jim.shamlin.com

Protecting Identity without Compromising Privacy

This chapter addresses the conflict between the demand (of government and commerce) to identify an individual and the desire of individuals to act privately (to be anonymous, or unmonitored) in the electronic medium.

INTRODUCTION

The protection of identity is considered essential to the electronic medium, primarily because of the issue of identity theft: the ability to impersonate an individual, generally for reasons of committing fraud, is harmful to commerce and the individual alike.

"Identity Theft" is defined as the act of impersonating another person in order to obtain a financial benefit. In the most common instances, it leverages existing financial accounts (bank accounts, credit cards) or may involve the establishment of new accounts (same kinds plus obtaining loans).

Part of the problem is that, even though the medium is faceless, there is an increasing quantity of personal information that is publicly available, and a fraudster can leverage this aggregated information to pass themselves off as another person. The desire of individuals to safeguard their information, beyond the desire to preserve privacy and anonymity, also has value as a practical defense against identity theft.

In addition to the public information, there is also a large quantity of private information - but the degree of "privacy" is called into question when those who possess it use it for their own purposes (aggregating or reselling customer data) or fail to adequately safeguard it against others.

Finally, the fraudster may use deception to obtain the information directly from the intended victim (phishing, pharming, social engineering).

Given the increasing incidence of fraud, the author asserts that a "new approach to identity policy" is required to effectively identify and combat fraud, for the protection of individuals and commerce alike.

THE CONCEPT OF IDENTITY AND ITS THREATS

A Short Introduction to Identity

In the present context, identity is defined as the attributes of a person that distinguish them from other persons. This may include a person's name, an identification code (SSN or login ID), or a biometric attribute (fingerprint).

There is no consensus as to the precise content of identity, though it seems to be distinguished into three broad levels:

  1. Personal - Information connected with the physical person, such as name, age, location of birth, current location, health records, etc.
  2. Social - Information that is used to identify that person as part of a group, such as a nation (citizenship), family, profession, etc.
  3. Economic - Information that identifies the individual as an account holder, customer, or supplier. "Employee" is also included here (though it may arguably be considered social).

The area of greatest concern is where the identity of a person is used to authorize access to property (a financial account), though there are less immediate concerns such as reputation, authority, and accreditation.

In the online environment, identity is especially vulnerable due to the lack of physicality: it is much easier to crack a password than a driver's license number, and easier to present data as a credential than to effect a physical forgery. Meanwhile, identity is just as important to the physical, social, and economic aspects of a person's interactions with others.

Identity Theft and Identity Related Crime

The concepts of identity theft and fraud seem to be interchangeable, though the author leans toward one definition that defines "fraud" as the creation of a totally fictitious identity, whereas theft is related to appropriating an identity that belongs to an actual person.

Though they generally work the same way, the prime difference is that fraud causes economic damage to one victim (who is defrauded of property) whereas identity theft creates a second victim (the individual whose identity was used to commit the fraud).

There is also a broader category of "identity-related crime" that criminalizes activities used to identify a target (such as phishing), as well as punishing those who abuse personal information that was legally obtained (spam).

The Socioeconomic Background of Identity Theft

Statistical evidence from the FTC suggests that there were 8.3 million victims of identity theft in 2006, and the damage done by criminals exceeded $15 billion. The typical range of damage was between $100 and $500 in direct loss, though this does not include the number of hours spent to resolve the issues (restoring one's account balance and credit record).

There is also the difficulty of detection: there may be a lag between the time the information was acquired and used by the criminal, and it may take time for the victim to discover and report the crime (tip: low-income people take longer to report). This is especially true when fraudsters use a large number of identities to obtain small amounts from each.

The criminals tend to be mostly young males (under age 35) with no criminal records, who are working alone. Their crimes tend to be small scale: to obtain cash, merchandise on credit, or even credit itself (forged co-applicants) - though the total amount per criminal tends to be moderate (around $30,000) as the result of multiple small transactions.

For those who are caught, only 20% are sentenced to more than 24 months, and about a third of sentences are less than one year. The author implies that this is evidence the problem is not taken seriously by law enforcement, and that the perpetrators have nothing "real" to fear.

EN: I think the author is a bit irresponsible here - my sense is that if he presented identity theft in the context of all crime, it's a very small proportion; if he contrasted it with larceny, it's a relatively small amount; and when you consider robbing someone at gunpoint has a minimum sentence of three years, the penalties above may be fitting.

LEGISLATION ON IDENTITY THEFT

Criminal Legislation Pertaining to Identity Related Crime

Most countries rely on their existing laws against forgery and fraud to apply to electronic crimes as well, though there have been a few attempts to address the electronic medium specifically:

The US Identity Theft Act was passed in 1998 to fill some of the gaps in existing laws that address fraud in other media - the law makes it a federal crime to present a means of identification of another person with the intent to commit any unlawful activity (felony), and it aggregates the total amount of theft based on the individual whose credentials were used (not the individual to whom they were presented). Taken together, these present a more serious reaction to identity theft: a credit card thief who makes 50 small purchases is not arraigned on 50 misdemeanor theft charges, but may be charged with a felony on a large scale, with stiffer penalties.

The UK Fraud Act of 2006, which addresses all media, also includes identity-related crime. The act is notable in that it also criminalizes fraud that does not have an economic impact, so crimes such as phishing (setting up a fraudulent web site to obtain personal information) can be punished, even if an economic theft is not committed.

There is also a Cybercrime Treaty in the works that is meant to address the problems of cross-jurisdictional crimes. The author doesn't provide much specific information on this, which leads me to think this is purely conceptual at this point and has not been ratified.

Protection of Identity as a Means of Protecting Privacy

The efforts to protect an individual's privacy, as a civil right, are sporadic: individual bills for individual purposes, such as the Fair Credit Reporting Act or the Children's Online Privacy Act have addressed specific problems, but there is not a comprehensive approach to protecting individual privacy.

The US Privacy Act of 1974 prescribes a few requirements for companies that collect information, and these principles have been widely accepted in other countries:

  1. Data must be collected overtly and by consent
  2. Each individual must have the ability to see their profile and be told its use
  3. The company must allow the individual to proscribe the use of their personal information for purposes other than that for which it was provided
  4. The person must have the ability to correct or dispute the data about them
  5. The organization that maintains the data must take precautionary measures to prevent abuse or unauthorized access

However, it's noted that this approach to privacy covers only the identity of a person, not of a legal entity such as a corporation or nonprofit organization. The author seems in favor of extending it thus, as a means to react against fraud against customers (phishing).

There is also a trend in Europe for law to proscribe observation - such as using a person's IP address to track their behavior on a site (or several sites), tracking a person's physical location (via cell phone signal), or the aggregation of otherwise non-personal information to create a profile of a person (using credit card purchases to identify shopping habits). The author seems to be in favor of protection in this regard, insofar as a person would be unlikely to consent to being tracked, and the aggregated information could be used to glean or make accurate assumptions about certain private information (their religious beliefs, health condition, ethnicity, etc.).

The author specifically mentions spyware, as software that is installed without the consent or knowledge of an individual. Criminals may use this software to catch credit card information and site passwords, and companies may use it to compile a profile of users' internet behavior. There is currently no legal protection in the US, as no violation occurs unless the information is later used to commit a crime. Some states have criminalized this, but it has not yet become federal law.

PRIVACY ISSUES IN ONLINE IDENTITY MANAGEMENT

Digital Identities and Authentication

"Digital identity" consists of data used to identify an individual that does not correspond to any real-world information - such as a number used to identify a customer in a database, or the username created for a specific Web site. Such identifiers are not personal information in themselves, but are used to authenticate into a system where personal information is associated to the digital identity.

There is some benefit to digital identity, in that a person can be identified by a code that a third party cannot trace back to an individual, but also some danger, in that a person who gains access to a system can easily obtain a great deal of information about many individuals, and commit fraud on a massive scale (e.g., obtaining a database of credit card numbers).

The Expansion of Online Authentication Services

A relatively recent phenomenon is the "authentication service," which enables the user to create a single digital identity that can be used on multiple sites (rather than having separate accounts all over the Internet).

The "digital wallet" concept enabled the user to store these passwords on their computer, which addressed the issue of convenience (remembering and using an array of passwords), but this does not alleviate the burden of creating dozens of accounts, or the security risk of having the personal information resident in dozens of different systems.

A more effective solution is the creation of a single service that stores personal information on a central database, which is accessible only to certain authorized parties. The author goes to great length to describe this - but it's fundamentally a single username/password a user enters into a site, then the site operator fetches the needed information from a service. The user need create only one account, and the information is resident in one database that has (presumably) better access restrictions.

The Context of Identity Management

The Internet was designed as an open and decentralized network without a system of digital identity, which immediately became a problem for conducting business online. This is the primary reason there is no single technical implementation for managing the identity of users, and that in turn is the reason each merchant has had to come up with their own unique system, hence the systems are incompatible.

He returns to the concept of identity management as creating a common platform for commerce and a seamless experience for the user, then discusses some of the attempts to provide this:

  1. Digital Wallet - A client-side solution that failed because it was susceptible to hackers (card numbers stored in a standard location on many individual PCs).
  2. Password Management - Not a specific solution, but a feature of Web browsers that enable users to cache passwords. The problem is that most users do not properly utilize system security (any user on the box has access).
  3. .NET Passport - A solution intended to provide a "single sign-on" to users. However, this was widely regarded as an attempt to shackle customers to Microsoft as a provider.
  4. Liberty Alliance - An independent company that strove for a more open-source solution to SSO, but did not have the funding or market presence to catch on.

To date, no single solution has gained wide acceptance.

Data Protection Issues in Identity Management Systems

While the author is in favor of a central identity management system, he admits that it also has a number of problems.

  1. Data is more freely interchanged among the sites that use a service, such that a user may not have the ability to choose who gets access, or what data they get, on a per-site basis.
  2. The central service cannot vouch for what each site will do with the information it retrieves from the central database, or for the security of their systems.
  3. Since there is a single ID, it becomes a key that can be used by site owners to aggregate other information (e.g., consumer behavior), which they may independently share or sell.
  4. An individual who hacks a single sign-on ID has access to a lot more sites and information than they would if they had to hack individual sites separately.
  5. The central organization has a great deal of power over participating sites by virtue of holding the keys to its market, and could become abusive of that power.
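The central service described above (one username/password, with the site operator fetching the needed data from the service) and risks 1 and 3 in the list can be made concrete in code. The following is an added example, not code from the chapter or from any product it names; the service name, user, site names and all data are constructed. It goes one step beyond the text: instead of handing every site the same ID, the service derives a per-site ("pairwise") identifier with a keyed hash, so a returning user is still recognized by each site but two sites cannot use the identifier as a join key (risk 3), and it releases only the attributes the user approved for that site (risk 1). Passing pairwise=False reproduces the weak single-ID design for comparison.

```python
"""Added example: a minimal central identity service issuing per-site
pseudonymous identifiers and per-site attribute subsets. Everything here
(service, user 'alice', site names, attribute values) is constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000  # password hashing work factor (illustrative)


class IdentityService:
    """Hypothetical central store of credentials and personal data."""

    def __init__(self, pairwise: bool = True) -> None:
        # Service-side secret for deriving per-site identifiers. It never
        # leaves the service, so no site can recompute or join the IDs.
        self._pairwise_key = secrets.token_bytes(32)
        self.pairwise = pairwise
        self._users: dict[str, dict] = {}
        self._sessions: dict[str, str] = {}  # session token -> username

    def register(self, username: str, password: str, attributes: dict,
                 consent: dict[str, set]) -> None:
        """consent maps a site name to the attribute names it may receive."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = {"salt": salt, "hash": digest,
                                 "attributes": attributes, "consent": consent}

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """The single login the user performs; returns a session token or None."""
        rec = self._users.get(username)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, rec["hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def _subject_for(self, username: str, site: str) -> str:
        if not self.pairwise:
            # Weak design: every site gets the same global ID, which the
            # sites can use as a key to pool what they know about the user.
            return username
        # Pairwise design: HMAC over (username, site) gives an identifier that
        # is stable for one site but differs between sites.
        msg = f"{username}\x00{site}".encode()
        return hmac.new(self._pairwise_key, msg, "sha256").hexdigest()

    def assertion(self, token: Optional[str], site: str) -> Optional[dict]:
        """What the service hands a site when the user signs in there."""
        username = self._sessions.get(token) if token else None
        if username is None:
            return None
        rec = self._users[username]
        allowed = rec["consent"].get(site)
        if allowed is None:
            return None  # the user never approved this site: release nothing
        released = {k: v for k, v in rec["attributes"].items() if k in allowed}
        return {"subject": self._subject_for(username, site), "attributes": released}


def demo(pairwise: bool = True) -> dict:
    """Register a constructed user, sign in, and collect what two sites receive."""
    svc = IdentityService(pairwise=pairwise)
    pw = "correct horse battery staple"  # constructed credential
    svc.register("alice", pw,
                 attributes={"email": "alice@example.invalid", "birth_year": 1980,
                             "postal_code": "00000"},  # constructed values
                 consent={"shop.example": {"email"}, "forum.example": {"birth_year"}})
    token = svc.authenticate("alice", pw)
    return {
        "bad_login": svc.authenticate("alice", "wrong password"),
        "shop": svc.assertion(token, "shop.example"),
        "forum": svc.assertion(token, "forum.example"),
        "unknown": svc.assertion(token, "tracker.example"),
        # a second session: the shop must still see the same subject
        "shop_again": svc.assertion(svc.authenticate("alice", pw), "shop.example"),
    }


if __name__ == "__main__":
    r = demo()
    print("shop sees :", r["shop"])
    print("forum sees:", r["forum"])
    print("IDs match across sites?", r["shop"]["subject"] == r["forum"]["subject"])
```

Running demo() shows the shop and the forum receiving different subjects and disjoint attribute sets, while demo(pairwise=False) shows both sites receiving the same ID, which is the aggregation risk the list describes. The pairwise key is the asset that must be protected: whoever holds it can recompute the per-site identifiers and re-link them.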

The author goes into excruciating detail about the contractual terms that could be written to address these problems and provide an "appropriate solution." I'm not taking notes on that - suffice to say that it's possible to create an enforceable contract to alleviate the expected issues.

Data Protection Issues in Relation to Identity Management by Means of PKI

The author likewise details the privacy and security risks of digital signatures - but I've learned my lesson from having slogged through the previous section and am not paying attention, as the core point is: there are some potential problems that require careful attention to avoid, mitigate, or control.

IDENTITY VERIFICATION USING BIOMETRICS

Biometrics is a new and promising technology that seems to be getting a lot of attention. It has the advantage of being new and not well understood, which makes it fodder for hype. While there may be some advantages to using biometrics to log into a physical device, there is no significant advantage to biometrics for the network or the systems residing thereon. In this context, biometrics is merely another way of generating a unique ID: a retina scan or fingerprint is translated into data, which can be forged over a network just as easily as any other identification number.

There is also the potential problem of adoption. While the market has largely accepted being assigned identification numbers, biometric identifiers (fingerprint, retina scan, subdermal chip) create a greater sense of "big brother," though it bears noting that fingerprints as identification are not at all new, and have been in use for decades forensically (fingerprints, DNA, hair samples, etc. to establish identity).

An early use of biometrics, the EU regulation to include facial images and fingerprints on passports by means of RFID tags, has been controversial, in that it's contrary to individual privacy, has been technically unreliable, and is subject to abuse. A great deal of detail is provided about the EU's attempts to assuage concern: passing legislation prohibiting the misuse of passport information, providing reassurances about safety and accuracy, etc.
