How Do We Preserve and Protect Identity / Identity Theft

From IIW

Session Topic: Identity Theft: How do we preserve & protect identity (medical, financial, social) in the era of big data – where algorithms to detect fraud/surveillance aren’t working.

Tuesday 4B

Convener: Kris Alman

Notes-taker(s): Kris Alman

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Identity theft & big data: how to protect and preserve through policy and technology

Whether taxpayer-related, credit card, or medical, identity theft is financially motivated.

This same problem exists in Europe where the SSN is used as an ID and not for authentication.

The overarching problem is that our identity is overused in transactions; authorization-based access control (such as that used for Bitcoin) takes the person’s identity out of the equation. Cached data should not be bound to the individual. That said, de-identified data can be re-identified (Latanya Sweeney).

Two-factor authentication: an identifier is sent by phone, postal mail, or email and is necessary for the process. Using the postal service is the most expensive. A random sequence generator creates passwords that are temporary.

Algorithms to detect fraud are population-based; they never work well for the individual.

There should be uniformity across states to protect against identity theft.

There will always be potential for fraud; if this occurs through the postal system (mail is stolen), this is a federal offense (the penalty)

Discussed using third parties who authenticate identity for new password authentication using public information. There is potential promise, but the prevailing concern was that attackers who know your history know your data better than you do. This contrasts with proving who you are through shared secrets.

Discussion of whether we are better off with a policy or a tech solution; concerns about regulatory capture.