I Can Prove Who I Am: The Case for the Positive Identity Affidavit

by Carol Coye Benson on April 11, 2003

in Carol Coye Benson, Writings

By Carol Coye Benson

How the Liberty Alliance and related digital identity protocols may
solve the identity theft crisis.

Count me not among the privacy zealots, nor among the small—but
influential—group that demands complete consumer control over all
aspects of identity. In fact, I’m pretty relaxed when it comes to things
like that. I really can’t be bothered to get my name registered on the
"Do Not Call" lists (although, to tell the truth, I am glad
that my husband does). I am not even particularly concerned about any
number of large companies having access to fairly private data of mine.
It’s pretty boring stuff, after all.

But my work in identity management and authentication has brought me
into ever-closer contact with the world of identity theft, and now even
I’m getting alarmed. This "perfect crime" (easy to do, low capital
requirement, low risk of getting caught, light punishment if caught) is
getting the attention of alert thieves and fraudsters everywhere. The
most prevalent stuff—someone manages to open credit card accounts
in your name, runs up big bills, and skedaddles—is troublesome enough.
But for a person like myself—relatively savvy and with the resources
to deal with it—the costs of this type of identity theft are manageable.
At the end of the day the banks eat the loss; I’m just out the time it
takes for me to straighten it all out.

There are other aspects of identity theft, however, which are truly mind-boggling.
One is the criminal angle. Someone steals your identity, perhaps for the
relatively benign purpose of stealing money. That person gets arrested
(frequently for driving under the influence, or for robbery—there
is a very high correlation between methamphetamine users and identity
thieves), presents your name at time of arrest, and then skips bail. Suddenly,
there is a bench warrant out under your name and address. If this has
happened out of state, it has, in all probability, not been resolved at
the time the thief skipped bail. In other words, no one has figured out
that a stolen identity was used. So, the next time you visit that state
and get stopped by the police for a broken taillight—WHAM! You find
yourself in jail trying to prove that you are not that person who was
arrested earlier and skipped bail.

Eventually you can probably persuade the authorities that you are innocent.
But this may well be after a night or two in jail. And—get this—there
is no guarantee that this won’t happen again. After all, there is still
that outstanding arrest warrant—and they don’t have any other name
to use but yours. There is, apparently, no systemic way of marking such
warrants as suspect. This problem—which is very real—has been
so horrific for some victims of identity theft that they have started
to travel at all times with affidavits and notarized statements to the
effect that they have been victims of identity theft. Shades of the old
U.S.S.R.—or for that matter, France!

Equally frightening are stories of identity thieves who prey on children
or the elderly. In Detroit, there was a recent series of cases where thieves
took out mortgages on homes owned by older people who had long since paid
off their own loans. Other thieves are taking out credit in the name of
kids—who are faced with straightening out the mess just when they
are trying to get going with their own adult lives. (In a bizarre twist,
it turns out that at times it is the parents who are stealing their own
children’s identities, but that’s another story.)

I may be relatively cavalier about having to deal with the theft of my
identity—and its financial consequences—but the idea of having
this happen to my son, or to my parents, gets my inner "mother bear"
going. As a society we really need to figure out how to stop this crime
from happening. Most advice right now, as I am sure you are aware, has
been about lowering the odds that it will happen to you. But I think technology
is giving us the tools we need to not just avoid it, but actually eliminate
it.

Cause for Hope?

There may be an answer—if not today, at least within the next few
years—in the digital identity technologies and standards that we
at Glenbrook refer to as shared authentication. The Liberty Alliance is
the most visible of these emerging protocols, but SAML, Microsoft Passport,
Visa’s Verified by Visa and MasterCard’s SecureCode are all players in
the same arena.

These are technologies and standards meant for the digital world—their
genesis has been either in attempts to improve online security, or to
simplify the process of logging onto multiple sites (so-called "single
sign-on"). But they may well end up solving problems of the terrestrial
world as well.

Consider the root cause—or at least the enabler—of the identity
theft problem. This is the fact that credit is granted to an individual
by a process that we call inferred authentication. Inferred authentication
is used whenever someone applies for something remotely by telephone,
in writing, or on the Internet. How does inferred authentication work?
You make an identity claim, and someone else tries to figure out (infer)
if that claim is real. They do this by testing the logic of your answers,
by checking against "negative databases" of bad guys, by asking
you increasingly tricky questions ("what kind of car do you drive"?),
and by running complex algorithms using your claim and various databases.
They do everything, in short, but ask you to prove your identity by presenting
a credible identity credential.

You aren’t asked to do that because currently there is no easy way to
present a credible identity credential in a remote setting. Presenting
proof would mean going to a physical location with some credible document
or set of documents (drivers license, birth certificate, passport, etc.).
And, even if these physical documents were presented, how would the clerk
behind the desk or window be able to verify the legitimacy (and currency)
of the document?

Inferred authentication is a reasonable process in the absence of a means
of establishing direct proof of identity. But inferred authentication
will always be a poor second to a good direct proof. So what if there
were a way for an individual to prove their identity when making some
type of application? And what if it were easy to verify this claim? And
(this is the key) what if I could make direct proof a requirement for
doing business with me?

Why Shared Authentication Provides the Answer

I think the emergence of the Liberty Alliance—and its brethren shared
authentication protocols—will provide an answer. An individual will
be able to easily—and solidly—prove their identity, by having
a trusted third party electronically offer this proof on their behalf.
An employer, a bank, a government—some entity who knows who you are
and with whom you have an online, authenticated relationship—will
be able to assert your identity, at your request, to enterprises who need
to know who you are. This assertion will be verifiable, online, instantly.

Unlike other digital identity schemes, which have relied on first providing
someone with a credential (such as a PKI certificate) and then enabling
its use, shared authentication lets you take advantage of an identity
relationship that already exists, for other purposes. Its costs will be
incrementally negligible. And, as shared authentication will be based
on standards that will be relatively easy to implement, it is possible
to imagine the broad adoption of such a scheme. The value—in protecting
the identity of individuals—will be immense.

It’s As Simple as That?

Of course, there are a few hundred issues to be worked out along the
way. This will only work for individuals who are online—but more
than half of us are today, and the trend is upwards. There’s a lot of
stuff that needs to be done to understand the levels of verification that
are needed, who stands behind these various identity assertions, and what
that means. We need to figure out how to "close the door"—make
sure that credit, for example, is not granted without an individual presenting
direct proof. But legislatures, big and small, are showing a voracious
appetite to legislate solutions to the identity theft problem—so
I’m not too worried about that one.

I’m convinced that this is a story with a happy ending. There will still
be fraud, of course, and abusers of these identity assertion schemes.
But what is currently proving to be a gaping hole can and will be plugged.
I’ll be in much more in control of my identity—and that of my dependents.
The identity thieves—who have hit a lucky streak with the "perfect
crime"—can go back to whatever dastardly schemes previously
occupied them.

Sometimes, technology is good.

Publication History

Initial Publication Date: April 11, 2003

Comments are closed.

Previous post:

Next post:

Clicky Web Analytics