SIM cards and identity in Telco 2.0

The Telco 2.0 team came across this news item on SIM cards today from MEX. It describes how SIM card providers are incorporating more memory, processing power and secure storage into SIM cards. They are also providing the back-office tools to distribute data to those cards and manage their content.

Dean Bubley recently wrote an incisive analysis on The Tyranny of the SIM card. Whilst not quite time to call a priest and perform last rites, he notes that it has many deficiencies in a converged world.

So what is the Telco 2.0 approach to subscriber identity?

Stripping the SIM value proposition back to its basics, it does authentication. Bolting on storage, DRM and other functions is piggy-backing on the SIM's distribution system, and those things only make sense if they share its distribution/lifecycle patterns and user behaviours. Often, they do not. For example, people also want to transport data between devices using memory cards, which have spring-loaded pop-out mechanisms. A SIM card generally requires dismantling the back of the phone and breaking a nail trying to extract it.

The core authentication function itself boils down to one or both of two things: something you have, or something you know. The "something you know" (such as a password) leads to operational complexity and human frailty. When your correspondent was working at Sprint, the launch of the faster CDMA 1xRTT network ("2.75G") was originally due to be accompanied by a new identity infrastructure. Users would be able to log on to any Sprint handset and use its features, with all activity billed back to the appropriate account. However, once the project got beyond the network division to the wider business, it was abandoned. The back-office work of provisioning, billing and support was too complex and costly. Front-office issues such as training retail salespeople in the new system were also underestimated.

Thus "something you have" continues to be the primary mode of authentication for mobile services. It is a strategic imperative for operators to make phone numbers the dominant identifier for users across all services and devices. The SIM is a natural anchor of such a system for as long as building a common multi-device/multi-user/multi-service authentication system remains a technical and economic challenge. On mobile devices, the SIM plus phone number is a natural extension of existing use patterns. For the PC and other "converged" devices like handheld game players, the field is wide open.

We believe the way forward for subscriber identity is to enable the SIM functions to become more accessible to a wider audience of partners and developers. As always, Telco 2.0 sees the opportunities as more "horizontal" than "vertical".

The first way of doing this is to extend the SIM itself to be more accessible to third party applications. If the functions are locked up in the air interface provisioning, and are invisible to applications, they are of little use to new services. Only exposing the functions to operator applications perpetuates the failing vertical integration model. There could be many ways of performing this technically. For example, there are existing standards for passing the mobile station ID in HTTP headers from WAP/web gateways, which could be extended to include additional data authenticating the session using the SIM. Any such header is only as trustworthy as the gateway that inserts it, so the receiving application must be able to distinguish a gateway-asserted value from one the client typed in itself, and the gateway must strip whatever the handset sends in those headers before adding its own. The SIM can also be used as a secure store for handset-based applications such as mobile banking.
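As an added illustration of the header-based approach described above (example code written for this page, not from the original article or any operator's gateway), the sketch below has a trusted WAP/web gateway, which already knows the subscriber's MSISDN from the SIM-authenticated radio session, strip any client-supplied identity headers and insert its own MSISDN header together with a keyed MAC bound to the request, timestamp and a nonce. The partner application then verifies the assertion before trusting the number. The header names, the shared secret, the request paths and the phone numbers are all constructed assumptions for the example.

```python
"""Gateway-asserted subscriber identity over HTTP headers (constructed example).

Assumptions: the gateway has already learned the MSISDN from the SIM-authenticated
session; the gateway and the partner application share a secret key; all header
names, numbers and paths below are invented for illustration.
"""
import hashlib
import hmac
import secrets

# Hypothetical key shared between the gateway and one partner application.
GATEWAY_SECRET = b"example-shared-secret-do-not-reuse"

# Hypothetical header names. Anything in IDENTITY_HEADERS that arrives from the
# handset side must be dropped, otherwise a client could assert any number.
H_MSISDN = "X-MSISDN"
H_TS = "X-MSISDN-Auth-Ts"
H_NONCE = "X-MSISDN-Auth-Nonce"
H_MAC = "X-MSISDN-Auth"
IDENTITY_HEADERS = (H_MSISDN, H_TS, H_NONCE, H_MAC)

MAX_SKEW_SECONDS = 300  # how old an assertion may be before it is rejected


def _mac(msisdn: str, method: str, path: str, ts: int, nonce: str) -> str:
    # Bind the assertion to the request so it cannot be lifted onto another URL.
    msg = "\n".join([msisdn, method, path, str(ts), nonce]).encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def gateway_forward(headers: dict, method: str, path: str, msisdn: str, now: int) -> dict:
    """Gateway side: strip client-supplied identity headers, then add the MSISDN
    known from the SIM-authenticated session plus a MAC over the request."""
    clean = {k: v for k, v in headers.items() if k not in IDENTITY_HEADERS}
    nonce = secrets.token_hex(8)
    clean[H_MSISDN] = msisdn
    clean[H_TS] = str(now)
    clean[H_NONCE] = nonce
    clean[H_MAC] = _mac(msisdn, method, path, now, nonce)
    return clean


class AppVerifier:
    """Partner-application side: run on every request before trusting X-MSISDN."""

    def __init__(self):
        self._seen_nonces = set()  # replay cache; a real service would expire entries

    def verified_msisdn(self, headers: dict, method: str, path: str, now: int):
        """Return the MSISDN if the gateway assertion checks out, else None."""
        try:
            msisdn = headers[H_MSISDN]
            ts = int(headers[H_TS])
            nonce = headers[H_NONCE]
            mac = headers[H_MAC]
        except (KeyError, ValueError):
            return None  # bare X-MSISDN with no MAC: came from the client, not trusted
        if not hmac.compare_digest(mac, _mac(msisdn, method, path, ts, nonce)):
            return None  # forged, or number/path changed after signing
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return None  # stale assertion
        if nonce in self._seen_nonces:
            return None  # replayed assertion
        self._seen_nonces.add(nonce)
        return msisdn


def demo():
    """Four constructed requests; returns (honest, forged, tampered, replayed)."""
    app = AppVerifier()
    now = 1_700_000_000
    # 1. Honest request: handset tries to assert a number, gateway overwrites it.
    handset = {"Host": "bank.example", H_MSISDN: "+447000000001"}
    fwd = gateway_forward(handset, "GET", "/balance", "+447000000002", now)
    honest = app.verified_msisdn(fwd, "GET", "/balance", now)
    # 2. Request that bypassed the gateway (e.g. arrived over Wi-Fi) with a bare header.
    forged = app.verified_msisdn({H_MSISDN: "+447000000002"}, "GET", "/balance", now)
    # 3. Gateway-signed request with the number swapped after signing.
    tampered_headers = dict(fwd)
    tampered_headers[H_MSISDN] = "+447000000003"
    tampered = app.verified_msisdn(tampered_headers, "GET", "/balance", now)
    # 4. The original signed request presented a second time.
    replayed = app.verified_msisdn(fwd, "GET", "/balance", now + 1)
    return honest, forged, tampered, replayed


if __name__ == "__main__":
    print(demo())  # → ('+447000000002', None, None, None)
```

The two halves are deliberately asymmetric: the gateway is the only party that ever writes the identity headers, and the application never reads X-MSISDN without first checking the MAC, so a handset on Wi-Fi or a proxy in the path cannot mint an identity. Binding the MAC to method, path, time and nonce is what stops a captured header from being reused against another URL or later on.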

Complementing this functionality must be an extension of the reach of the operator identity capabilities. One way might be to use Bluetooth, and create an authentication profile. Give every subscriber a USB Bluetooth key to put in the back of their PC. (I bought one recently for well under $10 retail.) Create platforms and distribution agreements that make it simple for online applications like IM clients to accept identity and payments via the mobile over the wireless link.

This is a very different vision of "convergence" from the one often pushed, where the telco's vertically integrated model blankets an ever-wider set of applications. Instead, we follow more the PC/Internet model of each player in the market focusing on the things they do well, with well-defined interfaces between them. Converged/FMC operators will soon find themselves competing against the Trusted Computing initiatives from those same PC makers for user/subscriber identity. SIM cards and the mobile OS have been secure by virtue of being so closed, but that advantage is about to become a liability.

The first step we would take is organisational. You recognise that what you know about the customer, and your relationship with that customer, is what gives the network asset its value. "Identified, authenticated, private, secure and validated bits" are worth more than their converse. The back-office mess in terms of digital identity at most carriers retards forward motion in services and platforms. Data quality issues ooze from every business process. The customer data is the business asset, not the network. Networks are replaceable, customers less so. We would make a business function out of customer identity management, just as today you have revenue protection and market segmentation teams as core enablers.

Secondly, we'd aim for simplicity. Loading more and more functions into the SIM card probably makes the business more complex rather than less so. A memory card slot may be boring, but it's effective. Convergence for its own sake isn't worth doing.

Lastly, "distribution always wins". It's the equivalent of "network coverage", but a dropped identity is less visible than a dropped call. You're probably reading this article on a PC right now, and I bet you have a mobile phone within reach. The question is why these two aren't talking to each other. Anything that extends the telco identity assets is definitely Telco 2.0 approved.