Death of the Attribute
Blogger: Kevin Kampman
Last week, I received a request from one of our Burton Group consultants for help in identifying where data breaches had occurred. When he saw the list, his response was unprintable. In another comment about data breaches, University of Colorado student Carrie Roll indicates that exploitation of this information is a disaster in waiting: "If anybody thinks their information hasn't been stolen yet, then they're pretty naive. Your information is gone, and it's just a matter of time until someone decides to use it."
This dismal outlook is closer to the truth than we want to admit. Industry has played fast and loose with identity information, and now we are all paying the price. Using common identity information for trustworthy business transactions is becoming more and more difficult, since much of the information has either been compromised or is available for a price from identity aggregators. Just doing a phone number lookup on the Internet introduces you to sources of identity information that may know more about you than you know yourself (see “The End of Secrecy”) . Not to mention the inconvenience and personal hardship that identity thefts create for those who have been compromised. Without identity attributes, we’ll soon find ourselves in a situation where interpersonal relationships are the only viable mechanism to assert that someone is who they say they are.
Businesses, educational institutions, and others have only themselves to thank for this morass. Early in my IT career (last century, enough said) I learned that Social Security numbers (SSN) weren’t unique and “not for identification” purposes. All you have to do is read the bottom of the card, which apparently, no one does. This issue is especially relevant for multi-national firms, since not every government has an identifier for their citizens. However, I quickly discovered that SSN was the common attribute for identity purposes in both North American commerce and education. So, on we went, blindly and full of faith that this would work forever. We didn’t realize that attributes were only protected to the extent that the systems that used them are secured. Although many attributes aren’t “private”, their publication or exposure lessens their value as a means to uniquely identify someone, or to assert their intent to enter into some form of relationship.
Today, the security of individual attributes like SSN and even attributes in combination are increasingly suspect. Financial institutions are leveraging information that only the individual asserts to know (unverified in many cases) for challenge/response identification purposes. Their usefulness becomes less viable as they are used in more and more cases, and eventually subject to compromise. Since biometrics represent just another attribute, the chance that someone will compromise these is just as likely as any other information. Just a matter of time.
The pool of identity attributes is much like any other natural resource, something to be protected and preserved. As this pool diminishes, we’ll lament their passing and the perils and inconvenience their absence creates. The creation of new identity attributes will be costly, in terms of their integration with systems that consume them and the retrofitting of legacy applications. Not to mention the inconvenience to individuals. This makes the case for disciplined protection handing of personal information, risk management, and the assumption of liability for those who disclose and misuse it (see Bob Blakley’s post on the identity oracle). It also makes the case for identity services, so that the information is handled in a more controlled and manageable environment. Otherwise, we’ll be counting on birthmarks and the word of our neighbors when it comes to identity assertions.
