthless banknotes over England, thus causing economic instability, inflation and recession. Remember, in 1939 the German people had very recent memory of worthless paper currency devastating the economy, as is well chronicled in Adam Fergusson’s book “When Money Dies”.

The film is based on a memoir written by Adolf Burger, a Jewish Slovak typographer who was imprisoned in 1942 for forging baptismal certificates to save Jews from deportation. The Nazis took Burger and more than a hundred other Jews from a variety of trades—printing, engraving and at least one convicted master counterfeiter, Salomon Smolianoff—and moved them from different death camps to a special unit: “Block 19” in Sachsenhausen concentration camp. There they set about forging first the British and then the American currency. In the end, the prisoners forged around Sterling 132 million, which is about four billion quid in today’s prices.

The Nazis were never able to put their plot into operation. At the end of the war, they packed up all the printers’ plates and counterfeit bills into crates which they dumped into Lake Toplitz in Austria, from which they were subsequently retrieved. Some of the counterfeit notes went to the purchase of war materiel for the nascent Israeli army, some went to collectors. I bought an authenticated Operation Bernhard counterfeit “white fiver” from a banknote collector and that is how I came to have a real fake on my wall at home.