I blame David Weinberger. It was him. He made me do it. He made me follow his tweet and watch this video. Joe Cocker, with subtitles for people who find his accent and delivery style hard to comprehend. Be careful. Be very careful. I hurt.
Category: humour
What does bad look like? And related questions
I was in conversation with an old colleague, Sean Park, a few days ago; with a little bit of luck, we’ll be able to spend a little time together next week in San Francisco, at Supernova. During the conversation, this post by Chris Skinner came up.
First, a few disclaimers.
One, I am not against cyberlibertarians. I count many cyberlibertarians as my friends. In fact I’d even let my daughter marry one. Some people think I am a cyberlibertarian. And I don’t argue with them.
Two, despite all that, I signed up with the UK Border Agency IRIS scheme as soon as I could, use it regularly, and will probably sign up with its equivalent for the US and Europe as soon as I can. So I am not against the technology.
Three, I like what Bruce Schneier has to say about many things, and particularly about things to do with security. This liking predates (by a long way) and is completely unconnected with, our becoming colleagues much later. [Incidentally, we have never met, either as colleagues or before then, although we’ve been in the same room quite a few times. Maybe this will change, we’re both at Supernova.]
Having said all that.
There’s identity and there’s identity. “Identity” covers things I assert about myself, things that only I can assert about myself. It covers things that others assert about me, things that only others can assert about me. It also covers things that I assert, but where my assertion is weak unless it is backed up by someone or something else.
When I say that I like Grateful Dead or Traffic or Crosby Stills Nash and Young or John Mayall or Jim Croce, I am asserting something about myself. A last.fm audioscrobbler attached to iTunes can see whether my listening habits match my stated likes, but it cannot say what I like. That is for me to say. When a bank says that I have a credit rating of X, they are asserting something about me that I cannot assert about myself. When a government gives me a token to help me assert who I am (such as a passport or a driving licence), the government is doing something I couldn’t do as well.
So there’s identity and there’s identity. It’s all the rage, it’s the happening thing, there are now more people working in the identity space than in call centres worldwide. [Doesn’t it feel like that to you?].
And, as Chris Skinner says, it looks like biometrics will become more important, more dominant, more pervasive. Shivers down spine. Collywobbles. Paroxysms of sweat. I begin to get a teensy weensy bit concerned.
Why? Not because I think someone’s going to gouge my eye out and re-use it. Not because I think that someone’s going to chop my finger off. [Yes, there are times and there are places where this can and probably will happen, but in this conversation I consider the Chopping Off argument to be a Red Herring.]
I’ve been concerned about the use of biometrics in everyday life for a few decades now. Nearly 30 years ago, when I worked for Burroughs Corporation, we had a division that manufactured ATMs. And I remember seeing a presentation where people queued up to a hole in the wall to draw money, presented their eyeballs to an even smaller hole in the wall, had their retinas scanned before the hole vomited out cash. And I thought to myself, who designs these things? Who imagines that someone would actually do this? Did they talk to anyone, any would-be customers?
If you want to understand the pros and cons of biometrics, you must read this article in ACM by Bruce. So what if it’s almost a decade old, the points he makes still hold true. It’s an expansion and improvement on an another note by him, written a year earlier in his Crypto-Gram newsletter.
Here are some excerpts:
- [B]iometrics work well only if the verifier can verify two things: one, that the biometric came from the person at the time of verification, and two, that the biometric matches the master biometric on file. If the system can’t do that, it can’t work
- Biometrics are unique identifiers, but they are not secrets. You leave your fingerprints on everything you touch, and your iris patterns can be observed anywhere you look.
- Once someone steals your biometric, it remains stolen for life; there’s no getting back to a secure situation.
- Biometrics are powerful and useful, but they are not keys. They are not useful when you need the characteristics of a key: secrecy, randomness, the ability to update or destroy.
- [B]iometrics are necessarily common across different functions. Just as you should never use the same password on two different systems, the same encryption key should not be used for two different applications. If my fingerprint is used to start my car, unlock my medical records, and read my electronic mail, then it’s not hard to imagine some very unsecure situations arising.
As a frequent traveller, I am happy to use biometrics-based processes when it mean my immigration and security queues are shortened significantly. IRIS has been a boon for me.
But if my bank asked me to start using iris recognition based schemes, I would probably change bank.
Why?
Now you must be used to people tritely asking you “So what does good look like to you?” [What an appalling question. Why can’t they ask you what you want? I’m old and patient now, so I forgo the temptation to “throw them under that question”, a la that other appalling phrase “throw them under the bus”. Who thinks this unadulterated crap up anyway?]
So humour me for a second and allow me to use the phrase “What does bad look like?” When I use IRIS, “bad” means that someone has managed (a) to get a copy of my iris as stored in some humongous central database somewhere (b) convinced some hardware and software in a booth that he/she is me returning to the UK. Depending on my actual travelling status, that may throw up some conflicts and errors, and the worst that could happen is that I spend some time sorting out the mess when I next pass through. But the facts will be on my side, and I don’t live in a police state. People may be appalled by CCTV Britain, by Guantanamo Bay, by 42 day detentions, but none of that is as scary as The Emergency was to me in 1975-77. Not even close.
It’s not as if someone can leave my iris behind at a crime scene. If someone finds my eyeball rolling around alongside a corpse, the chances are the corpse is me. if someone leaves a photograph of my iris behind as a calling card, not even the Keystone Cops will assume that I’m the likely perpetrator.
So bad doesn’t look too bad in many of these cases.
When it comes to banking, it’s a different story. Bad can look bad. If you’d like a humorous way of finding out why, listen to this clip by Mitchell and Webb. [Oh the humanity. Worth listening to for that line alone.]
We already use biometrics for banking, the common-or-garden signature is a biometric, particularly if you start analysing pressure and time and emphasis and all that jazz. People have tried to forge signatures, and if electronic signatures become more common, then I am sure that people will try even harder to forge signatures.
I try and adapt to changes in the environment around me. For example I think about where I want to use my credit or debit cards so as to minimise the risk of cloning, and avoid the places where I think the risk is high. If my bank said I could use iris recognition in order to withdraw cash, I wouldn’t sign up. I would use other ways. if they said that it was the only way, I would use other banks. Simple as that.
It doesn’t mean that I am against the use of biometrics. Rather, I am against the use of biometrics in environments where the weaknesses of biometrics overwhelm the strengths. As stated before, I use biometrics to enter the UK. And I would be happy to use biometric locks in my front door, as Xeni Jardin refers to here.
As Bruce says in that article, if someone wanted access to my house, they can make a surreptitous copy of my key or throw a rock through my window. They don’t have to cut my finger off.
Biometrics aren’t bad. Biometric banking is already here, as in the use of signatures. But we need to think hard about allowing increased use of biometrics in banking. Because bad could then look very bad.
Musing about lazy Saturdays and unGoogleable things
I grew up in a family where we were intense, almost obsessive, about many strange things. During my mid-to-late teens, I don’t think a day passed without there being a “session” at home. What do I mean by “session”? A gathering of people, numbering greater than 10, all focused on some activity or the other. What activities? They varied, in mini-seasons lasting a week or two, and included:
- Carroms (played in fours lying at odd angles on the floor)
- Table-tennis (on the dining table, using books to form the net
- Card games aplenty (from “56” to Memorial Power, finding pairs, to Canasta, to TwoToTheLeft)
- Chess (not as many takers though
- Categories (which we called NamePlaceAnimalThing and played with real gusto).
- Scrabble (played with an incredible intensity)
- Board games in general, particularly Cluedo, but including Ludo, Chinese Checkers and Snakes & Ladders
That’s when it was too hot to play outside. Participant ages ranged from 6 to 60 (really) and everything was played with ferocious yet humorous spirit. Wonderful times. Usually half the people present were friends of one family member or the other, the rest were family or neighbours.
Sure we fought. It wasn’t always all sweetness and light. But in the main we played, played as close family and close friends, and we’ve stayed close ever since.
What I described above was a daytime and weekend and holiday thing for the most part. Weekday evenings were all about hanging around together and listening to music; when it got late the scene shifted to playing duplicate bridge. And we read. We read by the shelf-load, by the truck-load. Draped in strange positions all over the place, usually munching on the food that would materialise by magic.
And one more thing. We were trivia freaks, but we didn’t call it trivia. We called it quizzing. It was perfectly normal for any one person to pull a dictionary, a book of quotations or a volume of an encyclopaedia off a shelf and then start asking passers-by questions. Calcutta had a brilliant quiz scene in those days, probably still has.
[Strangely enough, I don’t remember seeing anyone study. Or do homework. I can’t imagine where they could have, every room was packed with other, ultimately distracting, activity].
Anyway. As I was saying. We loved trivia. And we didn’t treat trivia so much as a test of knowledge but as a test of recall. More importantly, quizzing was a team sport and individual machismo was of no value. Sure, “golden” answers were appreciated and respected, where you knew something that no one else on the team knew. But the important thing was the team.
These values made their way into the DNA of the quiz scene in Calcutta, particularly the “recall not knowledge” principle. Any fool could come up with a question that no one could answer. The challenge was to come up with a question that every team could answer, but not necessarily within 30 seconds while under competitive pressure.
It became a fine art, setting questions that danced teasingly on the tips of tongues. Those were the days Before Google. Nowadays it is actually quite hard to set a question that’s unGoogleable, and as a result the “recall versus knowledge” principle must be under severe attack. Particularly in today’s age of ubiquitous communication. I lost interest in the UK quiz scene once mobile phones with Web browsers and Shazam entered the scene; too many people resorted to, shall we say, alternate and assisted modes of recall.
Since then, just for fun, I’ve been quietly compiling lists of questions that can’t be Googled. Which means I look at many things with an unusual perspective. Take today for example. I was “watching” the cricket in Dhaka, and when I ran down the names of the Indian team, I noticed something:
The average surname-length of the team was below 6 letters, just 63 letters across the eleven people. Very unusual. [Incidentally, I also noticed that I have children older than half the team, a sure sign of my age].
So. Cricket fiends amongst you. What’s the shortest team you can come up with, the one that would trouble the scorers the least to put up. 63 is the target to beat. Sehwag Gambhir Sharma Singh Pathan Dhoni Raina Pathan Chawla Kumar Sharma. [I remember some Leicestershire and Northamptonshire teams in the early 1980s that had quite a few short-named players, must check].
Incidentally, the full name letter count could also be a record. 68 plus 63 makes 131. That’s low. That is very low … for a country that has had a President named Sarvapalli Radhakrishnan, a singer called Madurai “MS” Subbulakshmi, a composer named Laxmikant Kudalkar; and cricketers named Srinivasa Venkataraghavan and Bhagwat Chandrashekhar. [My own name and surname take up 21 letters].
Of keyboard waffles and Tetris ice cubes ….
Some of you may have done your time on the “Sharper Image meets I Want One of Those” circuit. I know I have, but largely vicariously so far. I’ve tended to look but not buy, for the most part. There have been exceptions, though: the most recent was a Bauhaus birdhouse I just had to have, obtained from The French House.
But nothing prepared me for these contraptions:
Keyboard waffles. Tetris ice cubes. Pixelated sofas. Loo paper notepads. Toast printers. What can I say? Should you be so inclined, you can find out more here.
How to tell if you’re Generation M
Well, not really. But probably not too far from the truth.
Try this eye test with a difference (thanks to Chris Messina for bringing it to my attention). You can buy the T-shirt via OffWorld Designs
The difference is, it’s not enough to read the chart. You have to know what it means. And when you finish, with everything correct, if you say things like w00t or meh then you’re probably from Generation M.
Or you’re Paul Downey!