Know Me, Know Me Not


A featureless airport departures hall.

Behind the check-in desk, a large warrior stands, strip-lighting lending a pale lilac wash to his magnificent plumed helmet.

Half-way along the queue is a rather dishevelled Tortoise, surrounded by heavy bags.


Achilles (for he’s back again): Oi, Tortoise!

Tortoise [po-faced and unresponsive]


Tortoise: WTF? How do you know my number? Thought that was just between me and the hatchery?

Achilles: See this print-out of your markings? [holds up said print-out] Got this off of Google; on CheloniansOfNote.com it was. That’s you, isn’t it? Blotch, blotch, stripe, worn patch, shape that looks a bit like David Willetts’ head? Yes? Got a few other bits of info here too, to help me recognise you and the better to meet your every need.

T: Um, so I see. But how dare you…

A: Hang on, my horny-carapaced friend. Shuffle up to the front here. Let’s have a quiet word about this. [Tortoise makes the painfully slow journey to the head of the queue, nudging his bags one by one with his nose.] This is what you wanted, see?


A: You told us. You did. Well, not you individually, Tortoise NP150…


A: Ok, ok. Well, collectively, our customers said things like “Hey Trojan Air, time to wake up to the new world and start treating us like people. We’re not just lumps of flesh with wallets. We want you to throw away all that stiff, corporate formality. Get to know us. Empower yourselves. Adapt. Use a bit of bloody initiative. See us for who we are.” So we have.

T: Yeah, but you can’t just go gathering information like that about me, without my permission. It’s like me shell’s been invaded. Horrible. Oi moi!

A: Don’t go getting classical on me: these characterisations are only pixel-deep. Now, look over there, now, at the SleazyJet desk. See that queue? Hundreds of them. Hot and knackered, they are. And going nowhere for a couple of hours yet. Now, I know, and the SleazyStaff know, that there’s a nice little waiting room round the back. With just one very comfy seat in it. And air-con. They can’t tell everyone, it’d get rammed. But see that woman just there? With the huge bump? Could drop any minute. You think it’s ok for the staff to, you know, use their bloody EYES to spot her, and offer her that seat? Or are you going to go all “no, no, they must know nothing, they must treat us all-equal-and-anonymous like”?

T: Well, I suppose that’s a bit different.

A: So it’s ok to use my bloody EYES to infer stuff about my customers, so’s I can make their service better, but it has to stop when I use, what? A computer? A phone? A database?

T: Now you come to mention it…

A: Because isn’t that where mechanical process (oh so twentieth century) stops, and service begins? When we start inferring? When we use one of the very few gifts that mankind seems to be blessed with – pattern recognition – to judge that if someone is cross-legged and hopping from foot to foot, it might be politic to proactively remind them where the loo is? To check on our systems so that their seventeen letters of complaint that they keep getting woken for meals when they’d rather sleep haven’t been an utter waste of time? To infer, beyond this, that similar awakenings for important matters of Shop-In-The-Sky sales might also receive an unfavourable response even though they haven’t actually WRITTEN TO US ABOUT THIS NOR GIVEN US EXPLICIT PERMISSION TO EVEN GUESS IT MIGHT MATTER TO THEM?

T: Steady on, old boy.

A: Sorry. Emotive stuff, this. Which is why this post is written as a dialogue – less confrontational that way. Where were we? Oh yes – look over there! PoshAir have got one of their regulars arriving. He’s a FTSE-100 Chairman, he is. Yeah, I know. Miserable and anonymous, grey and crumpled, to you and me. But to him? The Grand Kahoona. The Large Cheese. He wants to be recognised. And look again: by the sort of chance that only occurs in allegorical blog posts, he happens to be featured on the cover of this month’s Kahoona magazine over there on that newsstand. Now, shall we ask their staff to shield their eyes so that there is no prospect of them contaminating their green-field minds with this inarguably public-domain factuality of who the fuck he is?

T: Yeah, but it’s invasive. He might not want to be recognised.

A: Isn’t that a matter for their judgement? They are, remember, humans. Providing a service. Let’s at least hope they have some basic lightness of touch. They do not have to march up and shout “Mr Cheese great to have you back it has been 34 days and 2 hours since you flew with us shame about the collapse of the zinc deal in Bolivia your usual gin and valium then?” A mere “Mr Cheese, good to see you again. Let us know if you need anything” isn’t invasive. Invasive is ferreting through information that’s not public. Invasive is phoning people up or emailing them out of the blue, forcibly taking their time away. This stuff here is just observation, inference and discretion.

T: Ah, but it’s where it could all lead, innit. That dossier on me that you’ve got behind the desk…

A: Dossier? Ooooh how very Le Carré! You got that out of that article, didn’t you? One of many using lurid language to play on everyone’s fears about “where it could all lead”.

T: Call it what you will. You are reprocessing data and creating databases and riding a chariot and horses through the provisions of the Data Protection Act (1998). And you know it.

A: I am, and that’s a very fair challenge. I am struggling to justify it – hey, hang on, pass me your phone for a minute.

T: No bloody chance. You know enough about me already.

A: I just wanted a quick peep at your contacts book.

T: That’s none of your business.

A: And yet you download all these apps to your phone and give them permission to access what must be hundreds, maybe even more, personal records and upload them to Morin Towers and gods knows where else, and remind me at what point did you register yourself with the Information Commissioner let alone do any of that “seeking consent” hoo-ha?

T: Yeah, well, that’s for organisations. I’m just Tortoise.

A: Tortoise With A Talent, Ltd, according to my, erm, “dossier”. You still think the boundary between individual and organisation is that clear, and in any case serves as any sort of robust moral framework for this sort of issue about data responsibility? You still content that the DPA (1998) is in any way fit for purpose for the world we now live in? A world of massive volunteered personal information? A world where even if you don’t put your own pics up somebody is going to tag your face and you will be able to do jack all about it and will just have to get over this unassailable fact?

T: I suppose. That’s all going to need clearing up when they refresh the Data Protection Act, innit?

A: Just. A. Bit. But in one final attempt to justify my creepy snooping, can I at least appeal to your libertarian side? It’s one thing to berate the state for acting like this, for gathering information and building megadatabases about individuals. Its civic hygiene may one day become suspect, its motivation potentially questionable, and it’s pretty hard to avoid. But this is a freaking airline. You don’t like what we do, if you think we’re creepy, then you’ll stop using us, and we’ll change the way we work to get you back again. Less of this Big Brother Watch angst; save that for those who really deserve it. Frankly Tortoise, there’s some cognitive dissonance going on here. I know (coz it says so in your dossier) that you hate all this state intervention stuff. You really want businesses to be able to do a good job with the very lightest hand of regulation ‘pon them. Now you’re making no sense with all this paranoid guff.

T: Ok, ok. The jig’s up. I guess what’s really going on is that a general, non-specific feeling of impending doom about personal data in the cloud (and in our hands/claws) is creating a toxic environment where any story that even touches on search, or social networks, or biometrics leads us to throw all common sense out of the window. I guess.

A&T: Oi moi! Ta’las! Tlê’môn!

The Nature of the Relationship, part 1

This is where the going gets tougher. The previous post here was about the different things we use to bodge our way around the minor inconvenience that you can’t actually prove anything about identity with absolute certainty (and it’s all even harder on the Internet). Accepting that we’re all just a collection of risks and uncertainties to be managed, and that we’ve got quite a few tricks (good and bad) at our disposal for doing so, we move towards an even knottier problem.

But to help us do this, let’s bring back Tortoise. Who is on a bit of a mission.

Tortoise: Achilles, Achilles—I’ve been reading all this waffly crap about online identity and I just want to get on with things.

Achilles: How so?

Tortoise: Screw it, fella. I just want my unique identifier now, please. I’ve got nothing to hide. I’m volunteering for you to strap everything you like on to me. Tie it to my old shell, big boy.

Achilles: You sure? Well, if it’s to make a bloody good point about what happens if you do—for the purposes of illustration—I’m game. You want it public or private?

Tortoise: How do you mean?

A: Do you want your identifier to be kept a secret that only you know about, or do you want it splashed everywhere in public?

T: Well, secret, I guess? Is it really a straight choice like that?

A: I’m afraid so. What type of things were you hoping to use it for?

T: Well, to log on to my local council services, naturally. And to see my health record. And to book a driving test. And to pay my taxes. And, and, and…

A: And you reckon that using this fiddly little string of numbers in what already adds up to hundreds of systems from that little list you’ve just given me means that number can be kept…secret? [raises a well-groomed Grecian eyebrow]

T: Fair point. So at some point I have to be ok with the fact that an abandoned hard disk…but surely encryption and good local security management policy will take care of that?…oh, wait, yeah, I see…I have to be ok with the fact that a big list of unique identifiers is going to wind up on Wikileaks or something like that eventually?

A: You do.

T: OK. I accept. I’m ok with that. After all, it’s just a string of fiddly little numbers. It’s not about me, the actual Tortoise that is me. Oh, or is it?

A: What do you think?

T: Well, I don’t really know. It could be. Or it might not be. If it isn’t, then is it really that much use? And if it is, I have this creeping feeling you’re about to show me cracking ice and swooping vultures. Hell’s bells, this has gone and got difficult already, hasn’t it? Why does this always happen? What’s the right answer, Achilles?

A: I guess it depends on whether you want to be identified as you, the real Tortoise, in all these transactions. And you do, don’t you? You have nothing to hide, remember?

T: Sure. But doesn’t that mean…oh I see what you’ve done, you clever bugger. You’ve let me neatly draw out the conclusion that the actual identifier is no great shakes, it’s what it’s attached to that really matters.

A: Quite. And as you’ve said that you’ve got nothing to hide, let’s take your Tortoise Insurance Number (TINO) and from henceforth make it the only identifier about you to be used anywhere in government. After all, lots of people keep banging on about how that must be the long-overdue common-sense solution to all this identity uncertainty. £1,500 please.

T: What? You’re going to charge me for giving me a number you’ve already given me?

A: No, don’t be absurd. This is just a one-off charge for all the migration work.

T: Migration?

A: Changing every single existing government system so they all sing and dance and recognise you off of this here TINO.

T: [Gulps] Is that strictly necessary?

A: Well, perhaps not. We could build some elaborate middleware and interfaces and yada yada yada. Might be a bit shonky and fall over from time to time. Or scramble your records with someone else’s. But you’re ok with that aren’t you. £1,500, remember?

T: It just all seems so expensive.

A: That’s because this is the real world, old son. I know when you were just out of the shell, you used to line up all the other tortoises and make up your own Little Tortoise Club stuff, giving everyone a secret name and a password?

T: Bloody hell – so I did. How did you know?

A: We all did. And it worked, didn’t it? You kept pretty strict records of, oh, a whole 10 individuals. Nothing leaked, nothing got mixed up, and it was all beautifully administered. And you used that as a mental model in your horny wee head of how identities and secrets and all that might work in the big world. But you know what, dear little chap? You were utterly wrong. This is a world of baddies, of fraudsters, of the incompetent and the helpless, of the excluded and the disabled. It’s a world of error, of approximation, of faults and mistakes. Lots of gritty reality that, if I’m honest, tends to bugger up enterprise-scale secrecy/identity/security systems faster than we can actually squeeze benefits out of them.

T: Lawks! Have you finished?

A: Yeah. But then I start again, and spend another £100m repeating all the mistakes I made last time. Just using a different firm of consultants. Boom boom!

T: So, to recap, I’ll be able to use my TINO wherever I like, accepting that at some point the relationship between it and me will come into the open somewhere, and that it provides a handy hook for anyone, anywhere, with or without me knowing, to hang whatever facts, associations or other metadata they like on me—which may be used against my interests to sell me stuff, compromise me or do loads of other bad things? And that I’ll be reliant on a panoply of passwords and other tokens to associate with my TINO to unlock the various doors that need unlocking in such a way that losing one of them doesn’t give the bad guys control of my entire life, but at the same time, a panoply that I will find easily manageable? I don’t see how that’s possible.

A: S’ok, my shelled friend. You have nothing to hide, remember?

T: I’m really not liking this much at all now. Is there an alternative to my ill-thought-through quick and dirty answer?

A: Why yes, there is. But we’ve just gone over 1,000 words, and according to the rules, that means waiting for the next post.

T: Oh, cloacas.

Petitions and democracy

Tortoise: Y’know Achilles, when we were last talking about this identity business we got into all sorts of hot water very quickly in trying to find ways to use a definitive identity to do governmenty things on the Internet. But I’ve found a brilliant use for one this morning!

Achilles: Really? What’s that then?

Tortoise: Well – this new idea to transform our democratic participation by cutting a swathe through centuries of saggy old unsexy representative democracy and allowing us, through the power of the Interwebs, to have our say directly about what does and doesn’t get gamed into the Parliamentary timetable.

Achilles: Gamed?

Tortoise: I mean, debated. Sorry. We haven’t got to that bit yet, have we?

Achilles: And it’s also a great excuse for some cheap headlines about the X-factor, isn’t it?

T: Naturally.

A: So what have you read?

T: That this new petitiony thing is coming in and it will let you band together in a free and open way and get really popular people’s choices some proper Parliamentary time.

A: And will this change anything?

T: Dunno. But giving the important stuff some proper Parliamentary time has got to be a good thing in itself, hasn’t it? Especially stuff which is bound to be based on issues that get people to join their voices together, really quickly, using the Internet? Oh…

A: Indeed. But you mentioned something about identity?

T: Yeah. But aren’t you meant to be the personification of the State in these dialogues?

A: I am. Sorry. That’s what happens when you start to mess around with the model of who really holds the power, hey? Just my little joke. Sorry.

T: Accepted.

A: So. Tortoise. I have realised that with this direct democracy business it’s pretty important that we only hear from those from whom we should hear. If you get my drift. So, if you’re not on the electoral roll, I’m sorry, your voice has no place here.

T: Couldn’t agree more.

A: So, are you on the electoral roll then?

T: Is that it? Is that the test – you ask me, and I say I am, and then my voice gets heard? Is that all?

A: It’s what happens when you vote in a polling station, pretty much. There’s nothing by way of a very rigorous identity check, is there? Got a little piece of card, you vote. Not got one, you say your name, my guys check it’s on a big paper list, you vote. What’s the difference?

T: Have you heard of channel friction, Achilles?

A: Yes, I had a touch of that when Agamemnon stuck his javelin… What do you mean, Tortoise?

T: Well, it’s a bit weak to say that just because something works one way in the physical world then its online analogue must be just the same. There’s a certain amount of bother involved in diddling votes down the polling station. You have to queue up, you might see someone who knows you and says “Hi Tortoise!” just as you’re squeaking “I’m Mr Mouse” to the teller, and you can only get away with it once in the same place or you’re really asking for trouble. That all takes time and effort. Think of it as a kind of ‘friction’ associated with the physical voting approach that sort of acts as a check on all the other bad things that might happen. It’s not perfect, but it’s worked just about well enough for quite a while now.

A: Whereas the Internet is very much a frictionless channel, isn’t it? Hmm. It would seem, Tortoise, that those who want to create mischief or subvert the democratic process can do so easily, at great speed, in great fictitious numbers and all without having to leave their bedroom and feign an honest face to the bobby looming at the school doorway. Yes, I see your point.

T: You’re getting there…

A: We’d better stiffen it up then. I need, Tortoise, for you to prove, online, that you are the same Tortoise who is on my electoral roll. Otherwise this whole petitiony thing is quickly going to descend into discredited chaos. (If I’m not to quietly drop the bit about electoral roll verification, that is, hem hem.)

T: And how are you going to do that then?

A: Well, I tell you what – I’ll build this massive database which has a unique identifier associated with every person who appears on the electoral roll, and then I will, having verified through the physical examination of something like your passport, securely give you that identifier and some associated credentials…oh bollocks. We’re here again, aren’t we?

T: I’m afraid so.

A: And we haven’t even got to the bit where any attempt at online democratic participation is going to be holed below the waterline morally, and possibly legally, when so much of our population doesn’t have decent Internet access anyway?

T: I’m glad you got there before Cyberdoyle did.

A: Quite. One for a future conversation?

T: With pleasure.

Achilles and the Tortoise do Identity Management

Achilles: I’ll make things cheaper and simpler for you, you’ll see. Then you’ll be happy. And richer. And so will I.

Tortoise: What?

Achilles: I’m going to give you a new unique identifier so you can have a better relationship, and do business, with me–your personification of government!

Tortoise: I don’t want one.

Achilles: Psst. *whispers* For the purpose of this dialogue, you do. OK? Now play along.

Tortoise: Fair enough. Where’s my identifier then?

Achilles: I can’t just give it to you. How do I know you’re you?

T: I’m Tortoise. Can’t you see?

A: But you could be any tortoise. Where’s your passport?

T: I haven’t got one. I’ve lost it, I mean.

A: For the purpose of this dialogue…

T: OK OK, here…

A: Thank you. Here’s your identifier.

T: What happens if I lose it? Can anyone else use it? And pretend to be me? And do all these things in my name?

A: Um, no. Of course not. This is secure.

T: Right… So how did I get my passport in the first place?

A: You sent in a birth certificate, and had someone else who’s got a passport to vouch for you. Don’t go there.

T: And assuming we weren’t face-to-face here, right now, in this dialogue–how would you send me the identifier?

A: In an envelope to your house.

T: What if somebody else got hold of it en route? Then they could pretend to be me online, no? Like really, really easily? That wouldn’t be good.

A: I’ll give it some thought (I probably won’t). For now, I’m just giving it to you.

T: OK, so I have this universal identifier (assuming I want one, and have a passport, and I haven’t fraudulently obtained it, and ignoring lots of other things that we can just regard as edge cases). So, what’s the universal identifier going to allow me to do?

A: Well, it means you can quite simply log in and find lots of information that’s been personalised about you–so instead of having to look at all the information available on bin collections, you can just see when your bin will be collected.

T: So, how will the online system know where I live?

A: Oh, simple, there’s this big database which holds everyone’s address along with their name…

T: But doesn’t that sort of mega-database tend not to work? I mean, who’s going to keep it updated? Surely people’s addresses change quite a lot? Having the right one there is going to be pretty important, no, if this is to be the One True Record?

A: OK, scrap that idea. Well, you can put in your own address if you like.

T: But what if I don’t put in the right address–if this is some kind of Master Record of me, Tortoise, isn’t that going to cause a bit of bother when you try to send me a tax demand–I mean, I might “accidentally” put in a gibberish address to stop you getting hold of me?

A: Ah. Good point. OK, forget all that–we won’t hold the address any more.

T: It’s still the Master Record about Tortoise, though? This is getting more complicated than I was expecting.

A: That’s because we’re stepping through a dialogue to show that it’s more complicated than everyone thinks it is. But nobody really likes to engage with the detail.

T: Ah, yes, of course. Carry on.

A: So with your universal identifier you have a simple way of getting in to your various accounts with government, all in one place, so that you can do things more easily.

T: I don’t really have ‘accounts’ as such–well, income tax, I suppose, and council tax, but that’s about it.

A: Yes, but you buy things sometimes, don’t you? Driving licences, and passports? And you pay parking fines sometimes, no?

T: Sure, but… oh, ok, I have these accounts, and because I can get into them all with the same identifier, which shows I’m definitely me (subject to all the reservations earlier), then things are easier and cheaper. Hang on a minute–if you put all my data in one basket doesn’t that mean that you’ve created a sort of super-record about me? You, as the personification of an initially benevolent but ultimately potentially totalitarian government, might want to keep all sorts of other information on that single record. I might not even be aware of half of it.

A: Ah, but if you’ve got nothing to hide…

T: Don’t go there. How big’s your “Gentleman’s javelin” again?

A: Right.

T: Right. And if someone gets access to my account, that’s an awful lot of personal data they’re going to be able to get hold of in one place. Is that wise?

A: We can put in all sorts of detailed access controls and permissions to make sure any one of the 12 million people with access to these systems only gets to see exactly what they’re supposed to.

T: Right you are. Hasn’t that sort of minor, niggling detail been one of the main reasons that such projects have consistently fallen on their arse over the last 20 years?

A: Possibly so–I tell you what–we’ll give YOU the ability to partition your data and decide who’s allowed to see what. This simple 59-screen control panel will allow you to do exactly that.

T: Hang on a minute–I have to go to enormous amounts of bother to administer something I might use once a year to check whether a council tax payment’s gone in? No thank you! I have enough trouble with my Facebook settings. Look, do we really have to have all this personal data stuff in there? It’s so risky–sod the convenience bit; there’s some things I really don’t mind logging in separately for.

A: OK, you’re right. It was worth a try. Tell you what–your account can just be one where you don’t keep any personal data–just things you choose to keep there. That takes a lot of the risk away, and you can use it to remember what sort of screen colours you like, who your local council is, that sort of thing. But…

T: But?

A: But you’ll have to get over the constant disappointment when you’re using it that we’ll never be able to take any of the data you put in there at face value, without checking it some other way, I mean.

T: Why not?

A: Because your account is either about the “real Tortoise” or it’s not. There’s no half-way house. We either do the sort of hard authentication you’d do with your bank so that you can move money around online, or we do the sort of self-asserted stuff you do when you buy, say, a bag of teabags online. We don’t really care who you are, as long as you pay us, and give us an address to send the tea to.

T: But that sort of “hard identity” stuff makes sense for things involving money–especially where someone might steal some from me (or steal details that would help them pretend to be me and get money diverted that should come to me). It just seems like complete overkill for finding out when my bins will be emptied.

A: Quite possibly–but you wanted all your government business in one place, didn’t you?

T: Did I?

A: I thought you did. Somebody did. All I hear about is “make government more like Amazon”, “make it all simply accessible in one place” blah blah blah. You mean that might not be the requirement?

T: So far, Achilles, we’ve piddled around changing the requirement through a massive spectrum of parameters including data richness, hardness of trust, ease of use, and personalisation. I’m beginning to suspect that people blithely use this concept of “easy access in one place” without actually thinking through what sort of requirement that implies in practice. Furthermore, this sort of woolly guff is likely to get lots of people spending years dicking about running pilots that won’t really go anywhere, testing technologies that are completely inappropriate, and listening to quite a lot of baloney from vendors who stand to make a great deal of money as long as such requirements are never actually bottomed out. What say you, Achilles?

A: Fuck. Rumbled.

(with apologies to Lewis Carroll, and especially Douglas Hofstadter)

You can read more whimsy from these two here.