What identity is important?

[Dave Birch] A couple of days ago I was in a discussion concerning the discrepancy between what enlightened experts (eg, me) think about identity management and what governments, civil servants and IT vendors think about identity management. One of the points I made, which I think I can defend, is that the "common sense" notion of identity, rooted in our pre-industrial social structures and pre-human cortex, is not only not very good at dealing with the properties and implications of identity in an online world but positively misleading when applied to system and service design. The fact is that virtual identity and "physical" identity are not the same thing, and they differ in ways that we are only beginning to take on board. Here's an interesting reflection on the difference between physical and virtual identity.

I used to work on campus 5 days a week, but working at home more has coincided with the advent of blogs and twitter. My professional and personal profile on campus is now much higher than it was when I attended every day, but largely sat in my office, and occasionally ventured out for coffee.

[From Establishing Our Online Identity « Ramblings of a Remote Worker]

Interesting. An online identity in a context that makes it worth more than an offline identity, because it is more connected. The Facebook economy, so to speak. Which leads me on to...

The Guildford triangle

[Dave Birch] What is it with Britain? Digital or otherwise our degraded realm is an international identity scandal. Europe's no.1 exporters of payment card fraud, we are apparently now the world's worst for identity theft overall.

INTERNET users in Britain are more likely to fall victim to identity theft than their peers elsewhere in Europe and North America. In a recent survey of 6,000 online shoppers in six countries by PayPal and Ipsos Research, 14% of respondents in Britain said that they have had their identities stolen online, compared with only 3% in Germany.

[From Where your identity is more likely to be stolen | Online fraud | The Economist]

There may be a correlation here between "identity theft" and "card-not-present fraud" (Germans rarely use credit cards, least of all on the interweb), but we'll return to that in a future discussion. Now, these statistics don't, I think, mean the Brits are more criminally inclined. After all, fraud is an international business.

The criminals stored much of their data on computer servers in Latvia and Ukraine, and purchased blank debit and credit cards from confederates in China, which they imprinted with some of the stolen numbers for use in cash machines, investigators say.

[From Global Trail of an Online Crime Ring - NYTimes.com]

It's more likely that Britain is a soft touch: high card penetration and use, lots of internet shopping and other factors that lead to identity theft on an industrial scale. But where does this tidal wave of fraud actually originate? I read in The Telegraph that the top 10 identity theft hotspots in the UK are all in south east England. There's an area of white collar fraud between London, Reading and that well-known criminal outpost, Guildford. Odd. In the top 10, only St. Albans falls outside of this theft triangle. Yet the government is going to test ID cards in Manchester... Well, as well all know, ID cards won't have the slightest impact on identity theft for at least the next decade.

ID cards have been touted as the solution to a number of real problems - terrorism, crime and so on - though none of their supporters can ever explain how having an ID card stops a mugger or suicide bomber. But they began as the answer to a classic fake problem, still routinely cited by ministers, the need to "secure our identities" against "identity theft".

[From The ID card is on its last legs - just let it die with dignity | News]

Now, I wouldn't call identity theft a "fake problem". On the contrary, it's a very real problem. But what is generally meant by identity theft, certainly in the Guildford triangle, is largely to do with payment card fraud (which is rampant in the UK) and account takeover. These are specific problems, not general identity problems. Until retailers demand that you present an ID card when you buy anything, or somehow allow them to read your identity card over the interweb, nothing much will change. Fortunately, someone is thinking this through: the UK ID card scheme may well use chip and PIN technology so that it can be accepted at retail POS. Lots of newspapers reported this, so I'll choose to point to the report in that august journal of record from my home town, Swindon (or, "Swindon, city of the future", as have generally called since 4th July 1995):

ID cards could be fitted with chip and pin technology to help combat identity fraud. The head of the Government agency tasked with producing the cards said there were no "technical obstacles" to adding chips to the cards and handing out pin numbers.

[From ID cards 'could use chip and pin' (From Swindon Advertiser)]

I rather imagined that the cards already had chips on them, but putting that to one side, the idea of making ID cards work in chip and PIN terminals isn't totally infeasible, although I'm not completely clear as why you would want to do this. I suppose the thinking is that the shops already have the terminals. But if you are asked to put your ID card into a terminal and punch in your PIN, wouldn't you then get annoyed at having to take it back out again, then put your chip and PIN card in and then punch in another PIN? Why not just link your bank account to your ID card?

Government interface

[Dave Birch] For e-government to take off, it is transparently obvious that population scale identification and authentication infrastructure (beyond e-mail address and alphanumeric passwords) will have to be in place. If not, the pain associated with every single online interaction with the public sector will grow far beyond the point where the bulk of the population will want to get involved and there will be a hard limit on the efficiency of the delivery of public services. No-one, surely, can be against that. Yet we don't seem to making much progress towards this. Even in cases (in the UK) where online service delivery works very well indeed (eg, vehicle tax), it does so in silos.

Now, many people will (quite rightly) point out that there is a fundamental danger to the idea of using a single identity across all services. There's a particular danger to using to the same identity across public and private sector services.

In yet another security breach, the US State Department said 400 passport applicants, and maybe more, have had information stolen. Passport applications containing personal information, including Social Security numbers, were accessed and used to open fraudulent credit card accounts. A fraud ring bought information from a government employee. The information was used to apply for cards. Cards were intercepted by another insider in the post office before they were delivered. The passport applicants had no idea their identity had been stolen.

[From National ACH: Government Employees Selling Identities]

Now, that's the kind of fraud that imagine was dismissed out of hand by the government's management consultants when they were procuring the system. "Insiders in the Post Office connecting to insiders in the State Department? Oh, come on! That's like a Tom Clancy novel, it will never happen."

It this sort of thing -- and it seems to happen all the time -- that means that many people react against the very idea of a government identity or a government identity management system, although I draw a different conclusion: we need a better (privacy-enhancing) design for a government identity management system, perhaps building on the schemes used in countries such a Germany and Austria where identities are cyptographically-partitioned between service providers.

(Obviously, I trust the Government even less. I'd much rather have O2 manage my ID than the Home Secretary. SIMs are more secure, cheaper and better-managed than the UK's ridiculous Stalinist ID card system).

[From Dean Bubley's Disruptive Wireless: Thoughts on managed identity services by mobile operators]

What we want, surely, is the best of both worlds. I want my SIM to hold a number of identities, including government ones, that I can choose to use on a per-transaction basis. And I don't think it's far-fetched to expect this kind of modern infrastructure.

The long and short of it

[Dave Birch] I was at the European Patent Forum in Prague talking about biometrics in an enjoyable seminar on Privacy and Identity Theft, along with Ivo Teutloff from EPO and Max Snijder from the European Biometrics Group. The reason that the session was so enjoyable is that we'd each chosen to focus on different aspects of the topic. By coincidence, when I woke up and was sitting in my hotel room looking through my slides with BBC Breakfast TV in the background, the first item on the BBC news was the rise in card fraud, again. And this is in hand-in-hand with another massive increase in identity-related fraud in general.

A 40% increase in the number of people being impersonated indicates that the flat trend seen in 2008 (where identity fraud increased by only 0.06% from 2007) was exceptional. While last year's figures were a surprise, the sudden and significant increase in the first quarter of 2009 heralds an unwelcome return of identity fraud as the fraudsters' method of choice; as fraudsters assume creditworthy identities in order to swindle individuals and companies alike: stealing funds, goods and services at someone else's expense... During this quarter, a staggering 75% increase in facility takeover (also known as account takeover) frauds - where the fraudster gains access to, and plunders the legitimately obtained accounts of innocent victims - continued the steep upward trend seen throughout 2008.

[From Fraud trends and recession go hand in hand - CIFAS Online]

If biometrics could make a dent in that, you would think that banks would be rushing to implement them. After all, as CIFAS notes, the account takeover fraud explosion has been going on for some time. Plenty of time to plan and develop a biometric countermeasure, you might think.

UK account takeover fraud grows 207% year-on-year in 2008 - study [From UK account takeover fraud grows 207% year-on-year in 2008 - study]

Yet nothing much is happening. Identity theft is growing and, in the UK at least, the government's identity card scheme won't do anything to help. But why? Max made a very interesting point, which goes back to my current obsession, the "narrative". In his presentation, he pointed out that because the biometric sector had its origins in the identification problem, that is how they see the world. So they would see the retail payments problem as an identification problem, which leads to PayByTouch. On the other hand, other people (eg, me) see the retail payments problem as an authentication problem: so we need progress in what he called "anonymous" biometrics to get down to solving that particular problem. And he made a very positive suggestion that I had not considered before.

Time for a National Privacy Card scheme

[Dave Birch] There was a bit of media attention around the recent report on government databases from the Joseph Rowntree Foundation (the authors include Forum friends William Heath and Angela Sasse) but I'm not sure that the government was listening. The report was quite strong on the extent of the problem within government:

A quarter of all government databases are illegal and should be scrapped or redesigned, according to a report.

[From BBC NEWS | UK | Call to scrap 'illegal databases']

The way to protect personal data most effectively, particularly in large organisations such as the government, is not to store it in the first place. This may seem unworldly. After all, I want Tesco to provide me with a good service, so why shouldn't I give up some of my personal data in order to get it? Setting aside the issue of whether what I bought in Tesco yesterday is "my" data or not, I am perfectly happy to have, and wield, my Tesco Clubcard. After all, it's not in my real name and Tesco never ask me for data I don't want to give them, so I'm more than happy for them to record what I buy. And, to their credit, I can say with hand on heart that I have never once received junk mail, spam or unsolicited phone calls for the imaginary alter-ego who shares my home, from which I deduce that Tesco have kept to their side of the bargain and not disclosed "my" data to a third party. So why am I concerned about the government having big databases of stuff about me?

Government interface

[Dave Birch] Government identity is so important that the vigilance of the "issuers" must be unwavering. Thus, the rest of the identity management value network can function. It's so important that one might even go so far as to say that a key role of government should be to test it's own vigilance in an open and transparent way. In other words, shouldn't parts of the government be checking up on other parts of the government and telling us what happened. This would be a really interesting experiment to try here in the UK, now that the government has started issuing identity cards. It would be great to have some reassurance that the process is indeed protecting us from international terrorists, dole scroungers and health tourists. The National Audit Office (NAO) could try and obtain bogus identity documents from the Identity and Passport Service (IPS) and see what happens. Just like the recent experiment in the US.

To do so, GAO designed four test scenarios that simulated the actions of a malicious individual who had access to an American citizen’s personal identity information. GAO created counterfeit documents for four fictitious or deceased individuals using off-the-shelf, commercially available hardware, software, and materials. An undercover GAO investigator then applied for passports at three United States Postal Service (USPS) locations and a State-run passport office.

[From Security Document World]

And the results? Did the ever-vigilant staff, the best IT that money can buy and the process designed by top management consultants come together to defeat these almost trivial attempts to deceive?

In its four tests simulating this approach it was successful in obtaining a genuine U.S. passport in each case.

[From Security Document World]

Uh oh.

A good solution, but only if you don't understand the problem

[Dave Birch] It's all for the kiddies. There's a terrible problem out there on the interweb: there are people who aren't children who are pretending to be children and there are children who are pretending to be not children. Therefore, something must be done.

MySpace is now encouraging users to post their real names to their profiles. This is quite a shift - like many sites, MySpace used to refer to a ’screen name’ rather than ‘real name’.

[From Privacy Value Networks » Blog Archive » The danger of ‘real names’?]

Well, it might be considered an inconvenience that your children's identities should be disclosed to the entire world online, but it's for the greater good, right? And if we know who the children are online, then we can protect them, and help retailers to avoid accidentally selling knives to teenagers, and that's a good thing too.

Child-safety activists charge that some of the age-verification firms want to help Internet companies tailor ads for children. They say these firms are substituting one exaggerated threat — the menace of online sex predators — with a far more pervasive danger from online marketers like junk food and toy companies that will rush to advertise to children if they are told revealing details about the users.

[From Ping - Online Age Verification for Children Brings Privacy Worries - NYTimes.com]

Perhaps this whole anonymity vs. absonymity argument around online identities is actually important, and perhaps we should be doing some thinking about it instead of leaving it to people (eg, Ministers) who don't really understand the problem or the solution.

It's always, always the same

[Dave Birch] One of the reasons why a digital identity infrastructure ought to be more than just building a big database of everyone and then letting everyone have access to it is that the infrastructure will inevitably be abused by those on the inside, no matter how much effort goes into keeping out the bad guys on the outside.

Missouri Citibank employee Brandon Wyatt... accused of tapping Citibank's computers for customer information, then using it to set up checking accounts online with competing banks, including Bank of America, Washington Mutual and AmTrust. Wyatt allegedly wire transferred customer funds from Citibank to the new accounts, then cashed them out with additional transfers, checks, debit card purchases and ATM withdrawals. His take, according to federal prosecutors in St. Louis, was at least $380,000.

[From Fed Blotter: Citibank Worker Allegedly Plunders Customer Accounts | Threat Level from Wired.com]

It's hard to see how you can stop this from happening completely in an economic way, but what you can do is make sure that there is an audit trail so that someone how decides to have a go at this kind of fraud has a reasonable expectation of being caught. Although I have to say that armed bank robbers have a reasonable expectation of being caught (and a reasonable expectation of a long sentence if they are caught) but they still do it. Anyway, my point is that if you take people personal data and put it in a honeypot, there is only one outcome. A database is not an infrastructure.

Gambling on ID security

[Dave Birch] It's been a landmark week for those of us fascinated by the UK's national identity card scheme. The first cards have now actually been issued, so even as we speak identity fraud in the UK will be going... up. Why? Well, the government has met its own artificial target for the issuing of cards, but as you may have observed when you try to use one of the other smart cards in your possession (eg, your debit card), the cards are not the system.

Britain's first ID cards cannot be read by any official body because the government has not issued a single scanner. Ministers promised to roll out hundreds of electronic readers of biometric details. However, a spokesman for the Home Office admitted last week that no employers, police forces, hospitals or colleges have been given the machine - and there are as yet no plans to issue them.

[From No scanners to read ID cards | Politics | The Observer]

So, in other words, as long as you can make something that looks like a plausible ID card, no problem. If you want to make it plausible, you need to go to the IPS web site to find out what physical features might be required to pass manual inspection. This will direct you to a helpful section on the UK Border Agency web site that describes those features in detail. it also explains how to verify a card that is presented to you...

Sponsors are expected to look at the card carefully. It will show the person's entitlement to work, study or access public funds. The Guidance on identity cards for foreign nationals shows how you can check a card to ensure it is valid. This will help you to become familiar with its design and recognise the card when you are shown one. It also gives information on the card's security features, to help you make your checks.

Although you are not legally required to check documents, we recommend that you do so for everyone you wish to employ.

[From UK Border Agency | Checking identity cards for foreign nationals]

The accompanying Guidance explains what a valid card should look like, but also includes some additional helpful steps for employers. These include

Physical checks can also be performed on the card. As it is made entirely from polycarbonate, it will have a distinctive sound when flicked, and the holder’s image will always be in grey-scale. The card should not be bent or folded, as this is likely to cause it to break. Contact with water should be avoided to prevent damage to the contact chip.

[From UK Border Agency | Checking identity cards for foreign nationals]

As far as I can see, life just got easier for illegal workers, since all they now have to do is to produce a valid-looking card and they are sorted. If you think that this is a hypothetical problem because no-one in the UK actually accepts these cards as proof of anything, think again.

UK casino operators can accept the Government's new compulsory identity cards for foreign nationals as proof of ID - provided they meet money laundering regulation requirements, according to the Gambling Commission.

[From Identity Cards Now Welcome At UK Casinos | GamblingCompliance.com]

I'm sure the chance of an illegal immigrant using a forged card to launder money in a casino is so small as to be infestiminal, but nevertheless it does seem slightly odd to not even have plans to issue readers.

Children and identity theft

[Dave Birch] OK, so we know that overall identity theft is falling, but that doesn't mean it is vanishing and nor does it mean that it is falling for all segments of the population. A recent U.S. study about the theft of children's identities illustrates how the subject area is evolving. The issue of identity theft so far as children are concerned is an interesting one.

Rarely do parents or guardians consider the possibility that their child may have a credit history, and thus few will check to see whether their child has a credit report under their name. This can make children easy targets for identity thieves,

[From Debix - Research]

The headline results of this study are as follows:

• The study discovered 5% of the children had one or more credit reports using their social security number
• 3% were found to be actual victims of child identity theft, while 2% were victims of file/credit contamination.
• Among the 5%, the children had on average $12,779 in fraudulent or wrongly assigned debt.
• While the study found that children were more likely to find problems in their credit histories as they aged, an astonishing 12% of those with problems were age 5 and under.
• A handful of cases stand out as especially severe: one child had seven identities listed under his SSN, with several thousand dollars in medical bills, apartment rentals, and credit accounts in collections; another child’s SSN was associated with over $325,000 in debt.
• One in four victims in the study had bills or lines of credit in collections or foreclosure, while almost twothirds of these children had fake or wrong names listed under their SSN.
• 42% of those children with erroneous credit reports only had credit files at one credit bureau, meaning their fraud could have gone unnoticed without checking all three bureaus.

You can see why criminals are going for this mode of attack, because using the SSNs of children must have (on average) a longer time available for abuse before anyone detects fraudulent activity. And remember, behind each of these statistics is a real person left with the mess of cleaning up identity theft.

Police say identity theft is the reason the Internal Revenue Service recently warned a seven-year-old boy from the northwestern Chicago suburb of Carpentersville that he owed back taxes on $60,000. Officers said Friday the second-grader's identity has been in use by someone else since 2001 -- not long after his birth. Detectives accused 29-year-old Cirilo Centeno of Streamwood of using the boy's personal information to obtain a truck, three separate jobs, gas and electrical service for his home, a credit card, unemployment benefits and more than $60,000 in pay and services.

[From IRS tells 7-year-old boy he owes back taxes on $60,000 -- chicagotribune.com]

A credit card? Unemployment benefits? I don't understand how stealing a seven year-old's identity helps you to obtain either of these, but clearly the government and the banks have some pretty lax "know your customer" procedures if a date of birth in 2001 can get you welfare and a line of credit.