October 15, 2007

Identity - Lost in the Standards

Blogger: Kevin Kampman

Last year, there was an initiative launched by the American National Standards Institute (ANSI) and the Better Business Bureau (BBB) to examine ways to prevent identity theft. Last month, I attended a plenary session of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) to learn how this effort was progressing. I was also interested to learn how the needs of consumers are being addressed.

The goal of the IDSP is to develop an inventory of existing standards related to identity. This work has been divided into three areas: Issuance, Exchange, and Maintenance and Management. The attendees came from a variety of communities, including government and standards bodies, financial and credit services, professional services, the software industry, and others.

The inventory of standards and regulations related to identity is impressive. Without diving into details, there are many we encounter on a regular basis, such as HIPAA and GLB. Many others are more obscure and limited to a particular domain. One would think that with the extensive list of controls, identity would be well understood and articulated.

However, the devil is in the details. For example, some of the regulations, like REAL ID, are mired in political challenges between the state and federal governments. Others, like HSPD-12, are limited to the federal government.

Many identity issues live on the fringes, for example, where no birth certificate was issued, or when someone migrates to the US from another country. Particular vulnerability areas were also identified, such as the exploitation of children by parents or guardians, theft of military or elderly identities, assumption of identities from the deceased, and so on.

Other identity issues stare us directly in the face. I recently spoke with a business intelligence analyst on a cross-country flight. He was quite concerned about how information about our affinity, debit, and credit purchases is aggregated and sold to other parties for unrelated purposes, such as insurance eligibility. The implication is that if you buy a carton of cigarettes or a bottle of liquor, this information will be used without your knowledge to provide or deny coverage, or to identify the rate you’ll pay.

This exchange of so-called personal information may not be covered by privacy regulations and represents an ethical challenge that most people don’t consider, much less care about (until it is used to their disadvantage). Standards that force people to opt in to, rather than opt out of, this information sharing are sorely lacking, as are the ethical guidelines about what information should be shared for what purpose.

The work being accomplished by the IDSP will go a long way towards exposing what is, and isn’t, in place to regulate the use of identity information. The latter will most likely be exposed by unfortunate experiences, tested in the courts, and addressed by the state and federal governments. It would be a significant benefit to everyone if the efforts of the IDSP expose these gaps and inconsistencies and make mitigation recommendations to commercial and government interests.

May 23, 2007

Reporting on a REAL ID report

Blogger: Bob Blakley

DHS’ Data Privacy and Integrity Advisory Committee has issued its report on the implementation of the REAL ID Act; the report, which is excellent, can be found here.

The report’s introduction lays it out pretty explicitly:

“The REAL ID Act is one of the largest identity management undertakings in history. It would bring more than 200 million people from a large, diverse, and mobile country within a uniformly defined identity system, jointly operated by state governments. This has never been done before in the USA, and it raises numerous policy, privacy, and data security issues that have had only brief scrutiny, particularly given the scope and scale of the undertaking.

It is critical that specific issues be carefully considered before developing and deploying a uniform identity management system in the 21st century. These include, but are not limited to, the implementation costs, the privacy consequences, the security of stored identity documents and personal information, redress and fairness, mission creep, and, perhaps most importantly, provisions for national security protections.

The Department of Homeland Security's Notice of Proposed Rulemaking touched on some of these issues, though it did not explore them in the depth necessary for a system of such magnitude and such consequence. Given that these issues have not received adequate consideration, the Committee feels it is important that the following comments do not constitute an endorsement of REAL ID or the regulations as workable or appropriate.”

I’d make explicit the conclusion which the Data Privacy and Integrity Committee left readers to infer from their report:

The REAL ID act is a bad idea. The problems with the REAL ID act listed in the Committee’s report should not be fixed, because fixing them will not address the core issues the REAL ID act raises. Fixing the problems the Committee has identified will simply produce the best possible version of a very bad system. If the REAL ID act is implemented, there is no chance it will meet its stated goals; there is every reason to believe it will have many unforeseen adverse consequences; and there is every reason to believe its costs will be huge in proportion to its benefits.

There are many reasons the REAL ID act is a bad idea, even if the Committee’s issues are addressed; here are a few:

  1. The REAL ID act will spend an enormous amount of YOUR money on a technology which cannot in principle solve the stated problems.  An ID card does not now and cannot ever tell the authorities whether its holder intends to commit a terrorist act.  No unforgeable ID card can be produced, and if one could be produced, fraud would simply be refocused from attempts to counterfeit the card to attempts to subvert the issuance process to issue legitimate cards to the wrong people.  It is not clear that the US legal system could be bent to require people to carry and present cards in all situations of interest, and even if it could, many Americans would not want to live under the legal system which would be required.  And finally, of course, requiring the same card for lots of different high-value transactions makes the card itself a very high-value artifact, which makes the reward for counterfeiting the card very large, which makes it economically sensible to invest significant resources in developing equipment and techniques which can counterfeit the card....
  2. The REAL ID act hands responsibility for solving a problem (terrorism and identity theft) to organizations (state DMVs) whose job does not involve solving these problems, who have no expertise in solving these problems, and who do not benefit in any way relevant to their own performance metrics from solving these problems.  It should be expected that states will implement the terms of the act grudgingly and ineffectively, as, from their point of view, there are only costs and no benefits.  Identity theft should be addressed by banks, not by the DMV.  Terrorism should be addressed by the state department, the defense department, and the police; not by the DMV.
  3. The existence of a single, federally mandated identifier for all US persons, required for all high-value transactions, will INEVITABLY create a host of secondary uses and a large number of unforeseen consequences.  Most of the secondary uses will work against individuals by denying them privacy protections and access to services.  Most of the unforeseen consequences will create risks for individuals and DMVs without involving any party who has the resources, expertise, and incentive to assume liability for losses or to mitigate risks.  I’ll go so far as to predict the first unforeseen consequence now: if this act is implemented, it will quickly be discovered that there is a large class of US Citizens who CANNOT BE IDENTIFIED in the way required by the act, because they lack the necessary documentation.  The system will then have to be modified to allow the rules to be broken for these people – and the alternative identification process thus created will become the first focus of identity thieves.