Archive for January, 2006

Credentials and Identity (part 2)

Tuesday, January 17th, 2006

First I will apologize to Bob, for being vague about which postings I was responding to. I’ll take more specific pot-shots next time. 😉 Next, I will thank him for taking the time to give me such a thorough response to my last blog posting. I appreciate the prodding to put more thought into this stuff. Thanks Bob!

I will apologize in advance for the lack of authoritative references in the two or three places below where I actually mention facts. Take the following for what it’s worth.

Okay, after some research on the web, I agree that the dictionary definition of “identity” that is most relevant to the task at hand is what Bob quoted: “The collection of attributes by which a person or thing is generally recognized or known.”

However, I would argue that a password (for example) is NOT a part of someone’s identity. A password is used specifically to authenticate with one specific system. It’s not a basis for being “generally recognized or known”. A password is specifically a credential.

One of the things that keeps tripping me up is whether the definition of “identity” permits a person to have multiple actual “identities”.

Let’s say I login to my online game as “beerhunter327”, and I have dozens of friends who know me only by that name. But they also know I have two kids and labrador retreiver. Is that a different “identity” than the one I use in “real life”? Is my identity at work the same as my identity at home? What if I manage to open a paypal account under the name of beerhunter327?

In one sense, my “distinguishing characteristics” are different in each different environment. They may even conflict. The color of my eyes might be different when I go out on dates from what it is when I am at home (if I use tinted contacts). If I know people who only see me in bars, do I have a different identity because they are sure that my eyes are blue instead of brown?

Biometrics, on the other hand, are harder to change arbitrarily. Of course, I would probably count a name signature as the very first biometric, and it’s not that hard to forge if work at it.

Some credentials are physical artifacts, like driver’s licenses, and some credentials are information, like a social security number or a password. Some are physical attributes, like your face. Obviously if you bundle a set of credentials together in a physical package that’s hard to split, the artifact becomes a stronger credential. (Hence putting your picture and signature on a driver’s license)

3. I might find out enough about you to open an account in your name, and have the institution which issues legitimate credentials make one with my picture on it and give me the PIN. This is IDENTITY THEFT followed by fraud.

Okay, here’s where we diverge. I agree that you describe the commonly used meaning for “identity theft”. My nit pick is that it’s an overly inflamatory term, and shifts the attention away from the institution on onto the fraudster.

First of all it’s fraud to open an account in a name that is not yours. Regardless of whether you end up being mixed up with another person or not.

It’s not fraud or a crime to know someone else’s SSN or even their bank account number. It’s only a crime to create fraudulent accounts.

Here’s how I would describe the same process that’s in Bob’s quote.

Create a fraudulent account that you know our lame-assed defective credit bureaus will equate with some other poor slob. (Okay, I suppose my description is a little more subjective sounding.)

The reason that the legal system found it necessary to create the term “identity theft” and to prosecute these criminals with greater tenacity is because they are exploiting a huge gapping hole in the computer systems that run the american credit business. And that business is BIG business. The credit business (as implemented by the big-name credit bureaus, and with the acceptance of all the largest finanacial institutions) touches almost every American’s life in a serious way.

If every savings and loan goes out of business at once, the government has to bail them out. To do otherwise would be a disaster. But after the bailout you try and fix things to make sure it doesn’t happen again. Bashing on so-called identity thieves is only thefirst step. We have to fix the root of the problem.

One improvement would be if you could order a token card from a credit bureau and tell them not to release any information unless the request includes a one-time password generated by the token card.

The credit bureaus hold a special combination of information. There is a record for me with a combination of bank accounts and loans. They claim that this collection of data represents a single warm breathing body. That collection of data represents a credential. It’s just like a drivers license that binds multiple pieces of information into one joint unit. Unfortunately it’s a credential that’s not visible to me, or controllable by me without serious hassle.

The Social Security Administration is also responsible for part of your identity, but fortunately that small piece doesn’t change. They assign it once, and then the individual is responsible for who gets the information. (Unlike credit bureaus)

Suppose someone gets a credit card with my name on it, and attached to my credit credential, but with his picture. Bob describes this as a “legitimate” credential. It’s “official” in the sense that it was created by the same physical process that creates “real” credit cards, and it the computer process used to create the account was not compromised. That doesn’t make it “legitimate” in my mind.

Of course, the practical consideration is that nobody can tell that’s it’s illegitimate from looking at the physical card. The physical card is a true representation of an illegitimate account.

The fact that this account is confused with other accounts held by someone else is the fault of the computer systems, and the weak credentials used by the financial institutions.

It could be addressed by asking for stronger credentials when opening new accounts, or it could be addressed by attaching stronger credentials to the joint credential held by the credit bureau.

there is nothing you can show the authorities which definitively proves that you are you and everyone else is not. (even DNA doesn’t do this for a small but important percentage of the population …

I’m not sure anyone needs to know what or who my physical body is. If there is a group of credit accounts associated together in the mind of a credit bureau somewhere, it only matters that all those accounts came from the same logical entity, be they human, artificial intelligence, drug lord, or mutated gorilla. The credit bureau’s job is to make sure the entity behind any of the accounts in a group will continue to act in a consistent manner. They are not the meatspace patrol.

If I want to create two online identities and establish two different credit ratings, I should be allowed to do that. (In a perfect, online world.) Of course, the FBI will claim that makes it harder for them to track down the warm-and-breathing body. I’m not claiming you have to be anonymous, I’m just saying that I don’t uniqueness has to be important to the problem of identity.

Uniqueness makes it easier to deal with fraud. (One identity per person please!). But it makes it harder to deal with data hiding. If I can easily and portably create two identities, I can use one for banking, and a completely different but official identity for casual chatting. My chatting identity can be known by thousands of people, but has no bank or finance information associated with it, so “stealing” that identity will do only minor harm.

you seem to have the theory that government is better at reducing identity risks than business. I think the opposite is true – businesses will very effectively control fraud when they are responsible for paying for it. It wasn’t the banks who decided to use Social Security Numbers for identification; it was the Federal government.

I think that when multiple business end up in a situation where they have to cooperate for the good of themselves and the consumer, they seem to be unable to do it. (On a completely different tangent, I look at the CD+/-RW and the DVD+/-RW wars as a demonstration of this). There is no way that banks and credit bureaus are going to agree on significant improvements in the credential infrastructure. There is too much infighting, and every computerized “authentication system” is being hyped by the special interests that have a financial stake in its success.

In the end I think the government ends up stepping in in these cases. I expect that once we have a few examples in the wild, of good strong credential systems, that the government will start to look at mandating one or more of them.

The credit bureaus were doing a TRAGIC job of following up on fraud, until the government required them to give more access to individual consumers.

In general I’m not a fan of government intervention, but I think large businesses can get into a “deadly embrace” of conflicting values, and sometimes need to be given a kick in the pants to get things unstuck.

Also, I think the feds created the SSN, and at the time (I heard, but I didn’t verify this) the feds said that the number would not be used as a global ID number, it would only be used for the administration of social security. Of course it was probably only two minutes before every large institution was using it as a convenient “global” ID number. The feds require banks to associate SSN’s with bank accounts (for tax purposes). The feds don’t require the banks to use this information as an authentication credential.

Hmmm….. Well if anyone got to the end of this, congratulations. I hope it wasn’t too boring.

Credential Theft

Sunday, January 15th, 2006

I’ve always been interested in on-line social mechanisms, and identity mechanisms are crucial to developing a ubiquitous on-line community. I’ve been reading blogs by some Identity Pundits, and a thought occurred to me just now. (The guys I’m talking about are: Bob Blakely and Kim Cameron) These guys take an approach that a lot of tech thinkers do. They look at technology that’s out there today, or being developed, and try to extrapolate how it will affect society, or how it should affect society. It would be better to approach things from the other way around.

Here is an example. These guys discuss things like identity theft and the Laws of Identity. They often wax philosophical about how society and hence software should deal with related social issues. From an english language point of view I have a bone to pick here. The whole “online identity” notion would be better called “online credentials”.

According to, Identity : (2a) the distinguishing character or personality of an individual (2b) the relation established by psychological identification. This is clearly talking about things that live inside a person’s head.

Credential: something that gives a title to credit or confidence. Clearly talking about an artifact. A something. The only hazy part is that you have to understand that in this case (identity theft), the artifacts that often get stolen are information. Like social security number, bank account number, etc. Those are information artifacts. They are somethings.

Your social security number is NOT part of your identity, in any stretch of the term “identity”. Your social security number is a peice of information that CORPORATIONS use as a credential. You call someone on the phone, you give them a social security number, and they assume that you are the person whom that social security number was assigned to.

So identity is identity and credentials are credentials. There’s no reason to wax philosophical about the true nature of identity when we’re discussing new kinds of computerized credentials. There’s no point.

Begin rant…

Modern so-called “identity theft”, is more accurately called “fraud”, plain and simple. The problem is not that a brand new evil practice (“identity theft”) has become rampant. The problem is that consumer databases have become massively more connected, and the coporations that interface with those databases are still using the credential systems that they used 20 years ago.

Actually, you could say that corporations (bank, insurance companies etc) are using weaker credentials than they used to. Signatures and bank visits used to be required in many cases. These days, (to lower costs) computers and phone trees are are doing the same work, and you can’t give a handwritten signature over the phone or internet.

We don’t need to invent anything to solve the problem of identity theft. All we need to do is hold corporations accountable for fraud that they fail to prevent.

Cracking down on identity thieves is politically easier to do, since they are obviously the “bad guy”. But from an enforcement point of view, it will never be effective in the long run. Desperate people will do stupid things for money no matter how severe you make the penalty.

Cracking down on corporations is harder to do because corporations donate millions to political parties and candidates and Political Action Committees, etc, etc. And the most guilty corpoprations are the largest ones. Banks, insurance companies, government departments, etc.

From a global point of view (considering all social costs) the most effective way to reduce this kind of fraud is to place legal requirements on the kinds of credentials that can be used for significant financial transactions. The government could require corporations to use stronger credentials (like a token card, or calling from your home phone with ID enabled, or using a pass-phrase, or reading a number that was mailed or emailed to them … None of these is a perfect solution, and the better ones are a bigger hassle.

Some services, departments, or corporations are worse than others. The weakest links in the chain become the most common point of entry for identity fraud. First a criminal gets a sears card in your name, then they use that to get a mastercard, etc, etc. If we tightened the credentials in the worst places, that would be the best way to cut down on identity fraud.