Not Just Any Port in a Storm

28.08.2010 by Tim Cole

As anyone in the identity industry knows, more lies between America and Europe than just an ocean. In fact, when it comes to privacy and data protection, a wide gulf separates the old and new worlds.

Germany in particular is often perceived as hidebound, not to say paranoid, when it comes to companies collecting personal data about their customers. People are signing up by the thousands to have their houses deleted from Google StreetView, with the mass-circulation “Bild Zeitung” running panic-inducing headlines like “StreetView snoops private data” and warning its readers about “Google’s next attack: Now they’re using bikes to film us!” The German minister of consumer affairs, Ilse Aigner, has publicly urged her fellow citizens to follow her example and cancel their Facebook accounts.

Most Americans I know simply shake their heads and grumble about “unhinged eurocrats run amok”. But unfortunately, it isn’t that simple. For better or worse, American companies need to realize that these are genuine concerns by genuine people. And no matter how lackadaisical US consumers may be when it comes to handing out personal information, the reality is that Europeans are not.

“But isn’t that what Safe Harbor is all about?”, one American identity expert (who shall remain nameless) exclaimed recently when I asked him how he thinks the problem should be addressed. True – but apparently, safe harbors in the US are anything but. That at least is what the so-called “Duesseldorf Circle”, a group of data privacy officials from all German states, stated in a report released last April. They accuse US companies of cheating on the agreement which was reached way back in 2000 between the United States and the EU.

Measuring the real costs of identity theft

16.03.2010 by Tim Cole

One of the best-kept secrets in the German credit card industry was inadvertently revealed last night at an informal press dinner hosted by Bayern Card Services, an acquirer jointly operated by Bayerische Landesbank and the Bavarian community-owned savings and loan banks (“Sparkassen”). Asked just how much money banks were losing from credit card fraud, Monika Kummer, head of risk management for BCS, blurted out a figure of between 0.2 and 0.3 percent of total card turnover. When pushed for further details, she clammed up, but the genie was already out of the bottle.

After that, the math was simple. BCS handles the card business for about 70 percent of the 438 Sparkassen in Germany and reported total revenues of 16 billion Euros last year, so its member banks pocketed roughly 36 million Euros in fees.

Yeah, that’s peanuts for a banking group that does more than a trillion Euros turnover.
But wait! Most of those 36 million goes to the retailers, who pay anywhere from 3 to 6 percent to the issuing bank. Take off the various fees charged by middlemen such as BCS, and only about 1.2 percent actually remain as bank revenue. So 0.2 percent of the total turns out to be about one-fifth of the money banks earn from their credit card business. Peanuts indeed!

And things could get even worse for the banks if the European Union follows through on its threats to impose strict controls on the so-called interchange fees that banks charge whenever a cardholder purchases something in a foreign country. In Europe, where the next border is never more than an hour’s drive away, people can run up substantial interchange fees, and banks rely on them to boost the gross.

In December 2007, the EU forced Mastercard to submit a new pricing model for its interchange business. In March 2008, it was Visa’s turn when the European Commission opened anti-trust proceedings which could carry a hefty fine.

Finally, in April 2009, Mastercard agreed to temporarily reduce its interchange fees by a significant margin pending a final decision by the European High Court. In return, the Commission promised not to open further proceedings. Whatever the outcome of these legal maneuverings, banks must brace themselves for painful losses. But just how big will they be? Shall we say one percent? If so, then most banks will soon be bleeding money from their credit card business.

In Germany, where most people carry Maestro debit cards around with them, credit cards are still a rarity. In fact, only about 14 percent of all consumers actually own one. That averages out to about 0.6 cards per bank customer, about one-sixteenth of the U.S.
On the other hand, the banking industry strongly believes that the number of credit cards in German wallets will grow enormously in the next few years, so the potential losses will increase, too. Unless, that is, someone comes up with a way to reduce identity theft.

And BCS appears to have a few cards (pardon the pun!) up its sleeves. Monika Kummer reported that BCS is currently testing a system that will automatically send a text message to the cardholder’s mobile phone every time he or she makes a purchase exceeding a stipulated amount. In theory, the cardholder could then immediately ring up their bank and report a fraudulent transaction.

Another neat idea BCS is working on involves allowing customers to block payments from certain countries. If you never plan to travel to Kazakhstan anyway, anyone using your card there would have to be Borat or one of his henchmen, wouldn’t they?

Well, now that we know the dirty little secret about credit cards it becomes clear why banks are so eager to increase consumer awareness on the issue of identity theft. As long as only a few Germans actually own and use a credit card, their level of concern will remain low. But if the banks are right and credit cards are on their way to the mass market, things will change. And the sooner the better, I say.

Show me your terrorists!

21.10.2009 by Tim Cole

How many terrorists work for your company? Dunno? Well, see you in jail, pal!

I just came back from a meeting of the German chapter of IAPP, the International Association of Privacy Professionals, and the words of the chairman, Dr. Jyn Schultze-Melling, a lawyer with the firm Nörr, Stiefenhofer & Lutz, still ring in my ears: “We are sacrificing employee privacy on the altar of anti-terrorism.”

It turns out that firms are required by law to check their employees’ names against lists of terrorism suspects published by the United Nations and the European Union. In Germany, §34 of the AWG, the Foreign Trade Law, forbids companies from aiding or abetting persons or organizations that endanger national security or the “peaceful coexistence of peoples” in any way – like, for instance, paying them a salary. Failure to comply with this law carries heavy penalties: up to 5 years in jail for the CEO, for instance.

On the other hand, European data privacy laws prohibit routine scanning of personal data without due cause. So if nobody has done anything suspicious lately, running their names past the UN or EU lists is probably illegal in many countries.

Of course, tell that to the families after some nut explodes a vest of dynamite in your company canteen and slaughters a few of your employees.

So yes, companies have to screen their own people, but when exactly? On hiring? What if the employee has a change of heart two or three years later and signs up for the Muslim Brotherhood? Does that mean you have to scan periodically, maybe once or twice a year? And if you live in a country like Germany where the works committee has a big say in these matters, how do you ever hope to convince them?

According to Schultze-Melling, there are loads of even more mundane problems to consider. For instance, Osama Bin Laden would hardly use his real name when joining your company, and probably not even one of the score or so aliases he is also listed under in the UN list, but would choose an entirely new name instead. How about different spellings? After all, for an Arabic speaker, Ahmed Gamdi, Ahmad Al Gamdi, Ahmet Gamdi, and Ahmed Al-gamdi could very well be one and the same guy. There are more than 32 spellings for Libya’s Colonel Gaddafi (or Qadhafi, Kadafi, Gadhafi, Qaddafi, etc.). Are you legally required to check them all?
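The spelling problem above is really a matching problem: a screening tool has to fold transliteration variants together before it compares names with a list, and then decide how close is close enough. The Python sketch below is an added example (mine, not code from the post, the IAPP speaker or any real screening product); the watch-list entries are constructed from the spellings mentioned above and are not records from the UN or EU lists.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list in the shape of a sanctions entry: primary name plus aliases.
# Illustrative only; these are not records from the UN or EU lists.
WATCH_LIST = {
    "Ahmed Al Gamdi": ["Ahmad Al-Gamdi"],
    "Muammar Gaddafi": ["Qadhafi", "Kadafi", "Gadhafi", "Qaddafi"],
}

# Arabic name particles that transliterations freely include or drop.
PARTICLES = {"al", "el", "bin", "ibn", "abu", "abd"}


def normalize(name: str) -> list[str]:
    """Fold a transliterated name into comparable tokens: strip diacritics and
    punctuation, lower-case, drop particles, and unify consonant spellings that
    differ between transliteration schemes (q/k -> g, dh -> d, th -> t, ph -> f,
    doubled letters collapsed, so Qaddafi and Gadhafi both become 'gadafi')."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    text = re.sub(r"[^a-z]+", " ", text)
    tokens = []
    for tok in text.split():
        if tok in PARTICLES:
            continue
        tok = re.sub(r"[qk]", "g", tok)
        tok = tok.replace("dh", "d").replace("th", "t").replace("ph", "f")
        tok = re.sub(r"(.)\1+", r"\1", tok)
        tokens.append(tok)
    return tokens


def skeleton(tok: str) -> str:
    """Consonant skeleton: keep the first letter, drop the remaining vowels, so
    Ahmed / Ahmad / Ahmet differ only in their final consonant."""
    return tok[:1] + re.sub(r"[aeiouy]", "", tok[1:])


def similarity(cand: list[str], listed: list[str]) -> float:
    """Score in [0, 1]: the better of a whole-string ratio and a per-token alignment
    of the shorter name against the longer, so a dropped particle, a reordered name
    or a surname-only alias does not defeat the comparison."""
    if not cand or not listed:
        return 0.0
    whole = SequenceMatcher(None, " ".join(map(skeleton, cand)),
                            " ".join(map(skeleton, listed))).ratio()
    short, long_ = (cand, listed) if len(cand) <= len(listed) else (listed, cand)
    per_token = [max(SequenceMatcher(None, skeleton(x), skeleton(y)).ratio()
                     for y in long_) for x in short]
    return max(whole, sum(per_token) / len(per_token))


def screen(candidate: str, watch_list=WATCH_LIST, threshold: float = 0.8):
    """Return [(listed_name, matched_form, score)] for every entry whose primary
    name or one of its aliases scores at or above the threshold. An empty list
    means no hit; anything returned is a candidate for human review, not a verdict."""
    cand = normalize(candidate)
    hits = []
    for primary, aliases in watch_list.items():
        best_score, best_form = 0.0, primary
        for form in [primary, *aliases]:
            score = similarity(cand, normalize(form))
            if score > best_score:
                best_score, best_form = score, form
        if best_score >= threshold:
            hits.append((primary, best_form, round(best_score, 3)))
    return hits
```

Lowering the threshold catches more spellings but also more innocent namesakes, which is exactly the review burden the post describes; the right setting is a policy decision, not a coding one.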

As if that wasn’t bad enough, try telling that to the cops who come to arrest your boss because one of your employees donated to the local chapter of the Holy Land Foundation which funds Hamas, or to the National Development Front in India that finances Al-Qaeda. The UN and the EU, not to mention the US Department, publish lists of organizations they consider to be affiliates or fund raisers for international terrorists. Unfortunately, hardly any new employee mentions this in his hiring questionnaire, so what should you do? Periodically ask all your people whether they have joined a terrorist organization lately? Maybe hand them the list and ask them to make appropriate check marks. And what if they refuse — do you fire them? Anyway, answering in the affirmative could constitute an act of self-incrimination, so requiring it would itself be illegal in most civilized countries.

Until now, most HR departments have dealt with these questions in the handiest possible way – by ignoring them. Out of about 20 companies represented at the IAPP meeting, among them a few on the Fortune 100 list, only two raised their hands when I asked who has ever conducted a scan for terrorist suspects within their organizations.

My feeling is that this illustrates the legislative confusion surrounding identity and privacy on the governmental level, but it also points out some tough questions that need to be answered by identity pros before we can hope to achieve anything like a balanced approach to the legitimate concerns of citizens, employees and consumers about how authorities and employers handle their personal data on the one hand, and the requirements of businesses, bureaucracies and, yes, terrorism fighters on the other.

Identity – Last Man Standing?

11.08.2009 by Tim Cole

Somehow the Hofbraeukeller in Munich, one of my favorite city’s nicest beer garden restaurants, seems to lend itself particularly well to long, meandering discussions of identity management. It’s the place the U.S. participants at the European Identity Conference regularly gather for their pre-conference pigs’ feet feast, and since it’s conveniently located around the corner from where I live, I often use it as a meeting place for visitors from all over the world. I mean, if you’re in Bavaria, by all means go to a Bavarian place for lunch instead of one of the ubiquitous sushi stalls.

I thought my latest guest, Tom Stewart, CFO of MultiFactor Authentication out of Irvine, CA, would be thrilled, but it turns out he spent two years working for Intel in Munich, so he’s been there and done that. Which is okay, because it gave us more time to get down to basics about his company’s strategy and products.

Tom is in the business of making security tokens obsolete. I know you’re going to hate this if you just gave a pile to RSA or Verisign, but MultiFactor believes that hardware-based strong authentication is poised to go the way of the dodo.

Of course, software tokens have been around for quite a while, but they are often considered to be weaker than hardware tokens, or else they require some fancy PKI architecture to make them safe enough for serious corporate use.

Well, think again, Tom says. His “SecureAuth” system sits inside the firewall and handles full bidirectional X.509 authentication for apps and other systems without any tokens or PKI infrastructure and, more importantly, at a fraction of the cost. The system used to connect the client with your company network is proprietary, but it uses SAML or any other system you want to use to connect to outside applications or SaaS providers. Just how they do it and whether it really works the way they say it does is beside the point here, but readers are invited to visit their website at www.multifa.com for a free online demo and as much nerdy prose as you can stomach. (Tom is a marketing guy, but he is apparently surrounded by a team of true, dyed-in-the-wool techies.)

Personally, my attention perked up when Tom began to describe the way SecureAuth acts as a kind of gatekeeper for Active Directory (in 90 percent of cases, he says) or any other directory service you happen to be running.

This seems especially exciting to me when you consider it in terms of Cloud Computing, where we are seeing a rash of new cloud-based identity services. Bob Blakley of Burton described what he calls the “ability to build a virtual identity provider using a multitude of different services”. At the Catalyst Conference in San Diego a few weeks ago, he expressed his surprise that, unlike what everyone was expecting, providing identity services for the Cloud wasn’t turning out to be “this big monolithic thing”. Instead, the market is building a set of small specialty firms that handle identity tasks and offer discrete billable units that companies can put together. Ping, for instance, integrates PingConnect with Google Apps so a user’s Google ID can be used for single sign-on across some 60 online services.

Sourcing your identity management may appear to make good business sense, but does it really? After all, companies are sourcing just about everything else related to their IT. But Tom believes, and I agree, that identity management is the last thing you want to see going out the door. “As long as you control the directory, you control everything”, he maintains. Letting external service providers make changes or allowing them to make copies of your directory, which some do, is simply asking for big trouble.

My feeling, and it’s nothing more than that, is that companies will be very cautious in moving towards the cloud, choosing a step-by-step approach rather than taking the sudden plunge. As much as small and medium-sized enterprises would love to say goodbye to their IT and concentrate on their core business, they should draw the line at their directory, be it active or otherwise.

In fact, you could probably make a case for keeping only your directory and sourcing everything else, but then what is the poor CIO to do? Anyway, directory services might actually prove to be the Last Man Standing as corporate IT gradually disappears into Cloud-cuckoo-land.

Where in the Cloud am I?

04.05.2009 by Tim Cole

Recently, at a press briefing by German IBM boss Stefan Jetter who waxed enthusiastic about Cloud Computing, an elderly journalist rose and asked him a show-stopper: “Where are my data when they’re out there in the Cloud?” Jetter did a double take, but my colleague pressed on: “I mean, physically, where are they?”

Of course, the answer is: on some nameless server somewhere, anywhere in a grid farm in Ohio or Dublin or… In fact, the usual answer is: Who cares?

Well, for one, the German privacy protection agencies. Passing data across national boundaries can be a federal offense, and not only here. The EU Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) mandates that personal data may only be transferred to third countries if that country provides an adequate level of protection – something the U.S., just to name one, does not, at least not according to European standards, especially since foreigners do not benefit from the US Privacy Act of 1974.


The Digital Knee

05.04.2009 by Tim Cole

Since “Minority Report”, where Tom Cruise toted a squishy bag full of spare eyeballs around to hold up in front of iris scanners, thus fooling the access systems, biometrics has been a buzzword, if only a minor one, but it has failed to catch on in a meaningful way. A few years back I speculated that this is because every existing biometric method has serious drawbacks. Fingerprints fade as you grow older, and some people don’t have any because they are afflicted with a rare disease called “Naegeli syndrome” or dermatopathia pigmentosa reticularis (DPR) that can cause vexing social problems. Recently, identical twins were indicted for robbing the department store KaDeWe in Berlin, but had to be released when the authorities found that it was impossible to determine which of them had actually done the heist, since they share the same DNA. And many people instinctively refuse to put their eye to an iris scanner because they worry that they may be blinded by a flash of light from a malfunctioning machine.


A German’s Hard Disk Is His Castle

29.02.2008 by Tim Cole

Germans became the best-protected users of computers and the Internet today when the Federal Constitutional Court set out strict rules for government agencies anxious to spy on their hard disks. The decision was widely viewed as a slap in the face for Wolfgang Schaeuble, the hard-liner Interior Minister who has been proposing that law enforcement agencies be given broad powers to monitor the computers and e-mails of suspects on their own authority. No, the court said, you have to ask a judge first. And if during the course of an authorized surveillance the police also happen to stumble across highly personal data, then it is their obligation to erase it “immediately”.

Surprisingly, German turns out to be a rather imprecise language. Forget their perfectionist image: “unverzueglich”, the word used in the court decision, can also mean “promptly”, “unhesitatingly” or even “instantaneously”, depending on context. So that leaves the cops quite a bit of leeway and doesn’t exactly please the digital rights crowd, either. Still, better than nothing, supporters say. Especially since the court also severely limited the use of one of Schaeuble’s favourite high-tech toys, the so-called “Bundes-Trojaner”, or “federal Trojan”; a piece of software allegedly under development at the BND, the German equivalent of the FBI, and designed to sniff out suspicious correspondence between terrorists. Never mind that nobody seems to have figured out how to sneak the state-sponsored malware past a simple virus detector, much less how to get the bad guys to click on the self-extracting application. And never mind that nobody in the Berlin government seems to have heard of PGP or other easily available encryption tools.

The historical dimension, if there is one, lies in the high court’s recognition of the individual’s basic right to being able to use a computer without fear of being observed. Collecting data stored or exchanged on a personal computer “directly encroaches on a citizen’s rights”, the judges decreed, given that fear of state-sponsored snooping could prevent “unselfconscious personal communication” which they deem a human right.

While lawmakers will be able to pass legislation on computer spying as planned, the court has laid down strict ground rules that are intended to limit the number of cases in which it will in fact happen. The greatest hurdle is the requirement of judicial approval in each and every case, with the burden of proof of “clear evidence of a concrete threat to a prominent object of legal protection” (e.g. life, liberty, or property) clearly lying with the authorities.

Unfortunately, the federal judges did not answer a number of basic questions, such as whether hacking personal data stored on another computer is to be considered a crime. This is especially interesting in view of recent German legislation that compels Internet Service Providers to keep records of all e-mail transactions for at least six months in case the police decide they want to see what a delinquent was doing. And while the judges do recognize the danger stemming from cache storage by programs like web browsers on an individual’s machine, they do not discuss caching by providers or search engine operators. Neither is there any mention of personalized portable devices like PDAs or smartphones, leaving some confusion as to whether these are also covered by the definition “personal computer”. In fact, the brief specifically singles out PCs “such as those in many homes”, so conceivably it’s okay for the bulls to spy on your Blackberry once you leave the house.

Foreigners have long struggled with the concepts behind German privacy law, which many, especially Americans, find exaggerated and counterproductive. If so, they will have to make an extra effort to get their heads around the idea that hard disks, like homes, can be castles. But of course, anyone who has ever taken a boat ride down the Rhine is familiar with the German penchant for castle-building, so maybe it shouldn’t really come as a surprise.

Talking the talk with IBM’s Tom Noonan

14.11.2007 by Tim Cole

Tom Noonan of IBM ISS talks a mean speech. Yet somehow I came away slightly unconvinced from a press and analyst briefing he gave on Monday at ISS headquarters in Atlanta.

Maybe one reason was that he hardly used the term “identity” as he described in some detail how he perceives the world of IT security and threat management. Instead he had a lot to say about security becoming a utility, about disconnected parts and the need for a “security ecosystem” where the products of each and every vendor can work together to provide seamless and coherent protection of both data (the “new currency”, he calls it) and applications.

I was very excited about this vision of a kind of “security open platform” which would bring together the currently deeply fractured worlds of logical IT security and Identity Management (along with physical security, just to round things off; after all, the surveillance cameras all speak IP nowadays, so why not integrate them as well?).

A sentence like “Security will be the control system that creates policies across all applications” sounds great, but where’s the beef, Tom?

In fact, as his VP Tim McCormick later explained to me during an interview I did with him (see “In Our Ecosystem, Anyone Can Play”), the only ones who will really be able to participate are those with whom IBM and ISS (still two very different animals, even after a full year of integration) already have existing relationships. Okay, that’s a lot of partners, over 200 at last count. But it is a far step from an industry standard, which is what Tom obviously believes is necessary.

I do too, by the way, so I’m rather concerned that Tom and Tim are not taking the ball as far as they could. Why not assemble an industry-wide gathering of competitors from both IT Sec and IAM, maybe under the auspices of OASIS or some other standards body, and put your chips on the table? Everybody stands to profit from cooperation – because customers will not stand much longer for being forced to deal with a whole host of vendors, each offering some important part of the puzzle, but not the whole picture.

On paper, IBM looks like a pretty likely candidate to lead the way. After all, with the ISS acquisition they are now the market leader in managed security, which is the way to go. And with Tivoli busily buying up companies like Consul, Watchfire and the like, they can play a pretty mean game of business process protection as well as becoming a force to reckon with in the identity & access management space.

Just bringing all that together within the folds of IBM remains a daunting challenge. Taking the concept to its logical end, a security and identity ecosystem that will revolve around the customer and his needs – something where this industry, as Tom Noonan freely admits, has hitherto not really done a very good job – is a different kettle of fish.

Let’s see if, in the end, Tom can do more than just talk the talk.


© 2010 Tim Cole, Kuppinger Cole