If you don’t like their money, you can start your own. If the identity and authentication infrastructure is in place, it will be easy. Focusing on money, then, I think I can say that the impact of the new identity will be profound: so profound, in fact, that identity will be the new money.
Implications
So I argue here that identity becomes the key to transactions and a crucial individual resource that needs to be looked after by responsible organizations. We all need to start planning for the transition to identity-based transactions.
There is the social impact to be considered. We need to find a way for the infrastructure to deliver privacy and security to individuals and organizations. There should be no further discussion of the ‘balancing’ of privacy and security as if there is an unavoidable trade-off between them. We need both.
The business impact will be, inevitably, creative destruction at the heart of capitalism. New businesses, and new business models, will spring up to use the new technology and the new social graph.
Finally, the technological impact will shape the trajectory of new products and services. If there is some form of utility identity infrastructure that, as I hope, delivers both privacy and security to people, devices and organizations, then it should be standardized and accessible for open, transparent and non-discriminatory use.
This book ends by considering these impacts, and making three practical and positive suggestions for policymakers.
Chapter 2
Identity is broken
I am not made like any of those I have seen. I venture to believe that I am not made like any of those who are in existence. If I am not better, at least I am different.
Jean Jacques Rousseau (1712–78)
A letter in the Daily Telegraph’s ‘Money’ section (2 October 2009) sprang out at me because it exemplified the problem of identity in modern life. The letter came from someone who had tried to open a bank account with HSBC, but who didn’t have a current passport or driving licence. She wrote: ‘When I explained this at a branch, it was suggested that I ask the police station for proof of identity.’ She dutifully went to the local constabulary, who told her that they had never heard of such a thing unless she had a criminal record. Thinking it seemed odd that you can only have a bank account if you have a criminal record, she returned to the branch to be shown a list of documents that the bank would consider acceptable for the purposes of account opening, and this time they suggested a letter from Her Majesty’s Revenue & Customs (HMRC). She reports ‘I duly went to the local tax office, where the assistant said she wished banks would stop sending people there... they would not waste public money providing such letters for banks.’
The letter goes on to list the documents that she had presented and had had rejected by the bank: an out-of-date passport, a birth certificate, a current payslip from an employer (the local council, for which she had worked for more than two decades), a work ID card (complete with microchip), utility bills, statements from another bank, house deeds and a voting card. Any one of these would have got you a job with the bank, but not, it seems, an account.
In a way, oddly, banks don’t really care about your identity. They care about the credit history of whatever persistent persona you present to them. They are complying with stringent ‘know your customer’ (KYC) regulations. These have nothing to do with any real identity security. At the moment, if you come and open an account with, say, a North Korean passport, the bank cannot possibly know whether it is a genuine passport or not, but it doesn’t matter, since the obligation on them is simply to keep a copy of it. If they do this, and the passport subsequently turns out to be false, it’s not their problem.
On a practical, prosaic, day-to-day basis, identity is broken and we need a new model.
Police dog
Identity has been broken since the earliest days of the online world. Remember that old cartoon, ‘On the Internet, no one knows you’re a dog,’ from the New Yorker in 1993? When I first started going to Internet conferences, this was in every presentation, including mine, but I was using it make a different point, which was that although in cyberspace, no one knows you’re a dog, no one knows you’re with the Federal Bureau of Investigation (FBI) either. Come to that, no one knows whether you’re a real person or a police-controlled software agent, cruising the Net looking to ensnare miscreants in dirty deals! I said this many years before reading that this is exactly what law enforcement agencies were doing, going undercover with false online profiles to communicate with suspects and gather private information, according to an internal Justice Department document.13 I’m not being critical: I want the police to use the Internet to catch the bad guys.
The point is to flag up that the legitimate interests of law enforcement must be taken into account when we begin to think about how identity should work. This task is actually quite difficult, because the way that identity works in the virtual world is not an analogue of the mundane world.
Multiple personalities
When it comes to the virtual world, multiple personalities are both real and actually desirable. Using different ‘personae’ across different types of transactions will become natural to us. Just as you use a different email address for work and personal messages, you will use a different identity in work and personal situations. This is a good thing; having only one identity that you have to use in all situations is not.
Travellers to Iran are forced by police at Tehran airport to log in to their Facebook accounts. Their passports are confiscated if they have posted criticism of the regime, which makes me wonder why everyone doesn’t take the precaution of creating a dummy Facebook account in their real name. (I’m going to make one and post a paean to Iran’s spiritual leaders just in case I am ever detained by Revolutionary Guards and forced to log in.) But will this be enough? Remember what happened to the British film-maker David Bond when he made his noted documentary Erasing David about trying to disappear? The private detectives that he had hired to try and find him simply went through Facebook. They pretended to be him and set up a new page, using the alias Phileas Fogg. Then they sent messages to his friends, suggesting that this was a way to keep in touch now that he was on the run. Most of the friends got in contact.
So even if you are careful, your friends will blab. There’s no technological way around this: so long as someone knows which alias is connected to which real identity, the link may be uncovered. Probably the best we can do is to make sure the link is held by someone who will not open the box to anyone without a warrant. More on this in Chapter 3.
Progress?
The UK government has forced the banks to spend almost a billion pounds on the Current Account Switching System (CASS), reducing the time taken to switch bank accounts from three weeks to one. Yet if I, as a Barclays customer for nearly four decades, decide to go and open an account with Nationwide, I will still have to produce a physical copy of my gas bill and a passport, and they will still have to make photocopies to store. Why can’t I just use my very secure Barclays online banking login to log in to Nationwide and open an account? Surely Nationwide trusts Barclays – doesn’t it?
We have radio waves and transistors and a nuclear-powered robot trundling around on Mars but we don’t have a working identity infrastructure. But before we can say what this infrastructure should be, we need to determine the identity paradigm (in the correct sense of the word: a model of identity) and then develop a narrative around it. John Clippinger writes about the power of identity narratives,14 and I agree strongly, but we currently lack shared narratives in this area. We need stories to help people understand how identity should work, just as the story of Star Trek helped us to understand how communications should work.
Anglo-Saxon