IT’S getting hard to be anonymous. To do just about anything in this world
you have to prove who you are. Want to buy something or draw some cash? There’s
a wodge of credit cards to lug around, and a plethora of four-digit PINs to
remember. Even before stepping out of the front door you’ve got to find your
driver’s licence or rail pass, perhaps even your passport.
In a few years, this plastic and paper baggage could be history. A single
chip hidden in your cellphone will be all you need—a little treasure that
holds your complete identity. But beware. Lose your phone, and your identity and
your money go with it. The big question is whether people will be willing to
trust so much to a sliver of silicon.
Inside every digital mobile phone is a SIM card. SIM stands for subscriber
information module, and the chip embedded in the SIM card is what makes the
mobile yours. For now, the SIM just identifies you to the phone system, and
maybe holds details of your favourite phone numbers. In future it could identify
you to everyone who needs to know who you are.
Advertisement
To pay for a meal, say, you will use the phone to transfer money—or the
promise of it—through the phone network to a restaurant’s computer. There
will be no payment slip to sign because your SIM will do it for you. Likewise,
when you board a plane you won’t have to wait in line for a boarding pass and
seat number. Next year, the Finnish telecoms company Sonera will be setting up a
WAP site that will let travellers do both before they even reach the airport.
Unless they have luggage, there’ll be no more queueing at check-ins.
Mobile misgivings
The Finnish government is looking at using SIMs in place of a national
identity card—and eventually a passport. Under this plan, the SIM will
become a person’s legal proof of identity. And there’s no reason why it couldn’t
unlock your health records, social security details and other personal
information. One click and a hospital would know exactly who it’s dealing
with.
But for these dreams to become reality, there’ll have to be a revolution in
public attitudes. People will have to let go of their apprehensions about
e-commerce and learn to trust their mobiles. “Cultivating that trust is a very
difficult thing to do and takes a lot of time,” says Ian Pearson, resident
futurologist at British Telecom.
People can lose or mislay their phones: about 9000 a year are left on the
London Underground alone. That’s nearly as many lost mobiles as lost umbrellas.
And they are a tempting target for thieves, who can easily dispose of them on
the black market. That’s bad enough when there’s only a large phone bill at
stake. When your phone becomes the key to your identity, secrets and cash,
you’ll want to make sure it stays safely locked up, even if the gadget itself
falls into the wrong hands.
“Having something that contains all this information would be extremely
rash,” says Roger Needham, managing director of Microsoft’s British research
laboratory in Cambridge. “People will simply find it unacceptable.”
The solution, according to Needham and other experts, is to store precious
information on secure servers accessible via a WAP connection or the Web. The
SIM would only store a personal identifier—a long string of digits that
would unlock the servers and give access to the information they hold. To use
the identifier, the phone’s owner would have to punch in a PIN.
The beauty of this system is that the identifier would act as one half of
what’s called a public key encryption system. The identifier, kept safe inside
the phone, acts as a key, known to no one else. To read a message locked with
this private key requires a second, public key, which can be freely
distributed.
You might use this set-up to send a request to a bank using its public key to
see the details of your account, which it would decrypt using its private key.
The bank would then send you the requested information encrypted with your
public key, which only your private key could decrypt. Thus both messages would
be secure (see “For your eyes only”).
An increasing number of countries are passing laws to give private keys the
same legal force as signatures. This has unleashed a flood of encryption
systems, and the problem now is to get governments and companies to agree on a
standard. “It needs to be simple, secure and transparent,” says Mika Nieminen,
head of mobile commerce company More Magic Software in Helsinki. “We have the
maths to show that it is secure. The only problem now is making it global.”
The Finnish government has taken the initiative with a national standard that
companies can use free of charge, says Vesa Vatka of the Finnish Population
Register Centre in Helsinki. At the moment, this system—called
FINEID—uses a smart card and a card reader attached to a computer, but the
plan is to migrate to a SIM, says Vatka.
The private key is protected by a PIN, and the card will shut itself off if
wrong numbers are keyed in three times. To switch it back on, the owner must
take it to a police station with another form of ID. If a card is stolen, the
police will cancel it permanently. Either way, information on the card stays
safe.
Even in its embryonic form, FINEID gives people a secure way to access
sensitive information, says Vatka. “And when you get it in a mobile phone you’re
not even tied to a terminal,” he says.
Needham believes that identity theft will be inevitable no matter how careful
the safeguards are. “But then it already takes place now,” he says. He reckons
the system is more secure than what we have now, and that this will encourage
businesses to adopt it.
Pearson thinks consumers, too, will learn to trust a chip with their
identity, not least because it will make life so much easier. A private key will
do away with hard-to-remember logins and passwords for websites, as well as all
those credit cards and PINs. “People already give up their privacy quite happily
just to get access to a website,” he says. “As long as they get something out of
it.” People don’t really value their personal information, it’s the control of
it they care about. Your SIM will give you that control.
YOU want to send a message to George Smiley using public key encryption. To
get his public key, you contact the key holder, an organisation called a trusted
third party. You can then use Smiley’s public key to encrypt the message,
knowing that only Smiley can open it with his private key
(see top of diagram).
If Smiley wants to reply in secure fashion, he would reverse these
actions—encrypting his response with your public key.
But, say Smiley needs to give you signed orders. He would then “lock” his
reply with his private key (see bottom of diagram).
When you decrypt the message with his
public key you know that only one person—Smiley—could have sent it.
Smiley’s public key only works on messages locked by his private key.FIG-mg22614501.JPG
So between them, the two keys give you privacy and authentication.