Who are you?
In a societal context our identity is established through a series of events and relationships, starting with one’s birth, along with the resulting documentation. Our identity is represented to others through a patchwork of this identity documentation – original paper documents (or copies), ID cards, driver’s licenses, passports, and other types of credentials. In today’s world, managing these items and keeping them safe is an increasingly difficult challenge for all of us.
How Many Identities Do We Have and Need?
All of us have and use numerous identities in our everyday lives. Some examples are:
• Professional identity: identity information used by employers
• Financial identity: identity information used by financial institutions, such as credit card information
• Citizen identity: identity information used by governments, such as passport information.
• Healthcare identity: identity information used by the healthcare industry
• Online browsing/email identity: identity information used to access information on the Internet, such as usernames and passwords
• Ecommerce identity: identity information used to carry out electronic transactions, such as account numbers, passwords, shipping addresses and credit card information Technological and process solutions are available that can create more manageable and secure identity tools. Adopting these solutions can ease the fears we all have about identity theft and fraud and implement more efficient identity transactions. To understand these solutions, however, we must understand some of the challenges that underlie the concept of identity.
Identity is represented by an assortment of information that can be tied to that individual and that describes an individual’s characteristics and uniqueness. An identity in this context is the information concerning the person, not the actual person. An identity can be made up of many pieces. Some common components of identity are:
• Demographics: information describing who you are (name, address, phone number) • Biometrics: information measuring a person’s physical or behavioral characteristics (e.g., fingerprint, face, iris, hand, speech)
• Actions: information describing what you do and/or where you go
• Preferences: information describing what you like or choose to buy • Status: information describing your social status (member or nonmember, married or single, retired, grade level)
• Transactions: information describing a person’s past transactions (financial credit status)
Identity systems have proliferated in today’s society. Some of these systems have developed into multiple-use identity systems while others remain essentially identity silos – single-use closed systems. The more applications a collection of identity information has and the more meaningful that information is to third parties, the more valuable that identity information becomes. The U.S. driver’s license is an example of a multi-use identity tool. Its primary purpose is to prove driving status but it can also be used to provide evidence of identity when opening a bank account, buying alcohol, boarding an airplane, or applying for a job. Another example of a multi-use identity system is a major credit/debit card. Holders of these cards can use them to purchase goods and services almost anywhere in the world. Other collections of identity information have limited use and are essentially identity silos, such as healthcare cards, single-retailer discount or member cards, single retailer credit cards, and online subscriber account information. Although this identity information is more limited in scope than multi-use information, it is less likely that this identity information will be revealed outside of the system in which it is used. For example, healthcare information may be less likely to be divulged to those not needing to know if it is kept within one identity system. Of course, the problem of privacy is not solved by putting identity information in silos. It must be emphasized that identity information is only as secure as the system designed to manage that identity information. Identity information that is in a siloed system is less likely to be divulged outside the system only because it is used and transported less often than information in a multi-use identity credential.
Because it is important for individuals to maintain control over their private identity information, it is necessary to understand where the individual fits in the general identity system structure. There are generally three parties to an identity system:
1. Identity system providers: Entities that proof information, enroll individuals, and issue identity credentials. For example, governments provide identities to citizens through passports or visas.
2. Identity system members: The people who must use identity information to obtain privileges. For example, an individual uses the ID badge issued by an employer to enter a secure facility.
3. Identity system users: Organizations that rely on identities and credentials (banks, law enforcement, retailers). For example, an employer uses a person’s driver’s license or passport as proof of identity for a job application. As we can see, the individual is indeed at the center of the identity system – or maybe more aptly put – stuck in the middle. With identity system providers responsible for collecting, verifying, and storing identity information, and identity system users clamoring to get access to this data, it’s no wonder that individuals get nervous about their identity information. So what to do? Well, some of the main concerns that we all have regarding identity systems can be addressed by incorporating robust and auditable policies, practices and processes into our identity systems. The following are some guidelines to use when creating an identity system:
• Consent. Establish identity systems that enforce a policy of consent when transferring identity information. Identity systems should only reveal information identifying a person with the person’s consent. The information should be limited to the information that is necessary to complete the transaction.
• Transparency. An individual should be able to “see” how identity information is being used. Although individuals may not be authorized to modify transaction information, both they and the entity they are interacting with are best served if the information is visible to them. Visible information creates a higher level of trust between the individual and the entity and also creates a feedback security loop to help individuals police the use of their identity information. (For example, credit card companies allow their customers to access a list of monthly transactions. Fraudulent credit card transactions are often reported by the customer.)
• Privacy and security. Incorporate privacy and security features as fundamental and pervasive elements of the identity system.
• Interoperability. Make the identity system interoperable, so that the individual can use the identity information broadly.
• Biometrics. Use biometrics as an integral part of the identity system, so that a person is physically associated with the identity information and the identity credential.
• Ease of use. Adopt ease of use as a primary design principle. The user experience should be simple and consistent. Automating transactions to reduce time and complexity is an important consideration.