April 11, 2003

I Can Prove Who I Am: The Case for the Positive Identity Affidavit

By Carol Coye Benson

How the Liberty Alliance and related digital identity protocols may solve the identity theft crisis.

Count me not among the privacy zealots, nor among the small—but influential—group that demands complete consumer control over all aspects of identity. In fact, I'm pretty relaxed when it comes to things like that. I really can't be bothered to get my name registered on the "Do Not Call" lists (although, to tell the truth, I am glad that my husband does). I am not even particularly concerned about any number of large companies having access to fairly private data of mine. It's pretty boring stuff, after all.

But my work in identity management and authentication has brought me into ever-closer contact with the world of identity theft, and now even I'm getting alarmed. This "perfect crime" (easy to do, low capital requirement, low risk of getting caught, light punishment if caught) is getting the attention of alert thieves and fraudsters everywhere. The most prevalent stuff—someone manages to open credit card accounts in your name, runs up big bills, and skedaddles—is troublesome enough. But for a person like myself—relatively savvy and with the resources to deal with it—the costs of this type of identity theft are manageable. At the end of the day the banks eat the loss; I'm just out the time it takes for me to straighten it all out.

There are other aspects of identity theft, however, which are truly mind-boggling. One is the criminal angle. Someone steals your identity, perhaps for the relatively benign purpose of stealing money. That person gets arrested (frequently for driving under the influence, or for robbery—there is a very high correlation between methamphetamine users and identity thieves), presents your name at time of arrest, and then skips bail. Suddenly, there is a bench warrant out under your name and address. If this has happened out of state, it has, in all probability, not been resolved at the time the thief skipped bail. In other words, no one has figured out that a stolen identity was used. So, the next time you visit that state and get stopped by the police for a broken taillight—WHAM! You find yourself in jail trying to prove that you are not that person who was arrested earlier and skipped bail.

Eventually you can probably persuade the authorities that you are innocent. But this may well be after a night or two in jail. And—get this—there is no guarantee that this won't happen again. After all, there is still that outstanding arrest warrant—and they don't have any other name to use but yours. There is, apparently, no systemic way of marking such warrants as suspect. This problem—which is very real—has been so horrific for some victims of identity theft that they have started to travel at all times with affidavits and notarized statements to the effect that they have been victims of identity theft. Shades of the old U.S.S.R.—or for that matter, France!

Equally frightening are stories of identity thieves who prey on children or the elderly. In Detroit, there was a recent series of cases where thieves took out mortgages on homes owned by older people who had long since paid off their own loans. Other thieves are taking out credit in the name of kids—who are faced with straightening out the mess just when they are trying to get going with their own adult lives. (In a bizarre twist, it turns out that at times it is the parents who are stealing their own children's identities, but that's another story.)

I may be relatively cavalier about having to deal with the theft of my identity—and its financial consequences—but the idea of having this happen to my son, or to my parents, gets my inner "mother bear" going. As a society we really need to figure out how to stop this crime from happening. Most advice right now, as I am sure you are aware, has been about lowering the odds that it will happen to you. But I think technology is giving us the tools we need to not just avoid it, but actually eliminate it.

Cause for Hope?

There may be an answer—if not today, at least within the next few years—in the digital identity technologies and standards that we at Glenbrook refer to as shared authentication. The Liberty Alliance is the most visible of these emerging protocols, but SAML, Microsoft Passport, Visa's Verified by Visa and MasterCard's SecureCode are all players in the same arena.

These are technologies and standards meant for the digital world—their genesis has been either in attempts to improve online security, or to simplify the process of logging onto multiple sites (so-called "single sign-on"). But they may well end up solving problems of the terrestrial world as well.

Consider the root cause—or at least the enabler—of the identity theft problem. This is the fact that credit is granted to an individual by a process that we call inferred authentication. Inferred authentication is used whenever someone applies for something remotely by telephone, in writing, or on the Internet. How does inferred authentication work? You make an identity claim, and someone else tries to figure out (infer) if that claim is real. They do this by testing the logic of your answers, by checking against "negative databases" of bad guys, by asking you increasingly tricky questions ("what kind of car do you drive?"), and by running complex algorithms using your claim and various databases. They do everything, in short, but ask you to prove your identity by presenting a credible identity credential.

You aren't asked to do that because currently there is no easy way to present a credible identity credential in a remote setting. Presenting proof would mean going to a physical location with some credible document or set of documents (driver's license, birth certificate, passport, etc.). And, even if these physical documents were presented, how would the clerk behind the desk or window be able to verify the legitimacy (and currency) of the document?

Inferred authentication is a reasonable process in the absence of a means of establishing direct proof of identity. But inferred authentication will always be a poor second to a good direct proof. So what if there were a way for an individual to prove their identity when making some type of application? And what if it were easy to verify this claim? And (this is the key) what if I could make direct proof a requirement for doing business with me?

Why Shared Authentication Provides the Answer

I think the emergence of the Liberty Alliance—and its brethren shared authentication protocols—will provide an answer. An individual will be able to easily—and solidly—prove their identity, by having a trusted third party electronically offer this proof on their behalf. An employer, a bank, a government—some entity who knows who you are and with whom you have an online, authenticated relationship—will be able to assert your identity, at your request, to enterprises who need to know who you are. This assertion will be verifiable, online, instantly.

Unlike other digital identity schemes, which have relied on first providing someone with a credential (such as a PKI certificate) and then enabling its use, shared authentication lets you take advantage of an identity relationship that already exists, for other purposes. Its costs will be incrementally negligible. And, as shared authentication will be based on standards that will be relatively easy to implement, it is possible to imagine the broad adoption of such a scheme. The value—in protecting the identity of individuals—will be immense.

It's As Simple as That?

Of course, there are a few hundred issues to be worked out along the way. This will only work for individuals who are online—but more than half of us are today, and the trend is upwards. There's a lot of stuff that needs to be done to understand the levels of verification that are needed, who stands behind these various identity assertions, and what that means. We need to figure out how to "close the door"—make sure that credit, for example, is not granted without an individual presenting direct proof. But legislatures, big and small, are showing a voracious appetite to legislate solutions to the identity theft problem—so I'm not too worried about that one.

I'm convinced that this is a story with a happy ending. There will still be fraud, of course, and abusers of these identity assertion schemes. But what is currently proving to be a gaping hole can and will be plugged. I'll be much more in control of my identity—and that of my dependents. The identity thieves—who have hit a lucky streak with the "perfect crime"—can go back to whatever dastardly schemes previously occupied them.

Sometimes, technology is good.

Publication History

Initial Publication Date: April 11, 2003