Where you don’t need identity, don’t use it

[Dave Birch] Surely a guiding principle of an identity management system should be that it only uses identity when it is absolutely necessary to the transaction at hand — a rather obvious way to cut down on identity abuse and misuse is to stop using identity.  The overwhelming majority of day-to-day transactions do not require identity at all: they are about entitlement.  There are two rather obvious examples of this, that ought to be some kind of litmus test for identity schemes: proof of age and retail payment.
The grocer, the butcher, a cabinet maker and several other members of the town’s Mennonite community are planning to move to Arkansas over a Missouri requirement that all drivers be photographed if they want a license.
The Mennonites — a plain-living sect whose members are similar to the Amish, but usually more worldly — say the 2004 law conflicts with the Biblical prohibition against the making of “graven images.”The grocer, the butcher, a cabinet maker and several other members of the town’s Mennonite community are planning to move to Arkansas over a Missouri requirement that all drivers be photographed if they want a license.
The Mennonites — a plain-living sect whose members are similar to the Amish, but usually more worldly — say the 2004 law conflicts with the Biblical prohibition against the making of “graven images.”

Technorati Tags: credit cards, identity, security

I was thinking about this and remembering a story I saw on Phil Windley’s Technometria.  It was about a student in Utah who was refused entry into a bar because the bar owners believed that his "non-drivers licence" wasn’t an acceptable form of identification.  As Phil notes, the response from the Utah Department of Alcoholic Beverage Control (UDABC) is an interesting look at identification policy: state law doesn’t say that such bars need to check identification cards, it says that they shouldn’t sell to people under 21.  How bars establish whether you are under 21 is immaterial: thus, if your smart identity application in your mobile phone (for sake of argument) can prove that you are over 21 then it does not need to provide who you are or anything else about you.  Using a passport or driving credential or anything else increases the potential for identity theft because more people know who you are.

As an aside, there are people who don’t want to carry photographic identity, because they don’t want to photographed.  Such persons — in this case a U.S. Mennonite community who are planning to move to Arkansas over a Missouri requirement that all drivers be photographed if they want a licence — may be a niche, but they are an interesting niche: why shouldn’t they be able prove that they are over 21 without having to prove who they are? The Mennonites take seriously the Biblical prohibition against the making of “graven images” but this presumably does not extend to fingerprints (or voice prints or whatever) so there are ways of connecting entitlement to strong authentication of the individual.

Anyway, back to guiding principle: let’s get identity out of transactions that don’t need it.  Here’s someone who’s having a go: Steve Case (of AOL fame) is launching a new credit card to compete with Visa and MasterCard.  The new "GratisCard" aims to offer consumers and retailers better security.  They think that Visa and Mastercard cards are prime targets for thieves because they have an owner’s name and account number stenciled on the front. GratisCard is anonymous (well, strictly speaking, pseudonymous) because the cards display only a 16-digit verification number.  Although to be honest, retailers are probably more interested in the 0.5% interchange and their plan to eliminate interchange altogether (according to Jason J. Hogg, the CEO).  GratisCard, whose merchant-branded product can be used online as well at the point of sale, plans to work with bank issuers, acquirers, and independent sales organizations to help it reach merchants and consumers.  It comes with a customer loyalty programme that includes instant rewards, something that Aneace often talks about.  Anyway… Avivah Litan, an analyst at Gartner, says that:

"The GratisCard uses simple technology to make the cards anonymous and render the card data useless even if it is stolen," she said. "It is a living proof of concept that Visa and MasterCard could do the same thing if their member banks were willing to spend some money upgrading their card technology for the sake of tighter security."

I’ve spoken about this often: I want my bank to send me a chip and PIN debit card with no stripe, no embossing, no name or number printed on the front and no name coded in the chip.  Just let me upload any old picture I like and put that on the card.  Then if someone finds it, or steals it, they can’t use it to commit identity fraud because they cannot deduce my identity from it and they can’t use the details to make counterfeit magnetic stripe versions.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]