It's time to redefine identity

"There is no such thing as electronic privacy. The essence of our very being is distributed across thousands of computers and databases over which we have little or no control. From credit reports to health records, from Department of Motor Vehicles computers to court records to video rentals, from law enforcement computers to school transcripts to debit card purchases, from insurance profiles to travel histories to our personal bank finances, everything we do and have done is recorded somewhere in a digital repository.

"The sad fact is that these very records which define us as an individual remain unprotected, subject to malicious modification, unauthorized disclosure or out-and-out destruction. Social Security Administration employees have sold our innermost secrets for $25 per name. Worse yet, as of today, there is nothing you can do to protect the digital you. You are not given the option or the opportunity to keep yourself and your family protected from electronic invasions of privacy.

"Your life can be turned absolutely upside down if the digital you ceases to exist. Electronic murder in cyberspace: You are just gone. Try proving you're alive; computers don't lie. Or if the picture of the digital you is electronically redrawn just the right way, a prince can become a pauper in microseconds. In cyberspace, you are guilty until proven innocent."

I first wrote these words in my 1991 book Information Warfare (free online), and they are still disturbingly true. According to the Better Business Bureau's (BBB) 2005 Identity Fraud Survey Report, the identity theft problem is improving significantly. But that's small consolation to the 9.3 million victims in 2004 (down from 10.1 million in 2003) that cost our economy a staggering $52.6 billion last year.

What causes the majority of ID theft cases is sheer stupidity. The solution to ID theft is sheer simplicity.

Despite global reliance on e-commerce, we still take a 1930s approach to identity management, with Social Security numbers (SSN) our de facto national identification. Knowledge of name, address, credit card and SSN - all publicly available information - is still all that is required to establish a legally binding means of personal authentication. Congress' shortsighted E-Sign bill of 2000 compounded the problem instead of raising the security bar.

The BBB Identity Fraud Survey shows that only 11.6% of ID theft cases occur online. The rest comes from traditional offline physical means: lost ID, checks, credit cards, stolen mail and dumpster diving. Yet we still rely on static data as ID proof positive. What to do?

We need to legally redefine what we mean by "proof of identity." We should employ rigorous two-factor identification through real-time handshaking to establish identity to a higher standard. Whether it is a smart card with password, a time-based token or some form of biometric ID, anything is superior to today's dangerous relic.

Congress should not try to legislate 21st century life with 1930s technology. It should instead recognize that the nature of legal identity has so radically changed it must be redefined to thwart the ease of ID theft.

This is not a new problem. Our government chose to ignore it, thus creating a multibillion-dollar crime syndicate that easily disrupts citizens' lives. We all pay the price with higher prices and interest rates, and loss of productivity. This is sheer insanity, especially when the answer has been readily available for 15 years.

Will any ID theft solution be perfect? No. Will someone always find a way around the system? Yes. Is raising the security bar a good step? Always. To try to fix past errors by making the same mistakes over and over is sheer insanity. Let's give sheer simplicity a try. We have the technology. We can fix this problem.


Copyright © 2005 IDG Communications, Inc.
