Highlights of a few random articles that caught my eye this week …
Apple and ID
As expected, Apple’s letting drivers store their driving licences and state IDs in Apple Wallet. It’s a significant improvement over current paper and plastic documents, providing users with more choice and control over what information they release. For example, a user can share proof of their entitlement to drive, or prove they’re over 21, without handing over any other personal data.
It’s part of the growing adoption of international standards for the acquisition, storage and secure exchange of identity-related information and attributes. As the tech industry adopts these standards, they’ll provide a more consistent and interoperable approach, displacing the bespoke solutions that the UK government and others have been pursuing since the late 1990s (PDF).
End of passwords (what, again?)
Reports of the death of passwords have been greatly exaggerated for the past 15 years or more. But will the latest announcement finally make a difference?
The FIDO Alliance — which works on standards for stronger authentication — has published a paper that aims to provide
“secure authentication technology [that] will for the first time be able to replace passwords as the dominant form of authentication on the Internet”.
It’s an interesting aspiration, particularly since password managers have long since simplified the management of multiple passwords, whilst also strengthening the passwords used.
I worry that a dependence on so-called “strong biometric authentication” on a smartphone, using fingerprints for example, often overlooks the reality that multiple users may have enrolled their fingerprints on a single device — particularly, for example, shared tablets used in a household, or where a dominant partner exerts control over another’s smartphone. The idea that biometrics uniquely identify who’s currently using a device is misguided: strong authentication needs multifactor authentication, not just a biometric.
EU interoperability — or the end of security?
The European Union (EU) has announced proposals to better regulate the big technology players through its new Digital Markets Act (DMA). Better regulation is overdue — governments have long been behind the curve in preventing market dominance and abuse by the large technology giants.
One aspect of the DMA is the imposition of interoperability requirements on the tech titans. The aim is to ensure competition and innovation, and guard against dominant-player network effects. In some areas, this will be a positive step — such as opening up social media platforms to ensure they work with each other, and enabling new entrants to compete effectively. It’s a bit like taking what the CMA has achieved with Open Banking and extending it more widely across the tech industry.
But one area where interoperability is proposed concerns me: messaging.
Imposing interoperability between different messaging systems — such as WhatsApp, Messenger, iMessage — will break the end-to-end encryption currently provided by each messaging service. A simplistic approach to achieve interoperability, such as creating “messaging gateways” — where end-to-end encryption in one messaging system ends before the message is re-encrypted and sent on to the next messaging system — will introduce significant vulnerabilities: the messages of all users will be accessible during the transfer from one service to the next. What could possibly go wrong!?
Breaking security and privacy is not in the interests of consumers and businesses. We need more protection, not less. If I were being cynical (as if!), I’d wonder if this is less about interoperability and more about letting governments access and monitor all our messages. Well, fancy that — after all, it’s what the UK government has been trying to do for years. The DMA’s proposals provide a perfect excuse to break into all our communications, smuggling the capability through under the air cover of interoperability and better regulation.
So how will this interoperability happen without weakening consumer protection? The EU should have released the technical proposals alongside the legislation. If it’s not a man-in-the-middle style system the EU has in mind to achieve end-to-end messaging between different encrypted messaging systems, how will it work?
Western-style liberal governments need to strengthen privacy and security, embedding democratic values into our technology, not set an example for authoritarian regimes to follow. I await more details with interest.
Deep Learning is hitting a wall
“Few fields have been more filled with hype than artificial intelligence”
This quote comes from an interesting piece about the limits of AI and deep learning, much of which reminds me of my own experiences developing AI systems back in the 1980s.
I’m exploring “HypeTech” in the book I’m currently writing — including “magic” solutions that politicians often fall prey to when they listen to the snake oil salespeople of the tech industry — everything from blockchain to NFTs and cryptocurrencies.
Of which more soon :-).