[Dave Birch] A couple of days ago I was in a discussion concerning the discrepancy between what enlightened experts (eg, me) think about identity management and what governments, civil servants and IT vendors think about identity management. One of the points I made, which I think I can defend, is that the “common sense” notion of identity, rooted in our pre-industrial social structures and pre-human cortex, is not only not very good at dealing with the properties and implications of identity in an online world but positively misleading when applied to system and service design. The fact is that virtual identity and “physical” identity are not the same thing, and they differ in ways that we are only beginning to take on board. Here’s an interesting reflection on the difference between physical and virtual identity.

I used to work on campus 5 days a week, but working at home more has coincided with the advent of blogs and twitter. My professional and personal profile on campus is now much higher than it was when I attended every day, but largely sat in my office, and occasionally ventured out for coffee.

[From Establishing Our Online Identity « Ramblings of a Remote Worker]

Interesting. An online identity in a context that makes it worth more than an offline identity, because it is more connected. The Facebook economy, so to speak. Which leads me on to…

OK, so we all know that a virtual identity can be worth something. That also makes it worth stealing, and it’s much easier for people to steal your virtual identity than your physical identity. I know someone whose laptop was stolen. It wasn’t protected in any way, so when the thief opened it up, they started using it. The passwords to web sites were remembered by Firefox, just as they are on my machine (which is protected, I hasten to add), so the thief logged in to a few sites “masquerading” as the victim. One of the sites was Bebo, and the thief started posting all sorts of horrible messages. Compared to someone stealing a credit card, this is a much worse crime, isn’t it? While Facebook users are undoubtedly becoming better educated about identity, privacy, security and so forth, the lack of any real (ie, not password-based) security for these critical virtual identities make them an obvious focus for criminals. Ever vigilant in the pursuit of new opportunities, the “419” crowd have made Facebook their new frontier. And they are catching people out, taking over Facebook identities and then using them to perpetrate inventive frauds.

A current favourite is the “friend in distress”. If you got a message, via Facebook, from a good friend telling you that they are in Paris and have been mugged and desperately need money quickly and could you wire them $500 immediately, what would you do? Plenty of people send the cash, not suspecting that their friend’s identity has been stolen. It’s easy to do this: you just need the password. And those are easy to obtain: just send out a spam “this is Facebook, we’re just checking our security systems, please log in” message. And when you do find out you’ve been scammed, where do you go?

Facebook was very slow to respond. The criminals switched the email address on his Facebook account, and the email provider was also slow to respond to the fraud reports. Unfortunately, some of his friends fell victim to the scam and sent money with the criminals receiving the funds posing as my friend, and there was not much recourse that could be taken with the money transfer service provider.

[From Mobile Financial Services: Who Provides the Customer Support? | Mobile-Financial.com]

Now this is real identity theft and I think has much more personal impact on the victims than the theft of the money. If someone takes over your Facebook page or your Linkedin page they really have stolen your virtual identity. Not like “stealing” an MP3, where the source still has the MP3 and still has full use of it, or “stealing” your credit card that can be cancelled and reissued, but proper stealing: you are deprived of the use of that identity. It isn’t yours any more. And if you can persuade Facebook to issue you with a new password, how will your friends begin to trust that identity again? It’s a real headache.

If you can’t get control and regain trust, that means you have to abandon that identity and start all over again, building an entirely new online footprint. This is much more important, looking forward, than what we currently see as the “identity theft” problem, which as far as I can see from most reporting is about the tangible subset of identity theft concerned with payment cards.

identity theft is not actually an identity being stolen but is usually a bank/credit card company being robbed and passing off the blame for their own poor security on the victim.

[From Is It ID Theft Or Was The Bank Robbed? | Techdirt]

I wouldn’t go that far, but I would observe that for banks this is about a perfectly reasonable risk management balance, but for (eg) Facebook it isn’t: a bank can easily restore my money, but it’s much harder for Facebook to restore my reputation (apart from anything else, a reputation takes time to build). Which is the worse crime? As in so many walks of life, Shakespeare has already nailed this one:

Who steals my purse steals trash; ’tis something, nothing;
‘Twas mine, ’tis his, and has been slave to thousands;
But he that filches from me my good name
Robs me of that which not enriches him
And makes me poor indeed.
“Othello”, Act 3 Scene 3.

[From William Shakespeare Quotes – Read Print]

Indeed.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

1 comment

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: