Verifying identity, identity relationships and identity cards

I've previously emphasised the importance of verification (data dozen for privacy-protective identity management systems, and how identity theft can be facilitated by lack of proper verification).

An excellent article by English lawyers Nicholas Bohm and Stephen Mason on "Identity and its Verification" is well worth reading (via Bruce Schneier.)

While the article was triggered by proposals by the Council of Bars and Law Societies of Europe to introduce an "identity card" for European lawyers its scope is much broader, looking at what is "identity" and what's involved in verifying identity, with some general observations about identity cards.

Their conclusions:

"Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question 'Identity with what?' An enquirer equipped with the answer to this question is in a position to tackle, on a rational basis, the task of deciding what evidence will be useful for the purpose. Without the answer to the question, the verification of identity becomes a sadly familiar exercise in blind compliance with arbitrary rules.

In short, identity cards will not solve the problem of establishing identity relationships. Identity cards for lawyers will also risk creating costs, burdens and liabilities for lawyers and their professional bodies without conferring any countervailing advantage either on them or on society."

That last paragraph in particular of course applies to identity cards generally, not just ones for lawyers.

Social media - video of Polis "reality check" seminar

Discussion of 4 March 2010 at London School of Economics between social networking experts Michael Pranikoff from PR Newswire, Molly Flatt from 1000 Heads and Tomas Gonsorcik from London Interactive, with Polis director Charlie Beckett.

Also of possible interest: my write up of a previous LSE discussion on the future of the internet with representatives from Google, Facebook etc (with link to MP3 of the discussion).

How to commit identity theft

Bob Walder of Gartner recounts, from Gartner's Identity and Access Management (IAM) Summit, the true story of Bennett Arron who was the victim of identity theft:

"It all started with a mail-shot from a home shopping catalogue company to an old address, which allowed the unscrupulous person now residing at that address to place an order and open an account with the home shopping company. That credit account allowed him to acquire a mobile phone or two. From there it was not too difficult to open bank accounts and obtain credit cards – all in Bennett Arron’s name.

The end result was Arron, who had already given notice on rented accommodation to buy a house, failed to acquire a mortgage, couldn’t rent another property, couldn’t get a line of credit, burned through savings and ended up penniless and living with parents with his pregnant wife. It took him two years to clear his name, by which time property prices had tripled and he could no longer afford to buy a house anyway!"

Arron appeared in a documentary for Channel 4 where at a local shopping mall he social engineered 18 (out of 20) people to give him their personal details, credit card numbers etc, by pretending to be someone advising on the dangers of identity theft!

He also proved how easy identity theft can be, using the example of politician Kenneth Clarke. Walder reported that:

"Arron applied for a duplicate birth certificate in Clarke’s name, and within 3 days it arrived. Using that, he applied for a duplicate driving license from the UK Drivers & Vehicle Licensing Authority (DVLA), which took just a couple of weeks to arrive. As part of this process, the DVLA requested photographs for the license which had to be authenticated on the reverse with a statement from a trusted, non-family member that this was a true likeness of Kenneth Clarke. This Arron completed himself using a false name. Something of a root trust issue, here, I think….

Naturally, with a birth certificate and driving license Arron could have gone on to open various accounts, building up to bank accounts and credit cards. Scary stuff. One good thing came from this – it is now no longer acceptable to use a birth certificate as the sole means of ID when applying for a UK driving license. Wonder if they have plugged that photo certification loophole too?"

It's real life examples like these that bring home how our society has a very long way to go yet in protecting citizens against identity theft. A root trust issue, indeed. As I mentioned in my suggested Data Dozen of identity management for privacy, proper verification of the base information has to be the foundation.

"Cloud cloud maybe" video - cloud computing history as you've never seen it before

Never mind the Gartner hype cycle, you know a topic like cloud computing has peaked when video takes on it start proliferating.

There was the Hitler spoof video on cloud computing security I mentioned recently, and now we have this rap-style video, stuffed full of cloud references, which is actually an ad by cloud provider Vembu Home.

It's a canter through the history of cloud computing rather than a parody, though given the title it seems like it's meant to be more a parody of Vanilla Ice's "Ice Ice Baby".

Trivia - that song landed Vanilla Ice in trouble as he had used a sample of the bassline from Queen's song "Under Pressure". The bassline here is rather similar, it even starts on the same note, so one hopes Vembu haven't made the same expensive mistake as Vanilla Ice! The last note of Vendu's bass riff actually differs by a tone, probably deliberately; let's hope for Vembu's sake it's enough…

Forrester's privacy heat map

Interesting - Forrester's interactive privacy & data protection heat map (via Broadstuff) -

There's also a list view -

And how does the UK do? Not too well, caution...

The USA too -

Both those countries share the exclamation mark "government surveillance" warning with, well, the Russian Federation and China.