Token ring – a digital ID solution

The latest event organized by DIG ID (the Melbourne Digital Identity Meetup) featured a Q&A with Steve Shapiro, CTO of Token, moderated by Alan Tsen, General Manager of Stone & Chalk Melbourne. Given the current level of interest in solutions to address online fraud, ID theft, data protection, privacy and personal security, the discussion covered a lot of conceptual and technical topics in a short space of time, so here are some of the key points.

First off, Steve spoke about his start-up and tech journey, that took him from IM (Digsby, Tagged, Bloomberg IB), to cryptocurrency and digital wallets (Case), to digital ID with the Token ring. The pivot towards an ID solution came about after working on Case, where he realized that most consumers don’t understand private key management and the issue of permanence (as compared to the internet, where password re-sets are relatively easy, and often regularly enforced upon users).

If the goal is to provide fool-proof but highly secure end-user authentication, the solution has to focus on the “signing device”, by making it much easier than the status quo. Hence the combination of two-factor authentication (2FA) and bio-metrics to enable Token ring users to live key-less, card-less and cashless, and without having to constantly remember and update passwords. In short, the Token ring works with anything contactless, as long as the relevant permission/authentication protocol layer (challenge and response process) is compatible with the ring’s circuitry.

In assessing the downside risk, gaining consumer adoption is critical, to ensure that users see the benefits of the convenience combined with the credentialing power. Equally, success will depend on the ability to scale as a hardware manufacturer, and the potential to drive traction through virality.

There is still a lot of design work to do on the hardware itself (to enable assembly, customization and distribution as locally as possible). And the platform needs to bring on more partner protocols, especially in key verticals. At the end of the day, this is still a Blockchain solution, with a UX layer for the cryptographic component.

When asked about the future of ID, Steve felt that in the medium term, consumers will no longer have to carry around multiple cards or have to remember multiple passwords. Longer term, governments will no longer be the central authority on managing ID: unlike today, a driver’s license will no longer be the gold standard – instead, solutions will be based on decentralized, contextualized and user-defined ID.

This led to a discussion about Sovereign IDe-government and digital citizenship (e.g., Dubai and Estonia) – and the break up of big government in favour of more city-states. (Which could result either in a “small is beautiful” approach to self-governing and sustainable communities, or a dystopian nightmare of human geo-blocking, as in a film like “Code 46”).

For the tech buffs, the Token ring’s IC hosts a total of 84 components, including the main secure element (as with mobile phones and other devices), finger print reader, optical scan, Bluetooth, NFC, accelerometer, MCU, Custom inductive charging etc.

Finally, there was a discussion about the risk of cloning, mimicking or breaching the unique and secure ID attributes embedded in each Token ring. While it is possible for users to encrypt other knowledge components as part of their individual access verification and authentication (e.g., hand gestures), there is still a need to rely upon trusted manufacturers not to corrupt or compromise the secure layer. And while the public keys to core protocols (such as credit cards and swipe cards) are maintained by the protocol owners themselves and not stored on the device or on Token’s servers, it will be possible for other third parties to on-board their own protocols via a SDK.

Next week: Startup Vic’s EdTech Pitch Night

 

 

Personal data and digital identity – whose ID is it anyway?

In an earlier blog on privacy in the era of Big Data and Social Media, I explored how our “analog identities” are increasingly embedded in our digital profiles. In particular, the boundaries between personal/private information and public/open data are becoming so blurred that we risk losing sight of what individual, legal and commercial rights we have to protect or exploit our own identity. No wonder that there is so much interest in what blockchain solutions, cyber-security tools and distributed ledger technology can do to establish, manage and protect our digital ID – and to re-balance the near-Faustian pact that the illusion of “free” social media has created.

Exchanging Keys in “Ghostbusters” (“I am Vinz Clortho the Keymaster of Gozer”)

It’s over 20 years since “The Net” was released, and more than 30 since the original “Ghostbusters” film came out. Why do I mention these movies? First, they both pre-date the ubiquity of the internet, so it’s interesting to look back on earlier, pre-social media times. Second, they both reference a “Gatekeeper” – the former in relation to some cyber-security software being hijacked by the mysterious Praetorian organisation; the latter in relation to the “Keymaster”, the physical embodiment or host of the key to unleash the wrath of Gozer upon the Earth. Finally, they both provide a glimpse of what a totally connected world might look like – welcome to the Internet of Things!

Cultural references aside, the use of private and public keys, digital wallets and payment gateways to transact with digital currencies underpins the use of Bitcoin and other alt coins. In addition, blockchain solutions and cyber-security technologies are being deployed to streamline and to secure the transfer of data across both peer-to-peer/decentralised networks, and public/private, permissioned/permissionless blockchain and distributed ledger platforms. Sectors such as banking and finance, government services, the health industry, insurance and supply chain management are all developing proofs of concept to remove friction but increase security throughout their operations.

One of the (false) expectations that social media has created is that by giving away our own personal data and by sharing our own content, we will get something in return – namely, a “free” Facebook account or “free” access to Google’s search engine etc. What happens, of course, is that these tech companies sell advertising and other services by leveraging our use of and engagement with their platforms. As mere users we have few if any rights to decide how our data is being used, or what third-party content we will be subjected to. That might seem OK, in return for “free” social media, but none of the huge advertising revenues are directly shared with us as ordinary end consumers.

But just as Google and Facebook are facing demands to pay for news content, some tech companies are now trying to democratise our relationships with social media, mobile content and financial services, by giving end users financial and other benefits in return for sharing their data and/or being willing to give selected advertisers and content owners access to their personal screens.

Before looking at some interesting examples of these new businesses, here’s an anecdote based on my recent experience:

I had to contact Facebook to ask them to take down my late father’s account. Despite sending Facebook a scanned copy of the order of service from my father’s funeral, and references to two newspaper articles, Facebook insisted on seeing a copy of my father’s death certificate.

Facebook assumes that only close relatives or authorised representatives would have access to the certificate, but in theory anyone can order a copy of a death certificate from the UK’s General Register Office. Further, the copy of the certificate clearly states that “WARNING: A CERTIFICATE IS NOT EVIDENCE OF IDENTITY”. Yet, it appears that Facebook was asking to see the certificate as a way of establishing my own identity.

(Side note: A few years ago, I was doing some work for the publishers of Who’s Who Australia, which is a leading source of biographical data on people prominent in public life – politics, business, the arts, academia, etc. In talking to prospective clients, especially those who have to maintain their own directories of members and alumni, it was clear that “deceased persons” data can be very valuable to keep their records up to date. It can also be helpful in preventing fraud and other deception. Perhaps Facebook needs to think about its role as a “document of record”?)

So, what are some of the new tech businesses that are helping consumers to take control of their own personal data, and to derive some direct benefit from sharing their personal profile and/or their screen time:

  1. Unlockd: this Australian software company enables customers to earn rewards by allowing advertisers and content owners “access” to their mobile device (such as streaming videos from MTV).
  2. SPHRE: this international blockchain company is building digital platforms (such as Air) that will empower consumers to create and manage their own digital ID, then be rewarded for using this ID for online and mobile transactions.
  3. Secco: this UK-based challenger bank is part of a trend for reputation-based solutions (e.g., personal credit scores based on your social media standing), that uses Aura tokens as a form of peer-to-peer or barter currency, within a “social-economic community”.

Linked to these initiatives are increased concerns about identity theft, cyber-security and safety, online trust, digital certification and verification, and user confidence. Anything that places more power and control in the hands of end users as to how, when and by whom their personal data can be used has to be welcome.

Declaration of interest: through my work at Brave New Coin, a FinTech startup active in blockchain and digital assets, I am part of the team working with SPHRE and the Air project. However, all comments here are my own.

Next week: Investor pitch night at the London Startup Leadership Program

Personal vs Public: Rethinking Privacy

An incident I recently witnessed in my neighbourhood has caused to me to rethink how we should be defining “privacy”. Data protection is one thing, but when our privacy can be compromised via the direct connection between the digital and analog worlds, all the cyber security in the world doesn’t protect us against unwanted nuisance, intrusion or even invasion of our personal space.

Pressefotografen mit KamerasScenario

As I was walking along the street, I saw another pedestrian stop outside a house, and from the pavement, use her smart phone to take a photograph through the open bedroom window. Regardless of who was inside, and irrespective of what they were doing (assuming nothing illegal was occurring), I would consider this to be an invasion of privacy.

For example, it would be very easy to share the picture via social media, along with date and location data. From there, it could be possible to search land registries and other public records to ascertain the identity of the owners and/or occupants. And with a little more effort, you might have enough information to stalk or even cyber-bully them.

Privacy Law

Photographing people on private property (e.g., in their home) from public property (e.g., on the street outside) is not an offence, although photographers must not cause a nuisance nor interfere with the occupants’ right of quiet enjoyment. Our current privacy laws largely exclude this breach of privacy (unless it relates to disclosure of personal data by a regulated entity). Even rules about the use of drones are driven by safety rather than privacy concerns.

Since the late 1990’s, and the advent of spam and internet hacking, there have been court decisions that update the law of trespass to include what could be defined as “digital trespass”, although some judges have since tried to limit such actions to instances where actual harm or damage has been inflicted on the plaintiff. (Interestingly, in Australia, an act of trespass does not have to be “intentional”, merely “negligent”.)

Apart from economic and financial loss that can arise from internet fraud and identity theft, invasion of privacy via public disclosure of personal data could lead to personal embarrassment, damage to reputation or even ostracism. (In legal terms emotional stress falls within “pain and suffering”).

Data Protection Law

The Australian Privacy Principles contained within the 1988 Privacy Act apply to government agencies, private companies with annual turnover of $3m or more, and any organisations trading in personal data, dealing with credit information or providing health services. There are specific provisions relating to the use and misuse of government-derived identifiers such as medical records and tax file numbers.

The main purpose of the privacy legislation is to protect “sensitive” information, and to prevent such data being used unlawfully to identify specific individuals. At a minimum, this means keeping personal data such as dates of birth, financial records or hospital files in a secure format.

Some Practical Definitions

The following are not legal definitions, but hopefully offer a practical framework to understand how we might categorise such data, and manage our obligations towards it:

“Confidential”

Secret information that must not be disclosed to anyone unless there is a legal obligation or permission to do so. (There are also specific issues and exceptions relating to “classified information”, public interest matters, whistleblower protection and Freedom of Information requests.)

“Private”

Information which is not for public or general consumption, although the data itself may not be “confidential”. May still be subject to legal protection or rights, such as the right of adopted children to discover the identity of their birth parents, or the right of someone not to be identified as a lottery winner.

“Personal”

Data that relates to, or can specifically identify a particular individual. An increasing issue for Big Data, because data that otherwise resides in separate locations can now be re-connected using triangulation techniques – scrape enough websites and drill down into enough databases, and you could probably find my shoe size.

“Public”

Anything that has been published, or easily discoverable through open search or public database retrieval (but, for example, does not include my past transactions on eBay unless I have chosen to disclose them to other users). My date of birth may be a matter of record, but unless you have authorised access to the relevant database or registry, you won’t be able to discover it and you certainly shouldn’t disclose it without my permission.

Copyright Law

One further dimension to the debate is copyright law – the ownership and related rights associated with any creative works, including photographs. All original content is copyright (except those works deemed to be in the “public domain”), and nearly all copyright vests with the person who created the work (unless they have legally assigned their copyright, or the material was created in the course of their employment).

In the scenario described above, the photographer would hold copyright in the picture they took. However, if the photograph included the image of an artwork or even a framed letter hanging on the wall, they could not reproduce the photograph without the permission of the person who owned the copyright in those original works. In some (limited) situations, a photograph of a building may be subject to the architect’s copyright in the design.

Curiosity is not enough justification to share

My personal view on all this is that unless there is a compelling reason to make something public, protecting our personal privacy takes precedent over the need to post, share or upload pictures of other people in their private residence, especially any images taken without the occupants’ knowledge or permission.

Just to clarify, I’m not referring to surveillance and monitoring by the security services and law enforcement agencies, for which there are understandable motives (and appropriate safeguards).

I’m saying that if we showed a little more respect for each others’ personal space and privacy (particularly within our homes, not just in cyberspace) then we might show a little more consideration to our neighbours and fellow citizens.

Next week: It’s OK to say “I don’t know”