Yet again, I open my laptop, check out the news, and see that there has been another mega-hack. This time the target was Equifax, and the victims, 143 million US customers (and quite possibly 44 million UK customers too). Again, we are seeing hand-wringing by various industry experts. Again, this is said to be a horrendous disaster by the security industry. The problem is that this is one in a long chain of similar events, including the Target hack (c. 70 million hacked), OPM (c. 21 million hacked) and the twice bitten Yahoo (c. 1.5 billion hacked records). The end user, usually the consumer, has their identity in tatters, but they are not the only losers in the breached account game. Shortly after the Equifax attack was made public, the share price of the company plummeted by almost 15%.
There is now an urgency for all organizations to look at how to avert the disaster of stolen personal data. Everyone is affected. It feels as if it is an almost impossible war to win. But there is one way that may, if used correctly, hold the key to managing the use of, and control of, personal data: verified consumer identity.
What Is a Verified Identity?
Back in 2005, Kim Cameron of Microsoft wrote about the “Criminalization of the Internet.” In his treatise on the “Laws of Identity,” Kim described phishing scams, which have since become the bane of everyone’s online life, and malware that harvests credentials and financial information. In this treatise, he talked about identity being a missing Internet layer and the idea of a “unifying identity metasystem” to harden the Internet against personal data exposure. Kim was correct in thinking that identity holds the key to containing data exposure. However, it has to be used within a certain context.
A “verified identity” is something that the enterprise world has taken advantage of for many years. If you joined an organization, you, as an employee, generally went through checks before joining. Depending on the organization and the job, these could be very thorough. Healthcare workers, for example, usually need to have proof of professional registration. As online identity has moved outside the constraints of the enterprise, we still need to have a way to verify the identity owner. This is where identity verification comes in. A “verified identity” is one that has been created using various checks against the registrant. The user, during registration, will have to prove their identity. These checks can be done both on- and off-line. Over recent years, the National Institute of Standards and Technology (NIST) and various other groups, including the UK government, have set out a prescription for what verification entails. For example, the UK government has a reference document, “Good Practice Guide 45: Identity Proofing and Verification of an Individual,” which sets out the parameters needed to assign a level of assurance to an identity.
However, this prescriptive approach to identity assurance is being challenged by NIST, which has deprecated (to a degree) the validity of hard-coded levels of assurance. And this approach to a more fluid view of verification is being seen elsewhere, as other industries take on the challenge of verifying a person. Some examples of other industries needing to verify a customer include:
- Online gambling: The industry needs to know the user is over a specific age and often within a given location.
- MOOCs (e.g., Coursera): Students have to verify their identity using behavioral analysis as well as facial recognition.
- Freelance networks (e.g., Upwork): Verify their freelancers using facial recognition across Skype as well as other factors such as a U.S. bank account (if U.S.-based).
- Banking: KYC measures using online techniques are beginning to replace F2F checks as online banking continues to grow.
Verifying an identity is crucial to its use in a commercial world of customers. But the extent to which that verification is performed and how it is achieved is highly variable.
Each one of these types of accounts requires personal data to check various attributes. These personal data are then often stored by the company. We are building up silos of personal data across the Internet, silos that make us vulnerable.
Identity Out in the Open
The US has had the Identity Theft and Deterrence Assumption Act since 1998 to tackle identity theft, but even with laws against identity theft, the crime continues. Recently, I was the victim of identity fraud. Someone took out a large loan in my name. This is hardly surprising because identity fraud is soaring. According to IdentityTheft.info, so far this year, over 10 million US citizens have had their identity stolen. According to the UK anti-fraud organization CIFAS, 83% of identity fraud is committed online.
When an online identity is stolen, it is usually the underlying personal data that is taken. In the case of the loan taken out in my name, the thief was unlucky because they had some of my data, but not all. The company double-checked that the loan request was genuine because one of the attributes given didn’t match my records. I was lucky, but most identity theft victims aren’t. As more and more of our personal data makes it onto databases on the Dark Web, the likelihood of building a complete picture of a person’s full identity increases.
Achieving the requirements to obtain a verified identity could, if not done correctly, be a double-edged sword.
On the one hand, it’s great for companies as they know who they are doing business with.
On the other hand, it is like giving the cybercriminals the keys to the kingdom. They’d have confirmed personal data. Obstacles such as mismatched attributes would be removed.
Much of our personal data is already out there. If you go to haveibeenpwned and enter an email address you use for online transactions, you are likely to find that accounts associated with that email address have been compromised. Having verified attributes takes us into dangerous territory. But it is necessary for an online business to innovate and provide better services. Having a verified identity will crack a number of digital nuts, including e-government enablement, enhanced customer engagement, and better patient-caregiver collaboration. Verified identity opens up many use cases that currently we struggle to meet. But we need to get the implementation and use of verified identity right.
The privacy of personally identifiable information (PII) is essential to a safe Internet.
How to Have Your Identity Cake and Eat It
Having a verified identity is about giving a human being a digital persona that truly represents them and can open up models of use across the Internet.
Having a verified identity that does not “spill the cyber beans” at the first hack is about using technology smartly.
The key to using a verified identity for good is in the techniques you use to ensure the privacy of the PII therein.
As an organization you need to ask yourself some key questions:
- If I am creating a verified identity, do I need to keep the data associated with that identity OR do I just need to know that person is truly who they say they are? When you create a verified identity, do you really need all of the data you collect to verify that individual?
- When that person asserts their identity, do I need to ask for full data in the response or have an indicator instead? For example, if you sell age-restricted goods, you can ask that the user proves, during identity assertion, they are over 21, but that their actual date of birth is not revealed.
- Can you use anonymization or pseudonymization techniques to hide or remove identifying attributes? Using these sorts of techniques also helps towards compliance with HIPAA and GDPR. The EU’s Article 29 has some useful information on anonymization techniques.
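The second and third questions can be made concrete with a short sketch, added here as an illustration and not taken from any particular identity product: the identity provider keeps the verified record, and the relying party receives only a yes/no age indicator plus a per-service pseudonym. The keys, the record, the function names and the token layout are all constructed for this example, and HMAC with a shared key stands in for the digital signature a real deployment would use.

```python
import base64, hashlib, hmac, json
from datetime import date

IDP_SIGNING_KEY = b"constructed-demo-signing-key"      # constructed; shared with relying parties in this sketch
IDP_PSEUDONYM_KEY = b"constructed-demo-pseudonym-key"  # constructed; never leaves the identity provider

# Constructed record, held only by the identity provider after verification.
VERIFIED_RECORD = {"user_id": "u-1001", "name": "Alex Example", "date_of_birth": date(1990, 5, 17)}

def age_on(dob, today):
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def pairwise_pseudonym(user_id, relying_party):
    """Stable per-service identifier, so two services cannot correlate one user."""
    msg = f"{relying_party}|{user_id}".encode()
    return hmac.new(IDP_PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:32]

def issue_assertion(record, relying_party, min_age, today):
    """Identity-provider side: release an indicator, not the date of birth."""
    claims = {
        "aud": relying_party,
        "sub": pairwise_pseudonym(record["user_id"], relying_party),
        "age_over": min_age,
        "satisfied": age_on(record["date_of_birth"], today) >= min_age,
        "iat": today.isoformat(),
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def verify_assertion(token, relying_party):
    """Relying-party side: check integrity and audience; return claims or None."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    return claims if claims.get("aud") == relying_party else None
```

A breach of the relying party's database in this model exposes a pseudonym and a boolean, not a name or a date of birth.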
Can the Blockchain Help Out?
There is a lot of hype around the use of the blockchain and identity. However, it does have its uses. The blockchain can be used to store digital signatures because they are typically very small. A verified identity can be associated with a digital signature on the blockchain. When a service (e.g., a financial institution) wants to do business with you, they can access this digitally signed verified identity on the blockchain—the customer proving it is them by digitally signing that transaction. Verified identities should be immutable and the blockchain ticks this box nicely. An example of an open-source system that is being designed to use the blockchain specifically for privacy enhanced identity transactions is the Sovrin Foundation.
You may also at this juncture say, “Yes, but what if a cybercriminal uses my stolen PII to create a verified identity in my name?” The answer to this lies in a number of key technologies; namely, policies around geo-location awareness, behavioral analysis, and anti-fraud measures, including machine learning capability, as well as other factors, such as knowledge-based questions. Once the verified identity is created, the cybercriminal would be hard pressed to create a clone. And, if the online service requires the verified identity to transact, the cybercriminal would not have the facility to do so in your name.
Killing the Beast of Cybercrime with Privacy
Cybercrime happens because our personal data is dotted about the internet like a veritable star-filled sky. We open up online accounts every time we have to perform an online transaction. We have, on average, seven social media accounts but, on top of this, we have accounts for banking, retail purchases, eBay, Paypal, Amazon, and on and on. Our data is being spread across the Internet like muck on a farmer’s field. We need to draw this back in by building a verified identity infrastructure. It doesn’t have to be a single “one identity to rule them all” but it does have to be contained. A verified identity that is built on the premise of minimization of data, privacy-enhanced disclosure, and with a backbone of the blockchain has the real potential to kill the cybercrime beast.
Privacy is not a dirty word anymore. It is something that will open up the Internet to new use cases. Privacy of personal data will build trust. Privacy will give us back the confidence to transact online. If we do not heed the warnings of the Equifax attack, and put systems in place to mitigate these types of threats, we may as well just give the cybercriminal our PII and be done with it.