Charlie's Diary


Thu, 27 Oct 2005

And enough of that ...

I'm going to drop the biometrics topic for a while. (Stand by for something completely different.)

In the meantime, I'd just like to add that the uncorrected proofs of the Ace trade paperback of "The Atrocity Archives" arrived today, and they look great! It's officially on sale as of January 3rd, and I'll add a "buy it now" link shortly.

posted at: 14:06

Flawed reasoning

I said (last week) I'd dissect Dave's responses to my comments on biometric payments. Having had time to digest them, I'm not sure such a dissection is necessary. Rather, I'd like to make some observations:

Firstly, Dave is right in one key observation -- that Visa, Mastercard, and the other card issuing agencies screw the merchants with their fees and the public with their interest rates. (Here in the UK, Barclaycard, one of the most respectable -- and biggest -- card issuers, charges as standard an APR of around 19% on outstanding balances on their credit cards. This is in the context of a bank base rate almost 14% lower. Such interest rate gouging is normally associated with loan sharks, and their treatment of small merchants is little better.)

Moreover, the credit/debit card infrastructure is an improvised Heath-Robinson lashup. What originated as a modest voucher-payment system aimed at business travellers in the 1950s has sprouted into a monstrous half-assed identity verification system using a combination of cards and passwords (your PIN) that provide access to the banking system for virtually everyone. Additional features have been bolted on top of the original specifications, compromising the security and integrity of the system. Nobody in their right mind would have designed a system like this, but nobody in their right mind did so -- it just sort of grew, and replacing it is, on the face of things, a good idea.

However, replacing the existing infrastructure purely because the proposed replacement is cheaper is not the right reason.

One of the things I picked up during my time inside Datacash is that the business of banking is not, at heart, about lending money: it's about managing risk. If you extend credit to people, and in return they refund the loans and pay you fees or interest, your profits depend not only on the interest rate, but on the proportion of borrowers who default on their payments. It also depends on the degree to which you are exposed to fraud. Identity theft is the current fashionable form of fraud carried out by individuals and small groups of criminals, because flaws in the existing banking and credit infrastructure make it relatively easy to perpetrate.

Now, biometric systems in general do not prevent fraud. All they can achieve is to verify that an individual possessing certain physical characteristics was involved in one or more transactions. (Furthermore, the error rate is sufficiently high in most systems that you may not even be able to prove that much.) If you can obtain biometrically authenticated identification tokens using, say, a stolen birth certificate or the birth certificate of a baby who died at the age of 18 months in a foreign country (and who has therefore not had a death certificate filed in their country of birth) you can quite easily masquerade as someone else -- and because biometric ID is being mis-sold as a tool for providing proof of identity, rather than as a mechanism for confirming continuity of identity, a successful identity thief who has equipped themselves with valid biometrics is in a position to manipulate the trust we place in these supposedly infallible markers (as the biometrics companies would like us to believe in them).

If I have a beef with the deployment of biometrics, it's not so much with micropayment systems such as BioPay's -- where the amount at stake is low -- but with the systematic misrepresentation by government agencies of an intrusive government identity registry as a security feature. Rather than going into it at length here I'd just like to refer interested readers to comments by Microsoft UK's National Technology Officer, Jerry Fishenden, who warns that the UK ID card scheme will trigger massive identity fraud, to Barry Kefauver of the International Civil Aviation Organization who says that biometric passports alone won't counter terrorism threats, and to Bruce Schneier who points out that biometric identification systems are no stronger than the protocol used to register a new user on the system (which is to say, they're as weak as the weakest acceptable documentation required to obtain an ID).

Biometrics are only really useful when there's a trusted path from the reader to the verifier, and when new identities on the system are confirmed with a high degree of precision. If there's a loose link in the chain -- for example, if fingerprint data are sent over a data network for authentication using weak encryption, or if documents are mailed via fraud-riddled postal services where they can be intercepted by criminals, they offer no additional margin of security over existing practices -- and indeed, may make things much worse because of the widespread perception that biometrics prove identity rather than indicating continuity.


posted at: 14:02

