Privacy & Identity Theft Conference
I recently delivered a keynote address at the Privacy & Identity Theft Conference in Vancouver, Canada. My keynote was entitled, "The Big Picture: Defining and Redefining Identity Fraud." Below is the major portion of my keynote, along with the relevant slides here in a pdf.
At the time it was designed, the Internet was primarily a medium for sharing information. The architects of the Web did not conceive of activities like e-commerce and online banking that are so prevalent today.
So, the Web was not built with robust identity and authentication capabilities. Identity thieves and other malicious attackers have thrived on the Web's global connectivity, the anonymity it provides, the difficulty of tracing online scams back to their source, and the many valuable targets who can be reached through these scams. It's also difficult for computer users to determine what programs are running on their machines, what machines they are connecting to and with whom they are conducting transactions online.
At Microsoft, we recognize that solving the problem of identity theft is a long-term effort that will require fundamental changes in how personally identifying information is used and managed. But also, in the near term, there are some other important steps that consumers, governments and businesses can take to help mitigate the risk of identity theft.
It starts with doing more to educate consumers on how to recognize and avoid ID theft scams. Some important tips include:
Be suspicious of any e-mail that makes an urgent request for personal financial information. Phishers use these types of statements in their e-mails to get people to react. Valid messages from banks and online merchants almost never ask users to do things like re-enter their login credentials, update their records or reenter account data.
Think before clicking links in e-mail, instant messages or chat sessions . This is especially true if you can't be sure the message is authentic or if you don't know the sender. Instead, you should call the company on the telephone or visit its Web site by typing the Web address in your browser.
Install a Web browser toolbar . Look for one that helps identify known fraudulent Web sites and alerts the user if it finds a match. Internet Explorer 7 includes such a toolbar.
Request copies of your credit report at least once a year . Check the report for suspicious entries, such as accounts that have been opened without your knowledge. It's a good way to catch fraud early and minimize the damage an identity thief can cause.
It is important to educate consumers and help them make informed judgments about disclosing private information, to promote responsible data governance practices among organizations and to punish those who commit identity theft crimes.
But these actions alone are not enough.
Tackling identity theft more effectively will require a concerted investment in what Microsoft calls End to End Trust-giving people more usable information about whom and what to trust online by building the infrastructure required to help evaluate the people, devices, software and data that make up the Internet.
As part of building End to End Trust, we need to employ new identity practices online that are just as reliable but better protect against fraud and abuse. These new practices will leverage technology to give end users more direct control over their digital identities.
Instead of requiring users to produce personal information to establish their identity, we should think of personal information as too valuable to be shared directly.
An even better approach to enhancing security and privacy is to reduce reliance on "shared secrets" such as usernames, passwords, birthdates and government ID numbers to establish the right to do something online. In addition to being relatively easy to steal, these shared secrets can be difficult to remember, update and manage.
Microsoft is working with many others throughout the technology industry to establish ground rules for designing services that allow people to access those services while disclosing a limited amount of PII.
In more technical terms, we need to enable a system whereby users-or electronic systems-can present not PII itself, but digital identities containing only the minimum claims necessary to enable interactions and the establishment of trust online.
As long as personal information is used for authentication on the Web, the incentive to steal it is high. But if better practices provide no personal information and reveal no information of value to anyone other than the holder, the incentives and opportunities for identity theft will be drastically reduced.
Instead of requiring users to produce personal information to establish their identity, we should think of personal information as too valuable to be shared directly.
An even better approach to enhancing security and privacy is to reduce reliance on "shared secrets" such as usernames, passwords, birthdates and government ID numbers to establish the right to do something online. In addition to being relatively easy to steal, these shared secrets can be difficult to remember, update and manage.
Microsoft is working with many others throughout the technology industry to establish ground rules for designing services that allow people to access those services while disclosing a limited amount of PII.
In more technical terms, we need to enable a system whereby users-or electronic systems-can present not PII itself, but digital identities containing only the minimum claims necessary to enable interactions and the establishment of trust online.
As long as personal information is used for authentication on the Web, the incentive to steal it is high. But if better practices provide no personal information and reveal no information of value to anyone other than the holder, the incentives and opportunities for identity theft will be drastically reduced.
Information Cards are designed to work in an interoperable, vendor-neutral framework.
No username or password is transmitted when an Information Card is presented to a Web site, so it can't be stolen. Information Card technology also supports robust encryption methods that help prevent tampering with the data on the card or snooping to intercept it in transit. Relying parties can request only the minimum amount of personal information needed to authenticate an identity in a given transaction. For example, a particular card might have 10 fields-for name, address, birth date, credit card number, frequent flyer number and so on-but depending on the situation, a relying party might need only two fields of information to complete the transaction (such as name and birth date).
Information Cards are also designed to prevent data that is shared in one context from being reused in a different context. Since a unique set of keys is created for each combination of Information Card and relying party, the information used for transactions on one Web site is not available to other Web sites. And because Information Cards allow the user to supply additional information (such as name and e-mail address) on demand to Web sites for authentication or other purposes, organizations don't need to store this data in their systems for long periods of time-and risk it being stolen.
Microsoft's Information Card client software is called Windows CardSpace, but users of other software can also create and use Information Cards.
In June 2008, Microsoft joined with other prominent companies-including Equifax, Google, Novell, Oracle and PayPal-to form the non-profit Information Card Foundation. Our shared goals include fostering a simpler, more secure and more open digital identity on the Internet, increasing users' control over their personal information, and enabling mutually beneficial digital relationships between people and businesses.
The more secure the transaction, the more important it is that Information Cards be rooted in offline identity. This is especially true in areas such as e-commerce, online banking and online government services.
The identity claims we typically use in sensitive situations in the offline world-such as name, driver's license number and government ID number-are generally based on previous verification when we were physically present. For example, hospitals issue birth certificates based on eyewitness evidence that a newborn just entered the world. Later, when we're older, we might use that birth certificate to get a driver's license or passport from a government agency. We might then take this other document to a bank to open an account or to an airline counter to check in for a flight.
Likewise, the issuing of digital identities such as Information Cards will be most reliable if they are rooted in this type of in-person verification.
However, for transactions that don't need to be that secure--like registering at a news website--less robust identities (like a self asserted identity) are typically fine.
--Brendon Lynch, Senior Privacy Strategist, Microsoft