English subtitles

Identity in the 21st Century | David Birch | TEDxSussexUniversity

Bartenders need to know your age, retailers need your PIN, but almost no one actually needs your name -- except for identity thieves. ID expert David Birch proposes a safer approach to personal identification -- a "fractured" approach -- that would almost never require your real name.

Showing Revision 11 created 12/10/2014 by Ivana Korom.

  1. So I thought I'd talk about identity.
  2. That's sort of
    an interesting enough topic to me.
  3. And the reason was,
    because when I was asked to do this,
  4. I'd just read, in one of the papers,
    I can't remember,
  5. something from someone
    at Facebook saying, well,
  6. "we need to make everybody
    use their real names"
  7. and then that's basically
    all the problems solved.
  8. And that's so wrong,
  9. that's such a fundamentally,
    reactionary view of identity,
  10. and it's going to get us
    into all sorts of trouble.
  11. And so what I thought I'd do
  12. is I'll explain four
    sort of problems about it,
  13. and then I'll suggest a solution,
  14. which hopefully
    you might find interesting.
  15. So just to frame the problem,
  16. what does authenticity mean?
  17. That's me,
    that's a camera phone picture of me
  18. looking at a painting.
  19. [What's the Problem?]
  20. That's a painting that was painted
  21. by a very famous forger,
  22. and because I'm not very good
    at presentations,
  23. I already can't remember the name
    that I wrote on my card.
  24. And he was incarcerated in,
    I think, Wakefield Prison
  25. for forging masterpieces by,
    I think, French Impressionists.
  26. And he's so good at it,
    that when he was in prison,
  27. everybody in prison,
    the governor and whatever,
  28. wanted him to paint masterpieces
    to put on the walls,
  29. because they were so good.
  30. And so that's a masterpiece,
  31. which is a fake of a masterpiece,
  32. and bonded into the canvas is a chip
    which identifies that as a real fake,
  33. if you see what I mean.
  34. (Laughter)
  35. So when we're talking about authenticity,
  36. it's a little more fractal than it appears
    and that's a good example to show it.
  37. I tried to pick four problems
    that will frame the issue properly.
  38. So the first problem, I thought,
  39. chip and PIN, right?
  40. I'm guessing everyone's got
    a chip and PIN card, right?
  41. So why is that a good example?
  42. That's the example of how
    legacy thinking about identity
  43. subverts the security
    of a well-constructed system.
  44. That chip and PIN card
    that's in your pocket
  45. has a little chip on it
    that cost millions of pounds to develop,
  46. is extremely secure,
  47. you can put scanning
    electron microscopes on it,
  48. you can try and grind it down,
    blah blah blah.
  49. Those chips have never been broken,
    whatever you read in the paper.
  50. And for a joke,
    we take that super-secure chip
  51. and we bond it to a trivially
    counterfeitable magnetic stripe
  52. and for very lazy criminals,
    we still emboss the card.
  53. So if you're a criminal in a hurry
    and you need to copy someone's card,
  54. you can just stick a piece of paper on it
    and rub a pencil over it
  55. just to sort of speed things up.
  56. And even more amusingly,
    and on my debit card too,
  57. we print the name and the SALT code
    and everything else on the front too.
  58. Why?
  59. There is no earthly reason why your name
    is printed on a chip and PIN card.
  60. And if you think about it,
  61. it's even more insidious and perverse
    than it seems at first.
  62. Because the only people that benefit
  63. from having the name
    on the card are criminals.
  64. You know what your name is, right?
  65. (Laughter)
  66. And when you go into
    a shop and buy something,
  67. it's a PIN, he doesn't care
    what the name is.
  68. The only place where you ever have
    to write your name on the back
  69. is in America at the moment.
  70. And whenever I go to America,
  71. and I have to pay with a mag stripe
    on the back of the card,
  72. I always sign it Carlos Tethers anyway,
    just as a security mechanism,
  73. because if a transaction
    ever gets disputed,
  74. and it comes back and it says Dave Birch,
    I know it must have been a criminal,
  75. because I would never sign it Dave Birch.
  76. (Laughter)
  77. So if you drop your card in the street,
  78. it means a criminal
    can pick it up and read it.
  79. They know the name,
    from it they can find the address,
  80. and then they can
    go off and buy stuff online.
  81. Why do we put the name on the card?
  82. Because we think identity
    is something to do with names,
  83. and because we're rooted
    in the idea of the identity card,
  84. which obsesses us.
  85. And I know it crashed and burned
    a couple of years ago,
  86. but if you're someone in politics
    or the Home Office or whatever,
  87. and you think about identity,
  88. you can only think of identity in terms
    of cards with names on them.
  89. And that's very subversive
    in a modern world.
  90. So the second example I thought I'd use
  91. is chatrooms.
  92. [Chatrooms and Children]
  93. I'm very proud of that picture,
    that's my son
  94. playing in his band with his friends
    for the first-ever gig,
  95. I believe you call it, where he got paid.
  96. (Laughter)
  97. And I love that picture.
  98. I like the picture of him
    getting into medical school a lot better,
  99. (Laughter)
  100. I like that picture for the moment.
  101. Why do I use that picture?
  102. Because that was very interesting,
    watching that experience as an old person.
  103. So him and his friends,
  104. they get together, they booked a room,
    like a church hall,
  105. and they got all their friends
    who had bands,
  106. and they got them together,
    and they do it all on Facebook,
  107. and then they sell tickets,
    and the first band on the -
  108. I was going to say "menu,"
  109. that's probably the wrong word for it,
    isn't it?
  110. The first band on the list of bands
  111. that appears at some
    public music performance of some kind
  112. gets the sales from the first 20 tickets,
  113. then the next band gets the next 20,
  114. and so on.
  115. They were at the bottom of the menu,
  116. they were like fifth,
    I thought they had no chance.
  117. He actually got 20 quid.
    Fantastic, right?
  118. But my point is,
    that all worked perfectly,
  119. except on the web.
  120. So they're sitting on Facebook,
  121. and they're sending these messages
    and arranging things
  122. and they don't know who anybody is, right?
  123. That's the big problem
    we're trying to solve.
  124. If only they were using the real names.
  125. Then you wouldn't be worried
    about them on the internet.
  126. And so when he says to me,
  127. "oh, I want to go to a chatroom
    to talk about guitars" or something,
  128. I'm like, "oh, well,
    I don't want you to go into a chatroom
  129. to talk about guitars, because
    they might not all be your friends,
  130. and some of the people
    that are in the chatroom
  131. might be perverts and teachers
    and vicars."
  132. (Laughter)
  133. I mean, they generally are,
    when you look in the paper, right?
  134. So I want to know who
    all the people in the chatroom are.
  135. So okay, you can go in the chatroom,
  136. but only if everybody in the chatroom
    is using their real names,
  137. and they submit full copies
    of their police report.
  138. But of course, if anybody in the chatroom
    asked for his real name, I'd say no.
  139. You can't give them your real name.
  140. Because what happens
    if they turn out to be perverts,
  141. and teachers and whatever.
  142. So you have this odd sort of paradox
  143. where I'm happy for him
    to go into this space
  144. if I know who everybody else is,
  145. but I don't want anybody else
    to know who he is.
  146. And so you get this sort of logjam
    around identity
  147. where you want full disclosure
    from everybody else,
  148. but not from yourself.
  149. And there's no progress, we get stuck.
  150. And so the chatroom thing
    doesn't work properly,
  151. and it's a very bad way
    of thinking about identity.
  152. So on my RSS feed,
    I saw this thing about -
  153. I just said something bad
    about my RSS feed, didn't I?
  154. I should stop saying it like that.
  155. For some random reason,
    I can't imagine,
  156. something about cheerleaders
    turned up in my inbox.
  157. I read this story about cheerleaders,
    and it's a fascinating story.
  158. This happened a couple of years ago
    in the U.S.
  159. There were some cheerleaders
    in a team at a high school
  160. in the U.S., and they said mean things
  161. about their cheerleading coach,
  162. as I'm sure kids do
    about all of their teachers
  163. all of the time,
  164. and somehow the cheerleading coach
    found out about this.
  165. She was very upset.
  166. And so she went to one of the girls,
    and said,
  167. "you have to give me
    your Facebook password."
  168. I read this all the time,
    where even at some universities
  169. and places of education,
  170. kids are forced to hand over
    their Facebook passwords.
  171. You've got to give them
    your Facebook password.
  172. She was a kid!
  173. What she should have said is,
    "my lawyer will be calling you
  174. first thing in the morning.
  175. It's an outrageous imposition
    on my 4th Amendment right to privacy,
  176. and you're going to be sued
    for all the money you've got."
  177. She should have said that.
  178. But she's a kid,
    so she hands over the password.
  179. The teacher can't log into Facebook,
  180. because the school
    has blocked access to Facebook.
  181. So the teacher can't log into Facebook
    until she gets home.
  182. So the girl tells her friends,
    guess what happened?
  183. The teacher logged in, she knows.
  184. So the girls just all logged into Facebook
    on their phones,
  185. and deleted their profiles.
  186. So when the teacher logged in,
    there was nothing there.
  187. My point is, those identities,
    they don't think about them the same way.
  188. Identity is, especially
    when you're a teenager, a fluid thing.
  189. You have lots of identities.
  190. And you can have an identity,
    you don't like it,
  191. because it's subverted in some way,
    or it's insecure, or it's inappropriate,
  192. you just delete it and get another one.
  193. The idea that you have an identity
    that's given to you by someone,
  194. the government or whatever,
  195. and you have to stick with that identity
    and use it in all places,
  196. that's absolutely wrong.
  197. Why would you want to really know
    who someone was on Facebook,
  198. unless you wanted to abuse them
    and harass them in some way?
  199. And it just doesn't work properly.
  200. And my fourth example
    is there are some cases
  201. where you really want to be -
  202. In case you're wondering,
    that's me at the G20 protest.
  203. I wasn't actually at the G20 protest,
    but I had a meeting at a bank
  204. on the day of the G20 protest,
    and I got an email from the bank
  205. saying please don't wear a suit,
    because it'll inflame the protestors.
  206. I look pretty good in a suit, frankly,
  207. so you can see why it would drive them
    into an anti-capitalist frenzy. (Laughter)
  208. So I thought, well, look.
  209. If I don't want to inflame the protestors,
  210. the obvious thing to do
    is go dressed as a protestor.
  211. So I went dressed completely in black,
  212. you know, with a black balaclava,
    I had black gloves on,
  213. but I've taken them off
    to sign the visitor's book.
  214. I'm wearing black trousers, black boots,
  215. I'm dressed completely in black.
  216. I go into the bank at 10 o'clock,
    go, "Hi, I'm Dave Birch,
  217. I've got a 3 o'clock
    with so and so there."
  218. Sure. They sign me in.
    There's my visitor's badge.
  219. (Laughter)
  220. So this nonsense
  221. about you've got to have real names
    on Facebook and whatever,
  222. that gets you that kind of security.
  223. That gets you security theater,
    where there's no actual security,
  224. but people are sort of playing parts
    in a play about security.
  225. And as long as everybody learns
    their lines,
  226. everyone's happy.
  227. But it's not real security.
  228. Especially because I hate banks
    more than the G20 protestors do,
  229. because I work for them.
  230. I know that things are actually worse
    than these guys think.
  231. (Laughter)
  232. But suppose I worked
    next to somebody in a bank
  233. who was doing something.
  234. Those people
    who take the money from banks...
  235. traders - that's who I was thinking of.
  236. Suppose I was sitting
    next to a rogue trader,
  237. and I want to report it
    to the boss of the bank.
  238. So I log on
    to do a little bit of whistleblowing.
  239. I send a message,
    this guy's a rogue trader.
  240. That message is meaningless
  241. if you don't know
    that I'm a trader at the bank.
  242. If that message just comes from anybody,
  243. it has zero information value.
  244. There's no point in sending that message.
  245. But if I have to prove who I am,
  246. I'll never send that message.
  247. It's just like the nurse in the hospital
    reporting the drunk surgeon.
  248. That message will only happen
    if I'm anonymous.
  249. So the system has to have ways
    of providing anonymity there,
  250. otherwise we don't get
    where we want to get to.
  251. So four issues.
    So what are we going to do about it?
  252. Well, what we tend to do about it
  253. is we think about Orwell space.
  254. And we try to make electronic versions
  255. of the identity card
    that we got rid of in 1953.
  256. So we think if we had a card,
  257. call it a Facebook login,
  258. which proves who you are,
  259. and I make you carry it all the time,
    that solves the problem.
  260. And of course, for all those reasons
    I've just outlined,
  261. it doesn't, and it might, actually,
    make some problems worse.
  262. The more times you're forced
    to use your real identity,
  263. certainly in transactional terms,
  264. the more likely that identity
    is to get stolen and subverted.
  265. The goal is to stop people
    from using identity
  266. in transactions which don't need identity,
  267. which is actually almost all transactions.
  268. Almost all of the transactions you do
  269. are not, who are you?
  270. They're, are you allowed to drive the car,
  271. are you allowed in the building,
    are you over 18, etcetera, etcetera.
  272. So my suggestion - I, like James,
  273. think that there should be
    a resurgence of interest in R & D.
  274. I think this is a solvable problem.
  275. It's something we can do something about.
  276. Naturally, in these circumstances,
    I turn to Doctor Who.
  277. Because in this,
  278. as in so many other walks of life,
  279. Doctor Who has already shown us
    the answer.
  280. So I should say,
  281. for some of our foreign visitors,
  282. Doctor Who is the greatest
    living scientist in England,
  283. (Laughter)
  284. and a beacon of truth and enlightenment
    to all of us.
  285. And this is Doctor Who
    with his psychic paper.
  286. Come on, you guys must have seen
    Doctor Who's psychic paper.
  287. You're not nerds if you say yes.
  288. Who's seen Doctor Who's psychic paper?
  289. Oh right, you were in the library
    the whole time studying I guess.
  290. Is that what you're going to tell us?
  291. Doctor Who's psychic paper
  292. is when you hold up the psychic paper,
  293. the person, in their brain,
  294. sees the thing that they need to see.
  295. So I want to show you a British passport,
  296. I hold up the psychic paper,
    you see a British passport.
  297. I want to get into a party,
  298. I hold up the psychic paper,
  299. I show you a party invitation.
  300. You see what you want to see.
  301. So what I'm saying is we need
    to make an electronic version of that,
  302. but with one tiny, tiny change,
  303. which is that it'll only show you
    the British passport
  304. if I've actually got one.
  305. It'll only show you the party invitation
    if I actually have one.
  306. It will only show you that I'm over 18
    if I actually am.
  307. But nothing else.
  308. So you're the bouncer at the pub,
    you need to know that I'm over 18,
  309. instead of showing you my driving license,
  310. which shows you I know how to drive,
  311. what my name is, my address,
    all these kind of things,
  312. I show you my psychic paper,
  313. and all it tells you
    is am I over 18 or not.
  314. Right.
  315. Is that just a pipe dream?
  316. Of course not, otherwise
    I wouldn't be here talking to you.
  317. So in order to build that
    and make it work,
  318. I'm only going to name these things,
    I'll not go into them,
  319. we need a plan,
  320. which is we're going to build this
  321. as an infrastructure for everybody to use,
  322. to solve all of these problems.
  323. We're going to make a utility,
  324. the utility has to be universal,
  325. you can use it everywhere,
  326. I'm just giving you little flashes
    of the technology as we go along.
  327. That's a Japanese ATM,
  328. the fingerprint template
    is stored inside the mobile phone.
  329. So when you want to draw money out,
  330. you put the mobile phone on the ATM,
    and touch your finger,
  331. your fingerprint goes through
    to the phone,
  332. the phone says yes, that's whoever,
  333. and the ATM then gives you some money.
  334. It has to be a utility
    that you can use everywhere.
  335. It has to be absolutely convenient,
  336. that's me going into the pub.
  337. All the device on the door of the pub
    is allowed is,
  338. is this person over 18
    and not barred from the pub?
  339. And so the idea is,
    you touch your ID card to the door,
  340. and if I am allowed in,
    it shows my picture,
  341. if I'm not allowed in,
    it shows a red cross.
  342. It doesn't disclose any other information.
  343. It has to have no special gadgets.
    That can only mean one thing,
  344. following on from Ross's statement,
    which I agree with completely.
  345. If it means no special gadgets,
    it has to run on a mobile phone.
  346. That's the only choice we have,
    we have to make it work on mobile phones.
  347. There are 6.6 billion
    mobile phone subscriptions.
  348. My favorite statistic of all time,
    only 4 billion toothbrushes in the world.
  349. That means something,
  350. I don't know what.
  351. I rely on our futurologists to tell me.
  352. It has to be a utility
    which is extensible.
  353. So it has to be something
    that anybody could build on.
  354. Anybody should be able
    to use this infrastructure,
  355. you don't need permissions,
    licenses, whatever,
  356. anyone should be able
    to write some code to do this.
  357. You know what symmetry is,
  358. so you don't need a picture of it.
  359. This is how we're going to do it.
  360. We're going to do it using phones,
    using mobile proximity.
  361. I'm going to suggest to you
    the technology to implement
  362. Doctor Who's psychic paper
    is already here,
  363. and if any of you have got one of the new
    Barclays debit cards
  364. with the contactless interface on it,
  365. you've already got that technology.
  366. If you've ever been up to the big city,
  367. and used an Oyster card at all,
  368. does that ring any bells to anybody?
  369. The technology already exists.
  370. The first phones
    that have the technology built in,
  371. the Google Nexus, the S2,
    the Samsung Wifi 7.9,
  372. the first phones that have
    the technology built into them
  373. are already in the shops.
  374. So the idea that the gas man
  375. can turn up at my mom's door
  376. and he can show my mom his phone,
  377. and she can tap it with her phone,
  378. and it will come up with green
    if he really is from British Gas
  379. and allowed in,
  380. and it'll come up with red if he isn't.
  381. We have the technology to do that.
  382. And what's more,
  383. although some of those things
    sounded a bit counter-intuitive,
  384. like proving I'm over 18
    without proving who I am,
  385. the cryptography to do that
    not only exists,
  386. it's extremely well-known
    and well-understood.
  387. Digital signatures, the blinding
    of public key certificates,
  388. these technologies have been around
    for a while,
  389. we've just had no way
    of packaging them up.
  390. So the technology already exists.
  391. We know it works.
  392. There are a few examples
    of the technology being used
  393. in experimental places.
  394. That's London Fashion Week,
  395. where we built a system with O2,
  396. that's for the Wireless Festival
    in Hyde Park,
  397. you can see the persons
  398. walking in with their VIP band,
    it's just being checked
  399. by the Nokia phone
    that's reading the band.
  400. I'm only putting those up to show you
    these things are prosaic,
  401. this stuff works in these environments.
  402. They don't need to be special.
  403. So finally, I know that you can do this,
  404. because if you saw
    the episode of Doctor Who,
  405. the Easter special of Doctor Who,
  406. where he went to Mars in a bus,
  407. I should say again
    for our foreign students,
  408. that doesn't happen every episode.
  409. This was a very special case.
  410. So in the episode where he goes
    to Mars in a London bus,
  411. I can't show you the clip,
  412. due to the outrageous restrictions
    of Queen Anne-style copyright
  413. by the BBC,
  414. but in the episode where he goes
    to Mars in a London bus,
  415. Doctor Who is clearly shown
    getting on to the bus
  416. with the Oyster card reader
  417. using his psychic paper.
  418. Which proves that psychic paper
  419. has an MSE interface.
  420. Thank you very much.