Credentials and Identity (part 2)

First I will apologize to Bob, for being vague about which postings I was responding to. I’ll take more specific pot-shots next time. 😉 Next, I will thank him for taking the time to give me such a thorough response to my last blog posting. I appreciate the prodding to put more thought into this stuff. Thanks Bob!

I will apologize in advance for the lack of authoritative references in the two or three places below where I actually mention facts. Take the following for what it’s worth.

Okay, after some research on the web, I agree that the dictionary definition of “identity” that is most relevant to the task at hand is what Bob quoted: “The collection of attributes by which a person or thing is generally recognized or known.”

However, I would argue that a password (for example) is NOT a part of someone’s identity. A password is used specifically to authenticate with one specific system. It’s not a basis for being “generally recognized or known”. A password is specifically a credential.

One of the things that keeps tripping me up is whether the definition of “identity” permits a person to have multiple actual “identities”.

Let’s say I login to my online game as “beerhunter327”, and I have dozens of friends who know me only by that name. But they also know I have two kids and labrador retreiver. Is that a different “identity” than the one I use in “real life”? Is my identity at work the same as my identity at home? What if I manage to open a paypal account under the name of beerhunter327?

In one sense, my “distinguishing characteristics” are different in each different environment. They may even conflict. The color of my eyes might be different when I go out on dates from what it is when I am at home (if I use tinted contacts). If I know people who only see me in bars, do I have a different identity because they are sure that my eyes are blue instead of brown?

Biometrics, on the other hand, are harder to change arbitrarily. Of course, I would probably count a name signature as the very first biometric, and it’s not that hard to forge if work at it.

Some credentials are physical artifacts, like driver’s licenses, and some credentials are information, like a social security number or a password. Some are physical attributes, like your face. Obviously if you bundle a set of credentials together in a physical package that’s hard to split, the artifact becomes a stronger credential. (Hence putting your picture and signature on a driver’s license)

3. I might find out enough about you to open an account in your name, and have the institution which issues legitimate credentials make one with my picture on it and give me the PIN. This is IDENTITY THEFT followed by fraud.

Okay, here’s where we diverge. I agree that you describe the commonly used meaning for “identity theft”. My nit pick is that it’s an overly inflamatory term, and shifts the attention away from the institution on onto the fraudster.

First of all it’s fraud to open an account in a name that is not yours. Regardless of whether you end up being mixed up with another person or not.

It’s not fraud or a crime to know someone else’s SSN or even their bank account number. It’s only a crime to create fraudulent accounts.

Here’s how I would describe the same process that’s in Bob’s quote.

Create a fraudulent account that you know our lame-assed defective credit bureaus will equate with some other poor slob. (Okay, I suppose my description is a little more subjective sounding.)

The reason that the legal system found it necessary to create the term “identity theft” and to prosecute these criminals with greater tenacity is because they are exploiting a huge gapping hole in the computer systems that run the american credit business. And that business is BIG business. The credit business (as implemented by the big-name credit bureaus, and with the acceptance of all the largest finanacial institutions) touches almost every American’s life in a serious way.

If every savings and loan goes out of business at once, the government has to bail them out. To do otherwise would be a disaster. But after the bailout you try and fix things to make sure it doesn’t happen again. Bashing on so-called identity thieves is only thefirst step. We have to fix the root of the problem.

One improvement would be if you could order a token card from a credit bureau and tell them not to release any information unless the request includes a one-time password generated by the token card.

The credit bureaus hold a special combination of information. There is a record for me with a combination of bank accounts and loans. They claim that this collection of data represents a single warm breathing body. That collection of data represents a credential. It’s just like a drivers license that binds multiple pieces of information into one joint unit. Unfortunately it’s a credential that’s not visible to me, or controllable by me without serious hassle.

The Social Security Administration is also responsible for part of your identity, but fortunately that small piece doesn’t change. They assign it once, and then the individual is responsible for who gets the information. (Unlike credit bureaus)

Suppose someone gets a credit card with my name on it, and attached to my credit credential, but with his picture. Bob describes this as a “legitimate” credential. It’s “official” in the sense that it was created by the same physical process that creates “real” credit cards, and it the computer process used to create the account was not compromised. That doesn’t make it “legitimate” in my mind.

Of course, the practical consideration is that nobody can tell that’s it’s illegitimate from looking at the physical card. The physical card is a true representation of an illegitimate account.

The fact that this account is confused with other accounts held by someone else is the fault of the computer systems, and the weak credentials used by the financial institutions.

It could be addressed by asking for stronger credentials when opening new accounts, or it could be addressed by attaching stronger credentials to the joint credential held by the credit bureau.

there is nothing you can show the authorities which definitively proves that you are you and everyone else is not. (even DNA doesn’t do this for a small but important percentage of the population …

I’m not sure anyone needs to know what or who my physical body is. If there is a group of credit accounts associated together in the mind of a credit bureau somewhere, it only matters that all those accounts came from the same logical entity, be they human, artificial intelligence, drug lord, or mutated gorilla. The credit bureau’s job is to make sure the entity behind any of the accounts in a group will continue to act in a consistent manner. They are not the meatspace patrol.

If I want to create two online identities and establish two different credit ratings, I should be allowed to do that. (In a perfect, online world.) Of course, the FBI will claim that makes it harder for them to track down the warm-and-breathing body. I’m not claiming you have to be anonymous, I’m just saying that I don’t uniqueness has to be important to the problem of identity.

Uniqueness makes it easier to deal with fraud. (One identity per person please!). But it makes it harder to deal with data hiding. If I can easily and portably create two identities, I can use one for banking, and a completely different but official identity for casual chatting. My chatting identity can be known by thousands of people, but has no bank or finance information associated with it, so “stealing” that identity will do only minor harm.

you seem to have the theory that government is better at reducing identity risks than business. I think the opposite is true – businesses will very effectively control fraud when they are responsible for paying for it. It wasn’t the banks who decided to use Social Security Numbers for identification; it was the Federal government.

I think that when multiple business end up in a situation where they have to cooperate for the good of themselves and the consumer, they seem to be unable to do it. (On a completely different tangent, I look at the CD+/-RW and the DVD+/-RW wars as a demonstration of this). There is no way that banks and credit bureaus are going to agree on significant improvements in the credential infrastructure. There is too much infighting, and every computerized “authentication system” is being hyped by the special interests that have a financial stake in its success.

In the end I think the government ends up stepping in in these cases. I expect that once we have a few examples in the wild, of good strong credential systems, that the government will start to look at mandating one or more of them.

The credit bureaus were doing a TRAGIC job of following up on fraud, until the government required them to give more access to individual consumers.

In general I’m not a fan of government intervention, but I think large businesses can get into a “deadly embrace” of conflicting values, and sometimes need to be given a kick in the pants to get things unstuck.

Also, I think the feds created the SSN, and at the time (I heard, but I didn’t verify this) the feds said that the number would not be used as a global ID number, it would only be used for the administration of social security. Of course it was probably only two minutes before every large institution was using it as a convenient “global” ID number. The feds require banks to associate SSN’s with bank accounts (for tax purposes). The feds don’t require the banks to use this information as an authentication credential.

Hmmm….. Well if anyone got to the end of this, congratulations. I hope it wasn’t too boring.

Comments are closed.