EDUCAUSE | Identity Theft

Spock's Risky Take on Trust, Privacy, and Identity Management Online

catherine — Tue, 04 Dec 2007 07:38:34 -0600

This post sort of follows on from my musings on Pownce, and the relative (in)utility of the current glut of social networking "services".

Received any Spock trust invitations lately?

Spock, a self-described “people search application that allows you to see what your friends and colleagues are doing on the web”, could potentially tell us something about the future of metasearch engines—those clunky crawlers that tried, and mostly failed, to bridge the gap between structured web directories like Dmoz, and the chaotic openness of Google’s PageRank™ technology. Although its interface design, a web-2.0-ified “Google Classic Home”, is so trendy that I’m afraid it’s already terribly dated.

The Spock team have got one thing right: web search is now the primary vehicle for information discovery, and the sudden realisation of this (by the media, at least) has created all sorts of headaches for identity management and privacy online.

We, i.e. the affluent, educated, Western audience that remains the dominant internet consumer group, have made search engines, and the companies that run them, immensely powerful because we have enabled them effectively to constitute our interface to the world. Consequently, we have endowed search engines -- and their enabler, internet connectivity -- with powerful social meanings. “Searchability” means potential, openness, connectedness, currency, agency—qualities that are socially desirable in early 21st century cultures; or at least, the “globalised” cultures of the developed world.

Spock’s positive appeal to consumers is to tap directly into these powerful social meanings. Its negative appeal to consumers consists of using the language of risk to talk about identity management on the web:

“The first step towards managing your online identity is putting the information you want seen about you online. That allows you to control what is being said about you. The second step is staying up to date on new information about you as it appears.” (Spock blog)

Both aspects of Spock’s appeal, positive and negative, come at absolutely the right time for the consumer market: in education, careers advisors are trying to convince students of the need to “clean up their profile”, while teachers, counsellors and youth workers grapple with issues around cyberbullying; in the media and political spheres, the risks posed by ID theft loom large.

So, no argument on my side that managing online identity is important, and becoming increasingly more so. But if you already have an online identity, and if you proactively manage your online identity by publishing indexable information that allows others to locate you, then I don’t see value in the “service” Spock provides. Instead, I see considerable risk.

If you read through Spock’s Terms of Service, it becomes immediately apparent that the Spock folks are terribly worried about two things: the currency of the information on Spock, and the potential for individuals to create profiles that do not belong to them.

Like many, if not most, social networking services (e.g. StumbleUpon, Flickr), Spock is largely reliant on its user community to create value. The first cause of anxiety for Spock, of course, is that if Spock user profiles become out-of-date, then Spock is a useless “non-service” and people will just go back to Google. So, Spock talks tough, threatening to terminate your service if you do not maintain your information.

The second worry for Spock is that a user profile might not “authentically” represent an individual. Again, Spock is totally reliant on users to co-operate in this way to create a community of trust, because Spock itself cannot guarantee identity, and if users do not trust the identities they find on Spock then Spock again is exposed as a useless “non-service.” Doing a couple of sample searches on Spock for people that you already know have a well-established web presence reveals an intrinsic problem for Spock: Spock can and often does generate multiple search results for a single individual, just as happens on the “open” web via a traditional search engine.

Spock tries to solve this problem by encouraging users to consolidate these results into a single profile, by “claiming” them. In this way, Spock is asking users to help conserve its overall aim of having one Spock profile represent a single individual.

But why would you choose to help Spock by doing this? One of the things about the web in general is that information has a short life, and that is exactly what enables people to retain some control over their privacy. What if I change my personal or career goals, leave an organization or group of which I was a member, or move to a different city? Life happens, and people reinvent themselves all the time. But that might not necessarily mean that I want to reject or withdraw “obsolete” information about me – at times, it’s best to just let it alone, and let new information take its place.

It’s not especially useful, and it could even be dangerous, for a company to try and create a public expectation that “identity management” equates to an individual actively “controlling” all the personal information that is available about him/her on the web. And I can’t help thinking that it’s naïve at best, stupid at worst to think that an individual can solve the problem of managing his or her online identity (which consists of a complex mish-mash of information, some generated by the individual, some created by others) by creating Yet Another Profile on this type of system. At this stage, Spock’s goal of a single profile per user looks fundamentally incompatible with the way people—and the web in general—works.

Spock is behaving a bit like the banks that try and stop consumers from sharing their PIN numbers, even with immediate family members. Its attempt to make one profile represent “one authentic user” already looks redundant. Try asking kids using Bebo or Xanga not to share passwords, or create new profiles for their friends -- an interesting theme of the recent symposium on Facebook research.

With my academic hat on, I’d say we’ve already got other, better mechanisms to do the things that Spock says it’s offering users. Mechanisms that allow people to selectively share their information with services and with other individuals, and that don’t rely on submitting personal information to a commercial third party provider. I recognise that my bias towards sharing information, and towards open systems and standards, isn't necessarily shared by tech firms or the general public. But if people are prepared to share information with a system like Spock, surely it's worth looking again at OpenID, ClaimID and FOAF for trust and authentication; or Explode as a way to display distributed networks of people. Somebody like Scott Wilson can probably explain this much better than I can; check out FeedForward, his alpha tool for personalized information discovery.

FTC Workshop on "Security in Numbers: SSNs and ID Theft"

Rodney — Mon, 12 Nov 2007 09:49:22 -0600

On December 10 and 11, 2007, the Federal Trade Commission will host a public workshop, “Security in Numbers: SSNs and ID Theft,” to explore the uses of Social Security numbers in the private sector and the role of SSNs in identity theft. This workshop continues the work of the President’s Identity Theft Task Force, and, in particular, its recommendation to explore ways to reduce unnecessary uses of the SSN.

The workshop will provide a forum for public-sector, private-sector, and consumer representatives to discuss the various uses of SSNs by the private sector, the necessity of those uses, alternatives available, the challenges faced by the private sector in moving away from using SSNs, and how SSNs are obtained and used by identity thieves. The workshop will be free and open to the public.

For more information, visit http://www.ftc.gov/bcp/workshops/ssn/index.shtml

FTC Seeking Comments on SSN Use - Including Usage by Colleges and Universities

Rodney — Mon, 06 Aug 2007 16:46:37 -0500

The Federal Trade Commission (FTC) has announced that it is seeking comments on the use of Social Security Numbers (SSNs) in the private sector. This inquiry is in response to a recommendation in the President’s Identity Theft Task Force Strategic Plan that called for the development of a comprehensive record on the uses of the SSN in the private sector and evaluate the necessity of those uses.

The FTC invites interested parties to comment on the various uses of SSNs by the private sector (including colleges and universities), the necessity of those uses, alternatives available, the challenges faced by the private sector in moving away from using SSNs, and how SSNs are obtained and used by identity thieves. The FTC asks that comments be as specific as possible, and include items such as studies, surveys, research, and cost estimates. Comments must be received on or before September 5, 2007. For more detailed information on how to submit comments and the specific questions and topics the FTC would like addressed in the comments, please see: http://www.ftc.gov/opa/2007/07/ssncomments.shtm.

New PSA Addresses Identity Theft

vvogel — Thu, 02 Aug 2007 17:37:04 -0500

Similar to love, identity theft can occur when you least expect it! When that hot guy or girl in the coffee shop starts flirting...it could be more than just your heart at stake!

This PSA was inspired by a winning submission for the 2007 Computer Security Awareness Video Contest, which was organized by the EDUCAUSE/Internet2 Computer and Network Security Task Force, in cooperation with ResearchChannel, and sponsored by the National Cyber Security Alliance.

View or download this year's winning videos. And don't forget to check out the 2006 winners.

GAO Releases Report on Data Breaches and Identity Theft

Rodney — Tue, 24 Jul 2007 15:00:19 -0500

The Government Accountability Office (GAO) has released a Report on Data Breaches that concludes while "breaches of sensitive information have occurred frequently and under widely varying circumstances, . . . the extent to which data breaches have resulted in identity theft is not well known." It further concludes that "should Congress choose to enact a federal notification requirement, use of a risk-based standard could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk."

Some further higher education references in the report:

EDUCAUSE, a nonprofit association that addresses technology issues in higher education, conducted a survey in 2005 on data security at higher education institutions in the United States and Canada. Twenty-six percent of the 490 institutions that responded said they had experienced a security incident in the past year that resulted in the compromise of confidential information." (page 16)
Representatives of the American Council on Education and two other higher education associations stated that while data breaches at colleges and universities were not uncommon, they were aware of little to no identity theft that had resulted from such breaches. (page 23)
7 higher education institutions are identified (although not by name) among the 24 large publicly reported data breaches from January 2000 - June 2005 that were examined by the GAO which included interviews with educational institutions. (page 26)
There are also costs associated with actual notifications - potentially including printing, postage, legal, investigate, and public relations expenses . . . Entities also may incur costs related to staffing call centers to field inquiries from consumers about the breach. For example, representatives of the University of California at Berkeley told us that following a 2005 breach of 98,000 records, the university spent $75,000 in staffing, telecommunications, and other call center costs. (page 34)

The report also makes frequent reference to the President's Identity Theft Task Force Report released in April.

Podcast:: Security Breaches and Identity Theft

gbayne — Tue, 26 Jun 2007 15:05:47 -0500

In this 55 minute podcast, we present a general session from the EDUCAUSE 2007 Policy Conference entitled, “Security Breaches and Identity Theft”. This is a panel discussion moderated by EDUCAUSE Government Relations Officer and Security Task Force Coordinator, Rodney Peterson. The discussion features:

Michael Atleson, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission

Liz Gasster, General Counsel and Acting Executive Director of the Cyber Security Industry Alliance

As Congress strives to pass legislation that would provide a uniform federal law for security breach notifications, a number of related privacy and security policy proposals are under consideration in the Congress and executive branch agencies. This panel will address topics such as preventing misuse of Social Security numbers, requirements for a personal data privacy and security programs, and measures to prevent identity theft.

UCLA Hearing Testimony: "Identity Theft: Innovative Solutions for an Evolving Problem"

vvogel — Fri, 23 Mar 2007 10:50:06 -0500

On March 21, 2007, Jim Davis (Associate Vice Chancellor and Chief Information Officer at the University of California, Los Angeles) appeared before the United States Senate Judiciary Committee's Subcommittee on Terrorism, Technology and Homeland Security Committee to provide his testimony during a hearing on "Identity Theft: Innovative Solutions for an Evolving Problem".

EDUCAUSE Offers Michigan Seminar on Higher Ed Data Security and Privacy Issues (UPDATED)

cluckett — Thu, 22 Feb 2007 12:24:53 -0600

In this one-day seminar, “A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations,” on May 2, 2007, keynote speakers (UPDATED) Rodney J. Petersen, Government Relations Officer and Security Task Force Coordinator, EDUCAUSE, and David Escalante, Director of Computer Policy & Security, Boston College, will outline a blueprint for protecting sensitive data according to the EDUCAUSE/Internet2 Computer and Network Security Task Force. The seminar will be held at Michigan State University in East Lansing. A recent study by the EDUCAUSE Center for Applied Research (ECAR) found that campus security incidents compromised personal information, leading to bad publicity and the potential for identity theft. This seminar will address the steps necessary to protect sensitive data, which include implementing an information security risk management program, data-classification policies, awareness programs, and technology solutions, as well as clearly defining roles and responsibilities.

View the program.
Access the PowerPoint presentation for the seminar.
Register by April 6 for low, early-bird rates; this limited-enrollment seminar tends to fill quickly.
Peruse additional EDUCAUSE resources on Security Management and Data Security.

Tune In August 16: Fight Back Against Identity Theft

cluckett — Wed, 09 Aug 2006 13:55:45 -0500

Tune in August 16 to hear from the FTC's Nat Wood about how you can protect yourself from identity theft and make presentations to your community. Unable to tune in? Listen later by visiting the archives.

Airline passenger's details insecure

StuartYeates — Thu, 04 May 2006 09:14:11 -0500

The Guardian is carryingan article by Steve Boggan on how insecure airline passenger'sdetails are. He paints the US government as the principal underminerof the privacy and security of the individual's information, but Iimagine that a number of organisations on this side of the Atlanticfind access to the information very useful too.