[Dave Birch] Over at the London “Internet Identity Day”, there was a fleeting discussion that I thought deserved more reflection. It was about the extent to which secure e-mail or secure document transfer is a driving application for digital identity. I’d been thinking about it a couple of weeks ago because Cory Doctorow’s review of Tom Watson’s book on the Murdoch “hacking” scandal touched on an aspect of the story that has been bothering me.
But what on Earth are all these rich and powerful people doing sending unencrypted emails? Why do ministers of the government use voicemail servers operated by big, dumb phone companies like Vodafone, instead of privately maintained Asterisk instances run by Parliament’s IT department… How is it that lawyers and clients send cleartext documents to one another, and how is it that ministers and civil servants keep the nation’s most important information on unencrypted hard drives?
I saw a similar comment in a newspaper discussion (apologies for not remembering where) about the Barclays rate-fixing scandal. A reader wondered why any bank would employ traders stupid enough to commit a conspiracy to e-mail and instant messaging logs that they knew were being monitored, unless they were a) genuinely unaware that what they were doing was wrong or b) idiots who didn’t understand how the interweb tubes work. Surely, you would think, if you were a clever trader who wanted to conspire with peers you would devise some sort of code that didn’t look like a code, a bit like the British fishermen in the cod wars.
From 1928, the British trawlers were equipped with radio and started passing coded messages between themselves to alert each other when Coast Guard vessels were in and out of harbour. “Grandmother is well” meant that the Coast Guard were in port, for example. In an early example of governments attempting to legislate new technology, the plucky Icelanders made it illegal to send coded wireless messages. This had no impact whatsoever, of course: British seafood companies simply devised new code systems for the trawlers to use. Think about it: how on Earth would an Icelandic wireless operator know whether “Tottenham Hotspur are the pride of North London” was a coded message or gibberish?
[From Digital Identity: Codpiece]
Why didn’t they use secure messaging anyway, just in case rival traders were peeking at their stuff? I may know. A while back, one of Consult Hyperion’s financial services customers was working on a project that they wanted to keep under wraps, so they asked us (along with some of the other suppliers) to encrypt and sign all project documentation. So we all went over to using S/MIME. It took, as I recall, a few days of constant messing about to get the right certificates distributed and installed in Outlook, then we were good to go. It lasted about a day before the customer’s IT department asked us to turn off encryption, because the spam filters at their end were escrowing all encrypted messages because they thought they might be viruses, or something like that. So we turned off encryption and went with signing only. This lasted about a day more, then we were asked to turn that off too because it didn’t work properly with the corporate e-mail gateway. So we went back to what we were doing before, which was putting documents into passworded zip files.
OK, so perhaps I do understand why Ministers of the Crown are sending plaintext. Hardly satisfactory, and not only because agents of foreign powers might have access to the Right Honourable Member for News International’s e-mails. With no identity infrastructure, and therefore no workable encryption infrastructure on top of it, there’s nothing that can be done about this. But with a working identity infrastructure, as was pointed out at ID Day, this becomes a straightforward problem to solve: you encrypt e-mails to a decryption key that is backed up and made available to law enforcement after due process, and you sign e-mails with a separate private key that is kept in tamper-resistant hardware and never disclosed, so that whoever holds the escrowed decryption key can read your mail but cannot forge your signature. If hackers, journalists or the council get into your e-mail, it’s all encrypted and they can’t read it. End of. It’s not rocket science. I’m not saying that technology can completely override traders. For example, we’ve all pressed “reply to all” by mistake and sent messages to people who weren’t supposed to see them.
A banker at UBS has allegedly cost the Swiss bank an estimated $10m (£6.2m) in fees after he sent an email detailing General Motors’ upcoming flotation to more than 100 people.
But what is the demand for secure e-mail, secure messaging and secure storage? After all, secure e-mail has been around in principle from the earliest days of the interweb and still no-one uses it. The idea of the “digital post office” comes round from time to time to build on this.
Australia Post has announced it will create a “Digital MailBox” for every Australian, as of April 2012.
Perhaps the time is right, but I can’t help observing that a great many such initiatives have come and gone. I just don’t think that this sort of thing will be the “killer app” for identity infrastructure. People say they care about security but they send e-mails in plain text, conduct criminal conspiracies on instant messaging and leave files on password “protected” cloud stores. I think we should look elsewhere, at areas where identity security is a real problem. Reid Hoffman made a good point about this in Forbes a while back.
Validated check-ins and reviews: One potential downside of most consumer review sites is that published opinions are dominated by a small, vocal minority. There’s value in getting a broader sampling of people to share their views. A growing percentage of reviews on sites like Yelp and check-ins on sites like Foursquare will over time be tied to actual transaction activity. When you and your friends buy, you’ll be asked via email or text message if you’d like to check-in or provide a review. As a result, more customers will provide feedback and recommendations, and the information they provide will be better validated, in connection with actual transaction activity. A review or check-in will carry additional weight when it’s been validated.
As I have long advocated, linking reviews to wallets is a good idea but it needs a bit of special sauce to ensure honesty: pseudonymity. When you pay your hotel bill, your wallet sends a blinded token to the hotel, which signs it and returns it. Your wallet unblinds the signature. When you log in to Trip Advisor, or whatever, you can send the token and its signature to them. The signature proves that the hotel signed something at check-out, but the hotel never saw the unblinded token, so it cannot match the review back to the guest: the two are mathematically unlinkable. Trip Advisor, the hotel and the other readers can know for sure that you stayed in the hotel, but your Trip Advisor account can remain anonymous. The review site does have to remember which tokens it has already accepted, so that one stay buys one review rather than a hundred. It’s a win-win-win and would put code into wallets that would give us all of the other security we want (e.g., secure messaging) as a byproduct.
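To make the exchange concrete, here is an added example of the blinded “proof of stay” token described above. It is not code from the original post or from any wallet product; it assumes textbook RSA blind signatures (Chaum) over a full-domain hash, a toy RSA key generated at run time, SHA-256 as the hash, and a review site that keeps a list of spent tokens (that replay check is the editor’s addition). The hotel, wallet and review-site roles, the `run_demo` driver and the key sizes are all illustrative assumptions.

```python
"""Blind-signature proof-of-stay token for validated, pseudonymous reviews.

Added example, not the original post's code. Assumes textbook RSA blind
signatures (Chaum) over a full-domain hash with a toy key generated here;
not production parameters.
"""
import hashlib
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test (trial division first)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if is_probable_prime(cand):
            return cand

def gen_keypair(bits: int = 1024):
    """Hotel's RSA key: (n, e) is published, d never leaves the hotel."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1 and n.bit_length() == bits:
            return (n, e), pow(e, -1, phi)

def hash_to_group(msg: bytes, n: int) -> int:
    """Full-domain-style hash of msg into Z_n: SHA-256 expanded by a counter."""
    out, ctr = b"", 0
    while len(out) * 8 < n.bit_length() + 64:
        out += hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        ctr += 1
    return int.from_bytes(out, "big") % n

class Wallet:
    """Guest's wallet: picks a secret token, blinds it, later unblinds the signature."""
    def __init__(self, hotel_pub):
        self.n, self.e = hotel_pub
        self.token = secrets.token_bytes(32)  # random serial; the hotel never sees it
        self.r = 1

    def blind(self) -> int:
        m = hash_to_group(self.token, self.n)
        while True:
            self.r = secrets.randbelow(self.n - 2) + 2
            if math.gcd(self.r, self.n) == 1:
                break
        return (m * pow(self.r, self.e, self.n)) % self.n  # m * r^e mod n

    def unblind(self, blinded_sig: int):
        # (m * r^e)^d = m^d * r, so dividing by r leaves the plain signature m^d
        return self.token, (blinded_sig * pow(self.r, -1, self.n)) % self.n

def hotel_sign(priv_d: int, n: int, blinded: int) -> int:
    """Hotel signs at check-out without learning the token behind the blinded value."""
    return pow(blinded, priv_d, n)

class ReviewSite:
    """Checks the hotel's signature and enforces one review per token."""
    def __init__(self, hotel_pub):
        self.n, self.e = hotel_pub
        self.spent = set()

    def verify(self, token: bytes, sig: int) -> bool:
        if pow(sig, self.e, self.n) != hash_to_group(token, self.n):
            return False  # not signed by the hotel
        if token in self.spent:
            return False  # replay: one stay, one review
        self.spent.add(token)
        return True

def run_demo(bits: int = 1024) -> dict:
    """Full exchange: wallet -> hotel -> wallet -> review site, plus replay and forgery."""
    hotel_pub, hotel_d = gen_keypair(bits)
    wallet, site = Wallet(hotel_pub), ReviewSite(hotel_pub)
    blinded = wallet.blind()
    token, sig = wallet.unblind(hotel_sign(hotel_d, hotel_pub[0], blinded))
    return {
        "hotel_saw_token": blinded == hash_to_group(token, hotel_pub[0]),
        "first_review_ok": site.verify(token, sig),
        "replay_ok": site.verify(token, sig),
        "forged_ok": site.verify(secrets.token_bytes(32), sig),
    }
```

The point the code makes that the prose cannot: what the hotel signs (`blinded`) bears no computable relation to the token and signature the review site later receives, yet the site verifies the same hotel public key. The two things a practitioner has to add around the maths are the spent-token list (otherwise one stay is unlimited reviews) and a hotel key that really does mean “this person stayed here”, for instance one key per property rotated per season so tokens cannot be stockpiled.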
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.