Podleaders Interview for those new to the Laws

Tom Raftery at http://www.podeladers.com/ interviewed me recently for his PodLeaders show (42 mins 15 secs).  Here is his description of what we talked about:

My guest on the show this week is Kim Cameron. Kim is Microsoft’s Identity Chief and as such is responsible for developing CardSpace – Microsoft’s successor to the much reviled Passport. Kim elucidated the Seven Laws of Identity and is developing CardSpace to conform to those laws. If he manages this, he will have changed fundamentally how Microsoft deals with people.

Kim is also responsible for Microsoft recently releasing 35 pieces of IP and promising to never charge for them.

Here are the questions I asked Kim and the times I asked them:

Kim, I introduced you as Microsoft’s Identity Chief, what is your official title in Microsoft? – 0:35

What does the Chief Architect of Identity do in Microsoft? – 01:02

Why is it necessary to have identity products in software? – 01:29

How do I know who I am dealing with on the internet? How is that problem being solved? – 03:56

And you as Microsoft’s Identity Architect are coming up with a way to resolve this called CardSpace… – 07:08

You were saying CardSpace is to be platform independent, I run a Mac, will it run on the Mac? – 15:26

You mentioned a couple of companies, are the offerings from these companies going to interoperate or are we going to have another version of the VHS/BetaMax wars? – 17:45

Audience questions
Rob Burke

Perhaps more than any of the other Vista-era technologies, in order to really catch on, CardSpace requires broad cross-platform adoption. Kim personally is doing a lot to showcase the use of CardSpace’s open standards. What does the broader effort to engage with other platforms and communities look like, and how is CardSpace being received? – 21:10

CardSpace uses an intuitive wallet-and-credit-card metaphor. One of the features of a wallet is that it’s portable – I several pieces of identity with me at all times. I tend to move between computers a lot. What provisions are there in CardSpace for helping me keep mobile (in a secure way)? – 25:07

What happens if your laptop containing your InfoCards gets lost and/or stolen? – 28:00

Dennis Howlett

What’s cooking on the identity managemnt front at MSFT? We’ve been hearing about this on and off for a while – we need progress if we’re not to be weighed down byt having to remember so many usernames and passwords for the servics we consume. – 30:35

My questions again:

Will there be a lot of re-engineering of web apps required to roll out these technologies? – 34:03

And finally you mentioned that this is the first version what can we expect in the next versions and when will they be released? – 39:58

Download the entire interview here
(19.3mb mp3)
Let me make one thing clear about Microsoft's Open Specification Promise: many people were involved, and Microsoft's legal people, along with their colleagues representing open source thinkers aned companies, deserve all the credit. 

Check out the other interviews on the site (I think I'm number 48).  Doug Kaye was number 47, and there are lots of good things to listen to while on the treadmill (physical or metaphorical).


Proposed Eighth Law of Identity

Here is a compelling multi-media proposal by the legal department of Ontario's Privacy Commissioner for an Eighth Law of Identity:

Illustration of the eighth law of identity

Download full-size deposition here.

The “technology” version of the law appears on the left, and the policy-oriented version on the right.

Today's Internet is a Gourd's Paradise. It is only through user-centric pumpkin-to-machine authentication that we will be able to leverage the true weight of the gourd.

Today's Internet is a Gourd's Paradise. It is only through user-centric pumpkin-to-machine authentication that we will be able to leverage the true weight of the gourd. The synergistic combination of omnidirectional identifiers and correlation handles on a per-vegetable basis could be the sustainable architecture behind the meta-zucchini infrastructure.

Any metasystem needs to realize that pumpkins may vary in physical appearance, but their basic architecture is the same: stem, seeds and pulp represent the core of our constituent squash identity system.

We hope our commentary will stimulate oral interfacing across the vegosphere and among the “gourderati”.

That all lawyers could be so gainfully employed!

Second Law of Identity

Here is the Second Law of Identity as expressed by Anne Cavoukian, Privacy Commissioner of Ontario. The “technology” law is on the left; the “privacy-embedded” form is on the right:


The identity metasystem must disclose the least identifying information possible, as this is the most stable, long-term solution. 


The identity metasystem must disclose the least identifying information possible, as this is the most stable long-term solution. It is also the most privacy protective solution.     

The concept of placing limitations on the collection, use and disclosure of personal information is at the heart of privacy protection. To achieve these objectives, one must first specify the purpose of the collection and then limit one's use of the information to that purpose,avoiding disclosure for secondary uses. The concept of data minimization bears directly on these issues, namely, minimizing the collection of personal information in the first instance, thus avoiding the possibility of subsequent misuse through unauthorized secondary uses.


Dr. Cavoukian's restatement of the First Law is here.  I can't overstate the importance of her collaboration with the identity community.  Nothing is more important to getting identity right than getting privacy right.  And there's no better way to get privacy right than by working side by side with those who, like Dr. Cavourkian, have been studing, writing about and protecting privacy for many years.

Download the Privacy-Embedded laws as a brochure or a whitepaper.

Privacy characteristics of the Identity Metasystem

Microsoft has just completed a whitepaper that looks systematically at how the proposal for an Identity Metasystem advances privacy.  

The document offers a useful general overview of how the Metasystem is intended to work – in a form I think will be accessible to those concentrating on policy.  It also contains an instructive analysis of how the Metasystem embodies the principles articulated in the European Uniion data protection directives. 

I will run some exerpts that I think will be of general interest.  But I suspect all those interested in policy and identity technology will want to download the document, so I've added it to the roster of Identityblog white papers. 

  1. Privacy & MetasystemIntroduction
  2. Existing ID Card Schemes
  3. Anonymity, Privacy, and Security
  4. The Identity Metasystem
  5. The Seven Laws of Identity
  6. Roles
  7. Microsoft’s InformationCard Technology: Windows CardSpace
  8. Scenario One: Basic Protocol Flow
  9. Scenario Two: Protocol Flow with Relying Party STS
  10. User Experience
  11. Creating an Information Card
  12. Logging In with an Information Card
  13. Submitting an Information Card
  14. Example of InformationCard Interaction
  15. Privacy Benefits of Windows CardSpace and the Information Card Model
  16. Protection of Users Against Identity Attacks
  17. Information Card Technology and EU Data Privacy
  18. Overview of EU Data Privacy Law
  19. Data Controllers and Their Legal Obligations
  20. EU Data Privacy Laws and Information Cards
  21. Legitimate Processing
  22. Proportionate Processing
  23. Security
  24. Limits on Secondary Use
  25. Conclusion
  26. Acknowledgments 

From the Executive Summary:

Just as individual identity is fundamental to our face-to-face interactions, digital identity is fundamental to our interactions in the online world. Unfortunately, many of the challenges associated with the Internet stem from the lack of widely deployed, easily understood, and secure identity solutions. This should come as no surprise. After all, the Internet was designed for sharing information, not for securely identifying users and protecting personal data. However, the rapid proliferation of online theft and deception and the widespread misuse of personal information are threatening to erode public trust in the Internet and thus limit its growth and potential.      

Microsoft believes that no single identity management system will emerge and that efforts should instead be directed toward developing an overarching framework that connects different identity systems and sets out standards and protocols for ensuring the privacy and security of online interactions. Microsoft calls this concept the Identity Metasystem. The Identity Metasystem is not a specific product or solution, but rather an interoperable architecture that allows Internet users to use context-specific identities in their various online interactions.

This paper describes the Identity Metasystem and shows how it can meaningfully advance Internet user privacy. In particular, it will show how Microsoft’s contribution to the engineering of the Identity Metasystem—the Information Card technology—promotes privacy in three primary ways:

  • First, it helps users stay safe and in control of their online identity interactions by allowing them to select among a portfolio of digital identities and use them at Internet services of their choice. These digital identities may range from those containing no or very little personal information (perhaps nothing more than proof of an attribute such as age or gender) to those with highly sensitive personal information needed for interacting with financial, health institutions, or obtaining government benefits. The key point is that a web site or service only receives the information it needs rather than all of the personal information an individual possesses.
  • Second, it helps empower users to make informed and reasonable decisions about disclosing their identity information by enabling the use of a consistent, comprehensive, and easily understood user interface. Moreover, this technology implements a number of advanced security features that help safeguard users against identity theft by reliably authenticating sites to users and users to sites.
  • Third, and more generally, Information Card technology is hardwired to comply with data privacy laws and conforms to key requirements in the European Union’s privacy regime, including legitimate and proportionate processing, security, and restraints on secondary use.

In short, this new framework and new technology offer a cutting-edge solution to the digital identity debacle that is stifling the growth of online services and systems.

I want to congratulate Ira Rubinstein, Internet Policy Counsel for Microsoft, and Tom Daemen, a senior attorney in his group, for writing this analysis.  Other contributors include our Chief Privacy Stragegist, Peter Cullen, and Caspar Bowden, Chief Security and Privacy Officer for Europe.  Not to mention the inimitable Mike Jones, well known for his contribution to Identity Metasystem thinking.

Although the document uses the Cardspace implementation in illustrating its points, it's my hope that everyone working on the Identity Metasystem across the industry benefits from this work, since the notions apply to all of us.

First Law of Identity

Here is the First Law of Identity as expressed by Anne Cavoukian, Privacy Commissioner of Ontario. The “technology” law is on the left; the “privacy-embedded” form is on the right:

AND CONSENT  Technical identity systems must only reveal information identifying a user with the user's consent.

Technical identity systems must only reveal information identifying a user with the user's consent. Personal control is fundamental to privacy, as is freedom of choice. Consent is pivotal to both.>Consent must be invoked in the collection, use and disclosure of one's personal information. Consent must be informed and uncoerced, and may be revoked at a later date.   


 I'll be publishing Dr. Cavoukian's version of all the laws over the next little while.  Readers new to this discussion might want to take a look at the Laws of Identity, a technology paper which I think rings increasingly true and provides context about the intersection between identity and virtual reality.  Amongst other things, it posits a model in which the user is an active and central participant. 

In the brochure published by the commissioner, my original statement of each law appears on the left page, while the “privacy embedded” version appears on the right.  It is kind of Talmudic (or should I say McLuhanesque?), and demonstrates the intersection of the purely technical with a policy-oriented view.  I'm very excited by this work, which clearly takes the Laws of Identity forward.

The full title of the brochure is, “7 Laws of Identity – The Case for Privacy-Embedded Laws of Identity in the DIgital Age” (the illustration above is taken from that publication). 

The Privacy Commissioner's Whitepaper is an equally important document that drills into the notion of an Identity Metasystem and is intended to bring about collaboration between the privacy community and identity technologists as we build it.  

The paper version of the brochure is really a beautiful production.  It can be ordered by calling 1-416-326-3333 / 1-800-387-0073 or by writing to publicat@ipc.on.ca. Beyond that, here is the press statement issued to announce Anne's work, along with the powerpoint of her presentation to the IAPP.

What a powerhouse she is.  She is the thing history is made of.

Privacy czar pushing for better ID protection

Anne Cavoukian's remarkable speech to the International Association of Privacy Professionals is available here  in MP3 (total time: 23 minutes) .  

It's a ground-breaking speech.  It defines a new intersection between the privacy community and those of us who've been working in the blogosphere to understand and advance identity. 

It represents a substantial widening of the discussion we've been having in these pages. 

Dr. Cavoukian and her team have come up with a version of the Laws of Identity that teases out the privacy implications and articulates them with reference to the privacy discourse that has emerged over the last decade. 

I'll be publishing Anne's version so everyone can ponder the implications.

Here's how the CTV national televison network described Anne's initiative:

Ontario's information and privacy commissioner says she supports a new global online identity system to protect consumers.

Dr. Anne Cavoukian said there are currently few ways for online consumers to tell the good guys from the bad guys.

“The existing identity infrastructure of the Internet is no longer sustainable,” she said. “Something must be done now before consumer confidence and trust in online activities are so diminished as to lead to its demise.”

The solution lies in the global online identity system based on seven “privacy-embedded” laws, she said.

“The Internet was built without a way to know who and what individuals are connecting to. This limits what people can do and exposes computer users to potential fraud,” said the release.

As a result, people are subject to new crimes like “phishing,” in which people are fooled into sending key information to what they think is a trustworthy business, but is actually an identity theft criminal.

The seven laws would create an “identity layer” for the Internet that would guard against such acts.

The “laws,” or principles, are:

  1. Personal control and consent
  2. Minimal disclosure for limited use: data minimization
  3. Justifiable parties: “need to know” access
  4. Directed identity: Protection and accountability
  5. Pluralism of operators and technologies: minimize surveillance
  6. The human face: Understanding is key
  7. Consistent experience across contexts: Enhanced user empowerment and control

The benefit of law 1 would be that an Internet user would store their identity credentials rather than in a centralized online database.

Law 2 would help by minimizing the amount of information given out for a given transaction — and that only the right information be given.

“In the privacy world, a cardinal rule is that the identification provided should be proportional to the sensitivity of the transaction and its purpose. Why should a credit card number ever be used to verify one's age?” Cavoukian said.

These laws grew out of a global, blog-based dialogue amongst security and privacy experts, she said.

With the next generation of Web-based services (“Web 2.0”) emerging, more identity credentials and more trust will be required to make it work, she said.

Microsoft — proprietor of the Windows operating system, the fundamental software that allows a computer to run — is obviously a major player in personal computing security.

Cavoukian said Microsoft's next-generation operating system, called Vista, has some features that will help protect identity.

Vista, which is set for release in January, will introduce a technology called Cardspace. The system will use “infocards,” which will allow websites to verify a customer's identity without receiving or keeping personal or financial information.

Banks could function as middlemen in online purchases, sending payment confirmation to a retailer without sending the person's credit card number.

There would also be different infocards for different applications, much as people have different cards in real life for different purposes.

At a news conference on Wednesday, Kim Cameron, Microsoft's chief identity architect, said Cardspace is a start. He also said it can't just be a Microsoft thing.

“It has to work across Microsoft, Linux, Apple, every possible permutation and combination. It has to work on computers, it has to work on cellphones so it's really a very all embracing thing.”

Some companies have agreed to start accepting infocards, but Cameron wouldn't name the firms.

Both Cameron and Peter Cullen, Microsoft's chief privacy strategist, said another advantage of this coming system is it will allow users to avoid “password fatigue.”

Currently, people need to pick a user name and password when they register at an Internet website.

Because it's difficult to remember a large number of passwords, some use the same password for all websites, which creates a security risk.


ARCAST adds transcripts

I got a note recently from Ron Jacobs, host of Channel 9’s ARCast, telling me that they have added transcripts to their “more popular” ARCasts.  Somehow that included a very early one on the Laws of Identity. Ron is great fun, and has a cave of a studio that really makes you feel like you're “on the air” – though being digital, he is of course post-air…

Let me be the one to say it:  Reading the transcripts I wish a) I were more articulate, and the transcriber a bit more tuned into my perhaps overly informal style; and b) everything published on the internet wasn't going to be around forever.  But I'm not, and it will, and so we all soldier on.


Hi this is Ron Jacobs and welcome to our talk today. I’m joined by Kim Cameron who is an architect in Windows Identity and access management area. I guess I’d say how’s it going Kim?


Kim Cameron

It’s just great.



And and so, that’s really interesting. I didn’t realize that we had a whole group that is focused around identity and access management in Windows.



Oh sure, because we have things like Active directory, you know meta directory integration services and all that sort of stuff. So different ways of being able to find out who you are dealing with inside windows environment. So when you for example login to windows, you know, somebody is got to write that stuff



Yeah oh yeah, I’m glad you are because you know



It’s not me though



OK well (laughs)



It’s our, it’s our group



Your group… yes, but you are the architect. You’re the guy that like in Matrix who wheels around and says I’m the Architect



Yeah, Yeah, I’m responsible for what's wrong and what's bad about it,



Okay… Now you’ve come up with this real interesting thing that we are going to talk about today called the Laws of Identity. And I love; I love these kind of things. There are seven laws of Identity that you’ve written down on your, on your wonderful blog which I’ve to plug it’s www.identityblog.com



I love you…



Well you can return the favor and plug this show later



I’ll I’ll



I love concise list like this because it kind of formalize a lot of random thinking that goes on. How did you come up with this list



Well you know I was … Have you been ever to one conference too many?



I have … yeah



So you know I was there and I just was listening to the way the discussion was going and it occurred to me that we don’t really have a framework that allows us to restart the discussion about identity anywhere except from the beginning each time we have it. Sort of like back to the beginning, rewind, and we start again. And all the words mean different things to different people and basically there is… so as a result everybody ends up discussing little technical nits instead of the real concepts that are behind these things. So I figured … is there some way that I can actually reset the conversation or or… well the same time I was just starting to blog and I didn’t really know anything about it … which was a good thing… and I didn’t have anything to write about so I was going … you know… I wondered what would happen if I started this discussion in about. How we get a real … you know… a set of concepts that we can reuse so we don’t always have to go back to square one. And do that with the web… so… it was kind of … it was just a … sort of… experimental, trying to figure it out kind of thing.



Yeah and I guess a few people have noticed this now and so started showing up in various conferences and slide decks and that sort of a thing right?



Yeah it’s really bizarre because first of all I was thinking that I’ll start a blog and then maybe a year from now or something people will start to read it.

Lots more where this came from…

What I really like about this is that podcasts become searchable within text engines.  So thanks, Ron.

Hans gets more specific about Yahoo BBAuth

Several readers have asked me to comment on the recent post by Verisign's Hans Granqvist about “security problems in BBAuth”.  He writes:

I have had concerns about Yahoo!’s choice of security of BBAuth. Jeremy Zawodny responds to my posting to ydn-auth list:

“While I can’t comment on the choice of algorithm, I can say that some of the technology used in BBAuth was not developed solely for use with BBAuth.

Okay, fair enough.

But then he continues:

“In other words, we’re reusing some existing stuff that’s been tested in the field and proven to work well for our needs.”

Now, this doesn’t sound right. Not at all.

MD5 has been broken for a few years now. According to Ferguson’s and Schneier’s Practical Cryptography it’s possible to find MD5 collisions in 2**64 evaluations (using the birthday paradox). This was too easy 2003, and it sure is not more difficult now.

Be that as it may. Perhaps these collisions are purely academic.

What’s worse is the lack of a proper HMAC. In Yahoo!’s BBAuth, the MAC is created by hash(text + key) where ‘+’ denotes string concatenation.

This simplistic way of building a pseudo HMAC scheme is not secure. Readers of Practical Cryptography may want to turn to section 7.5 for more information. In short, tacking the key on to the end leads to key recovery attacks that are much easier to execute than they should be.

What scares me is that this broken scheme apparently is used in plenty of other Yahoo! products. I would not be surprised if there are attackers trying to exploit this weakness at this very moment.

My advice to Yahoo! is to change this to a proper HMAC right now. Other identity protocols, like OpenID manages to require HMAC-SHA1 or HMAC-SHA256. There are OpenID libraries for all major programming languages available, so it’s definitely not too hard to implement.

My thinking?

I believe that when it comes to security, it's better to use an algorithm that has been widely vetted (like HMAC-SHA256), and to avoid creating new ones unless you really need to – or have a long runway to test them on.  I also think protocols should use algorithm identifiers.  With security, it may become necessary to migrate to new algorithms when we least want to, without blowing all the downlevel clients out of the water. 

But despite my “high-minded principles”, if you look at the actual content of what Hans calls “text” in the BBAuth protocol, it looks to me like it is full of entropy (a good thing): although it contains some fixed information, it also contains a token, which is variable and not calculable by an evesdropper; a timestamp, which makes long-running attacks impossible; and a shared secret, which makes multi-site catalog attacks impossible.  So this is not toy cryptography given Yahoo's purposes.  That isn't to say Hans doesn't make some good points.

My concerns really originate with the user interface issues.  And OpenID has the same problems to the extent that people end up with multiple identity providers (which they will).

I'm talking about the fact that users are redirected from one context to another quite different one.  We have found that systems that work this way introduce a lot of “noise” – let's call it ambiguity – into the channel between the system and the user. 

The user can be confused – by accident or, worse, on purpose. 

It's the “I'm-buying-a movie-from-someone-but-now-I'm-at-Yahoo-and-now-I'm-not” problem.  In the midst of the redirections, the user can potentially be redirected to a wolf-in-sheep's-clothing, who can relieve her of her secrets and employ them for other purposes. 

Suppose that Google and MSN and AOL and eBay all do the same thing as Yahoo.  Then things would get really confusing for the user, wouldn't they?  As she visits different sites she would find herself redirected to a bunch of different home pages…  MSN here, AOL there, and who knows what else.  This kind of redirection is just not good from the point of view of users being certain about what's happening.  It's similar to getting a URL in an email.  This is one of the main reasons I think that a strong, consistent visual experience like InfoCards is key to building something safe, and why I want to see all of this converge.  But of course, everyone knows I'm like a broken record on this.

Some of my concerns may not matter much when it comes to controlling access to your photos.  But if this type of SSO were to become a massive success, that success would bring about its downfall.  For it would then be worth attacking and very vulnerable at the same time.  That's why I think it is best to combine it with the type of experiential system I've been talking about before any of these problems arise.



A blog on application-centric IdM

Nishant Kaushik is Architect For Identity Management Products at Oracle.  I meant to write about him when I read his interesting discussion of my piece on Enterprise and Individual Identity.  Somehow I got distracted, but recently he's been talking about Appication-Centric IdM, certainly an interesting way to frame the problems, particularly because he doesn't position this against user-centricity.

“One of the most common questions I encountered at the Catalyst conference this year was “what is application-centric IdM”. The second most common question (did not lose by a lot) was “how does this compete with user-centric identity”. It has taken a while, but I wanted to make an attempt at answering those questions in a broader forum. 

What is “application-centric identity management”?

“Application-Centric IdM is one of 3 pillars around which we are building our IdM offerings. It is an offshoot of the broader application-centric security concept being woven into everything coming out of our middleware group. The application-centric philosophy is about understanding the needs of applications and application developers. A lot of the problems we face today in identity management stem from the fact that when it comes to identity, each application is on its own. Every time an application is being developed or deployed, the ones responsible for it – the architects, the developers, the project managers and the administrators – are forced to tackle the same old issues over and over again. How do I deal with authentication? Where do I get the user's identity information from? What identity information do I need based on the problems I have to solve? How do I make sure it is correct? The answer to these questions is often so hard, that the development teams deal with it in the way they know best – they build their own identity infrastructure. They create user tables, login screens and processes, permission and authorization modules, account registration procedures, and profile management tools. And they do it again and again. The result is what we see today – multiple identity silos in the organization that require complex management software, tools and processes as add-on layers to try and give the enterprise some semblance (illusion maybe?) of control; poor application security with no real mechanism for consistent, centralized enforcement of enterprise-wide policies like SoD and RBAC; and users having to deal with multiple passwords, multiple authentication schemes, multiple profiles to manage…the list goes on and on. 

“Enterprise IdM solved this somewhat by adding an additional layer of abstraction on top that solves some of these issues. Centralized profile and password management, SSO tools and Audit & Compliance solutions took away some of these issues. But this added additional challenges into the mix in the form of complex integration problems, and the need for complex tooling and processes. 

“As long as IdM follows the bolt-on systems management approach, these challenges will only be mildly alleviated, and never truly cured. This is where application-centric IdM tries to provide a new way of solving this age-old problem. The idea is that instead of each application having to build these infrastructures as part of their functionality, they can just avail of them as ready made, standards-based services. Application-centric IdM moves away from the traditional system management style of IdM, focusing instead on the creation of an IdM infrastructure that customers deploy to expose these services for their applications to plug into their own business processes. It makes identity (and security) an integral, yet abstracted part of the development process. This separation is critical, because often the people defining the security policies are not the same as those defining application behavior – similar to how the role of deployers and developers is separated in J2EE. At the end of it all, users get a consistent experience, the enterprise gets better control of security, audit and policy enforcement, the IT department avoids massive data and process management problems, and developers can better focus on the business functionality of their applications.

“How does this compete with user-centric identity?

“The simple answer is that it doesn't! Application-centric IdM is completely compatible with user-centric identity. In fact, it can help with the introduction of user-centric identity into the IdM equation. As user-centric identity gets incorporated into the operational environment, applications that have plugged into an application-centric IdM framework will be able to immediately take advantage of it, because it will become available as an underlying service in the infrastructure. The same identity retrieval service that the application was using to retrieve identity data from the corporate directory can also retrieve identity data from the identity tokens that the user provided during their session initiation. Without having to change anything, the application can now consume user-centric identity tokens. The basic value proposition is that applications no longer worry about how they retrieve the identity data they need. They have a common service to get it from, which allows it to plug into the wider identity world underneath in a transparent manner.”

White papers and the like are available here.

Giving identity thieves the finger

Jerry Fishenden has been posting about biometrics recently, and I'll comment on the issues over the next little while. But before we get there, just to put everything in perspective, here's a piece from the BBC, quoted by Jerry, that I missed when it first came out.

Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system.

Accountant K Kumaran's ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb.

The gang, armed with long machetes, demanded the keys to his car. It is worth around $75,000 second-hand on the local market, where prices are high because of import duties.

Stripped naked

The attackers forced Mr Kumaran to put his finger on the security panel to start the vehicle, bundled him into the back seat and drove off.

But having stripped the car, the thieves became frustrated when they wanted to restart it. They found they again could not bypass the immobiliser, which needs the owner's fingerprint to disarm it.

They stripped Mr Kumaran naked and left him by the side of the road – but not before cutting off the end of his index finger with a machete.

Police believe the gang is responsible for a series of thefts in the area.

Note to self:  don't purchase technology based on retinal scans.

Future discussion:  not only “things you are” but “things you know” can ultimately expose you to harm.

P.S.  Who would ever buy an S-Class?