Identity is currently a hot topic in the IT security field, and the ability to accurately identify the persons accessing systems and networks is a key component in apprehending and prosecuting cybercriminals. I have begun a multi-part series of articles for Windowsecurity.com that attempts to delve deeply into the subject of identity - what it is (and isn’t), the history of identity authentication, and identity management solutions for today’s organizations.
Evolution of online identity expectations
In the early days of the Internet, online and offline identities were often kept separate. Anonymity was more commonplace. When using online services such as AOL and CompuServe, most users went by “screen names” or “handles” and knew each other only by those pseudonyms. There was far less expectation that others would reveal their true identities. Some services allowed users to create multiple screen names for one account, so that even if you knew BigJohn233 was really John Smith down the street, you might not know that he also logged on and communicated with you as LoneRanger420.
It was much easier to keep your real identity a secret in the online community then because expectations were different. That community was much smaller and its demographics were different. After the Internet went “mainstream,” sometime in the 1990s, most workplaces adopted email. Those work email accounts usually contained (or at least were based on) the users’ real names. John Smith might still be able to retain a bit of anonymity by getting lost in the crowd of others with the same name, but those of us with less common names had no such luck (just try finding another Debra Shinder, online or off).
Of course anyone who wanted to could still create separate email accounts that don’t reveal their names, and the proliferation of web mail services makes that easy. Many people do - but as online communications became the norm, in many cases replacing traditional forms of communication, use of obvious pseudonyms began to be frowned on in many circles as “unprofessional.” Those who hid behind monikers were regarded with suspicion. The increasing incidence of cyber scams led Internet users to become less trusting.
By the time social networking started to replace email as the favored means of communicating online, those sites recognized the problems that could arise out of easy anonymity and set policies requiring their users to use their real names, and limiting the accounts to one per person. A quick perusal of the names on Facebook or Google+ will indicate that not everyone conforms to those rules, but the services have been known to remove accounts that were obviously violating those policies.
While the intent of the “real name” policy - to deter scams and keep the quality of discussion high - is good, it has unintended, and not so good, consequences. In some countries, people who make public comments critical of government or other authorities may be in real physical danger of repercussions. In other, less dire but frustrating cases, people were prevented from using the names by which they’re well known to the world.
As a result of the complaints over the policy, Google+ relented and revised their policy to allow some nicknames, maiden names, established pseudonyms and names in non-Latin scripts.
And that’s where it stands today. Although many, many people still attempt to hide their identities online, it’s getting increasingly difficult to do so. Anonymizer services and IP spoofing can slow down or prevent tracking of online communications to find the identity of the owner, but most people don’t go to that much effort.
The roles of identity in cybercrime
When it comes to cybercrime, identity comes into play in different ways. Cybercriminals steal the online identities of others for different purposes. They may do so to mask their own identities and deflect responsibility for their actions (which can result in the identity theft victim becoming a suspect or even being arrested for crimes he/she didn’t commit). Or they may steal others’ identities in order to obtain access to the victim’s resources (which allows them to use the victim’s credit to open accounts or make purchases, to steal money out of the victim’s bank accounts, etc.).
The law enforcement community is focused on catching the bad guys, and thus they would prefer that all anonymity be done away with completely, just as they prefer that everyone be required to carry official ID on their persons out there in the “real world,” and for the same reason: it would make their jobs easier. Privacy advocates would prefer that none of our online activities be traceable unless we choose to explicitly make them so, because that would reduce the chances that the tracking information would be abused, whether by the government wanting to control us, by corporations wanting to profit from us, or by individuals wanting to find us for nefarious reasons. Cybercriminals’ ability to easily uncover a person’s real identity from that person’s online postings make the criminals’ jobs easier, too.
Verification of online identity has become much more important because we now conduct so much business over the Internet. When going online was just about casual chatting, playing games, and browsing the web, identity mattered much less. Now we engage in all sorts of transactions, buying merchandise, making travel arrangements, doing our banking, paying our bills, and so forth. We have to do those things as our “real selves.” There has been talk about even allowing online voting in elections. All of this means we have to provide a means for those with whom we do business or interact officially online to verify that we really are who we claim to be. However, doing so means putting our credentials “out there” where they’re at risk of being intercepted by cybercriminals and used for their own illegal/fraudulent purposes.
Yet another way that identity is involved in cybercrime relates to the psychology of online interactions. Some people heavily compartmentalize different aspects of their personalities and for some of them, this is manifested as an online persona that’s very different from the one that they present to the “real world.” Such people may engage in behavior online - ranging from merely unpleasant/obnoxious to criminal - that they would never engage in offline. This dissociation makes it easier for them to justify their actions and in some cases may make it more difficult for law enforcement to track them down.
Is mandatory centralized identity management the answer?
There are many different online identity management solutions available and in use by various large companies, governmental entities and other organizations. These use different technologies and aren’t generally compatible with one another. The situation is a bit like the state of offline identification credentials in the United States, especially prior to September 11, 2001, with each state issuing its own driver’s licenses or ID cards. The issuance process varied widely from state to state and it was relatively easy in some jurisdictions to obtain an official government ID without really providing much (or any) proof of identity.
After the terrorist attacks, Congress passed the Real ID Act, which imposed federal standards and requirements on the states for issuance of driver’s licenses and ID cards. States must be in compliance by January 15, 2013. However, there has been a great deal of opposition to this legislation, with opponents arguing that it effectively turns state driver’s licenses/ID cards into de facto national ID cards, which would make it easier for the federal government to track ordinary (non-criminal) citizens and easier for identity thieves to steal identities, in addition to costing the states billions of dollars.
Some have suggested a centralized identity repository and identity management system for online identities, to be operated by the federal government. Last year around this time, CBS News reported that President Obama was planning to give the Commerce Department authority to create Internet IDs for all Americans. Although the Commerce Department Secretary assured us that the program would be completely voluntary and “there’s no chance that a centralized database will emerge,” privacy advocates are not so sure.
In April, the White House released its National Strategy for Trusted Identities in Cyberspace, which outlines its strategy for “making online transactions more secure for businesses and consumers” through a collaboration between public and private sector entities.
In the U.K., banks and credit card companies are working with the government to create a new online identity service through the Midata project.
In the U.S., some states have already created online identity management systems. The California DMV partnered with IBM on an identity service for authenticating users to access their driving records and vehicle registration information, and it has been more popular than expected.
Meanwhile, NIST (the National Institute of Standards and Technology) has made $10 million available in funding for research projects to resolve the problems associated with building a trusted online identity ecosystem.
The inevitable evolution of online identity
The direction in which we’re heading seems obvious. Just as we’re required to provide proof of identification for more and more interactions in the offline world, it’s likely that we’ll see the same trend online. I remember when I didn’t have to show my driver’s license or passport to get on a plane, but those days are far behind us. I don’t think it’s too far “out there” to imagine that one day, it will be illegal to log onto the Internet without providing proof of identity.
Is that a good thing or a bad thing? It might make it easier to track cybercriminals - but that will come at a cost. It will be up to our society to decide whether the cost is too high.
What are your thoughts on online anonymity vs. identity verification?