The Identity Challenge: On the Internet, Nobody Knows You're a Dog
I recently read Better Identity in America, a report by the Better Identity Coalition, an organization launched earlier this year to focus on promoting the development and adoption of solutions for identity verification and authentication. The report outlines a policy agenda for improving the privacy and security of digital systems and help combat identity fraud.
How bad is the problem? Data breaches, large-scale fraud, and identity theft are becoming more common. In 2017, there were 16.7 million victims of identity fraud in the US, causing a loss of $16.8 billion; there was a 44.7% increase in US data breaches between 2016 and 2017 and a 30% rise in online shopping fraud; 179 million personal information records were exposed to data breaches, 69% of which were identity theft incidents.
The report notes that “the ability to offer high-value transactions and services online is being tested more than ever, due in large part to the challenges of proving identity online. The lack of an easy, secure, reliable way for entities to verify identities or attributes of people they are dealing with online creates friction in commerce, leads to increased fraud and theft, degrades privacy, and hinders the availability of many services online.”
As the report reminds us, the extent of this challenge was famously captured back in 1993 by Peter Steiner’s New Yorker cartoon with the caption On the Internet, nobody knows you’re a dog. 25 year later, the cartoon still perfectly describes the identity challenge. If anything, the challenge is even more serious in 2018, given that the volume and variety of online transaction services are greater than ever before.
Identity plays a major role in everyday life. It’s the key that determines the particular transactions in which we can rightfully participate as well as the information we’re entitled to access. Think about going to an office, getting on a plane, logging to a website or making an online purchase. We generally don’t pay much attention to the management of our identity credentials unless something goes seriously wrong.
For much of history, our identity systems have been based on face-to-face interactions and on paper and plastic-based identity credentials. But, in a world that’s increasingly governed by digital transactions and data, our existing methods for verifying someones identity based on a physical credential are far from adequate.
Some countries have a mandatory national ID, but not the US. Americans still need to get some sort of government-issued identity documents and credentials, - e.g., a social security card, drivers license, passport, - for activities like getting a job, paying taxes, receiving government benefits, driving a car, boarding a planes, and so on. But if someone doesn’t need to do any of these things, there are no laws requiring them to get an ID.
“Instead, a patchwork system has emerged of identifiers and credentials issued by a variety of different Federal, state and local entities. This patchwork has worked relatively well for in-person transactions… However, the model has fallen apart online… Americans remain dependent on paper and plastic-based identity credentials, none of which were designed to be easily used - or validated - online.”
“Moreover, in hindsight, they look like attempts to ignore the elephant in the room: that government alone confers identity authoritatively, and that government is thus in the single best position to address the challenges we have today and make identity better… Not by issuing a national ID - but by allowing consumers to ask government that it stand behind the paper and plastic credentials it already issues in the physical world.”
The report outlines five key recommendations for addressing the identity challenge.
Prioritize the development of next-generation remote identity proofing and verification systems
What is identity? As explained in A Blueprint for Digital Identity, - a 2016 report by the World Economic Forum, - identity is essentially a collection of information or attributes associated with each specific individual.
In recent years, Knowledge-Based Verification (KBV) has been widely used by the private and public sector to validate online identities. KBV relies on an individual’s ability to answer secret questions based on information that, presumably, only the individual would know. But, as a result of all the recent data breaches, adversaries have stolen enough data to defeat many KBV systems. Answers that were once secret no longer are.
To address this problem the report recommends that “Governments should offer new digital services to validate attributes - modernizing legacy paper-based identity systems around a privacy-protecting, consumer-centric digital model that allows consumers to ask the agency that issued a credential to stand behind it in the online world – by validating the information from the credential. The Social Security Administration (SSA) and state governments – the latter in their role as issuers of driver’s licenses – are the best positioned entities to offer these services to consumers.”
Change the way America uses the Social Security Number
The Social Security Number (SSN) is being used as both an identifier and an authenticator, - two very different uses. The SSN was first created as a 9-digit number, an identifier that uniquely associates an individual with wage and tax data as well as Social Security benefits. Over time, the use of the SSN as an identifier has expanded way beyond its original purposes. Other government agencies use the SSN to administer their own services, and lots of businesses collect the SSN when an individual opens an account with them.
Government and business also use the SSN as an authenticator, that is, a way to verify that someone is who they claim to be. Needless to say, our SSNs are now in data bases all over the Internet, and even if they were once secret, after massive data breaches they no longer are.
“Stop using the SSN as an authenticator,” says the report. It’s OK to use it as an identifier, as the risks are much smaller, but its use should be reduced whenever feasible, - laws that require companies to collect and retain the SSN should be changed. Finally, government should not seek to replace the SSN, as some have recommended. It would cost billions and create massive confusion while offering very little in terms of security benefits.
Promote and prioritize the use of strong authentication
“Inherent in any policy change that removes use of the SSN as an authenticator is a way to replace it with something better. Government should continue work already underway in promoting strong authentication and update legacy policies that create barriers to its adoption.”
There’s no such thing as a strong password or shared secret, since they’re easily compromised by data breaches and other common attacks. Strong authentication methods like multi-factor authentication are much less vulnerable to attacks by adversaries. The report cites a a few multi-stakeholder initiatives, - the Fast Identity Online (FIDO) Alliance, the GSMA’s Mobile Connect, and the World Wide Web Consortium’s Web Authn, - whose strong authentication technologies are being embedded in devices, operating systems and browsers.
In addition, research efforts are underway around the world, such as the open identity and data sharing framework being developed by MIT’s Trust::Data Consortium. As explained in this recent paper, since identity is fundamentally a data-sharing problem, what’s required is the ability to share information in a privacy-preserving manner. The paper describes a new paradigm it calls Open Algorithms (OPAL), based on the collective exchange of vetted algorithms among participants in a trust network ecosystem.
The basic premise underlying OPAL is that instead of gathering raw data into a central location for processing, raw data must always remain in its permanent repository under the control of the repository owners. Open, vetted algorithms or queries to validate identity credentials are sent to the data owners’ repositories and processed there. Only the results of applying the algorithm or query against the data are returned. In addition, the data holders must obtain the explicit consent from the subjects whose data they hold for the use of their data to validate their personal identity.
International coordination and harmonization
“Consumers and businesses operate in environments beyond American borders, and other countries are also contemplating new approaches to making identity better.” The US should thus coordinate with other countries to harmonize requirements, standards and frameworks where feasible.
Educate consumers and businesses about better identity
Finally, “As part of improving the identity ecosystem, Americans must be aware of new identity solutions and how to best use them. Government should partner with industry to educate both consumers and businesses, with an eye toward promoting modern approaches and best practices.”