
Identity Information for the Privileged


When you need to be known as the correct, unique individual, how does it happen today?

The answer of course is “it depends”.

If you are applying for a passport or driver's license, you usually do face-to-face verification, which establishes that you and your face matched some physical documents in front of trusted individuals at a place and time.

It used to be (in the USA) that the same was true for opening a bank account, but about ten years ago the banks moved to “online” account establishment. There are various ways to do this, most of which are too expensive for the majority of businesses to use and involve horrible user experiences whilst answering “knowledge-based authentication” questions. Companies such as PayPal leverage previously established accounts using micro deposits or services such as Yodlee that use your authentication credentials to prove you can access an online bank account.

Credit files are sadly used in way too many cases for identification – credit ratings and files are barely adequate for their intended purpose (they tell what you did – paid your bills and loans, not what you are able to do – your capacity or likelihood to pay in the future). They certainly lack the types of reputation information that are useful in identification systems. Credit files and reporting mechanisms do employ a powerful mechanism for identity validation though – they track your payments and the associated information (billing address et al). However, the nature of legislation covering such information means that the validation can only be used for fraud risk analysis. That precludes a very large range of companies and entities that may have a valid need to establish your identity before giving away access to your information and content.

Other types of validating information obtainable from Credit Reporting Agencies (CRAs) or other data aggregators fall into a very different category. Essentially the information is derived from information we assert about ourselves; it obtains validity and use because it is asserted consistently and historically, and eventually becomes believable (this is a subject for a whole other blog entry). One of the problems with this type of data is that there are few if any feedback mechanisms that allow information to be updated, corrected or confirmed. The result is stale information that contains errors.

The compliance constraints of CRAs and the costs of disseminating information for validation purposes mean that only the very largest companies can afford to get such information. Under the operating principles of the existing systems this is probably just as well for most of us, as we, the individuals being identified, have no insight into or control over how this information is used.

Sadly this is the worst of all possible worlds. The entities that we would like to be identified to may not be able to verify who we are. The entities that are verifying who we are are usually doing it without our permission.

It's time we fixed things.

by Andrew Nash – CTO