We Were Expecting You, Mr. Bond.
We follow you on Twitter.
Dateline Las Vegas, 19th March 2023.
Like a good many other people it seems, I am hooked on Apple TV’s spy drama “Slow Horses”. It is based on a series of novels by the author Mick Herron and follows the story of a team of disgraced British intelligence officers who are sent to an unglamorous department where they are tasked with investigating low-level cases. The plots are interesting and the acting is absolutely first class, with heavyweights Gary Oldman and Kristin Scott-Thomas anchoring a terrific ensemble cast. Amy B. Zener, the author of "Spies, Lies, and Algorithms: The History and Future of American Intelligence” calls this kind of drama “spytainment”, which I love, but of course I always find myself questioning how much of it is real.
Shaken, Not Stirred
It seems to me that much the world of the spy is rather mundane surveillance, rather than jumping out of airplanes or racing around on motorbikes, and much of the work is about joining up the dots rather than uncovering secrets. Think about the Russian invasion of Ukraine: Never mind CIA spy satellites, the position of troops and tanks could be found on social media! We are now in the era of what is called “open source intelligence”.
As Alan Brown explains, OSINT is the gathering of open data sources to support understanding and guide decision making. While the use of public information has long been important in military and security activities, the wider availability of digital data sources means that the opportunities to exploit OSINT have significantly increased. Whether examining satellite images to understand troop movements or analysing social media posts to review sentiment about government actions, a wide variety of digital sources are being used as important inputs to many kinds of strategic decision making. General Sir Jim Hockenhull, the U.K.’s Chief of Defence Intelligence, says this has proved to be a “force multiplier”. He says that the intelligence services need to shift to an operational model where they obtain most of their situational and contextual understanding through open source and combine this with our secret intelligence to support decision making. Given all that, the spy movies of the future might be a little dull. It must have been much more exciting back in James Bond’s heyday.
Bond’s creator Ian Fleming, by the way, actually served in the intelligence services in World War II and was rather famously involved in Operation Mincemeat, the British military operation that involved the planting of a corpse carrying false documents in order to deceive the Axis powers about the Allies' plans for the invasion of Sicily, which featured in a recent movie with Colin Firth, which was OK, but I strongly recommend the original book by Ben Macintyre instead. The essence of the operation was that a body, dressed as a British military officer and accompanied by a briefcase containing false documents that suggested the Allies were planning to attack Sardinia and Greece instead of Sicily, was dropped into the sea off the coast of Spain. The deception was successful and the Axis powers were misled into diverting troops away from Sicily.
Imagine being able to fool the enemy with a fake ID card and a couple of receipts from London restaurants! Those were the days. A few years ago, Alex Younger (a former Chief of the Secret Intelligence Service, known by the codename “C”), made precisely this point: It is really hard to be a spy now. Gone are the days when an agent could just grab a fake New Zealand passport from the cupboard, shove it in her backpack and head off to the airport. Now, biometric identification, social media and smartphones make it far more difficult to adopt a realistic alter ego and slip unnoticed into the crowd. Establishing a fake identity is the easy bit. The problem comes because a fake identity needs a real reputation.
Reputation, unlike identity, is hard to forge. It has a time component. It takes years to build up a reputation that will stand up to scrutiny! If you wanted to pretend to be someone now, you would have to have started building the fake LinkedIn profile a decade ago.
Things are definitely changing in the world of spies then. It’s not Operation Mincemeat or Goldfinger anymore. For one thing, three out of the four directors-general of the British secret intelligence services, each of whom reports to the current “C”, are women and they include the head of technology (known as “Q”, after James Bond’s gadget man). One of them told the Financial Times that it had been an exciting career during "the days before biometrics", when she was making her way unnoticed from one country to another, often on foot, and changing disguises en route.
Ah, the days before biometrics.
@007
Think how hard it is for spies these days, even after they have spent ages setting up a bogus LinkedIn profile and nurturing it for years while creating a convincing Facebook profile that shows them to be unremarkable, complaining about the trains on Twitter and posting stuff about some dreary hobbies in Instagram.
with kind permission of Helen Holmes (CC-BY-ND 4.0)
Biometrics ruins the game for them. Imagine James Bond dons a suit and grabs a fake passport in the name of Dave Birch, heads off to a casino for an evening of intelligence gathering with suspicious oligarchs and arms dealers. He heads through the main entrance, where his face is scanned and fed into the age verification system that is connected to the open banking “safe to spend” service and the police criminal records information system and the casino loyalty scheme before a screen flashes up “Welcome Back Mr. Bond, only another half a million to lose and your gold membership will be extended for another year”.
We’re not quite there yet. Facial recognition is far from perfect. The technology is especially inaccurate when identifying people of colour and women. While intelligent law enforcement recognises that the technology is there to provide leads for investigators and should not be relied on as a sole source of truth, a misplaced faith in its efficacy is all too common. The technology has led to wrongful arrests, and using facial recognition as the only justification for arrests is a "troubling and growing trend” according to Clare Garvie from the US National Association of Criminal Defense Lawyers.)
Biometric identification seems convenient, but biometric authentication is a much better way forward and this should be our “default” way of thinking about security. James Bond heads into the casino and waves his smartphone over a scanner. The smartphone (or watch, hat, bracelet, pendant etc.) gives up a Verifiable Credential (VC) that is a casino loyalty card in the name of Dave Birch. This is immediately checked in the casino’s back end system to see that Dave Birch has not been barred from the premises and presents a picture of James’ face to the doorman (since James would have registered with his face but a fake passport in the name of Dave Birch). This is why the Anglosphere should converge not on National Identity Schemes, but National Entitlement Schemes that keep identity out of transactions that do not need it (i.e., almost all transactions).
Digital Camo
That’s only part of the solution of course. How is James going to pretend to be me all evening? Everyone else sitting around the Baccarat table has LinkedIn on their phones and because they are rich they will probably have access to some AI-powered face recognition service to check up on their table companions for reasons of natural prudence.
If that sounds distant, it is far from it. I recall a heartwarming tale of parental love and guidance that illustrates this rather well. It concerned a Tuesday evening some time ago when a billionaire was having dinner at a restaurant in Manhattan and his daughter walked in with her date, a young man unknown to the protective father. The billionaire did what any parent would do in the same situation, which was to ask the waiter to go and take a photograph of her beau, which he then uploaded to the Clearview facial recognition application. He was immediately presented with collection of photos of the man and was able to determine who his daughter's escort was, at which point he sent his daughter the full biography of her companion by text.
Similarly, the bar will be full of revellers taking pictures of each other for their Snapgram and Instatok feeds. By the time he’s finished his first martini, James Bond will be in a few hundred social media feeds and his location will already have been triangulated by Russian bots scampering around the web for precisely this purpose. Hence my prediction for the next most important gadget for Q to develop and surely the next big fashion trend: adversarial clothing, makeup and accessories to defeat face recognitions algorithms.
I am behind the curve, of course, because entrepreneurs are already on the case. Take a look at the start-up firm Cap-able, which describes its Manifesto Collection (including a £252 T-shirt, £370 sweater and £245 jogging bottoms) as ‘a wearable algorithm to protect our identity’ because the knitted fabric is woven with ‘adversarial patches’ which protect biometric face data and confuse AI computers into wrongly categorising the wearer as a dog, zebra or giraffe.
(Russian computer scientist Albert Efimov predicts the widespread use of “digital veils”, a phrase that I rather like, and says that by 2040 facial recognition will become meaningless because of AI, augmented reality and presumably hacking as well.)
As for make up to defeat facial recognition systems, this already exists. A study from Ben-Gurion University of the Negev found that software-generated makeup patterns can be used to consistently bypass state-of-the-art facial recognition software, with digitally and physically-applied makeup fooling some systems with a success rate as high as 98%. The makeup looks pretty strange, but then I suppose tattoos and metal studs used to look strange. We need the next James Bond to wear this kind of makeup in the next movie to make it cool. I will e-mail his people right away.
Are you looking for:
A speaker/moderator for your online or in person event?
Written content or contribution for your publication?
A trusted advisor for your company’s board?
Some comment on the latest digital financial services news/media?