Blogger: Kevin Kampman
Last year, there was an initiative launched by the American National Standards Institute (ANSI) and the Better Business Bureau (BBB) to examine ways to prevent identity theft. Last month, I attended a plenary session of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) to learn how this effort was progressing. I was also interested to learn how the needs of consumers are being addressed.
The goal of the IDSP is to develop an inventory of existing standards related to identity. This work has been divided into three areas: Issuance, Exchange, and Maintenance and Management. The attendees came from a variety of communities, including government and standards bodies, financial and credit services, professional services, the software industry, and others.
The inventory of standards and regulations related to identity is impressive. Without diving into details, there are many we know on a regular basis, such as HIPAA and GLB. Many others are more obscure and limited to a particular domain. One would think that with the extensive list of controls, identity would be well understood and articulated.
However, the devil is in the details. For example, some of the regulations, like REAL ID, are mired in political challenges between the state and federal governments. Others, like HSPD-12, are limited to the federal government.
Many identity issues live on the fringes, for example, where no birth certificate was issued, or when someone migrates to the US from another country. Particular vulnerability areas were also identified, such as the exploitation of children by parents or guardians, theft of military or elderly identities, assumption of identities from the deceased, and so on.
Other identity issues stare us directly in the face. I recently spoke with a business intelligence analyst on a cross-country flight. He was quite concerned about how information about our affinity, debit, and credit purchases are aggregated and sold to other parties for unrelated purposes, such as insurance eligibility. The implication is that if you buy a carton of cigarettes or a bottle of liquor, this information will be used without your knowledge to provide or deny coverage, or to identify the rate you’ll pay.
This exchange of so-called personal information may not be covered by privacy regulations and represents an ethical challenge that most people don’t consider, much less care about (until it is used to their disadvantage). Standards that force people to opt-in, rather than to opt-out of this information sharing are sorely lacking, as are the ethical guidelines about what information should be shared for what purpose.
The work being accomplished by the IDSP will go a long way towards exposing what is, and isn’t in place to regulate the use of identity information. The latter will most likely be exposed by unfortunate experiences, tested in the courts, and addressed by the state and federal governments. It would be a significant benefit to everyone if the efforts of the IDSP expose these gaps and inconsistencies and make mitigation recommendations to commercial and government interests.