
Wednesday, 28 September 2011

Identity Is Dynamic, Not Static. Proof: Momentary.

On Tuesday we had a very revealing discussion on whether "banks and/or mobile operators should provide the identity infrastructure" at the CSFI's Sixth roundtable in the series on Identity and Financial Services.

Of course we began by discussing what identity actually is - not something that can be isolated or assumed, as was also apparent from the Fifth roundtable.

In this discussion, it was very clear that a bank or telco views identity as a static collection of data about an individual that can be stored or held, with varying degrees of subject access and control. In this entrenched view of the world, institutions - like banks and telcos - can compete for the privilege of 'holding' your identity and enabling you to prove who you are. In essence, those institutions are in control of your identity.

So what's stopping them providing an all-purpose identity infrastructure today?

The fact that identity is not a static concept. It's dynamic, contextual, and defined more by your various sets of activities or behaviours - "routes and routines", as Tony Fish put it - than by a picture, address and date of birth. That collection of behaviours and the data they generate are what makes us unique. Further, Dean Bubley made the point that we over-estimate the degree to which telcos (and banks) actually 'know' their customers in the sense of understanding their customers' end-to-end activities. And we over-estimate these institutions' technological ability to enable their customers to prove their identity at all, let alone conveniently in scenarios of their choosing.

A Finnish delegate also made the point that Finnish banks offer identity services, based on a government database, but make very little money out of them. Which suggests the services are not very useful or compelling.

In any event, static data repositories are vulnerable to attack; and the services that rely on them are apt to be 'gamed' by simply replicating the data held - as in the case of skimming card data or fabricating identity documents to gain control of a bank account. The fact that the individual consumer is ultimately compensated and therefore not 'harmed' in a direct financial sense is beside the point. We all pay for such inefficiencies in the form of higher interest rates, fees and retail prices.

So there are two key problems to be solved. As consumers, we need to be able to simply, conveniently and efficiently prove our identities in the course of any day-to-day activities. And as a community, we need the source of that proof to be less vulnerable to being hacked or guessed, and to contain its cost.

Given those key problems, the solution cannot possibly comprise an "identity infrastructure" or 'service' that relies on a single, static set of data that is 'held' by some institution. Rather, the solution has to involve the capability to generate a unique and momentary proof of identity by reference to a broad array of data generated by our own activity, on the fly, which is then useless and can be safely discarded.


Image from Young Lee.

Thursday, 22 September 2011

Old Newzbinned

I see that Lexology carries a note on the decision in Motion Picture Association v BT [2011] EWHC 1981 (Ch) in July, ordering BT to block access to a revived "Newzbin2" web site that was enabling a large scale copyright infringement in films after an earlier site had been successfully restrained. 

The problem with services that post material on a delayed basis is that time-pressured senior lawyers can get over-excited about the 'latest' case, and miss all the discussion that occurred when it first hit the traditional and social media, none of which is summarised in the note. That's especially problematic in this particular context, given the vast lobbying effort by the 'majors' to gloss over some critical issues associated with alleged mass copyright infringement.

Specifically, the injunction was granted under section 97A of the Copyright, Designs and Patents Act 1988, which enacts the Information Society Directive (2001/29/EC) giving the High Court "power to grant an injunction against a service provider, where that service provider has actual knowledge of another person using their service to infringe copyright." 

The case shows that rightsholders have long had adequate protection for mass infringement, and underscores the waste and futility involved in passing the Digital Economy Act during the infamous Parliamentary 'wash-up' of 2010. The core provisions and site-blocking generally have been found by Ofcom to be unworkable; and the Liberal Democrats have joined the calls for the DEA to be largely repealed.

More productive efforts are focused on modernising our intellectual property rights, and it would be good to see more articles on that. 





Sunday, 4 September 2011

Are 'Soaring' Mortgage Arrangement Fees Excessive?

Moneyfacts July 2007 warning
In a re-run of 2007, this time amidst persistent low interest rates, MoneySavingExpert has reported huge increases in mortgage arrangement fees. In 2007, the suggestion was that the high fees masked artificial reductions in headline interest rates. This year, the suggestion is that higher arrangement fees are being used to make up for low interest income:
"Typical mortgage rates are at a record low, and while this undoubtedly means reduced costs for consumers, lenders are partly offsetting that fall with a rise in costs to secure that deal."
Of course, that may be hard for lenders to justify in relation to regulated mortgages, on the basis of treating customers fairly, disclosure obligations or under the excessive fee provisions in the FSA's Mortgage Conduct of Business sourcebook (MCOB).

In particular:
"When determining whether a charge is excessive, a firm should consider:

(1) the amount of its charges for the services or products in question compared with charges for similar products or services on the market;

(2) the degree to which the charges are an abuse of the trust that the customer has placed in the firm; and

(3) the nature and extent of the disclosure of the charges to the customer."
But I'm sure each of the lenders has prepared some kind of explanation in case the FSA or the competition authorities inquire...

Tuesday, 30 August 2011

Regulating P2P Finance


From a standing start in March 2005, this year peer-to-peer finance will account for more than £100 million of loans to individuals and small businesses in the UK. The timing is perfect, given that our banks are lending less and paying lower savings rates, and new capital rules will drive further need for alternative funding.

Yet, as I noted last year, while these platforms deliver very real social and economic benefits by enabling people rather than banks to share most of the margin between savings rates and funding costs, the financial regulatory and tax framework does not directly accommodate them. So, ironically, new entrants whose business models are founded on openness, fairness, transparency and individual consumer control must spend a huge amount of time and start-up capital figuring out a regulatory path through a regime that is not only designed to force recalcitrant 'traditional' financial institutions to treat customers fairly but also subsidises their marketing efforts with favourable tax allowances.

While the various P2P providers were also considering the merits of forming a self-regulatory body to act as a focal point for more helpful enabling regulation, a further catalyst was the BIS consultation on moving responsibility for consumer credit from the OFT to the Financial Conduct Authority (the FSA's replacement). Having helped frame Zopa's positive response to that consultation, I was happy to help apply the same regulatory approach we'd suggested to a set of operating principles that could form the basis of an interim self-regulatory framework. Collaboration with both Ratesetter and Funding Circle ultimately led to the formation of the "Peer to Peer Finance Association" in July, with invitations extended to others.

The intention of the P2PFA is to enable the development of platforms that facilitate open consumer and small business participation, rather than merely 'investment clubs' or networks reserved for sophisticated investors. As a result, the term “Peer to Peer Finance” is broadly defined in the Rules to mean "any funding arrangement that comprises direct, one-to-one contracts between a single recipient and multiple providers of funds, where the majority of providers and borrowers are consumers or small businesses." The desire for scalable, open or 'mass' access is underlined by the definition of “Platform” as "an electronic system that facilitates Peer to Peer Finance." Generally, funding is likely to be in the form of simple one-to-one loans, but other instruments may evolve over time.

As stated on the Association's web site:
"The Association’s Rules and Operating Principles set out the key requirements for the transparent, fair, robust and orderly operation of peer-to-peer finance platforms and cover:
1. Senior management systems and controls;
2. Minimum capital requirements;
3. Segregation of participants’ funds;
4. Clear rules governing use of the platform, consistent with these Operating Principles;
5. Marketing and customer communications that are clear, fair and not misleading;
6. Secure and reliable IT systems;
7. Fair complaints handling; and
8. The orderly administration of contracts in the event a platform ceases to operate.
The Peer-to-Peer Finance Association is run by a Management Committee, made up of one representative from each member, with one member acting as Chairman for one year on a rotating basis. Giles Andrews, CEO of Zopa, will act as the Committee’s initial Chairman. As new members join the Association, their representative will join the Management Committee.

Membership of the Peer-to-Peer Association is subject to the Rules of the Association and members must comply with the Association’s Operating Principles."
The Rules, Bye-laws and Operating Principles are set out here.

Thursday, 4 August 2011

Wither the Digital Economy Act?


A year later we're still fussing over the damn thing and, surprise, surprise: site-blocking has been abandoned as unworkable and ISPs won't have to subsidise the costs of protecting outmoded entertainment industry business models.

BUT! I cannot fathom a decision to charge individual citizens £20 for appealing "every notification letter received from their ISP, and against every instance of infringement identified" by a copyright owner. It's all very well to say that this will discourage vexatious appeals and that the individual can recover the £20 if their appeal is successful. But where is the constraint on the mistaken, vexatious or groundless issue of infringement notices? Will it cost £20 per notice to complain about that? Can they all be heard together? These things could arrive like confetti, effectively reversing the burden of proof and obliging the individual to underwrite a multiplicity of appeals.

My sense is that there will not be a significant number of appeals. But, on the flip-side (as it were), rights owners who avail themselves of this process will find their material shunned altogether, for the reasons discussed in Henry Jenkins' "Convergence Culture". Rights owners who don't understand that are doomed.

I can't imagine what Kafkaesque process Ofcom is being forced to envisage in order to bring this monster to life, but I understand we'll find out "shortly".

Image from LoveMarks.

Saturday, 30 July 2011

How Not To Deal With A Regulator

The 'Big Six' energy providers are actually threatening to steal the regulatory limelight from UK retail banks - which is no mean feat. Ofgem says it has levied a total of £12.5m in fines this year already. In the past few weeks alone, SSE and Scottish Power have found themselves under scrutiny from MPs. And British Gas has complained publicly that its recent fine of £2.5m for complaints mishandling is "totally disproportionate", seeming to suggest they should've been given credit for having to spend £4m fixing the problem.

But you'd expect a little more humility from a company that is raising consumer gas and electricity prices at an average of 18% and 16% respectively, and contributed £270m of its parent's £1.3bn profit for the first half of this year. 

Ofgem explains that its complaint handling regulations include the following requirements ("the breaches Ofgem found against British Gas in this case are in bold):
  • a common definition of a complaint between (sic) energy suppliers;
  • a requirement for suppliers to record complaints upon receipt and follow up contact with the customer after the initial complaint;
  • a requirement for suppliers to have a complaints handling procedure and be able to explain to customers how they can make a complaint;
  • a requirement to signpost customers to the Energy Ombudsman if the complaint is not resolved;
  • a requirement to deal with consumer complaints in an efficient and timely manner, and allocate sufficient resources to do this;
  • a requirement to publish information on complaints."
Here's an explanation of Ofgem's industry governance arrangements.

And here's where to complain if you are a consumer or small business (once you've given the provider a chance to resolve the dispute).

Meanwhile, Ofgem says that it's:
"currently investigating Npower and EDF Energy for complaint handling; Scottish Power, Scottish and Southern Energy, EDF Energy and Npower for misselling; and is undertaking two investigations into Scottish Power for potentially misleading marketing and the difference between its Standard Credit and Direct Debit Tariffs."
I'm sure the suspects are bound to accept any adverse findings with good grace...

Saturday, 16 July 2011

Private Sheriffs in Cyberspace and Counter-regulation

Zittrain's Rule-making quadrant
What better task for a rainy Saturday than extracting the 'blawg' posts from Pragmatist and placing a link to them on a dedicated Blawg where they belong?

Here's my response to a Zittrain lecture in May 2009, that appears to have stood the test of time.