Dateline: Newcastle NSW, 20th August 2023.
Why do people like dressing up like pirates? Why do people like movies about pirates? Why do people like theme park rides about pirates? I mean… WTF? Pirates were horrible.
Me dressed up as a pirate in the 1970s.
What we think of as the “Golden Age” of piracy with dashing cutlass-wielding rebels leaping from magnificent galleons down to sun-kissed golden beaches was actually rather short, running from around 1690 until around 1730, when the Royal Navy turned up to put an end to murder, rape, torture and plunder around the Caribbean Islands and the east coast of North America.
Unlike brave adventurers like Sir Francis Drake and Sir Walter Raleigh, who were licensed by the Crown to raid enemy ships and share the booty, the pirates of the golden age were in it for themselves. They were simply criminals, although exceptionally violent ones, on boats.
How these murderous thugs slipped into popular legend is easy to trace. Just as the Golden Age was coming to an end, the pseudonymous Captain Charles Johnson published a famous compendium of the biographies of these desperados, called “A General History of the Robberies and Murders of the Most Notorious Pyrates” (1724). It was full of bloodthirsty detail, breathlessly narrated, and secured the legends of Edward Teach (“Blackbeard”), Black Bart, Sir Henry Morgan and a host of others.
(Blackbeard was very much of the Elon Musk school of management and he maintained his legendary status with random acts of violence, including occasionally shooting his own men because, he is reported to have said, “if he did not now and then kill one of them, they would forget who he was”.)
I hope you are getting the picture. Handsome and daring as they appear in the movies, they were not nice people. For example: Sir Henry Morgan in an attack on the Spanish port of San Geronimo took women, old men, friars and nuns dragged from the church as human shields for his advancing men.
It’s a long story, but this was my flag. For about 10 minutes.
There’s probably a cheery sea shanty about that. Anyway it’s interesting to note that back then, pirates had some support from landlubbers. Riots to free pirates from captivity were common throughout the British Empire during the late seventeenth century. Local leaders openly protected the perpetrators of piracy against powers nominally at peace with England! It was in their commercial interest to harbour the criminals because of the trade in stolen goods and contraband, a topic we will return to.
Flagships
We are all familiar with the term “false flag”. It describes how pirates flew the flag of a friendly nation to deceive merchant ships into allowing them to draw near.
(The use of false colours by public vessels in war is now prohibited under international convention.)
It would be a mistake to think of this form of island-hopping ship-based identity fraud as something confined to that golden age though. It is already clear that while we tend to think about identity fraud as something involving human beings, as “The Internet of Things” (or “IoT”) expands and embraces more and more of the world, identity fraud will increasingly affect stuff as much as people. In fact, when it comes to ships it already does.
Current events serve to illustrate the problem. Ships use the Automatic Identification System (AIS), which is an automatic tracking system used by vessel traffic services (VTS).
Now, there has been GPS spoofing near Russia and Russian-occupied areas of the Black Sea coastline going on for a while and it periodically affects shipping. Since a ship's AIS transponder broadcasts the location it receives from the ship's GPS unit, GPS spoofing shifts the location that the ship reports.
In 2017, more than 20 ships reported that their GPS positions had been erroneously relocated many miles inland to the airport in Novorossiysk. Others at anchor appeared "clustered" in areas where there were no radar returns for ships. Indeed, over the course of 2017-19, non-profit analytics group C4ADS catalogued about 10,000 similar incidents affecting 1,300 vessels, most in or around areas of Russian influence.
(The report also drew a correlation between the movements of Russian President Vladimir Putin and the mass spoofing events.)
Shipmates
Ships engaging in identity fraud by hiding or disguising their identity is not a new problem, but it has grown significantly in recent times. Ships broadcast false identities by using transmitters taken from scrapped vessels (there is a black market for these) and using made-up identities.
There are still pirates around today, of course.
Now, it happens that a significant fraction of the ships flaunting bogus identities are from one category: oil tankers. There are tanker-loads of looted and expropriated oil, the primary contraband afloat today, pottering along the sea-lanes of the world masquerading as quinquiremes of Nineveh, illegal fishing boats masquerading as stately Spanish galleons and hulls laden with sanctions-busting weaponry masquerading as dirty British coasters. You really do learn something every day.
AIS, like driving licences, was never designed to be a secure identity infrastructure. It was put in place in the 1990s for safety reasons, to avoid collisions by giving ships information on nearby vessels. Yet there was almost immediately manipulation of IMO numbers (ship identity numbers, which are supposed to be constant over a vessel's lifetime). Within a few years, more than 1% of the AIS-transmitting ships were reporting false identification data.
(I have no idea how an AIS transceiver works, but I would be surprised if it includes tamper-resistant hardware that can digitally-sign identification data.)
It’s not only about piracy, of course. Here’s another example of cloned AIS identities in a more dangerous mode. The Royal Navy’s HMS Defender and the Royal Netherlands Navy’s HNLMS Evertsen pulled into Odessa in Ukraine in 2021 after exercising in the Black Sea. According to AIS data, they then sailed directly to Sevastopol, the headquarters of Russia’s Black Sea fleet. Yet live webcam feeds showed them still moored in Odessa.
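As an added example (not from the original post and not fed by any real AIS data), here is one way a monitoring service could flag the two symptoms described above: a track that jumps further than a ship can sail, and one identity reported in two places at once. The 40-knot ceiling, the ship names and the sample reports are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

MAX_SPEED_KNOTS = 40.0      # assumed ceiling for a surface vessel; tune per fleet
EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

def distance_nm(a, b):
    """Great-circle (haversine) distance in nautical miles between (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def implausible_jumps(reports, max_knots=MAX_SPEED_KNOTS):
    """Return (ship_id, t_prev, t_curr, implied_knots) for consecutive reports
    of one identity that no vessel could physically have covered."""
    tracks = defaultdict(list)
    for ship_id, t, lat, lon in reports:
        tracks[ship_id].append((t, (lat, lon)))
    flagged = []
    for ship_id, points in tracks.items():
        points.sort()
        for (t0, p0), (t1, p1) in zip(points, points[1:]):
            hours = (t1 - t0) / 3600
            dist = distance_nm(p0, p1)
            if hours == 0:
                # Same identity, same instant, two places: a cloned identity
                # or a spoofed position. Ignore jitter below 0.1 nm.
                if dist > 0.1:
                    flagged.append((ship_id, t0, t1, math.inf))
            elif dist / hours > max_knots:
                flagged.append((ship_id, t0, t1, dist / hours))
    return flagged

# Constructed sample reports: (identity, unix seconds, lat, lon). Approximate
# coordinates chosen for illustration only.
SAMPLE = [
    ("SHIP-A", 0,    46.49, 30.75),  # moored near Odessa
    ("SHIP-A", 1800, 46.49, 30.75),  # still moored 30 minutes later
    ("SHIP-A", 3600, 44.62, 33.53),  # reported off Sevastopol half an hour on
    ("SHIP-B", 0,    44.60, 37.70),
    ("SHIP-B", 3600, 44.70, 37.85),  # about 9 nm in an hour: plausible
]

if __name__ == "__main__":
    for ship_id, t0, t1, knots in implausible_jumps(SAMPLE):
        print(f"{ship_id}: {knots:.0f} knots implied between t={t0} and t={t1}")
```

A check like this only says that a report is physically inconsistent; it cannot say which of the conflicting reports is the true one, which is why the webcam feed mattered in the Odessa case.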
IDIoTs
As far as I can tell, everywhere that IoT pops up — from health to transport to home control to in-car to battleships — it pops up with no security infrastructure (and, by the way, a password isn’t security). It has long been a muddle of emerging technologies with unnerving social, legal and moral implications, set in motion as the Internet became pervasive and the cost of sensor chips fell.
There are no standards, no authentication, no audit, no identity infrastructure at all. I remember a few years ago calling IoT a Chernobyl that would one day blow up and leave a cloud of contaminated personal data drifting across the internet (you can actually see this talk on YouTube if so minded).
(It's one thing to joke about smart fridges, and who can resist it, but it's not about fridges, it's about everything.)
In the mass market, IoT deployment will, of course, have to be something that co-opts consumers to police it. When it’s something like wine labels, you can see why people will co-operate to make it work. After all, who wants to be embarrassed serving a fake wine at dinner and, aside from that, who doesn’t want to learn more about a wine that they try and like?
But how can they trust it? How do you know if the ID of your wine is real or fake? What if you don’t want your guests to know which wine they are being served? Putting IDs into things, whether ships or bottles of wine or blood pressure monitors is not, by itself, the solution. We are missing a whole layer that needs to sit on top of the “things”.
How do we turn tags on and off? How do we grant and revoke privileges? How do we allow or deny requests for product or provenance?
We are missing the provenance layer.
As I have long maintained, the way forward is to trust the provenance rather than the product. The ID of the wine bottle is only useful to me if I can go online and see whether that ID is real, where the bottle was bought from, where it was bottled and so on and so forth. When it comes to consumer products, in security terms this means only one thing.
The counterfeiters will inevitably shift their attention to attacking the database.
Despite my scepticism about the broad sweep of blockchain killer use cases that we keep hearing about, this is one area where an immutable database resistant to subversion by bad actors might be for the greater good, hence my interest in the relationship between shared ledgers and IoT, because we need a means to ensure that virtual representations of things in the mundane cannot be duplicated in the virtual.
Of course, for this to become a useful infrastructure, it needs standardisation. As it happens, the European Commission is currently discussing the details of a Digital Product Passport (DPP), which aims to increase transparency around the provenance of certain things, including car batteries and luxury and electronic goods.
They envisage an identifier for products encoded in a chip or as a QR code or whatever so that the supply chain can share information across the entire value chain, including data on raw materials and recycling. I think that if you envisage the identifier as a public key in a smart chip bonded to the product (so it cannot be removed without being destroyed) you could fix a lot of identity problems in one go.
The combination of tamper-resistant hardware to maintain the security of the product and shared ledgers to maintain the security of provenance recorded in a standard format is the way forward for ships as well as Samsungs, corvettes as well as Chanels. No more false flags, no more virtual warships in enemy ports and no more oil tankers pretending to be pedalos.
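To make the "attack the database" point concrete, here is an added sketch (not from the original post and not any DPP specification) of a tamper-evident provenance log: each entry commits to the one before it, the product identifier is derived from the tag's public key, and a second "manufactured" event for the same identifier is refused. The key bytes, event names and parties are constructed placeholders.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash that the first entry chains from

def product_id(tag_public_key: bytes) -> str:
    """Identifier derived from the tag's public key (key bytes are constructed here)."""
    return hashlib.sha256(tag_public_key).hexdigest()[:16]

def _digest(prev_hash: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

class ProvenanceLog:
    def __init__(self):
        self.entries = []  # list of (record, entry_hash), append-only by convention

    def append(self, pid, event, detail):
        # One identifier, one manufacture event: a second one signals a clone.
        if event == "manufactured" and any(r["pid"] == pid for r, _ in self.entries):
            raise ValueError("identifier already registered: possible clone")
        record = {"pid": pid, "event": event, "detail": detail}
        prev = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append((record, _digest(prev, record)))

    def first_bad_entry(self):
        """Index of the first entry whose hash no longer matches, or None if intact."""
        prev = GENESIS
        for i, (record, entry_hash) in enumerate(self.entries):
            if _digest(prev, record) != entry_hash:
                return i
            prev = entry_hash
        return None

    def history(self, pid):
        return [(r["event"], r["detail"]) for r, _ in self.entries if r["pid"] == pid]

def demo_log():
    """Constructed sample: one bottle's journey through hypothetical parties."""
    log = ProvenanceLog()
    pid = product_id(b"constructed-tag-public-key")
    log.append(pid, "manufactured", "bottled at hypothetical Estate X")
    log.append(pid, "shipped", "to hypothetical Importer Y")
    log.append(pid, "sold", "by hypothetical Retailer Z")
    return log, pid
```

A hash chain held by one operator only detects edits if someone else keeps a copy of the latest hash; replicating that head across independent parties is the job the shared ledger does in the argument above.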
Set a course for digital identity infrastructure! All ahead!
Many thanks to John Ryan from PayEd for arranging the first ever fintech cruise from Newcastle (NSW) and inviting me along to give a talk to the passengers and crew aboard The William The Fourth.