Security

How we went wrong on identity

Steven Gal says the current ID infrastructure has left consumers annoyed and feeling victimized, and needs to be completely re-engineered.

    After years working on identity and its protection, I've concluded that our identity infrastructure is fundamentally broken--and the Web is what ultimately broke it.

    Thanks to the Internet we have lightning-fast communications, credit, and commerce. Unfortunately, we also have data breaches, identity theft, and obscene amounts of junk mail and spam.

    Consumers are bombarded, victimized, and annoyed. They express great concerns about their privacy and security, yet little is made available to them to protect it. And they only have restricted access to their own identity information held by data brokers, being forced to pay to see it, if in fact the businesses that hold it are even willing to sell it to them.

    Tinkering with the current systems won't fix it. Instead, identity needs to be re-engineered around the demands of its logical owner--consumers--providing them more control, transparency, privacy, and security.

    Our personal information--name, address, date of birth, Social Security number, credit worthiness, buying preferences and patterns, etc.--forms our financial identity, government identity, medical identity, and what I like to call our "marketing identity." As a result of history and technology--as opposed to good design--identity has been functionally divided into these different silos.

    Each silo has its own set of data repositories, its own regulatory and legal regimes, its own data brokers and list providers selling personal data, and its own advocates representing consumers. These silos generally don't follow the same rules, share standards, or communicate with one another.

    My financial identity is actually in pretty good shape. Financial identity is a central focus for most consumers because they interact regularly with their financial identity. They trust their financial institutions, and they have a much better view into their personal financial identity information than they do in any other silo.

    What with all the noise about identity theft and the focus on finance--and specifically credit cards--it may be surprising that, in fact, financial identity works pretty well for consumers, which is no coincidence. I would argue that the financial services industry provides the U.S. consumer with the strongest, most secure and well-managed identity they have--both online and offline. We should carry this industry's powerful ideas of value, portability, responsibility, and trust forward as we begin to re-engineer identity.

    Where consumers' financial identity breaks down is with the data broker middlemen. Within the financial identity silo are the three credit bureaus, Experian, Equifax, and TransUnion. The credit reports they traffic in are critical to consumers, determining availability of credit, employment, and access. Yet credit reports are well known to be full of errors. What's more, they are a popular tool for identity thieves.

    My government identity, however, is pretty broken. The core identity provider in the United States, the federal government, regularly loses, misplaces, and publishes the consumer data it collects. When our government wants to get data on consumers, it buys it from data brokers like ChoicePoint and LexisNexis--somewhat odd because those companies primarily sell public records, which generally originate with the government itself. Notwithstanding the demonstrated lack of security on the part of these companies, government identity--including drivers' licenses and passports--remains our core and most usable set of identity "tokens."

    My marketing identity is today the most broken, controlled by dozens of list and data brokers who make billions of dollars a year selling my personal information to thousands of organizations. They give me no rights to see or affect what they sell, they don't allow me to tell them what I want and what I don't want, and they make it intentionally complex for me to get off their lists. The result is almost 4 million tons of junk mail sent to Americans each year.

    The data broker breaches in 2005 were the watershed event that first shined light on this incredibly secretive industry. Since then, more than 165 million data records of U.S. residents have been exposed due to security breaches. Consumers are vulnerable not only because of what arrives in their mailbox, but because of the thousands of data records holding their sensitive personal information.

    Consumers are starting to wise up, demanding meaningful choice over how and by whom their identity is used. Fixing identity is going to require the efforts of industry, government, and technology leaders, but it requires the consumer to ignite change. It's their identity. They know who they are. They know what they want and what they don't want.

    Heck, just ask yourself.