Perspective: How we went wrong on identity

by Christopher Byrne | November 1, 2007 at 06:35 am

412 views | 6 Recommendations | 3 comments

Athens, GA (Nov 1, 2007) - When I travel across the United States and Europe to speak to groups about privacy issues, there are three points I always make sure to make. The first is that people do not truly understand what is considered personal and private data. The second is that the rules vary from state to state in the United States, and are different in every country. The third, and most important, point is that the Internet changes anything.

There is a great deal of information that has always been public, such as real estate records and legal matters. Before the Internet age, it was prohibitively costly to assemble this data, so people assumed it was "private". No longer can people labour under this false assumption. If, in the United States, you want to lock your credit data, you can do so freely in 39 of the 50 states. If you unlucky enough to live in the other 11 states where the lawmakers have been bought and paid for by lobbyists, the three major credit reporting agencies (TransUnion, Equifax, and Experian) have recently announced plans to allow consumers to be able to freeze their data. However, there is a catch. To do so, consumers will have to pay $US10 each and every time they want to lock and unlock the data. So if you want to apply for a mortgage, refinance your mortgage, you will have to pay $US10 to unlock the account and another $US10 to relock it after the application is processed. And this is for each person involved in the transaction. So the companies responsible for selling and losing your data are giving you the opportunity to protect YOUR data, but it will cost you.

People in the United States cannot expect help from their congressional representatives. In 2006, Rep. Steven LaTourette, R.-Ohio, co-sponsored a bill to override the laws of the 39 states that allow people to put freezes on their credit so unauthorized people cannot open accounts in their name. One troubling aspect of the law is that freezes would only be allowed for actual victims of identity theft that have filed a police report. As a victim of identity theft, I could not even get the police to take a report. Perhaps if the Congressman's identity was stolen, he would see first hand how difficult, and in some cases impossible, it is to do this.

In the following column from cNet, Steven Gal writes on how the identity system is broken and what it will take to fix it. If you would like to read more, you can visit my blog for articles on privacy and identity theft In addition, an excellent book to read on the topic is The Digital Person: Technology and Privacy in the Information Age by Daniel Solove of the George Washington University Law School.

Perspective: How we went wrong on identity by Steven Gal

perspective: After years working on identity and its protection, I've concluded that our identity infrastructure is fundamentally broken--and the Web is what ultimately broke it.

Thanks to the Internet we have lightning-fast communications, credit, and commerce. Unfortunately, we also have data breaches, identity theft, and obscene amounts of junk mail and spam.

Consumers are bombarded, victimized, and annoyed. They express great concerns about their privacy and security, yet little is made available to them to protect it. And they only have restricted access to their own identity information held by data brokers, being forced to pay to see it, if in fact the businesses that hold it are even willing to sell it to them.

Tinkering with the current systems won't fix it. Instead, identity needs to be re-engineered around the demands of its logical owner--consumers--providing them more control, transparency, privacy, and security.

Our personal information--name, address, date of birth, Social Security number, credit worthiness, buying preferences and patterns, etc.--forms our financial identity, government identity, medical
identity, and what I like to call our "marketing identity." As a result of history and technology--as opposed to good design--identity has been functionally divided into these different silos.

Each silo has its own set of data repositories, its own regulatory and legal regimes, its own data brokers and list providers selling personal data, and its own advocates representing consumers. These silos generally don't follow the same rules, share standards, or communicate with one another.

My financial identity is actually in pretty good shape. Financial identity is a central focus for most consumers because they interact regularly with their financial identity. They trust their financial institutions, and they have a much better view into their personal financial identity information than they do in any other silo.

What with all the noise about identity theft and the focus on finance--and specifically credit cards--it may be surprising that, in fact, financial identity works pretty well for consumers, which is no coincidence. I would argue that the financial services industry provides the U.S. consumer with the strongest, most secure and well-managed identity they have--both online and offline. We should
carry this industry's powerful ideas of value, portability, responsibility, and trust forward as we begin to re-engineer identity.

Where consumers' financial identity breaks down is with the data broker middlemen. Within the financial identity silo are the three credit bureaus, Experian, Equifax, and TransUnion. The credit reports they traffic in are critical to consumers, determining availability of credit, employment, and access. Yet credit reports are well known to be full of errors. What's more, they are a popular tool for identity thieves.

My government identity, however, is pretty broken. The core identity provider in the United States, the federal government, regularly loses, misplaces, and publishes the consumer data it collects. When our government wants to get data on consumers, it buys it from data brokers like ChoicePoint and LexisNexis--somewhat odd because those companies primarily sell public records, which generally originate with the government itself. Notwithstanding the demonstrated lack of security on the part of these companies, government identity--including drivers' licenses and passports--remains our core and most usable of identity "tokens."

My marketing identity is today the most broken, controlled by dozens of list and data brokers who make billions of dollars a year selling my personal information to thousands of organizations. They give me no rights to see or affect what they sell, they don't allow me to tell them what I want and what I don't want, and they make it intentionally
complex for me to get off their lists. The result is almost 4 million
tons of junk mail sent to Americans each year.

The data broker breaches in 2005 were the watershed event that first shined light on this incredibly secretive industry. Since then, more than 165 million data records of U.S. residents have been exposed due to security breaches. Consumers are vulnerable not only because of what arrives in their mailbox, but because of the thousands of data records holding their sensitive personal information.

Consumers are starting to wise up, demanding meaningful choice over how and by whom their identity is used. Fixing identity is going to require the efforts of industry, government, and technology leaders, but it requires the consumer to ignite change. It's their identity. They know who they are. They know what they want and what they don't want.

Heck, just ask yourself.

Biography

Steven Gal is CEO of ProQuo, a start-up that allows users to choose
which paper junk mail to stop receiving from different sources. He
writes a blog and also serves on the board of the Identity Theft Resource Center.