Archive for July, 2007

What We Will Tell The Government, Part 1

We will be giving a draft of our report forecasting the impact of emerging technologies to the CSIA next week, if we don’t collectively develop writer’s cramp. It is based on what you have told us on this blog and what’s been put up on our wiki. Since you did so much to build it, you get the chance to inspect it before it’s delivered.

We will post it in stages on the wiki and excerpt it here. In total, it is to be 20 pages in length. In a previous post, we told you which subjects would be covered in the report. We also took the decision to highlight 3 issues for more in-depth exploration, those issues being Identity Management, Convergence and Nanotechnology.

Here is the overview for the Identity Management section, followed by our thoughts on the implications for UK government. The entire section will be on the wiki’s Identity Management page. If you don’t think this is what we should be telling the Cabinet Office, tell us here or on the wiki, or email me at tom dot fuller at kable dot co dot uk.

Identity Management Overview

The topic is discussed in depth here:

Not truly an emerging technology, identity management is an emerging discipline growing out of IT security and password/certification authentication and communications. Of the relatively tiny number of academic publications and patent filings found at Scirus (a cross-disciplinary database of scientific publications), 89% of journal publications and 93% of patent filings with the phrase “identity management” in the title, abstract or text were published after 2002. It must be emphasized that little work has been done in this field; only 321 academic publications are found on Scirus and 597 patent applications in total. This compares with 17,833 academic publications and 8,309 patent applications for “biometrics.”

Identity management issues transition to information assurance issues, sometimes seamlessly. ID management has a tighter focus, concerning itself with the management of the identity life cycle. However, it should be noted that

    if identity management fails, information assurance is impossible

Citizen-Centric

• Do I trust the system that holds the information used to authenticate my identity? Will they lose it, sell it or abuse it?
• Can I manage the multiple logins and passwords mandated by the numerous systems I interact with?
• Do I have to continuously re-enter the same information time after time, frustrating me and increasing the chances of an error on my part or on the system’s?

Implications for UK government

• Biometric information used in identity management should be encrypted prior to transmission. Encrypted biometrics enables a more robust data management programme
• The most successful systems rely on user input and verification of data.
  o Amazon and eBay have systems that are more robust than banks, as they get information directly from the user alone, and prompt for updates with each transaction. Banks get information from customers too, but it is at the beginning of the relationship and they do not prompt for information change, and side inputs from other sources (credit rating agencies, etc.) are prone to much higher error rates.
  o Information assurance programmes willing to accept private sector verification of identity might well consider using retailers that make home deliveries, looking for recency of successful interaction rather than length of relationship.
    ▪ The number of online shoppers was estimated at 14.5 million in 2005, including 2.7 million over age 55.
• Information assurance programmes that do not carefully vet every element of identity management procedures in sub-hierarchies should not rely on those organisations’ attestations of verified identity.
  o An ongoing audit programme including attempts to defeat individual systems should be a vital part of any information assurance programme
  o More importantly, the audit programme should try to construct false identities using information from a variety of systems to establish bona fides, with a goal of getting drivers’ licenses and passports. Information from these efforts should be shared only with system owners in efforts to improve system performance, to improve co-operation with affected organisations
• Of pressing current interest is the use of mobile wireless networks for Internet access. Laptop computers that use an unsecured network should not have confidential information on them, nor should they be permitted access to confidential information. Identity management protocols should identify the status of a user’s network connection and politely deny access until a secure connection can be established. Individual laptop computers that permit storage of or access to confidential information should be configured to prevent access to unsecured networks.
  o As the physical security of laptop computers is not addressed elsewhere in this report, we take this opportunity to note that:
    ▪ laptops should have a proximity alarm installed to remind the user not to leave a laptop behind,
    ▪ a form-based permission mechanism should be used to minimise the loading and retention of confidential information on laptops. This could include automatic destruction of sensitive data after a date set by the user
    ▪ GPS tracking should be used to retrieve lost or stolen laptops
    ▪ Preparations should begin now for similar security protocols for mobile phones and PDAs to future-proof identity management systems prior to introduction of devices with capabilities much greater than present versions

Have at it!

IT Security and IA Roundup

Posted by Tom Fuller in Blindside project, Cyberwar at July 3rd, 2007

Here we go again with what we hope is a week’s worth of news regarding the issues that Blindside is commissioned to cover:

As usual, we start at Kable, with this report about SOCITM offering to help pass on IT security skills: “The Society of Information Technology Management has developed a framework for passing on IT security skills. It has issued an invitation to UK organisations to run programmes based on the materials it developed for the EU funded iScan initiative, it said on 29 June 2007.”

Also from Kable, news that the UK, Europe and the US are planning to upgrade their border databases by using multiple forms of biometrics to identify people. Money quote: “There’ll never be a situation where the world will agree to have one biometric,” said Paul at a Homeland Security Conference in Brussels on 26 June 2007. “What we will have is a multi-modal environment.” Hope they don’t store all the data in one place. Hope also that when they send that information it’s encrypted. Hope they also use a good data management system. But no discussion of any of those topics.

From the Risks Digest, news that in the U.S. Department of Homeland Security, “computers and cyber systems have been infected with viruses and malicious scripts that could compromise passwords and information on U.S. citizens, intelligence operations and the nation’s critical infrastructure.” Oops.

Via Bruce Schneier, we learn from Wired that, surprise, data collected for one, innocent reason can on occasion be used later for reasons less honorable. “We learned the news in March: Contrary to decades of denials, the U.S. Census Bureau used individual records to round up Japanese-Americans during World War II.

The Census Bureau normally is prohibited by law from revealing data that could be linked to specific individuals; the law exists to encourage people to answer census questions accurately and without fear. And while the Second War Powers Act of 1942 temporarily suspended that protection in order to locate Japanese-Americans, the Census Bureau had maintained that it only provided general information about neighborhoods. New research proves they were lying.”

If you don’t think this is relevant, watch the career moves of NHS staff with Middle Eastern or Pakistani origins in the next few months.

Also via Bruce, this article in Technology Review that talks about CCTV cameras designed to blur faces automatically. So we could monitor movements and protect privacy, if we wanted.

Boasting or targeting? Via the Institute for the Future comes a link to a mash-up of a map of the United States with the location of nanotechnology companies, research centres and organisations. Looking at the map, I am sadly reminded both of the old video game Missile Command and the security issues around mash-ups.

Whoops! Late for a meeting, so that’s all for today.