Controlling your online identity

Interesting that this item, which was first published here almost four years ago, still got around 10,000 readers in 2013. I wonder whether it will sustain that level of interest through 2014.

Geo-location services are very useful, helping you find a post office, an ATM, or a decent restaurant, or hook up with friends. They are commonly used in conjunction with smartphones and other mobile devices that report your location (derived from mobile-network coordinates or the global positioning system, GPS) back to the operator of a given service.

Location-based services also represent a security threat, especially if you feed your whereabouts to the likes of Foursquare and other social networking sites that can be set to publish your status, and with it your precise position, to all and sundry in near real time. Now a new security awareness site, going by the ironically informative name PleaseRobMe.com, demonstrates the hazard inherent in location-based services. Its strapline proclaims that it is “Listing all those empty homes out there”, and in interviews this week its owners have been telling the media that they are not helping burglars but warning users about revealing too much about themselves on the networks.

This latest debacle, if you can call it that, highlights once again that individuals are not necessarily aware of the privacy and security issues that come with revealing personal information and their identity online. Some observers have suggested that digital identity will be “the next big thing”. One can imagine that it will be, especially as governments, businesses, healthcare organizations and others increasingly require us to prove our identity digitally when we access their services online. But wherever there is a lock guarding something precious, there is someone who will set out to pick it.

If you’re not worried about privacy, check out these sites to see what systems can find out about you without your even logging in: the EFF’s Panopticlick experiment, and “Web tracking: what the internet knows about you”.

Hence identity management, known in the “industry” as IdM, is an ever more important aspect of one’s online persona for joining, interacting with, and leaving countless systems. There are numerous protocols available, such as OpenID and OAuth, that allow you to log in to one service on the strength of a prior login at a trusted third-party site. Strictly, OpenID handles authentication (proving who you are) while OAuth handles delegated authorization (granting one site limited access to your account on another), though the two are often bundled behind the same “sign in with” button.

Researchers in the UK explain that IdM could be reaching crisis point. “There is overwhelming evidence that current IdM is failing us,” says Mark Pawlewski of Loughborough University and colleagues. Pawlewski is a Principal Researcher working for BT Innovate and Design.

Countless websites require registration and logins, and users are now faced with the task of remembering dozens of usernames and passwords or else suffering “password fatigue”, whereby they resort to insecure practices such as using the same username and password combination on multiple sites, so that a single breached site hands an attacker the keys to all the others. The researchers have an explanation for the IdM problem:

At the root of the problem is the fundamental flaw that the internet was not designed, but evolved without a uniform system of digital identity in place. There have been numerous attempts to solve this problem, such as Microsoft Passport, but many of these have failed leaving a scattering of inconsistent, ad hoc, partial solutions.

One of the challenges is to give users immediate access to a site where they have not already registered but do meet its requirements for access, e.g. being over 18 years of age and possessing a valid credit card. OpenID (and others such as CardSpace and Liberty Alliance) goes part way to addressing this, as do the linkage systems employed by Facebook apps and similar schemes that let one comment on some blogs using Facebook or other credentials. However, it would be foolhardy to trust a Facebook app with the login for one’s bank account. An Identity Provider (IdP) that mediates between users and websites, and that both sides can actually trust, is clearly needed.
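The trust question raised above, how a website that relies on an Identity Provider can tell a genuine login assertion from a forged or replayed one, is easier to see in code. The following is an added example written for this page, not code from the original post, from the cited paper, or from any OpenID or OAuth library. It is loosely modelled on the shape of an OpenID 2.0 positive assertion signed with the HMAC key the two sites share, but the field set, the key-value encoding, the example key and the URLs (idp.example.net, rp.example.com) are simplified assumptions, and all inputs are constructed test data. It shows the checks a relying party must make before believing who the user is: that the signature covers every field it acts upon and verifies, that the assertion names the expected IdP and is addressed to this site, and that its nonce is fresh and has not been seen before.

```python
"""Relying-party checks on a signed login assertion from an Identity Provider.

Added illustration: not code from the original post, the cited paper, or any
OpenID/OAuth library. Loosely modelled on an OpenID 2.0 positive assertion
(HMAC-SHA256 over the key-value form of the fields named in 'signed'); the
field set and encoding are simplified assumptions, not a conformant
implementation. Standard library only.
"""
import base64
import calendar
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample values: the key this RP shares with its IdP, and what a
# genuine assertion must say about the IdP and about us (both assumptions).
ASSOC_KEY = b"constructed-shared-association-key-not-for-production"
EXPECTED_OP = "https://idp.example.net/openid"              # assumed trusted IdP
EXPECTED_RETURN_TO = "https://rp.example.com/login/return"  # assumed RP callback
MAX_SKEW_SECONDS = 300
NONCE_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # timestamp prefix of response_nonce


def kv_form(fields: dict, signed: list) -> bytes:
    """Canonical 'key:value' lines for the signed fields, in the order listed."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


def sign(fields: dict, key: bytes = ASSOC_KEY) -> str:
    """IdP side: MAC the listed fields with the shared association key."""
    mac = hmac.new(key, kv_form(fields, fields["signed"].split(",")), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_assertion(claimed_id: str, now: float, return_to: str = EXPECTED_RETURN_TO,
                   op: str = EXPECTED_OP, key: bytes = ASSOC_KEY) -> dict:
    """Build a signed positive assertion as the IdP would (constructed test data)."""
    nonce = time.strftime(NONCE_TS_FMT, time.gmtime(now)) + "x7Qk2"
    fields = {"op_endpoint": op, "return_to": return_to, "response_nonce": nonce,
              "claimed_id": claimed_id,
              "signed": "op_endpoint,return_to,response_nonce,claimed_id"}
    fields["sig"] = sign(fields, key)
    return fields


class SeenNonces:
    """Replay cache; a real RP would persist it and expire entries past MAX_SKEW_SECONDS."""
    def __init__(self) -> None:
        self._seen = set()

    def first_use(self, nonce: str) -> bool:
        if nonce in self._seen:
            return False
        self._seen.add(nonce)
        return True


def verify_assertion(fields: dict, nonces: SeenNonces, now: Optional[float] = None,
                     key: bytes = ASSOC_KEY) -> Tuple[bool, str]:
    """Return (True, claimed_id) or (False, reason). Nothing in the assertion,
    not even the IdP's own address, is trusted until the signature checks out."""
    now = time.time() if now is None else now
    for name in ("signed", "sig", "op_endpoint", "return_to", "response_nonce", "claimed_id"):
        if name not in fields:
            return False, f"missing field {name}"
    signed = fields["signed"].split(",")
    if any(k not in fields for k in signed):
        return False, "signed lists an absent field"
    # Every field we act on must be under the signature, or an attacker could
    # edit it, or drop it from the list, without invalidating sig.
    for name in ("op_endpoint", "return_to", "response_nonce", "claimed_id"):
        if name not in signed:
            return False, f"{name} not covered by signature"
    expected = hmac.new(key, kv_form(fields, signed), hashlib.sha256).digest()
    try:
        given = base64.b64decode(fields["sig"], validate=True)
    except ValueError:
        return False, "sig is not base64"
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return False, "bad signature"
    if fields["op_endpoint"] != EXPECTED_OP:
        return False, "assertion from unexpected IdP"
    if fields["return_to"] != EXPECTED_RETURN_TO:
        return False, "assertion not addressed to this RP"
    try:
        issued = calendar.timegm(time.strptime(fields["response_nonce"][:20], NONCE_TS_FMT))
    except ValueError:
        return False, "malformed nonce timestamp"
    if abs(now - issued) > MAX_SKEW_SECONDS:
        return False, "stale assertion"
    if not nonces.first_use(fields["response_nonce"]):
        return False, "replayed assertion"
    return True, fields["claimed_id"]


def demo(now: float = 1_700_000_000.0) -> dict:
    """One genuine assertion and five hostile variants; maps scenario -> verdict."""
    nonces = SeenNonces()
    good = make_assertion("https://alice.example.org/", now)
    out = {"valid": verify_assertion(good, nonces, now)[1],
           "replay": verify_assertion(good, nonces, now)[1]}
    out["tampered"] = verify_assertion(dict(good, claimed_id="https://mallory.example.org/"),
                                       SeenNonces(), now)[1]
    out["stripped"] = verify_assertion(dict(good, signed="op_endpoint,return_to,response_nonce"),
                                       SeenNonces(), now)[1]
    other_rp = make_assertion("https://alice.example.org/", now,
                              return_to="https://other-rp.example/return")
    out["wrong_rp"] = verify_assertion(other_rp, SeenNonces(), now)[1]
    out["stale"] = verify_assertion(make_assertion("https://alice.example.org/", now - 3600),
                                    SeenNonces(), now)[1]
    return out


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:9s} -> {verdict}")
```

Running it prints the verdict for the genuine assertion and for each hostile variant: a tampered claimed identity, a field dropped from the signed list, an assertion minted for another site, a stale timestamp, and a straight replay. The order of checks is deliberate: the signature is verified before any field is read, the comparison is constant-time, and the replay cache is only updated once everything else has passed.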

But there are only a very limited number of IdPs around, and they provide very limited functionality; certainly none is yet at the level of trust needed for the average user to connect with the e-commerce sites they use, such as amazon.com, their online banking, or even all of their social media and networking accounts, from Facebook to Twitter via LinkedIn.

Unfortunately, preserving the status quo is the approach adopted by sites and internet service providers. After all, creating an IdM system and trusted IdPs will not be cheap, and it will also face resistance from the millions of internet users happy to create yet another username and password. At bottom, it is a matter of preventing fraudsters from getting a key to unlock one’s virtual valuables.

If service providers keep fraud at an “acceptable” level, then the status quo will persist. However, if there is a surge in identity fraud whose costs outweigh the necessary investment in IdM, then we might just see the emergence of a system that is simple, secure and safe. In the meantime, keep up the good work with those complex passwords, and don’t tell everyone on the internet when you’re heading out the door; if you do, you might as well not lock up.

So, how do you take control of your online identity? Well, there’s lots of advice out there; this post from Liverpool University says it well.

T. Martin, C. Durbin, M. Pawlewski & D. Parish (2010). Future vision of identity. International Journal of Liability and Scientific Enquiry, 3(1/2), 86-98.