Identity management

FROM THE ECONOMIST INTELLIGENCE UNIT

Leading organisations in the post‐9/11 age must tighten physical security while balancing the privacy rights of individuals

In December 2008, a man entered a post office in Maryland and presented a United States Postal Service (USPS) employee with the following documents: an application for a US passport, a New York state birth certificate and a Florida driver’s license. After reviewing the materials – matching the information on the application form to the birth certificate and driver’s license – the USPS clerk accepted the man’s birth certificate and application fee, administered an oath, and told the applicant that the passport would be available within four to six weeks. Four days later, the US State Department issued a passport to the applicant and mailed it to the address on the application form.

The only problem: the applicant had presented a counterfeit New York birth certificate as proof of US citizenship, a bogus Florida driver’s license as back‐up documentation, and the name and Social Security number (SSN) of a person who died in 1965.

The good news is that the aforementioned applicant was an undercover investigator working for the US General Accounting Office (GAO). The bad news is that the passport issued was the fourth this same investigator received using counterfeit or fraudulently obtained documents, such as birth certificates and drivers’ licenses, along with the SSNs of fictitious or deceased individuals, including that of a 5‐year‐old child—even though his counterfeit documents and application indicated he was 53 years old.

Persistent vulnerabilities

According to the GAO’s investigation—a follow‐up to a 2007 report by the agency that detailed the vulnerability to fraud of more than 8,000 passport acceptance facilities nationwide—organisations and businesses, as well as government agencies, have much work to do to ensure that employees, partners and customers are who they say they are. Governments have the most obvious need to verify the identity of their citizens and visitors, but businesses also rely on identity verification to prevent fraud and secure sensitive information.

The US Federal Trade Commission (FTC) estimates that in one year, as many as 10m people—4.6% of the US population—discover that they are victims of some form of identity theft, which translates into reported losses exceeding US$50bn. The FTC receives 15,000‐20,000 contacts per week on a telephone hotline that feeds its centralised database of identity‐theft complaints.

Whether it’s a bank authenticating a customer making an ATM withdrawal, a healthcare company protecting patient records from unauthorised access or a multinational corporation restricting access to sensitive facilities worldwide, ensuring that the right people are gaining access to the right facilities and information is a fundamental business requirement in the post‐9/11 age. Justifying heightened security isn’t difficult when faced with findings such as those in a February report by the Ponemon Institute, a US research firm, estimating that the average per‐incident cost of a data breach in 2008 was US$6.65m.

Terry Hartmann, Unisys Corp’s identity and credentialing global practice lead, says such measures are necessary to instil confidence among business partners and clients. “Accurate identity verification by organisations breeds trust in their customers and is key to the business processes of that organisation,” he says. Organisations need to determine “the appropriate logistics around that. You can’t just assume that taking existing processes and adding technology will [yield] the most success. You need to re‐engineer your business processes and workflows to take advantage of the capabilities that the technology offers you and to deal with situations you might never have had to deal with before.”

Yet, achieving this level of security often means installing expensive equipment, overhauling existing IT infrastructures to enable integration of the data collected by these systems, and changing mindsets among employees, partners and customers who must become comfortable with often strict controls. Security can be too tight, for example, if employees can’t access the company network to do their job because they’ve inadvertently left their smart access card at home, or if a customer‐service representative can’t help an after‐hours caller because security rules limit access to financial data to normal business hours only.

Security vs privacy

Perhaps the biggest obstacle to identity verification is the concern over privacy. Governments’ attempts to verify the identity of their citizens often come under attack, such as complaints about the Real ID Act being implemented by the US Department of Homeland Security (DHS). This legislation requires state‐issued drivers’ licenses and ID cards to meet uniform standards, so they can also be used as credentials for air travel or entry to government buildings and would be linked to a national database. But its lack of privacy protections has received strong criticism even from one of the DHS’s own committees, which recommended that the privacy provisions in the act be reviewed.

Even more irksome to privacy advocates are electronic systems that collect personal information but aren’t capable of capturing instances of identity fraud. The Obama administration, for example, is seeking to make the federal E‐Verify hiring programme – under which employers check employee names and social security numbers against Social Security Administration and DHS databases to root out illegal immigrant workers – mandatory for government contractors. But the programme is only as good as its underlying data: to date, it has seen hundreds of errors – cases of illegal immigrants passing through the programme undetected as well as legal workers erroneously flagged as illegal.

Private corporations also suffer from ‘Big Brother’ accusations when employees and customers believe these companies are collecting too much—or not the appropriate type—of information about individuals, fearing that data will be misused or stolen.

“Security and privacy sort of fight each other, and because of that there has to be a balance,” says Bryan Ichikawa, chief architect and head of Unisys Federal Systems’ Identity and Access Management practice. For example, in the post‐9/11 era, travellers on international flights are probably willing to have their fingerprints taken in exchange for the ability to board an overseas flight, Mr Ichikawa says. On the other hand, the use of fingerprint readers in public schools to control the distribution of lunches is probably not an acceptable trade‐off of privacy for security.

“Privacy doesn’t mean a centralised, Big Brother database of everyone in the world,” Mr Ichikawa adds. “Privacy can be enhanced, for example, by deleting information immediately, once the purpose you captured it for has passed.”

One card fits all

Supporters of identity verification maintain that sound identity management not only aids organisations, but also secures and simplifies processes for individuals who interact with those organisations. The government of Malaysia, for example, has begun enrolling its 23m citizens in an identity card programme to create a single smart card that verifies their identity, replacing multiple documents including drivers’ licenses, ATM cards, healthcare records and travel documents. These identity cards have cut government costs by reducing to one the number of agencies that collect and safeguard identity information about its residents. And the government claims residents are getting faster, more convenient service.

On an even larger scale, the government of India plans to issue unique ID cards to its 1.2bn citizens that will verify each person’s identity and feed that information into a centralised database.

The trust gained from better identity management must flow in both directions, experts say.

“If you have security and trust, and you have the right business processes and policies, then you have the basis by which you can combat identity fraud and you can facilitate customers,” says Mr Ichikawa.

Business and government benefit from trusting that they know who they are doing business with, while individuals must feel that their ID information is safe and not being misused or stored for unauthorised purposes. Greater trust is particularly critical for organisations that collect and store sensitive financial or other confidential information.

Accurate and fraud‐resistant identity verification can help corporations and governments build that trust. But organisations must commit to limiting use of the data collected to the stated purpose and implement best practices for privacy protection to maintain trust among all their stakeholders.

In the end, advances in technology – whether they are more accurate and cost‐effective biometric scanners or more sophisticated, better integrated database software on the back end – can only take businesses and government agencies so far, Mr Ichikawa says. “A lot of folks focus on the technology, but it’s also your business processes … because without the proper policies and procedures in place, the technology all by itself doesn’t work,” he adds.