
Who’s calling?


[Dave Birch] An interesting e-mail arrived today (the contents and counterparties are not relevant to this post) but it made me think about “real names” again. I have to get together a talk for developers at the Microsoft Digital Wallet Foundry, and I thought this might be a good topic. So I went back to my notes to see if I could find a fun “case study” to focus thinking around convenience and security in ID. I came across this.

As Sheryl Sandberg said this week, when caller ID first came out, it was declared a violation of privacy.

[From Fear For Your Safety, Not Your Privacy | TechCrunch]

That’s because caller ID is a violation of privacy. Which is why you can turn it off. If I’m phoning British Gas customer service, I can leave caller ID on and benefit from the efficiency that having my Calling Line Identifier (CLI) connect to their CRM brings. But if I’m phoning the council to complain about the crack house next door, then I might decide to remain anonymous and turn it off. If I want to avoid the near-continuous stream of calls from ambulance-chasing lawyers about PPI, I might want to screen incoming calls by CLI (although this is a useless strategy against spammers because they use international “out of area” codes). Bear in mind, too, that spoofing caller ID is trivial, so it doesn’t deliver any actual security. If it wasn’t trivial to spoof it, there would be no need for legislation such as

The Truth in Caller ID Act of 2009, which was signed into law Dec. 22, 2010, prohibits caller ID spoofing for the purposes of defrauding or otherwise causing harm.

[From Caller ID and Spoofing | FCC.gov]

Thank goodness there’s a law against such spoofing, because it means that no-one does it. No, wait… that’s not really true. No one does it except for criminals who are, for example, spoofing bank numbers to make phishing attacks or in more sinister enterprises such as getting people raided by SWAT teams by making bogus emergency calls that appear to come from the victim’s address (“SWATting”). So I call the police using your home phone number in the caller ID and tell them that someone has gone postal in the house, at which point heavily armed law enforcement officials storm your house and (hopefully, from my point of view) shoot you. This just happened to the well-known blogger Brian Krebs.

His office phone rang while he was vacuuming, but he ignored it. That, it turns out, was an unfortunate choice, given that the call came from law enforcement who were trying to verify what would turn out to be a spoofed emergency call showing Krebs’s number on caller ID.

[From Hackers launch DDoS attack on security blogger’s site, send SWAT team to his home | Naked Security]

In other words, CLI is about convenience. It doesn’t deliver security. Worse still, it delivers “anti-security” because people believe it delivers security when it doesn’t. CLI did develop an acceptable privacy settlement – since you can turn it off – and people started to use it despite the lack of security. I can’t be bothered to look, but I’m sure page 697 of my phone company terms and conditions says that I’m not allowed to spoof CLI.

“The name you use should be your real name as it would be listed on your credit card,” Facebook says.

[From Facebook’s fake-name fight grows as users skirt the rules | The Verge]

Why? It’s of no help to anyone: anyone except marketers who are being sold the data, that is. My friends know that Leadbelly Gutbucket is me, and so they friend me and we use and enjoy Facebook together (as I do, in fact). But the corporations don’t know that this is me, unless I choose to tell them. I don’t believe that any name I see on Facebook is real. How would Facebook know? They didn’t do an Experian check on me when I created my account.

“Pretending to be anything or anyone is not allowed.”

[From Facebook’s fake-name fight grows as users skirt the rules | The Verge]

This is a completely different point. And Facebook are completely right about this: you shouldn’t be able to pretend to be anyone else. Personation is obviously wrong. For example, did you see the Italian “Catch me if you can” story? It is a super tale of fake identity updated for the modern age.

A man who posed as an airline pilot and traveled in the cockpit of at least one plane was arrested in Turin Airport using forged identity cards and wearing a pilot’s uniform… The 32-year-old, whose real name was not released, allegedly created a fake identity as a Lufthansa pilot named “Andrea Sirlo,” complete with a Facebook page that included fake flight attendant friends… The national military police tracked down the suspect from photos on his Facebook profile, in which he is shown posing in uniform and sunglasses in front of airplanes.

[From Fake Italian pilot traveled in cockpit, police say | Reuters]

But if I create a Facebook account in the name of David Beckham and then IM a transfer request demanding a move to Swindon Town, is that really impersonation or just a joke? One more point. The real names fuss is not a Facebook phenomenon and I don’t mean to suggest it is. If you want a non-Facebook example you need look no further than our own legislature.

an embarrassing photograph emerged which showed him wearing the name-tag ‘Michael Green’ – an alter ego used by the MP when posing as a self-help guru – at an internet conference in the US in 2004.

[From Maybe it’s because I’m a Watforder: ‘Double life’ Tory chief can’t decide if he was born in London or Herts | Mail Online]

I’m not sure I’m against alter egos. What is the problem with having a “pen name” for the novel that you are writing? And how can you “pose” as a self-help guru? Surely he was just practicing what he preaches. If I say that I’m a self-help guru, then I am. Now, you may want to see some credentials or learn about my reputation as a self-help guru, but in a world where you do not need my name as an (imperfect) proxy to those details, what does the name matter?

There are many points to be made from these stories, but the main ones I want to make are that the whole identity thing is more complicated than it seems and needs new thinking and a new narrative, that reputations are more important than names, and that finding a way to securely manage credentials and reputation is the way forward for the new economy. To my mind, these are critical components of the new digital wallet, because virtually none of your day-to-day transactions depend on your name.

In the end, I decided it would be too boring to tread too much of the same pseudonymity ground as I did in my last TEDx talk (which now has almost 173,000 views, I’m rather excited to report!) so I’ve gone for a more sweeping topic: “Identity is the New Money”. Look forward to seeing you at the Modern Jago in May!

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.

2 thoughts on “Who’s calling?”

  1. Mark King says:

    My memory says that CLI used to be good in the UK, at least, not least because it was quite difficult to arrange for a presentational CLI, i.e. where a company wants to identify itself consistently but happens to have a number of lines it calls out on. The CLI value, like the old telex numbers, comes because it is asserted by the service provider, not the caller, but can be blocked from showing to the recipient by sender or, as a later addition to the standards, by the recipient. (To make sure they never had it so there can be no question of use/abuse.) Where/when service providers are less regulated then maybe there is a problem.
