Scott Dueweke is a 25-year veteran of government, financial services, internet ecommerce, and identity management. His career has included an appointment by President Reagan to the State Department and creating a humanitarian organization which rescued Cuban rafters in the Florida Straits and assisted the humanitarian response to the genocide in Rwanda. He was a pioneer of internet ecommerce, presenting “Credit Cards and the Internet” at the first Internet World conference in 1994. This work was global, taking him to over 24 countries with IBM and other companies. He has since helped the financial services industry, the security industry and government solve the challenges of identity. He joined Booz Allen Hamilton in 2007 to lead the Identity and Access Management team and currently leads efforts at Booz Allen focused on Virtual Identity. This role builds upon his decades of experience in the financial services industry, the internet, and government to examine identity holistically.
How entities can build an understanding of the threats and opportunities associated with living and doing business in cyberspace and its intersections with existing business models
Virtual identity, social media, and ubiquitous connectivity are reshaping the world. Any doubt that a new paradigm has been created around perceived anonymity was erased after the Arab Spring and the UK riots. This model is extending itself to threaten the world’s existing financial systems through the creation of alternative, often anonymous, payment systems and a so-called ‘shadow internet’. ID People spoke to Scott Dueweke, Senior Associate with Booz Allen Hamilton, to find out what these threats entail.
The explosion of new Internet services, including social media, is creating a virtual world of connectivity that has to be taken seriously. What are some of the critical models and their implications?
The critical models of Web 2.0 and Web 3.0 are enabled by identity, or its perceived absence, anonymity. Whether we are talking about the Arab Spring, hacktivists like Anonymous or WikiLeaks, or the next phase of e-commerce focused on ubiquitous mobile payments, identity is key. Attribution, authentication, and authorization are key components to any successful identity-based system. The balance between privacy and utility is currently being defined. Does privacy equal anonymity? Not if society wants secure transactions, accountability, and a curbing of online abuses.
The term ‘Shadow Internet’ is described as a mesh network to avoid mass disruption, such as that caused by the Egyptian government’s Internet shutdown last year. Is this merely an answer to technological issues or does it pose another threat to security, without proper control?
The Shadow Internet is a term I coined to describe the ‘Internet within the Internet’ that exists within the TOR Network. TOR, which stands for The Onion Router, is an anonymization network which is free to access and use, and has proved very useful to dissidents and activists in countries where the Internet is closely monitored and controlled. However, within TOR, there is an area called TOR Hidden Services where there exist websites which you will never find through Google and are more sinister in nature.
These sites are built upon a bedrock of anonymity which allows them to sell drugs, guns, assassination services, and who knows what else.
In the realm of financial services, an anonymous internet economy is emerging as people pay for goods, transfer money and transact on-line on a daily basis. How is this built in terms of mechanisms and how are they complemented by on-line networks?
A majority of the Internet economy’s payment transactions are not made anonymously, but rely upon the existing global credit card infrastructure. Alternative online payment systems such as PayPal provide a relatively secure Internet channel to use traditional payment systems.
The rise in popularity of anonymous payment systems, which began in the mid-1990s with Digicash and E-Gold, is due to rising libertarian concerns around tracking and privacy, as well as meeting a need to purchase illegal goods and services. The supremely distributed and global nature of the Internet, which allows people and machines to hide in the seams between legal authorities, has and will continue to enable this underground economy.
What is required to manage this in terms of authentication?
A successful identity management system will acknowledge multiple levels of identity and authentication structured upon the need for identity proofing and authorization. An anonymous identity may be acceptable for playing games or posting your blog, but would be unacceptable for online banking, accessing government services, or for other commercial services (such as online dating) where a verified and valid identity is required. Such a trust model would require broad acceptance, and so far none have.
Where does identity fit in this scenario of virtual financial mechanisms, which often enable virtual identity to be anonymous?
Establishing identity is typically a key component in any traditional business transaction. Non-repudiation and trust are at the core of the banking system, with the use of credit cards and services such as PayPal incorporating them. These systems also incorporated the concept of chargebacks into their operating model (the ability to be refunded in case a product or service is unsatisfactory and the merchant refuses to refund). With anonymous payment systems, there is no such guarantee and indeed one uses these systems in “buyer beware” mode. Anonymity can shield one’s identity, reducing some risks while increasing others.
As a decentralized system, how secure is a mechanism such as Bitcoin and what are its advantages?
The decentralization of the crypto-currency system called Bitcoin is at the core of its genius, enabling Bitcoins to be generated by anyone willing to invest in a high-end graphics card and computer. With no entity controlling the system it is veritably impossible to shut it down. These Bitcoins also can only be used in a serial fashion, ensuring that they cannot be copied or counterfeited. The advantage, therefore, is that there is a relatively anonymous global payment system not dependent on any single entity, bank, or even currency. Bitcoins only have value because people perceive them to.
What are some of the problems associated with this system and is it vulnerable to criminal elements to use for illegal gain? If so, are there examples?
There are three primary problems with Bitcoins. First, their relative anonymity acts as an enabler for those who wish to use Bitcoins to buy or sell illegal goods and services. This certainly is not to say that Bitcoin users are all criminals. They are not, and there is certainly a valid libertarian privacy concern regarding the use of transactional data to track and target individuals for advertising, criminal, and government abuses. The second major problem is its volatility. During the past 12 months Bitcoins have traded between $2 and $30 for a single Bitcoin. That instability is unhealthy for any currency. Finally, the nature of Bitcoins makes them vulnerable to theft. The crash in the value of Bitcoins last May occurred after two individuals were rumored to have had $500k worth of Bitcoins stolen from their computers. Core to any successful currency is trust, and that certainly greatly eroded its trust model.
In this regard, does so-called ‘Webmoney’ have the potential to become a new form of financial trading with implications for money laundering and facilitating financial flows for organized crime?
Any alternative payment system which does not rely on the existing financial payment system backbone, and does not have regulatory oversight of its activities by government agencies, has a greater potential to be used for money laundering and by organized crime than a more traditional system. A system such as Webmoney must show that it is authenticating identities of those individuals applying to use their system to make purchases and transfer funds. Based upon our research at Booz Allen Hamilton we do not believe that Webmoney meets that requirement.
What is the prognosis for all these new ecosystems? Will they become secure enough to establish themselves as the way forward for financial transactions with limited vulnerability and low potential for abuse?
These new financial payment systems will continue to grow, and grow rapidly. PayPal’s meteoric growth and strong security model show that it can be done responsibly. People globally are living more of their lives online, increasingly through mobile devices, and are demanding payment choices that match their lifestyles. Fundamentally new payment systems have emerged over the past 10 years and are increasingly being adopted. Webmoney, Bitcoin, CashU, virtual gold systems such as the now-defunct E-Gold (shuttered because they supported the circumvention of financial sanctions against Iran), and mobile payment systems such as mPesa are filling this need for the banked and un-banked alike.
Does the same logic in terms of managing identity, apply to the mobile devices (smartphones) that proliferate today as the gateways to these ecosystems?
Mobile devices, even cell phones without Internet activity, represent fundamentally new business models being used in novel new ways to reach new markets. With over half the world’s population currently being un-banked, telecoms have stepped in offering financial services to the un-banked and banked alike. In Kenya, mPesa is a system run by Safaricom which currently serves over 14 million people, most of them having previously had no bank account. All you need is a phone. That type of dynamic is fundamentally enabling in nature, while at the same time being destabilizing and disruptive. These new ecosystems interface with the existing financial ecosystems.
The seams between these systems will be exploited for criminal gain until a strong identity vetting and management system is put in place.