Dean said:
Those who cannot afford a mobile are both unlikely to represent profitable customers ...
But you're proposing to make mobile phone ownership compulsory to participate in your digital ID scheme. I know plenty of "profitable customers" in middle Australia who don't have a mobile, or who only use their phone -- wait for it, wait for it -- to make calls. They would object strenuously to being forced by a bank let alone a government into such a scheme.
Clearly it is cheaper to provide the end user with a mobile than a government ID card, driver's license, passport, credit card, bank card, market-sellers permit etc, etc and all the required infrastructure of each. Something someone with an eye on the big picture would be acutely aware of.
This is nonsense.
I'm assuming from your past writings that the idea is to carry multiple virtual credentials on the phone. Nothing wrong with that per se (so long as the phone isn't the only medium available). But by far the greatest proportion of the expense of issuing credentials (licences, passports, bank cards) is the business process of establishing the person's bona fides. So the medium on which you then carry the credential is a tiny part of the issuing cost. Likewise, the great majority of the infrastructure cost associated with processing electronic credentials in action is related to backend systems at the respective service providers; these are constant whether the credential is carried on a phone or a card. Buying someone a phone will be significantly more expensive than issuing them plastic cards, even smartcards, even one smartcard for every credential.
Stephen Wilson, Lockstep.
04 Feb 2010 02:14 Read comment
It's a really serious error to imagine fingerprint readers being integrated with a smartphone touch screen, as shown in the video. One leaves one's fingerprints all over the screen as a matter of course. Using fingerprint biometrics on a portable device is exactly as bad as writing the PIN on the back of your credit card.
03 Feb 2010 23:20 Read comment
Steven Murdoch and Ross Anderson raise many good points, including the phishability of 3D Secure, and the way it will train people to stray from standard security advice.
One quibble: I wouldn't call 3D Secure a "Single Sign On" system. If I have two Visa cards from different issuers, then my 3D Secure experiences will not interoperate, and will look and feel quite different, because as the authors point out, the real time authentication mechanism is left to the choice of the issuer.
They're right of course that economics trumps security in this exercise. Yet there's still a stark architectural question that begs answering in all this. What really necessitated such a radical change to the decades old Four Party card settlement model?
An important feature of the Four Party model is that it means customers’ transactions are distanced from the issuer; as the authors say, this is good for customer privacy. It’s also architecturally elegant for payment information to flow between cardholder and merchant in real time, and between acquiring bank and issuing bank in batch time.
In contrast, 3D Secure joins the cardholder to their issuer in real time, to effect the authentication step. This forces unusual and inconsistent behaviour onto the user, creates bottlenecks, and probably creates new vulnerabilities due to the sheer complexity and novelty.
K.I.S.S.!
29 Jan 2010 03:00 Read comment
Michael makes some really good points about the duopoly and the motivations for the credit card companies to act. The standardisation dynamic has shifted with de-mutualisation.
I agree that the problem is not just technical. But it has to be said that the technical aspects of the CNP fraud problem are not so great that they necessitate a wholesale change in online payments with regard to the user's experience, the architecture, the four party model, and merchant liability.
To my mind, the four party model is still perfectly fine. The technical problem lies at one precise point in the process: merchants are vulnerable to replayed cardholder details, because today they cannot tell stolen ones and zeros from the real thing. That problem can be solved directly and robustly by asymmetric cryptography (applying the same techniques at the web browser as are applied at EMV terminals; the cryptographic building blocks are all standard now).
29 Jan 2010 01:59 Read comment
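The replay problem described in the comment above, as an added example that is not part of the original comment: a merchant that accepts only a card signature over its own fresh nonce rejects a captured payment when it is presented again. Ed25519 stands in for the RSA signatures used at EMV terminals, and all names (`issueCard`, `signPayment`, `Merchant`, `shop.example`) and the card number are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Canonical byte string that both cardholder and merchant sign/verify.
const encode = (pan, merchant, amount, nonce) =>
  Buffer.from(JSON.stringify([pan, merchant, amount, nonce]));

// Issuer side: the private key would live in a chip or secure element.
function issueCard(pan) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { pan, publicKey, privateKey };
}

// Cardholder side: sign this order's details, including the merchant's nonce.
function signPayment(card, order) {
  const msg = encode(card.pan, order.merchant, order.amount, order.nonce);
  return { pan: card.pan, nonce: order.nonce,
           signature: nodeCrypto.sign(null, msg, card.privateKey) };
}

class Merchant {
  constructor(name, cardKeys) {
    this.name = name;
    this.cardKeys = cardKeys; // pan -> public key (assumed delivered via an issuer certificate)
    this.open = new Map();    // nonce -> amount for orders awaiting payment
  }
  newOrder(amount) {
    const nonce = nodeCrypto.randomBytes(16).toString('hex');
    this.open.set(nonce, amount);
    return { merchant: this.name, amount, nonce };
  }
  accept({ pan, nonce, signature }) {
    const key = this.cardKeys.get(pan);
    if (!key) return 'rejected: unknown card';
    if (!this.open.has(nonce)) return 'rejected: nonce not open (replay)';
    // Rebuild the message from the merchant's own record, not from the payment.
    const msg = encode(pan, this.name, this.open.get(nonce), nonce);
    if (!nodeCrypto.verify(null, msg, key, signature)) return 'rejected: bad signature';
    this.open.delete(nonce);  // each nonce is single-use
    return 'accepted';
  }
}

function demo() {
  const card = issueCard('4000000000000002'); // constructed test number
  const shop = new Merchant('shop.example', new Map([[card.pan, card.publicKey]]));
  const payment = signPayment(card, shop.newOrder(4200));
  const first = shop.accept(payment);
  const replay = shop.accept(payment);        // same bytes presented again
  const spliced = shop.accept({ ...payment, nonce: shop.newOrder(4200).nonce });
  return { first, replay, spliced };          // old signature on a new order fails
}
```

The card number alone is worthless to whoever captures it here: without the private key, neither the replayed payment nor the old signature attached to a fresh order verifies.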
"Stand the test of time"? First Dean's solution needs to stand the test of public scrutiny.
29 Jan 2010 01:48 Read comment
Thanks Rob.
Re body scanners, you say: "Nothing works 100%. Maybe body scanners 1.0 don't work that great. In 5 years maybe they will. Technology gets better."
You might be right (and I sincerely hope you are; I am all for improved airport scanning). But if scanners today "don't work that great", then I think it's incumbent on you to be more cautious about their potential adverse effects. The way you used body scanners to condemn privacy advocates seemed to be based on a presumption that the technology today is working perfectly.
My point was that going back at least 10-15 years, we have become a culture that lives in the fishbowl, a far from embryonic 300-400 million Facebookers are content with it. And when people scream they want privacy, but give up all their data to get a 10% discount at a shoe store, they contradict themselves, show their ignorance, then vote privacy and make the job of the security professional difficult ...
Well I think you're exaggerating a bit that people will "give up all their data" for that discount; many shoppers are more canny than that, and will consciously manage the stories they tell retailers about themselves. Also, Facebook users are not all "content". Many of them get pretty shirty when the organisation exploits their information.
Having said that, I do agree that people are all over the place. As Daniel Solove wrote, "Privacy is a concept in disarray. Nobody can articulate what it means". Not that privacy is dead mind you.
So I have three observations to offer on the above paragraph. First, it's still early days isn't it? A lot more research needs to be done before we know what the Facebook experience means for social policy. 300-400 million looks like a big number, but what does it really mean? Is this cohort representative of society at large?
Second, if we're living in a fish bowl, then it is not entirely by choice. Generally speaking, nobody has asked for their number plates to be logged, for Google to publish photos of their houses and street numbers (together with their cars and boats), for their bus tickets to be linked to their credit cards, or for their different financial data streams to all be joined up. The idea that consenting Facebook users care less about privacy (even if it's true) is totally separate from the rise of surreptitious and un-consented surveillance.
And third, a lot of this points to the rich complexity of the human condition! People are contradictory. I would agree that the majority of Internet users probably don't have much of a clue about what's going on under the covers, but my response is that they need better protection, including protection from themselves.
25 Jan 2010 06:24 Read comment
If I may, I'd like to keep debating the substantive issues in what was held up to be a 'well thought' blog post. These are important issues, I'm sure all would agree.
"Forget privacy, think security" Rob loudly proclaimed before going gleefully to the latest poster-child for the privacy-is-dead movement: full body scanners.
... people are freaking about full body scanners at the airports and the privacy issues involved. This isn’t a privacy issue, it’s a security issue. If you have to show a black and white image of your bum bum to avoid the plane from being blown up, so be it. Otherwise don’t fly.
But if we run with scanners as a security issue, we don't get very far. In a recent exercise in Germany, a scanner failed to detect explosives secreted on a subject's body. Bruce Schneier's conclusion: "Full-body scanners: they're not just a dumb idea, they don't actually work".
And so it seems privacy really is the issue after all. The example of the full body scanner was used as a Trojan Horse to deliberately polarise the debate, to make privacy advocates appear as though they have their priorities wrong.
These privacy-vs-security strawmen arguments turn out to be pointless when the security doesn't actually work. National security advocates do have a point that privacy should not trump safety, but nobody ever said it should. What privacy advocates call for is genuine risk analysis, and a skeptical, less trigger-happy approach to each new gadget.
I say security theatre should not be allowed to automatically trump human rights.
24 Jan 2010 00:34 Read comment
And that's not just propaganda, but it's astonishingly contemptuous to boot. Who are you to refer to people as "cattle"?
Do you seriously think that three years of Facebook plus another five years for your prediction is enough time to adjudge the death of privacy, one of the pillars of civilisation? Or is it just self-evident that temporary inhibition on the part of selected exuberant twenty-somethings (lubricated by the sheer fun of online social networking) equates to the rest of society changing their deep values?
Maybe you're right, in which case I expect to see on the Internet in 2016 the vote you cast in the Presidential Election, your salary, your census form, all your medical records, and the odd picture of you snapped through the bedroom window by the Google Streetview camera when you forgot to shut the curtains.
Seriously, to brand privacy as an "illusion" while putting the still embryonic Facebook experience on a social policy pedestal, is a fantastic double standard.
22 Jan 2010 00:06 Read comment
Rob, come off it. I do write lots of posts, and lots and lots of papers, mostly optimistic, mostly constructive (especially in respect of the possibility of having privacy and security at the same time).
I don't usually slam others, in fact I let most of your own posts "go through to the keeper" as we say in the cricketing world.
I did slam your post and really, you should not be surprised. Surely you set out to provoke people by caricaturing privacy proponents? You talk about 'screaming privacy advocates'. You state baldly that "privacy is in-fact dead and an illusion". I'm very happy to debate real issues. Like whether or not full body scanners will be effective (Bruce Schneier as usual is strong and careful on this topic). But your advocacy of body scanners perversely opens, not with a security analysis, but with ambit claims that privacy is dead.
Your privacy analysis is naive, so much so that it seems to be ideologically driven. Your assertion that "If you want to participate in society you have no choice but to give up your privacy" flies in the face of decades of law making in the USA. Your statement that your "social Security number ... IS your National ID" is technically wrong. There are laws that try to stop the SSN being a national ID. Sure the laws don't work all that well, but the way you energetically capitalise "IS your national ID" is polemic, isn't it? You're clearly playing the role of advocate, urging us to get over a lack of privacy, rather than maybe strengthen the law.
You don't give credit to the subtlety and complexity of these issues. This is a classic furphy: "If you kill someone then drive down the highway, your chances of getting caught increase because your license plate is recorded through the toll. This is a good trade off for the family of the victim." But that's just a bit selective. A counter example is the ability for wrongdoers to track their victims by raiding honey pots like traffic data. In Australia there are cases of serious crimes (in one case murder) being facilitated by database administrators looking up the home address of ex-girlfriends.
You can't just go and automatically log everyone's movements because now and then some extra data has been useful to the police. Rather than anecdotes, let's see a threat analysis that shows the real benefits of e.g. recording all number plates on motorways, and an analysis that fairly looks at the likely evasive responses of your intended targets. Like, maybe your fleeing murderer will think of using the backroads?
Privacy 101 holds that personal information should not be collected without a reason. Blithely ignoring this principle as you appear to, sets up just as many dangerous scenarios as good ones.
21 Jan 2010 21:14 Read comment
Sorry Robert, I don't buy it. You say you're not selling something, but you align yourself with the chief of Sun and the founder of Facebook, and then feed us a cute sound grab that provocatively polarises security and privacy. Don't you have time to look at the nuance? If not, why not?
McNealy and Zuckerberg are clearly selling something! Anyone who cites Zuckerberg as an authority on privacy has been zucked in. Are we to all re-calibrate our privacy expectations in line with Tila Tequila? Isn't the social networking phenomenon just a little bit too new to stand the test as a new "social norm"? The Facebook population is dominated by the young, who tend to be risk takers. We don't let 21 year old males set road safety policy, and we shouldn't let them set privacy policy either.
21 Jan 2010 19:04 Read comment