Woman with security tag

A crisis of identity

Data mishaps have put personal digital security in the spotlight.

Digital identity is becoming a source of anxiety as we learn how its elements can be used to plunder bank accounts, commit fraud, steal identities, or to profile or target people in discriminatory ways. 

But what exactly constitutes a digital identity? Some would say that it is the personal information and passwords we use to identify ourselves when we shop on the Internet or access sensitive information online. Others might refer to the biometrics, numbers and personal data held on state-issued electronic ID documents such as e-passports and driving licences.

A wider view is that digital identity is the growing mass of information about ourselves and our social or business transactions and relationships that exists in digital form whether stored within commercial or government databases or scattered on the Web in blogs and social networking sites.

New types of technology are emerging to help safeguard digital identities and even to help track and manage errant digital personas. But these raise almost as many questions as they answer about how personal data is secured, who owns it and whether current privacy and data protection laws are adequate for the digital age.

Digital authentication systems that rely on personal information - whether it's your mother's maiden name or a set of biometric identifiers - are based on the idea that such information is either a secret or can't be faked, says Mike Neuenschwander, vice president and research director of the US IT consultancy the Burton Group.

"If you can find the information publicly elsewhere, its use for transaction collateral is very limited. The way we've continued to approach that is to ask for more personal information, thereby destroying our privacy and our ability to authenticate ourselves simultaneously " he points out.

Breaches of accumulations of identity data have brought these concerns into sharp focus for millions of individuals. The biggest to date has been in the US when TJX, the parent company of TK-Maxx, lost 90 million ID records in one go in 2006 when criminals hacked into the retailer's computer system through an unsecured Wi-Fi network.

Digital apartheid

In the UK, the most significant data spillage has been Her Majesty's Revenue and Customs' (HMRC) recent loss of two unencrypted disks of the child benefit database with details of 25 million people. Subsequent revelations of a form of digital apartheid within the HMRC, where high-profile individuals' records are kept separately and they don't submit tax returns online because the system isn't considered secure enough, have further eroded public trust.

Not surprisingly, the trend in online digital authentication technologies is towards putting individuals in control of their own digital identity, with a focus on minimal disclosure and maximum privacy protection.

Companies such as IBM, Microsoft and the open source group Eclipse Higgins Project are proposing that an identity layer or 'identity metasystem' is added to current Internet protocols in order to improve transaction privacy and security for individual users while making it easier for programmers to add ID verification and authentication to software applications.

Microsoft's offering is based around CardSpace, which is software that allows users to generate virtual ID cards that have identity data associated with them but not stored on them. Instead, there is a signed and encrypted security token containing the required information (name and address, employer's name and address, or credit limit) generated by whoever created the card - whether it's the user or a trusted entity such as their bank or employer. The user decides whether to give this information to the online service. 

Open source group Bandit has, meanwhile, developed a similar card selector called DigitalMe, donated to the Higgins Project, which runs on Linux and Macintosh platforms. IBM's IDEmix (also donated to Higgins) is another cryptographic go-between - in this case one that allows people to hide their personal information so they also don't leave a data trail.

The software also uses an anonymous digital voucher from a trusted third party that the user can send to the online shop. Real credit card numbers are never revealed and the next time a purchase is made, a new encrypted voucher is used.

Rather more radically, Neuenschwander and his colleagues at the Burton Group are floating the idea of the 'Limited Liability Persona' - a legally recognised virtual person in which users could invest the financial or identity resources of their choosing. "If the LLP is compromised, you can destroy it and get a new one without mucking up your whole life," says Neuenschwander.

Developing a digital history

 "Personal identity is a sense of self, which in turn depends on memory and having a history," says Nigel Shadbolt, chief technology officer of the digital identity start-up Garlik and professor of artificial intelligence at the University of Southampton. "As we lay down increasingly detailed digital trails of our behaviour, with social networking websites leading the way, the digital manifestation of ourselves is becoming more complete, more comprehensive and is starting to assume a history, " he says. 

At Southampton, Shadbolt has been involved in shaping some of the protocols and standards for the future Internet. Instead of today's web of documents, the vision of the Semantic Web or Web 3.0 is a machine-readable web of data that by its very nature facilitates assembling digital identities. By using common formats for integrating data and a new language called RDF (Resource Description Framework) that records how data relates to a real world object in a subject, verb and object structure, people or computers will be able to combine multiple sources of information into a coherent picture. Or to quote from World Wide Web Consortium's site, "You start off in one database, and then move through an unending set of databases which are connected not by wires but by being about the same thing."

Garlik, set up by the founders of Internet banks Egg and First Direct, uses semantic-based search methods in its DataPatrol product to help individuals keep track of sensitive personal data that can be easily found in the digital world, whether on the Internet or in publicly available UK records sources. But the firm's free measure of digital identity, QDOS, is perhaps the most intriguing glimpse of how our digital identities might be reassembled and judged by others in the future.

QDOS looks at multiple presences of someone on the Web, picks out bits of information and puts them into an algorithm. "Our algorithm works out four components: how digitally active you are, how many friends and relationships you have, how much impact you have, and how individual you are. We represent those four dimensions to give a shape and provide an overall score," explains Tom Ilube, chief information officer of Garlik. He suggests, jokingly, that this could lead to a new digital taxonomy. "A Digital Windbag might be someone who blogs a lot but to whom nobody pays any attention," he says.

Garlik uses QDOS to make a serious point about how we might find ourselves digitally categorised in far less amusing ways. For instance, as part of its anti-terrorism data analysis operation, US Department of Homeland Security (DHS) has been using semantic data-mining techniques to display data patterns visually as semantic graphs to find links between people, places, events and so forth. Last year, the DHS had to suspend the activity, called ADVISE (Analysis, Dissemination, Visualization, Insight and Semantic Enhancement), on grounds that it violated federal privacy standards.

Selling into behaviour

Google's recent $3.1bn purchase of the Internet advertising services company DoubleClick raises similar privacy concerns because of the potential for Google to build highly detailed behaviour profiles by combining Web search records with information from DoubleClick's cookies placed on users' computers to track the websites they visit.

"If you combine my search results with the sites I browse you get an extremely detailed profile of what I'm thinking, what my interests are, what sort of life I lead, medical information perhaps from sites I visit that describe certain conditions, and even where and when I'm planning to travel," points out Daniel Cooper, who is an expert on privacy, data protection law and digital identity at the London office of the law firm Covington & Burling. "You'd know me better than my mother does."

The law is in an uncertain state regarding digital identity but, according to Cooper, there is a debate simmering about the need to ensure people have the same sort of rights in their digital identity as in real life.

Currently, individuals have certain rights to their personal data but don't own it. Moreover, in Europe, neither the Data Protection Directive 95/46/EC nor the ePrivacy Directive 2002/58/EC mandate that individuals are notified if their data has gone missing or there has been a breach of their privacy. "There is a proposal [about breach notification] sitting out there but whether it's enacted is anyone's guess," says Cooper.

In the US, in contrast, there are 39 individual state laws dealing with data security breach and security breach notification that require companies to notify customers if they've lost personal data. Congress is also thinking about security breach laws.

In the UK since May 2008, the Information Commissioner's Office has had the power to fine organisations that commit breaches of the Data Protection Act, but the law is not retroactive, so the government departments that have already lost identity data will not be fined.

Personal data in the EU is defined as any information that relates to an identified or identifiable living person. But many European regulators are espousing the view that if you develop a detailed profile of an individual, the information should be protected under the law, says Cooper. "It is not enough to say 'we don't know who this person is'. This is highly controversial, but it appears to be the direction the law is moving if the regulators have their say," he adds.

In the meantime, Nigel Shadbolt suggests we need a Warnock-style report on digital identity and privacy that looks ahead at the moral choices and dilemmas we are likely to face as technology develops. This might help us decide, he says, what we might brook as an acceptable level of publication of our digital identity or an acceptable level of diminution of privacy. 

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them