How the Liberty Alliance and related digital identity protocols may
solve the identity theft crisis.
Count me not among the privacy zealots, nor among the small (but
influential) group that demands complete consumer control over all
aspects of identity. In fact, I’m pretty relaxed when it comes to things
like that. I really can’t be bothered to get my name registered on the
"Do Not Call" lists (although, to tell the truth, I am glad
that my husband does). I am not even particularly concerned about any
number of large companies having access to fairly private data of mine.
It’s pretty boring stuff, after all.
But my work in identity management and authentication has brought me
into ever-closer contact with the world of identity theft, and now even
I’m getting alarmed. This "perfect crime" (easy to do, low capital
requirement, low risk of getting caught, light punishment if caught) is
getting the attention of alert thieves and fraudsters everywhere. The
most prevalent stuff (someone manages to open credit card accounts
in your name, runs up big bills, and skedaddles) is troublesome enough.
But for a person like myself, relatively savvy and with the resources
to deal with it, the costs of this type of identity theft are manageable.
At the end of the day the banks eat the loss; I’m just out the time it
takes for me to straighten it all out.
There are other aspects of identity theft, however, which are truly mind-boggling.
One is the criminal angle. Someone steals your identity, perhaps for the
relatively benign purpose of stealing money. That person gets arrested
(frequently for driving under the influence, or for robbery; there
is a very high correlation between methamphetamine users and identity
thieves), presents your name at time of arrest, and then skips bail. Suddenly,
there is a bench warrant out under your name and address. If this has
happened out of state, it has, in all probability, not been resolved at
the time the thief skipped bail. In other words, no one has figured out
that a stolen identity was used. So, the next time you visit that state
and get stopped by the police for a broken taillight: WHAM! You find
yourself in jail trying to prove that you are not that person who was
arrested earlier and skipped bail.
Eventually you can probably persuade the authorities that you are innocent.
But this may well be after a night or two in jail. And, get this, there
is no guarantee that this won’t happen again. After all, there is still
that outstanding arrest warrant, and they don’t have any other name
to use but yours. There is, apparently, no systemic way of marking such
warrants as suspect. This problem, which is very real, has been
so horrific for some victims of identity theft that they have started
to travel at all times with affidavits and notarized statements to the
effect that they have been victims of identity theft. Shades of the old
U.S.S.R., or for that matter, France!
Equally frightening are stories of identity thieves who prey on children
or the elderly. In Detroit, there was a recent series of cases where thieves
took out mortgages on homes owned by older people who had long since paid
off their own loans. Other thieves are taking out credit in the name of
kids, who are faced with straightening out the mess just when they
are trying to get going with their own adult lives. (In a bizarre twist,
it turns out that at times it is the parents who are stealing their own
children’s identities, but that’s another story.)
I may be relatively cavalier about having to deal with the theft of my
identity, and its financial consequences, but the idea of having
this happen to my son, or to my parents, gets my inner "mother bear"
going. As a society we really need to figure out how to stop this crime
from happening. Most advice right now, as I am sure you are aware, has
been about lowering the odds that it will happen to you. But I think technology
is giving us the tools we need to not just avoid it, but actually eliminate
Cause for Hope?
There may be an answer (if not today, at least within the next few
years) in the digital identity technologies and standards that we
at Glenbrook refer to as shared authentication. The Liberty Alliance is
the most visible of these emerging protocols, but SAML, Microsoft Passport,
Visa’s Verified by Visa and MasterCard’s SecureCode are all players in
the same arena.
These are technologies and standards meant for the digital world; their
genesis has been either in attempts to improve online security, or to
simplify the process of logging onto multiple sites (so-called "single
sign-on"). But they may well end up solving problems of the terrestrial
world as well.
Consider the root cause, or at least the enabler, of the identity
theft problem. This is the fact that credit is granted to an individual
by a process that we call inferred authentication. Inferred authentication
is used whenever someone applies for something remotely by telephone,
in writing, or on the Internet. How does inferred authentication work?
You make an identity claim, and someone else tries to figure out (infer)
if that claim is real. They do this by testing the logic of your answers,
by checking against "negative databases" of bad guys, by asking
you increasingly tricky questions ("what kind of car do you drive?"),
and by running complex algorithms using your claim and various databases.
They do everything, in short, but ask you to prove your identity by presenting
a credible identity credential.
You aren’t asked to do that because currently there is no easy way to
present a credible identity credential in a remote setting. Presenting
proof would mean going to a physical location with some credible document
or set of documents (driver’s license, birth certificate, passport, etc.).
And, even if these physical documents were presented, how would the clerk
behind the desk or window be able to verify the legitimacy (and currency)
of the document?
Inferred authentication is a reasonable process in the absence of a means
of establishing direct proof of identity. But inferred authentication
will always be a poor second to a good direct proof. So what if there
were a way for an individual to prove their identity when making some
type of application? And what if it were easy to verify this claim? And
(this is the key) what if I could make direct proof a requirement for
doing business with me?
Why Shared Authentication Provides the Answer
I think the emergence of the Liberty Alliance, and its brethren shared
authentication protocols, will provide an answer. An individual will
be able to easily (and solidly) prove their identity, by having
a trusted third party electronically offer this proof on their behalf.
An employer, a bank, a government (some entity who knows who you are
and with whom you have an online, authenticated relationship) will
be able to assert your identity, at your request, to enterprises who need
to know who you are. This assertion will be verifiable, online, instantly.
Unlike other digital identity schemes, which have relied on first providing
someone with a credential (such as a PKI certificate) and then enabling
its use, shared authentication lets you take advantage of an identity
relationship that already exists, for other purposes. Its costs will be
incrementally negligible. And, as shared authentication will be based
on standards that will be relatively easy to implement, it is possible
to imagine the broad adoption of such a scheme. The value, in protecting
the identity of individuals, will be immense.
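The assertion flow described above, sketched as an added example (not code from the Liberty Alliance, SAML, or the author): an asserting party that has already authenticated the user issues a signed, short-lived assertion addressed to one relying party, and the relying party verifies it before treating it as direct proof. The HMAC shared key, the claim names, and the bank.example / lender.example parties are assumptions; the real protocols use XML signatures rather than a shared key.

```python
import base64, hashlib, hmac, json

# Constructed demo key shared by the asserting party and one relying party.
# Assumption: HMAC stands in for the XML signatures SAML and Liberty use.
SHARED_KEY = b"constructed-demo-key"

def issue_assertion(subject, issuer, audience, now, ttl=300, key=SHARED_KEY):
    """Asserting party (bank, employer) vouches for a user it already authenticated."""
    claims = {"sub": subject, "iss": issuer, "aud": audience,
              "iat": int(now), "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag

def verify_assertion(token, trusted_issuers, audience, now, key=SHARED_KEY):
    """Relying party: return the claims only if every check passes, else raise."""
    parts = token.split(b".")
    if len(parts) != 2:
        raise ValueError("malformed assertion")
    body, tag = parts
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))  # parsed only after the tag checks out
    if claims["iss"] not in trusted_issuers:
        raise ValueError("untrusted issuer")
    if claims["aud"] != audience:                   # blocks reuse at another relying party
        raise ValueError("wrong audience")
    if not claims["iat"] <= now < claims["exp"]:    # short lifetime limits replay
        raise ValueError("expired or not yet valid")
    return claims

def decision(token, trusted_issuers, audience, now, key=SHARED_KEY):
    """Accept/reject verdict a credit grantor could log before opening an account."""
    try:
        return "accept:" + verify_assertion(token, trusted_issuers, audience, now, key)["sub"]
    except ValueError as err:
        return "reject:" + str(err)

if __name__ == "__main__":
    t0 = 1_050_000_000  # constructed timestamp
    token = issue_assertion("alice", "bank.example", "lender.example", t0)
    print(decision(token, {"bank.example"}, "lender.example", t0 + 10))
    print(decision(token, {"bank.example"}, "lender.example", t0 + 600))
```

Each rejection reason corresponds to a way a bare identity claim could otherwise be accepted: an assertion not made by a party the grantor trusts, one addressed to someone else, or one that is stale.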
It’s As Simple as That?
Of course, there are a few hundred issues to be worked out along the
way. This will only work for individuals who are online, but more
than half of us are today, and the trend is upwards. There’s a lot of
stuff that needs to be done to understand the levels of verification that
are needed, who stands behind these various identity assertions, and what
that means. We need to figure out how to "close the door": make
sure that credit, for example, is not granted without an individual presenting
direct proof. But legislatures, big and small, are showing a voracious
appetite to legislate solutions to the identity theft problem, so
I’m not too worried about that one.
I’m convinced that this is a story with a happy ending. There will still
be fraud, of course, and abusers of these identity assertion schemes.
But what is currently proving to be a gaping hole can and will be plugged.
I’ll be much more in control of my identity, and that of my dependents.
The identity thieves, who have hit a lucky streak with the "perfect
crime", can go back to whatever dastardly schemes previously
Sometimes, technology is good.
Initial Publication Date: April 11, 2003