In “How old are you, are you single?”, my friend, Kim Cameron, quotes an article in the post-gazette.com Business News talking about identity verification services. The article describes the process as:
The Verification Chain
How new identity-verification services work.
- Users sign up for a new account on a classified, social-networking or dating site and are prompted to click through to the site of an identity verifier.
- Verification service prompts users to create profiles with details such as their age, address, and occupation.
- Verification services — or a separate company — electronically check data in public-record databases to verify assertions.
At first glance, this verification service looks like a good step forward. However, if you look closely, the process appears to mimic the same procedures that provide the foundation for much of the identity theft that exists to date — that being the fact that all I need to do to steal your identity is know a few key pieces of information (which will verify correctly).
I would hope that they start to add stronger verification that the person who “knows” this stuff is actually the person whose data is being verified. Things like what PayPal does for bank account verification (deposit two small sums in your account and require you to input the actual deposit values to prove you have access to the account).
We really need to move away from knowledge of basic facts as a verification of identity, especially when many of those facts are published in one form or another.
PayPal's approach is one of the best ways to prove that you have control of a particular bank account.
But it doesn't say much about how old you are – or whether you are single. So it's not a silver bullet in the wider scheme of things.
Too bad, because I couldn't agree more that knowing things about me doesn't prove you are me.
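The two-deposit check described above, sketched as an added example (not PayPal's implementation and not code from this post). The class name, the 1 to 99 cent range and the three-attempt limit are assumptions made for illustration.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed limit; the post does not specify one


class MicroDepositChallenge:
    """Proof of control over a bank account via two small deposits.

    Unlike age, address or a pet's name, the deposit values are fresh
    random secrets that exist only in the verifier's records and on the
    account statement, so knowing public facts about the owner is no help.
    """

    def __init__(self):
        # Two independent amounts in cents (1..99) from a CSPRNG.
        self._amounts = sorted(secrets.randbelow(99) + 1 for _ in range(2))
        self.attempts_left = MAX_ATTEMPTS
        self.verified = False

    def deposits_to_send(self):
        """Amounts the verifier pays into the claimed account."""
        return list(self._amounts)

    def verify(self, claimed):
        """Return True only if the user reports both deposit values.

        Order does not matter. Each call consumes one attempt, and the
        challenge locks once attempts run out, which bounds guessing.
        """
        if self.verified or self.attempts_left <= 0:
            return self.verified
        self.attempts_left -= 1
        expected = ",".join(map(str, self._amounts)).encode()
        got = ",".join(map(str, sorted(claimed))).encode()
        # Constant-time comparison of the canonical encodings.
        if hmac.compare_digest(expected, got):
            self.verified = True
        return self.verified
```

A successful check shows access to the account statement and nothing else, which is why it says nothing about age or marital status.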
Isn't it amazing how many times we are required to tell people far too much about ourselves?
I've been asked so many times for the name of my first pet that I've had to make one up. My first pet was a turtle, and as far as I can remember, his short life didn't involve a name – we were both too young. Yet I have to use this silly name to avoid giving people my mother's date of birth.
Once you've revealed all, the party you've given it to can reveal all too. If there's a one in one thousand chance that someone will sell or misuse that information, when you have given it to one thousand people the probability of misuse has reached one.
Right now we give all our identifying information to every Tom, Dick and Harry, each of whom remembers who we are by storing it – probably unsafely.
What if we just gave it to Tom, or a couple of Toms, and the Toms then vouched for who we are? We would “register” with the Toms, and the Toms would make claims about us. Then the chances of having our identity stolen would drop, in the example above, from certainty, to one or two in a thousand. Not perfect, but hey, I'll take it.
If Tom stands behind our identity for a number of years, he can become progressively more certain about our behavior, if not our childhood.
So I'm hoping that in the description given above of how a verification service operates, once you have registered with a service, it stands behind assertions about you, so you no longer need to release identifying information.