The ID Space

We’ve officially joined the twitterverse or twittersphere, or whatever you prefer to call the land of twitter (In case you are still learning the lingo like me, check out this twitter dictionary)

We don’t have many followers yet, but you can help change this by clicking “Follow me” on our twitter profile (not a tweeple yet?  Join here) and start to follow our tweets.  And if you send @idology a tweet, we’ll try to follow you back!

One of the biggest misconceptions we are constantly addressing is the confusion between shared secret questions and dynamic knowledge based authentication questions. And this week’s IEEE Symposium on Security and Privacy isn’t helping to clear up the confusion since Microsoft and Carnegie Mellon University are showing that the secret questions used to secure the password-reset functions of a variety of websites aren’t safe.

I’ve long preached the dangers of shared secret questions and how easily it is to guess the answers. The problem is as consumers we usually pick questions with answers that are easy to remember, which as it turns out we tend to forget anyway according to this article about the study:

The study found that secret questions fall short on both accounts. Even for the most memorable questions–Yahoo’s, as it turned out–the participants forgot 16 percent of the answers within three to six months. Overall, one out of every five people forgot all of the answers to their secret questions, the researchers found.

Just the other day I was discussing the psychology of shared questions with a colleague and how difficult it is to remember the precise way I may have answered a question. The real problem is that most of the answers to shared questions can be guessed – especially with the increase of Facebook and other social networks. In social networks, we are sharing more and more personal information about ourselves with our friends without really realizing that this information can easily be used against us by a fake “friend” to hijack any number of our accounts including bank accounts, emails and even our social network profiles!

But while I agree that shared questions aren’t really safe, dynamic KBA solutions do—and are – working to stop fraud and id theft. What’s the difference you ask? Well, dynamic KBA solutions present questions for you to answer to identify that you are who you say you are but the difference is you never picked the question and provided the answer. These questions are dynamically generated in real-time based on your personal history and are more detailed about things like places you’ve lived, people you know, or cars you’ve owned. The best thing is they are easy for you to remember but difficult for anyone else to guess.

Of course, the real issue and way to solve the problem is to eliminate passwords altogether which is what Information Cards is all about but given this is still in early-adoption, I’ll simply refer you to the Information Card Foundation to learn more.

And just in case you are still confused about dynamic KBA questions, I’ll refer you on to this whitepaper which addresses 10 of the most common misconceptions associated with identity proofing and KBA.

Spending the week in sunny San Fran for the annual RSA security conference.  A great kick-off to the conference was the Liberty Alliance Workshop that took place yesterday called “Harnessing the Power of Digital Identity.”  We’ve been involved in the Information Card Foundation since it was formed and have been a leader in helping to establish Trusted Identities online for several years now.  It was exciting to see the launch of the new Information Card Foundation website that coincided with the workshop.  And it’s great to see the real-world use cases of Information Cards in the market being featured both on the site and during the workshop.  I definitely recommend that you download and read the whitepaper on the site titled “The Information Card Ecosystem: The Fundamental Leap from Cookies and Passwords to Cards and Selectors”.  It was authored by Craig Burton (one of the founders of the Burton Group) and gives a good overview of Information Cards and what it all means to users, relying parties and identity providers alike.

Wow, it’s hard to believe that 6  months has gone by since non-banking related creditors and some credit unions got a reprieve from the Nov 1 Red Flag Regulation deadline. Now the question is – are you ready?  I’m betting there are still a few companies that must comply that are still confused and think it doesn’t apply to them.  I read a great article from BankInfoSecurity which does a good job of explaining who needs to comply:

Broder says the covered entities, no matter what their size, must design and implement a written identity theft prevention program. The rule is not based on what kind of information a business collects, but whether it is a financial institution or a creditor. “A creditor is broadly described as anyone who defers payment on a debt, or anyone who defers payment on goods or services,” Broder says.

Under the ID Theft Red Flags Rule a creditor is:

• Any entity that regularly extends, renews or continues credit;
• Any entity that regularly arranges for the extension, renewal or continuation of credit;
• Any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.

Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. But creditors do include:

• Finance companies;
• Automobile dealers;
• Mortgage brokers;
• Utilities;
• Telecommunications companies.

Even healthcare providers who defer payment (provide credit) for patients also fall under the creditor status, according to the rule. Any interaction where a consumer is not paying up front would make the business a creditor. “So in the healthcare context, even where a consumer offers insurance (that would normally cover the bill), if the patient is still ultimately responsible for medical fees not covered by insurance, then that hospital or doctor’s office would be considered a creditor,” Broder says.

Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors. Most creditors, except for those regulated by the federal bank regulatory agencies and the National Credit Union Administration (NCUA), fall under the FTC’s jurisdiction.

The article also points out that the FTC has set up a dedicated website on ID Theft Red Flags which includes a how to guide which at quick glance looks very helpful.   And you can you can still get our guide to see how identity verification plays an important role.

If you’ve been procrastinating or only just realized you need to be compliant, don’t fret.  The good news is we can help you be ready in time.

So I stumbled on some news from a European company called MyID.is and their Paypal approach to help consumers tie real world identities to their virtual world identities.  While the concept is interesting, I somewhat question its ability to scale.  Although it seems to be working in Europe, in our instant gratification world where we want instant access, instant results, instant feedback, I wonder if the majority of U.S. consumers would be OK in waiting for snail mail to get their registration code?

MyID.is could easily automate this process by incorporating electronic identity verification which would lend to a more automated approach to sending the registration codes (like through email or text message)

Then again, there might be one argument for not automating the registration code process if they ever launch in the United States– the Post Office might not have to cut back to a 5 day delivery schedule!

Interesting article in the Washington Post last week about joining Facebook when you have an unusual name like Batman, Pancake or Six.  Given this social networks “real identity” focus, I understand their wanting to be sure that unusual names are real and not someone trying to set up fake profiles.  And while I’m sure the circumstances of unusual names are minimal compared to their 175 million plus members, this is just another good way identity (and age) verification can help prove an identity exists in an easy, friendly and cost-effective way.  Facebook could quickly reduce the time and effort of manually reviewing unusual names by automating the process with identity verification.  Plus they’ll get the added benefit of a few more satisfied and happy members!

Tune in next time, same bat-channel.

Well after the recent news about 90,000 sexual predators being removed from MySpace (before the Task Force issued their Report, MySpace only admitted to removing 25,000) and the most recent sexual predator sex ring bust on Facebook that involved 31 students and an 18 year old man, I can’t help but reiterate our position that the Final Report’s conclusions were misleading. Again, here are two reasons why:

1.  The scale of SNs were not taken into account. In fact, the article about the sexual predator on Facebook points this out in context to the percentage of impersonation schemes:

(In a somewhat bizarre twist, Facebook responded to news of the sex ring by stating that fewer than 1% of its 150 million users are affected by impersonation schemes. So, around 1.5 million people. Not exactly a confidence-inspiring statistic.)

2.  The Final Report downplayed the issue of “sexual predators” by focusing on the fact that the stereotypical image of an adult predator was a middle aged man. In fact, as we pointed out in IDology’s member statement to the Internet Safety’s Task Force Final Report:

the research indicates that 54% to 57% (more than a majority) of sexual solicitors are either over the age of 18 or their age could not be determined.

Interestingly is Facebook’s update to its Terms of Service:

…. rewording many of its rules to make them easier to understand and explicitly prohibiting some common transgressions, like including false information in profiles or creating fake accounts. But there was one far more timely addition: “If you are required to register as a sex offender in any jurisdiction, you may not use the Facebook Service.”

Certainly this is a step in the right direction but the only way to know if an adult is creating a fake account is to ID and age verify them. Given Facebook’s real-life focused mentality (meaning most people create accounts on Facebook to connect and keep in touch with their friends and family), it’s a great Social Network to test ID verification and age verification. And I hope all Social Networks will strongly consider the applications for such a technology and quickly put it into practice.

It’s been a few weeks since the Internet Safety Technical Task Force released its Final Report and the media coverage keeps coming. It’s no secret that IDology had some comments/objections with the Final Report which apparently from this article in the Wall Street Journal so did the Attorneys General. You might also want to check out this Washington Post article which also gives an overview to some of the controversy over the Final Report including disagreements from other Task Force members who aren’t involved with providing identity and age verification solutions in case you might find our opinion biased.

Some of the articles I’ve read discuss “age verification” as “not offering substantial help in protecting minors from sexual solicitation.” I think it’s important to stress that the evaluation of “age verification” that the Task Force’s Technical Advisory Board conducted included many solutions classified as “age verification” technologies including a biometric device and also a vetting process that included schools and the information on their students. As you read articles or see people speaking on the subject of age verification, be careful to recognize that in many cases the issues they are discussing are based on attempts to age verify a minor, which our solution is not designed to do. Remember that the data available on minors is strictly protected. Which is why we suggested the walled garden approach – because age and identity verification can be (and is already) used to verify anyone 18 or older.

Creating distinct communities for minors and adults is a logical step that Social Networks have already done. They just need to enforce it and the first step toward enforcement is starting to verify the id and age of their adult members.

On December 17, 2008 we submitted a supplemental Member Statement to the Internet Safety Technical Task Force’s Final Report. The report was delivered to the Attorneys General on December 23 and made public today. The final report was not a consensus document and the Member Statements served as an avenue for us to state our comments and/or objections in a one-page format with a link to additional information if needed. This blog post is dedicated to expanding on the points we presented in our Statement as well as to address the reoccurring arguments we heard from certain Task Force Members this past year.

Our original Statement can be found in Appendix F of the Final Report and is as follows:

Statement Regarding the Internet Safety Technical Task Force’s Final Report to the Attorneys General

IDology, Inc finds issue with the Final Report and recommendations regarding the use of identity verification (IdV) and age verification solutions because:

• There are several technologies that exist that can help keep kids safe when used in a layered approach
• Policies of Social Networking Sites (SNS) rely on age and identity segmenting to protect minors and restrict content access as outlined in Appendix E of the report yet the verification processes are ineffective
• Terms of Service for most SNS require members to register with true and factual information about themselves making identity verification feasible
• Identity and age verification is commercially reasonable and being used today in numerous commercial applications including verification pursuant to government regulations
• The recommendations were developed around the perception that there is minimized risk to minors based on research; however, the scale of SNS is not taken into context so that even a small percentage of risk translates into millions of people
• The researchers admittedly report that there are limited numbers of large-scale studies and that there is no research regarding the online activities of registered sex offenders which was one of the major areas the Task Force was to study

Using IdV and age verification helps protect kids from 2 of the 3 threats the report outlines including sexual solicitation and access to problematic content.  Overall IdV and age verification:

• Is commercially reasonable and verifies individuals 18+ that are legitimate identities
• Provides a higher knowledge-based authentication method to verify someone is who they claim to be which is proven and effective today in helping businesses prevent fraud and identity theft in multiple industries
• Can help law enforcement locate an individual if there is inappropriate behavior from an adult toward a minor
• Separates adults from minors and prevents minors from accessing restricted content

Using IdV and age verification is a policy decision not a technology issue.  The Task Force agrees that IdV is effective in certain environments; however it did not adequately discuss ways technologies and policies could be layered together and used to reduce risks to children.  The Task Force does not provide best practices to solve the problem we were charged with examining and the report is based on limited research.  The report criticizes effective technologies while promoting the limited steps SNS have taken.  There is clearly much more work and vigorous discussing needed.  For more information on IDology’s position, visit www.blog.idology.com tag word MySpace or Internet Safety Technical Task Force.

While our Statement concisely captures our points, we want to expand upon our comments related to the Final Report:

1. The Task Force took the approach of looking for point solutions that would be the silver bullet to the issues of online safety for our children. The Task Force did not take the more logical step of determining how layering technologies could improve online safety by supporting the steps that Social Networks have taken or should take.
2. There is limited large-scale research and no research available on sexual predators online activities. The Final Report attempts to minimize the risks to minors from sexual predation and does not factor in the scale of Social Networks which we know is immense.  Further this minimized risk is based on statistics from studies which state: “Youth identify most sexual solicitors as being other adolescents (48%; 43%) or young adults between the ages of 18 and 21 (20%; 30%), with few (only 4%, 9%) coming from older adults and the remaining of unknown age (Finkelhor et al 2000; Wolak et al 2006).”  First these are studies that were completed before the accelerated growth of certain Social Networks.  Second, the Final Report’s emphasis on the “few” older adults is understating the issue as the above numbers indicate that 54% to 57% (more than a majority) of sexual solicitors are either over the age of 18 or their age could not be determined.  Given the limited large-scale research available, the lack of actual research relating to sexual predators online activity, the scale of Social Networks (MySpace indicates that its site has 122 million monthly active users) and that the majority of sexual solicitors are over the age of 18 or their age could not be determined, there is still substantial research to be done before a conclusion can be determined on the extent of online sexual predation on minors.
3. Age and identity verification is commercially reasonable technology that is being used today in social networks to create walled gardens by separating adults and minors.  An example includes SecondLife (operated by Task Force Member Linden Lab) which is using a third party to verify age.  And some Social Networks highlighted in Appendix E including MySpace and Facebook, already rely on age and identity segmentation for their members but use ineffective verification processes including relying on the honesty policy.  An example of current age and identity segmentation on these sites can found in Appendix E where MySpace states that it “restricts the ability of younger users to access age-inappropriate content.  For example users under 18 are denied access to age-appropriate areas such as Romance & Relationship chat, forums, and groups:  all groups designated as Mature; and Classified categories such as Personals and Casting Calls.“
4. No Best Practices and Recommended Guidelines were provided to solve any portion of the problem, even though several technologies exist and can be layered together to address certain issues the Task Force was formed to examine.

While most agree there is no silver bullet to address all the issues, this fact proved to be detrimental.  A “it is not effective to police the whole Internet” approach was taken versus a “what baby steps can be taken today to improve online child safety in Social Networks” approach to determine ways in which technologies could be used together today to address a portion of the problem.  Starting at a baseline that not one solution solves all problems, we believe the Final Report would have been more useful to Social Networks and law enforcement had we examined different risk scenarios and discussed ways technologies could be used versus looking at each technology in a silo.   For example, creating a walled garden by using identity and age verification to establish an “adult” garden separates the pool of members.  This approach combined with moderation, filtering, access controls that some Social Networks have already implemented, and education of minors and adults is a step toward a solution.

During the year, IDology presented to the Task Force the ways identity and age verification work and how this technology keeps kids safe.  Our presentation focuses on how age and identity verification is being used today in social networks and in other industries.  Over the course of the year, we heard several arguments related to the use of identity and age verification which we feel are important to address again:

1. “Not international in scope” - several countries are addressing the issue of age verification and the Task Force did not evaluate what other steps or regulations have been established in other countries in its analysis.
2. “Costs of making widely available to the public” - identity and age verification has a cost associated with it for Social Networks.  There is no economic impact on consumers unless the site charges a premium for its  verification service.  Some Social Networks have taken this approach in regard to restricting access to adult related content.  It is our belief that cost is the white elephant in the room as to why certain Social Networks choose not to use identity and age verification to verify their adult members.  As with a bricks and mortar company, age and identity verification is a cost of doing business.
3. “It is invasive and violates privacy issues” - identity and age verification requires minimal information from the consumer most of which is already being captured by most Social Networks.  Results of verifications are limited to the validation of the claim versus sharing data.
4. “Prevents anonymity” - providing anonymity should be supported through profile settings and screen names.
5. “Kids can fool the system” - a higher level of verification such as dynamic knowledge-based authentication prevents members from joining using someone else’s identity credentials.  This is a technology that is being used today to stop fraud and identity theft and is a compliance requirement in some industries.
6. “It doesn’t verify kids” - the limitations of any age verification solution are based on the availability of data and where minors are concerned this data is protected.  However, identity and age verification does identify adults and can be used to establish an adult walled garden community with fewer restrictions related to content and activities.  Several Social Networks are already doing this including Task Force Member Linden Lab within SecondLife (see Linden Lab’s Member Statement in Appendix F)

Our Thoughts on Next Steps:

Many of the necessary components are available today to develop a better process for Social Networks to protect children online.  It involves a multifaceted approach which includes parental involvement and education, employing layers of technology (identity verification, filtering and moderation) and strengthening the steps the Social Networks have taken to monitor activity while establishing effective means of separating unwanted activities between adults and children.

Although some may believe that the Internet should make us suspend the community rules that we have established to protect minors in the physical world, the reality is we need effective ways of establishing those community rules for the Internet.  For example, in our bricks and mortar world most parents talk with and educate their children about underage drinking.  Law enforcement and associations such as Mothers Against Drunk Driving develop awareness programs aimed at teens about the dangers of drinking.  However, if a teen walks into a liquor store we still rely on the fact that the sales clerk will ID them.  In other words, there are multiple checkpoints to try to prevent underage drinking.  As our online communities continue to grow businesses, consumers, and law enforcement need to work together to mirror the protection standards we all enjoy in our “real” communities that keep our children safe.

We would recommend the following as next steps:

1. Accurately establish the walled garden approach some Social Networks have already taken by using id and age verification methods.  Clearly the Social Networks see the security value in separating minors from adults through the practices they have put in place today related to minors.  For example, both Facebook and MySpace provide restrictions for ways minor profiles can be searched, how  friends are established with users under 18, and the default privacy settings of minor profiles (see Appendix E).  While the data availability limitation prohibits an identity and age vendor from verifying the age of a minor, it does verify adults.  There are two issues that cause an identity not to be verified:  the person is either under 18 or the person is a lying adult.  Both these situations warrant limiting the actions people can take within an unverified community to better protect our children.  Additionally, creating a walled garden doesn’t mean that no interaction is allowed between verified adult members and unverified members.  This type of walled garden creates a safer, more positive experience for adults, such as teachers, coaches, and relatives to interact with minors.  And should something inappropriate transpire between an adult and a minor, having a verified community better supports law enforcement.
2. Best Practices and Recommended Guidelines for online safety should be developed.  This is a natural progression given the tremendous growth of Social Networks.  For example, CTIA has established guidelines for the access of adult related content that would be useful for Social Networks.  The Task Force did not fully study, discuss and evaluate how other industry guidelines (telecommunications, alcohol, tobacco, movies, etc.) have been established to protect children  online.
3. More research needs to be conducted around sexual predator activities online.  Both law enforcement and Social Networks need to work better together in communicating and sharing information to better protect minors.
4. Continue education efforts toward parents and kids alike.  IDology fully supports the education efforts, as well as technologies that empower parents, which have been made to date.  Our stance regarding age verification has always been “it takes a village” (see our age verification whitepaper published in 2006).  Technology solutions and education efforts are complementary to each other and should never be considered as “either or” solutions.