Perspective: How we went wrong on identity

After years working on identity and its protection, I've concluded that our identity infrastructure is fundamentally broken--and the Web is what ultimately broke it.

Thanks to the Internet we have lightning-fast communications, credit, and commerce. Unfortunately, we also have data breaches, identity theft, and obscene amounts of junk mail and spam.

Consumers are bombarded, victimized, and annoyed. They express great concerns about their privacy and security, yet little is made available to them to protect it. And they only have restricted access to their own identity information held by data brokers, being forced to pay to see it, if in fact the businesses that hold it are even willing to sell it to them.

Tinkering with the current systems won't fix it. Instead, identity needs to be re-engineered around the demands of its logical owner--consumers--providing them more control, transparency, privacy, and security.

Our personal information--name, address, date of birth, Social Security number, credit worthiness, buying preferences and patterns, etc.--forms our financial identity, government identity, medical identity, and what I like to call our "marketing identity." As a result of history and technology--as opposed to good design--identity has been functionally divided into these different silos.

Each silo has its own set of data repositories, its own regulatory and legal regimes, its own data brokers and list providers selling personal data, and its own advocates representing consumers. These silos generally don't follow the same rules, share standards, or communicate with one another.

My financial identity is actually in pretty good shape. Financial identity is a central focus for most consumers because they interact regularly with their financial identity. They trust their financial institutions, and they have a much better view into their personal financial identity information than they do in any other silo.

What with all the noise about identity theft and the focus on finance--and specifically credit cards--it may be surprising that, in fact, financial identity works pretty well for consumers, which is no coincidence. I would argue that the financial services industry provides the U.S. consumer with the strongest, most secure and well-managed identity they have--both online and offline. We should carry this industry's powerful ideas of value, portability, responsibility, and trust forward as we begin to re-engineer identity.

Where consumers' financial identity breaks down is with the data broker middlemen. Within the financial identity silo are the three credit bureaus, Experian, Equifax, and TransUnion. The credit reports they traffic in are critical to consumers, determining availability of credit, employment, and access. Yet credit reports are well known to be full of errors. What's more, they are a popular tool for identity thieves.

My government identity, however, is pretty broken. The core identity provider in the United States, the federal government, regularly loses, misplaces, and publishes the consumer data it collects. When our government wants to get data on consumers, it buys it from data brokers like ChoicePoint and LexisNexis--somewhat odd because those companies primarily sell public records, which generally originate with the government itself. Notwithstanding the demonstrated lack of security on the part of these companies, government identity--including drivers' licenses and passports--remains our core and most usable of identity "tokens."

My marketing identity is today the most broken, controlled by dozens of list and data brokers who make billions of dollars a year selling my personal information to thousands of organizations. They give me no rights to see or affect what they sell, they don't allow me to tell them what I want and what I don't want, and they make it intentionally complex for me to get off their lists. The result is almost 4 million tons of junk mail sent to Americans each year.

The data broker breaches in 2005 were the watershed event that first shined light on this incredibly secretive industry. Since then, more than 165 million data records of U.S. residents have been exposed due to security breaches. Consumers are vulnerable not only because of what arrives in their mailbox, but because of the thousands of data records holding their sensitive personal information.

Consumers are starting to wise up, demanding meaningful choice over how and by whom their identity is used. Fixing identity is going to require the efforts of industry, government, and technology leaders, but it requires the consumer to ignite change. It's their identity. They know who they are. They know what they want and what they don't want.

Heck, just ask yourself.

Biography
Steven Gal is CEO of ProQuo, a start-up that allows users to choose which paper junk mail to stop receiving from different sources. He writes a blog and also serves on the board of the Identity Theft Resource Center.

More Perspectives

[Len Bullard]

Pay Then Pray

Umm... what has done more damage is the continued use of the SSN as an identity token. It was a paper-based token and in the transition, the exposures were/are huge. Sign up for a cellphone in a local mall, then take into account that you are handing that information over to someone who probably makes less money than the people who pick up your trash. Now ask yourself what a month's worth of xeroxed applications are worth.<br /><br />Humans-in-the-loop are and always will be the wickedest problem of identity security. Identity is not an entity; it is a process.

[devbost]

SS numbers are the worst problem, but...

...any time you have to hand information over to a human being is problematic. My wife and I just had $800 charged to our debit card with several merchants in Brazil. We live in Massachusetts, and the card was safely in her wallet the whole time.<br /><br />As best we can tell, it was likely a human being who copied down her number somehow while she was doing a point-of-sale transaction.<br /><br />Fortunately, the bank was pro-active and had canceled the card before we even called to complain, and we got our money back in less than a week, but it sure doesn't inspire confidence that it can happen at all. I'm just thankful that the banks are getting better than they used to be about staying on top of it.

[zanely]

The financial sector...

...does not have a lock on the smarts required to safeguard their customers? privacy. Banks and brokerage firms are subject to criminal sanctions if there are breaches in any of their systems. This problem will disappear when the same strict regulation and severe penalties are mandated across the board for any organization, public or private, that holds sensitive consumer information.

[wbenton]

Lack of following Standards Compliance is the problem

ANSI, FIPS, ISO, SOX as well as a few other Standards make up the majority of "What should be done".<br /><br />Many in the financial sector follow ANSI standards, but NOT ALL.<br /><br />Some governments strictly adhere to FIPS, but NOT ALL.<br /><br />ISO is the international standards organization which most should follow, but NOT ALL.<br /><br />SOX: Sarbanes OXley is another one which should be followed, but NOT BY ALL!<br /><br />The key point is that ALL are excluded from the most important aspects of security. All of the above quoted standards were created to protect sensitive data.<br /><br />And how much more sensitive can one get than when discussing identity theft of others?<br /><br />These standards were created for a purpose. Many are required to follow these standards, but in reality, very few put them to actual use.<br /><br />THAT'S THE PROBLEM!!!<br /><br />Not a lack of standards, but a lack of standards compliance!!!<br /><br />Follow that up with a lack of ensuring standards compliance and you have the double-whammy position which our society is in today.<br /><br />The hundreds of millions of stolen identities are more than enough proof that the already set into place standards ARE NOT being followed to the T.<br /><br />That said... who's going to hold whom responsible for the non-compliance?<br /><br />Until the checks and balances of the security society are set into place, continue to see more of the same.<br /><br />Walt

[contagious solutions]

Unlist Assist

There is a new company Unlist Assist (dot) com that will remove <br />your name for 3 years from postal junk mail! I think this a good <br />step in the right direction on protecting our privacy from the many <br />companies that sell your name and info to other companies.

[patsimon]

Identity theft - The BIGGEST hole

The quickest, easiest way for ID thieves to steal your ID is to fill out a card changing your address and drop it in the mail box. The post office will notify you within a few weeks, but by the time they do, the theives have picked up enough of your first class mail to easily steal all your identities - financial, government, etc. Anyone can change your address any time, with no proof of identity.