Feature of the Month

Who Are You?--The Confusion over Identity Information and Determining Who You Are  

Who are we? In a societal context our identity is established through a series of events and relationships, starting with one's birth, along with the resulting documentation.   Our identity is represented to others through a patchwork of this identity documentation - original paper documents (or copies), ID cards, driver's licenses, passports, and other types of credentials.   In today's world, managing these items and keeping them safe is an increasingly difficult challenge for all of us.

How Many Identities Do We Have and Need?

All of us have and use numerous identities in our everyday lives.   Some examples are:

• Professional identity: identity information used by employers
• Financial identity: identity information used by financial institutions, such as credit card information
• Citizen identity: identity information used by governments, such as passport information.
• Healthcare identity: identity information used by the healthcare industry
• Online browsing/email identity: identity information used to access information on the Internet, such as usernames and passwords
• Ecommerce identity: identity information used to carry out electronic transactions, such as account numbers, passwords, shipping addresses and credit card information

Technological and process solutions are available that can create more manageable and secure identity tools.   Adopting these solutions can ease the fears we all have about identity theft and fraud and implement more efficient identity transactions.   To understand these solutions, however, we must understand some of the challenges that underlie the concept of identity.

What Is Identity?

Identity is represented by an assortment of information that can be tied to that individual and that describes an individual's characteristics and uniqueness.   An identity in this context is the information concerning the person, not the actual person.

An identity can be made up of many pieces.   Some common components of identity are:

• Demographics: information describing who you are (name, address, phone number)
• Biometrics: information measuring a person's physical or behavioral characteristics (e.g., fingerprint, face, iris, hand, speech)
• Actions: information describing what you do and/or where you go
• Preferences: information describing what you like or choose to buy
• Status: information describing your social status (member or nonmember, married or single, retired, grade level)
• Transactions: information describing a person's past transactions (financial credit status)

Current Identity Systems:   Multi-use or Silo?

Identity systems have proliferated in today's society.   Some of these systems have developed into multiple-use identity systems while others remain essentially identity silos - single-use closed systems.   The more applications a collection of identity information has and the more meaningful that information is to third parties, the more valuable that identity information becomes.   The U.S. driver's license is an example of a multi-use identity tool.   Its primary purpose is to prove driving status but it can also be used to provide evidence of identity when opening a bank account, buying alcohol, boarding an airplane, or applying for a job.   Another example of a multi-use identity system is a major credit/debit card.   Holders of these cards can use them to purchase goods and services almost anywhere in the world.   Other collections of identity information have limited use and are essentially identity silos, such as healthcare cards, single-retailer discount or member cards, single retailer credit cards, and online subscriber account information.   Although this identity information is more limited in scope than multi-use information, it is less likely that this identity information will be revealed outside of the system in which it is used.   For example, healthcare information may be less likely to be divulged to those not needing to know if it is kept within one identity system.   Of course, the problem of privacy is not solved by putting identity information in silos.   It must be emphasized that identity information is only as secure as the system designed to manage that identity information.   Identity information that is in a siloed system is less likely to be divulged outside the system only because it is used and transported less often than information in a multi-use identity credential.

Putting the Individual at the Center of the Identity System

Because it is important for individuals to maintain control over their private identity information, it is necessary to understand where the individual fits in the general identity system structure.   There are generally three parties to an identity system:

1. Identity system providers: Entities that proof information, enroll individuals, and issue identity credentials.   For example, governments provide identities to citizens through passports or visas.
2. Identity system members: The people who must use identity information to obtain privileges.   For example, an individual uses the ID badge issued by an employer to enter a secure facility.
3. Identity system users: Organizations that rely on identities and credentials (banks, law enforcement, retailers).   For example, an employer uses a person's driver's license or passport as proof of identity for a job application.  

As we can see, the individual is indeed at the center of the identity system - or maybe more aptly put - stuck in the middle.   With identity system providers responsible for collecting, verifying, and storing identity information, and identity system users clamoring to get access to this data, it's no wonder that individuals get nervous about their identity information.   So what to do?   Well, some of the main concerns that we all have regarding identity systems can be addressed by incorporating robust and auditable policies, practices and processes into our identity systems.   The following are some guidelines to use when creating an identity system:

• Consent.   Establish identity systems that enforce a policy of consent when transferring identity information.   Identity systems should only reveal information identifying a person with the person's consent.   The information should be limited to the information that is necessary to complete the transaction.
• Transparency.   An individual should be able to "see" how identity information is being used.   Although individuals may not be authorized to modify transaction information, both they and the entity they are interacting with are best served if the information is visible to them.   Visible information creates a higher level of trust between the individual and the entity and also creates a feedback security loop to help individuals police the use of their identity information.   (For example, credit card companies allow their customers to access a list of monthly transactions.   Fraudulent credit card transactions are often reported by the customer.)
• Privacy and security.   Incorporate privacy and security features as fundamental and pervasive elements of the identity system.
• Interoperability.   Make the identity system interoperable, so that the individual can use the identity information broadly.
• Biometrics.   Use biometrics as an integral part of the identity system, so that a person is physically associated with the identity information and the identity credential.
• Ease of use.   Adopt ease of use as a primary design principle.   The user experience should be simple and consistent.   Automating transactions to reduce time and complexity is an important consideration.

About this Article

This article is an extract from the Smart Card Alliance Identity Council white paper, "The Top 10 Hot Identity Topics," researched and written by the Identity Council and published in February 2006.   This white paper was developed to provide a high-level discussion of the top 10 challenges associated with current identity systems.   This paper covers a range of topics and offers perspectives on how the most critical identity issues can be addressed with policy, process, and technology solutions.     

Individuals from 15 organizations in the Identity Council collaborated on this white paper.   Lead contributors included representatives from:   Axalto, Booz Allen Hamilton, Datacard Group, Fargo Electronics, Hitachi America Ltd., IBM, International Biometrics Industry Association, Saflink, Texas Instruments, Viisage.

The full white paper and additional information about smart cards and the role that they play in secure identification and other applications can be found on the Smart Card Alliance web site at www.smartcardalliance.org .

About the Identity Council

The Identity Council is one of several Smart Card Alliance Technology and Industry Councils, a new type of focused group within the overall structure of the Alliance.   These councils have been created to foster increased industry collaboration within a specified industry or market segment and produce tangible results while raising public awareness to the value of smart card technology.

The Identity Council is focused on promoting the need for technologies, legislation and usage solutions regarding human identity information to address the challenges of securing identity information, reducing identity fraud and increasing the usefulness that secure identity information delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.   The Council is currently working on projects to raise awareness of the issues that organizations and the public face in implementing and using identity systems and to promote the use of the appropriate technologies to solve these issues.  

Copyright 2006-2007· Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550
Phone: (800) 556-6828 info@smartcardalliance.org · www.smartcardalliance.org