Over the last several years, I have been invited to speak at a variety of conferences and seminars focusing on privacy. I suspect that privacy advocates perceive that their objectives should naturally align with the fight against identity fraud.
Intuitively, it seems reasonable that tightening up on the loose and/or carelessly held bits of personal information that float about should logically mitigate the threat of identity fraud. The empirical evidence, and my own experience in investigating identity frauds, however, have convinced me that privacy measures actually offer little to no assistance in this regard.
There are a number of very good reasons why privacy initiatives fail to address identity fraud, but it all begins with a widely-held misunderstanding about what human identity actually is and how it functions in a modern and increasingly technical society.
Although we all possess an identity, we seldom pause to consider exactly what it is and how our individual identities allow us to function and interact with society. The basic misunderstanding actually begins with our own very personal misperception about our own identities. We tend to perceive that our identity is somehow intrinsically and indivisibly fused to who we are. From this perspective, it seems reasonable that identities represent something that we can own and therefore, something capable of being “stolen”. This misconception contributes to our vulnerability and effectively detours us from developing effective strategies to combat criminal identity fraud.
Identity is not a “thing” it is, in fact, a collection of diverse “stuff” about ourselves that, when accumulated, in differing circumstances and in various ways, makes us recognizable to others. It is not who we “are” but merely a vital but nebulous representation of who we are. Our individual identities begin to form after birth when, starting with our names, we accumulate the bits and pieces of information that society uses to distinguish us from one another. These individual pieces of information are, in fact, capable of being stolen or otherwise misappropriated, but as individuals we seldom own or control these various identity elements. In fact the various elements that we string together in a sort of social equivalent of an algorithm most likely originate and “belong” to multiple and diverse sources outside our actual control. Regardless, this leads privacy advocates to believe that protecting these personal identity elements, particularly those held outside of our control, will mitigate identity “theft”. At first glance, this seems like a reasonable assertion but, unfortunately, that approach completely misunderstands how society and the individual actually use identity to interact.
Not only do we not own or control the majority of our identity attributes, despite our perceptions, neither do we own or control the identity that they collectively come to form. The concept of ownership denotes a certain set of rights and subsequent control over something. Neither criminal nor civil law affords us such rights to our identities. For something to be stolen it must first be capable of being owned.
Privacy experts might suggest that I am simply arguing semantics. They will say that, regardless of what it is called, mischief committed in relation to an individual’s identity begins with the misappropriation of personal information and that privacy initiatives aim to protect that information in a number of ways. This is naïve. The practical truth is that even with the most basic information about somebody, a criminal can easily generate enough new personal identity elements to make a co-opted identity viable.
The solution to identity fraud requires a review of how a very limited and traditional approach to identifying human beings has failed to keep pace with the modern technology of communication and commerce. Traditionally, society has relied on a named-based identity system that is very effective at securely associating names with assets. The challenge now, however, occurs in attempting to confidently and securely link a unique individual with their name and other identity elements. When the vast majority of people lived in small communities, society relied on natural biometrics to accomplish this.
Human beings have an innate but somewhat limited ability to process a range of biometrics. To varying degrees, we can distinguish, identify and recall a number of human characteristics that are perceivable through our senses. Subject to the limitations of our senses, memories and intellects, we can recognize people’s faces, voices and even mannerisms. This works extremely well in small communities where this still serves as the primary means used to identify others and effectively relegates the importance of an actual name to nothing more than a useful mechanism in secondary social interactions. Our ability to employ natural biometric recognition has been increasingly compromised by the growing size of our communities, as well our need to interact with one another remotely and over long distances. Society has responded by adding additional identity factors, authenticators and corroborators to augment people’s names in an attempt to bridge the growing identity gap. Identity vulnerability has been additionally aggravated, not because of the prevalence and availability of personal information as privacy experts would suggest, but rather due to the lack of it.
But even access to a wider range of identity authenticators and elements will eventually fail to address the identity gap fermenting in Marshal McLuhan’s ever-shrinking global village. The problem is further exacerbated by the fact that identity has now become the most accepted means of financial exchange, eclipsing more traditional forms of currency. Not only are our identities vulnerable; they are valuable. The combination of vulnerability and value create a potent enticement for criminal mischief.
In order to protect our financial systems and economy it will become increasingly important to securely link the individual to their identity. I believe that this will mean employing a wider range of automated biometric systems to replicate, but considerably extend, our ability to confidently and accurately recognize each other. This approach is generally considered an anathema to privacy advocates and admittedly does not come without significant risk. As my colleague Jeanne Proulx has appropriately pointed out, once we bind a person’s social identity to them biometrically, the individual, rather than simply their identity, becomes the new currency in the modern world. I acknowledge that this has significant implications in the event that a person’s biometric data was ever compromised as it would be virtually impossible to restore.
The below model illustrates these concepts. It demonstrates that in attempting to mitigate identity crime, privacy initiatives target the wrong element. Until we can effectively strengthen the manner in which we associate an identity to the actual individual, the growing problem of identity crime will not have been addressed.
Functioning Social Relationships - Identity
© Sterling Security and Information Integrity www.sterlingsecurity.ca
