Treatise on Identity: Problems with the Status Quo

December 17, 2015

Who are you? You are a member of a nation, a community and a family. You are a son or a daughter, perhaps a father or a mother. You are a professional, the fuel for the economic combustion engine. You engage in social activities with friends and family, perhaps you are part of a club or organization that shares similar interests. You like sharing, blogging and tweeting, you express your thoughts and share your most precious moments on social media with those closest to you. In this very moment you represent a 32-bit IP address in a huge cluster of other global identifiers.

As an individual, you are an entity of identities. You represent identities and change them regularly, depending on the situation you are in. Similarly to an actor, you are constantly and regularly changing your masks to fit the current act of the play. Your identity is associated with the moment, in which you represent someone uniquely identified, pseudonymously or anonymously. Your identity is for example associated with being customer at a bank, an employee at a company, a member of a club or pseudonym on a forum. The identities you possess are endless and any interaction, whether with another individual or with a company, require different identities. Therefore, who you are is dependant on the situation you are in and who you want to represent.

This is especially true in the virtual realm, where who you can be is limited by your imagination. On the internet today, representing a 32-bit IP address is not enough, that’s why you are required to sign-up and provide information about your identity. This identity is often up to the user to create and is not required to be based on proof or fact. Virtual Realities such as The Sims, Second Life, IMVU and Habbo allow the player to play as an Avatar that is based on ones imagination instead of a virtual representation of oneself. With this virtual identity, the player can engage in any activity possible: they can go clubbing, dancing, drinking, they can engage in discussions with other players and they can even pursue business activities (because who doesn’t want to be rich and famous in a virtual reality?). Apart from Virtual Realities, Social Media has opened up new possibilities of creating and representing identities. Social Media acts as a filter that allows you to decide which content about you gets published, most of the time only the most memorable and “glory” moments get published to the close circle of friends you have on Facebook, Twitter, Instagram or Snapchat. Today it’s all about “Sharing the Moment” and letting others know what you are doing right now and how you are feeling about it.

Social Media today is a lot more than just this. It has evolved into an archive that tracks your every moment, the activities and discussions you are engaged in, who you love, like, hate. Facebook, Twitter, Instagram and others are a magnet of data, collecting data about everything circling around you. This makes it apparent that the identities you create on the internet are not possessed by you, but the centralized servers of a company over which you have no control. So really, who are you when you don’t own your identity?

The Problems of Identity

Today, digital identity and identity in general are inherently flawed. We place too much trust on central institutions with the hope, that they will handle our sensitive information correctly. Trust on the internet has become something so natural and obvious, that we often forget that it is nothing more than an illusion except if we ourselves are able to enforce and ensure it. Trust in identity solutions is the problem in the Developed world, lack of identity in the developing one. Countries in South Asia and Africa lack the infrastructure and the right policies to correctly identify people starting from simple birth certificates, identity cards to death certificates. The effects of this are what is haunting the developing world today: families that are trapped in a poverty trap, since their kids with no identity are not able to be educated and get a better job.

The sad truth is that we live in an era where identity theft and mass surveillance are part of our identity. We have lost access to our true identity, who we are is dictated by those who are supposed to serve us. Privacy today is a sacrifice you take to be able to use a product. Your personal information is a precious good that is weighed in Dollars or Euros and traded between companies to target you with new products and services you most likely don’t care about. The information that you publish once is forever engraved and shared between servers around the globe, waiting to be accessed by an intruder. On the other side of the coin, we have a situation where people don’t know who they are because they didn’t receive proper identification on birth or during their lifetime. The economic potential and the personal freedom of millions of people is being limited through this issue of lacking identification.

Even though the issues of identity are vast and many, we will elaborate on 3 of the main issues and concerns in regards to identity, digital identity and our identity management of today.

The Problem of Identity Theft

The internet was designed without identity in mind. This has lead to a series of problems, ranging from privacy intrusions to identity thefts with serious consequences. Today a user needs to remember a wide range of passwords, pins, emails and usernames to access their identity on a specific website. Not only is this cumbersome and can lead to service interruptions (how often did you forget a password of a website you haven’t accessed in quite some time?) but through sophisticated attacks such as phishing or MITM-attacks these identities can be accessed and stolen by intruders and eventually cause great damage. Recent examples such as Target, where 40 million credit and debit card accounts as well as data on 70 million customers were stolen, or Sony, where personal information of well over 80 million users was stolen, show how far reaching these attacks can be and how much destruction, both financially and also on a personal level, can be caused by malicious attackers.

The issue with identity theft is that we are making it far too easy for hackers to penetrate vulnerabilities and steal our precious information. We go to websites and are often more than open to give out sensitive information in order to purchase goods or access certain parts of the website. We give out this sensitive information without knowing who exactly we are giving it to, what will happen with it, how it is stored or if it will be encrypted or not. When you go to a coffee shop, do you handout your credit card number, expiration date and CVV to the cashier so that she can process the transaction for you, in hope that nobody is intercepting the conversation and that the cashier is behaving honestly? The answer is obviously no, but we are often behaving like this on the internet. I once had a VPS provider require me to send them a picture of the front of my credit card to confirm that I actually own the credit card. The consequences if the provider is dishonest, gets hacked or the email intercepted would be devastating.

A similar case is the one of KYC and AML. KYC/AML compliance means that the service provider requires the user to upload personal information and documents (proof of identity, proof of address and even proof of bank ownership) in order to provide access to certain areas of the platform. This data is then processed and so that the service provide can be assured that the user is who he claims to be, that he/she owns what he claims to own and that the user is not on any PEP (politically exposed person), sanction, money laundering or fugitive lists.

A prime example are Bitcoin exchanges, which out of fear of being shut down often simply force the user to submit numerous personal documents in order to ensure that the government is pleased and won’t shut down the operation. This transmission of personal and sensitive information often even happens through a HTTP connection and with absolutely no guarantee how the data is being handled or where it’s being stored. No wonder that Bitcoin exchanges are quite popular targets, not only the wallet.dat’s, but also the sensitive information of users is worth a lot.

As is often the case, the information requested is far exceeding the information that is required for the service to function. Often everything that is really needed is a username or a simple stamp of approval “this person is who he/she claims to be”, but the services go far beyond this and request a lot of unnecessary, but very sensitive information. This leads to the next problem, which is privacy intrusion.

The Problem of Privacy

Imagine that you suddenly discovered that you have been involuntarily participating in a global ‘Truman Show’ (or ‘Big Brother’ for our European readers), where everything that you have done in private or public was broadcast to TV’s and Internet Livestreams (Twitch) all around the globe. Shock, disgust and terror are the words that best describe the emotions rushing through your veins. Every private conversation you had, everything you liked and shared on Facebook, all the weird things you searched on Google and even your browser cache, which you carefully deleted every month in a futile attempt to delete some of the more peculiar things (apart from the usual cat videos) you have visited on the Internet. Every single detail of your real life and virtual life, open for the public see. You would be outraged and do everything in your power to stop it and sue those responsible. Now imagine that this happened to virtually every citizen. You would expect large protests and movements demanding the end of this intrusive existence.

But even though today privacy is basically non-existent, there are no protests or outrage over how our sensitive information is being used by corporations and governments. Snowden’s heroic act of revealing the absurdities of our government’s attempt to control our everyday lives was nothing more than a scream into void (or like in the movies, where someone drives to the beach only to scream his anger out, making sure nobody can hear him but the quiet ocean).

No better word best accompanies privacy today than “intrusive”. We are being tracked, monitored, recorded and watched every second of our digital and also of our outside life. Our internet traffic and communications are being intercepted, stored and used on algorithms to determine our behavior, our taste and our activities. Our personal information has (d)evolved from an identity used to communicate with and access a service provider, to a good that is categorized, priced and traded between companies. We think that we are equal and every human is “worth” the same, but the WWW has proven this to be a fallacy. What you are worth depends on where you live, your age, your purchasing power and most importantly, how much data there is on you that can be sold to advertisers with specific needs.

This hunger for more data is long from being stilled. A great example are apps in the iOS or Android app store. Instead of only requesting you to provide them with access to the bare minimum for their service to function, certain applications go well beyond this and request access to nearly every part of your mobile phone.

alt tag

Big Data is no longer just a science for bettering humanity by answering some of the bigger and fundamental questions and improving our knowledge about ourselves and the environment that surrounds us. Through the emergence of Google and Facebook, Big Data today is about collecting as much personal information and data about users to find better ways to monetize the user experience. New ways to track users are at an all-time high in terms of demand by private and also public companies. After all, the algorithms to determine and predict behavior need to be fed with new data.

Privacy intrusion has long been an issue that was created by the WWW, and it seems to continue to be an unsolved problem, as current identity solutions do not solve the problem presented.

The Problem of Accessibility

We take it for granted that we know the exact day, hour and even the seconds of our birth. Birth certificates are issued immediately after birth and for us, it’s impossible to even leave the hospital without such a certificate. Why would we leave without a birth certificate? A birth certificate is the most basic identity an individual can have. It provides information about your name, sex, the exact moment you were born and your parentage. It certifies that you are legally alive and thus it provides access to a variety of basic human rights, such as citizenship, health care, schooling, voting, financial services and property ownership.

Sadly, receiving such a certificate upon birth is not at all that common around the world. Yearly, more than 40 million babies will spend the rest of their lives unregistered, with any kind of economic and personal potential for prosperity stripped away from them. Only 44 per cent of sub-Saharan Africa’s children under-five years of age are registered today, and in rural areas, the rate is even lower. For children of Eastern and Southern Africa, the reality is even more worrying: only 38 per cent of children are registered, ranging widely from 3 per cent in Somalia to 95 per cent in South Africa. An even worse statistics by UNICEF shows that 1.5 Million children die each year (which is 17% of deaths in children under 5 years old) of diseases that could be prevented through vaccines. A major contributor to these deaths is the lack of identification which makes it impossible for the live-saving vaccines to reach the children.

These statistics are truly worrying and devastating for entire nations. Not only birth certificates, also death certificates (one could call it the end of all identities) are not very common in developing countries. Death certificates give the family of the deceased the right of inheritance, entitlements and claims to insurance benefits (if available). Without such a document any claim on these rights will simply be dismissed as another fraud attempt. Even though birth certificates are more likely to be issued than death certificates (such as in India, where for example death registration coverage is 66% compared with more than 80% for births), both of these identities are vital for an entire nation to function economically and socially.

Since two of the most basic identities are not guaranteed, one does not have to wonder what the actual ID system of the respective country looks and functions like. Many countries do not have identity systems implemented or do not have the right policies to enforce registration. This makes it impossible for citizens to call themselves “citizens” and thus be identified as who they claim to be. Because of this, these identity-less people lose access to beneficial infrastructures, social programs, aid interventions, financial and health care services. This in turn causes a huge waste of resources and energy put up by poverty prevention programs that are not able to reach the people actually in need. The prime example here is India, where the governments spends nearly 3% of its GDP on subsidies for food grains and fertilizers for farmers in need. Exactly these social programs to help the poor are being exploited by corrupt politicians and government workers for their personal gain. A sA study from 2008 shows that only 42% of the grains in the Indian Public Distribution System reached the target audience (i.e. the needy farmers). Another example is Nigeria, where loss of identification costs the country more than $175m per year.

The question of “Who are you?” is a much more fundamental one in the developing world, as it can often not be answered.

This lack of identification and national identity system bears the worst of all fates with it: it traps citizens in poverty. The concept of a poverty trap is that you are unable to escape your current situation (poverty) as you lack the abilities, access or initiator to get out of poverty. As was described above, the negative economic effects of lacking identity systems are widespread: Children cannot be educated, thus any chance for employment outside the informal sector is slim; through the lack of identity, it is impossible to apply to aid, assistance or any kind of social program intended to help the poor and provide them with necessities; access to financial services is not possible due to not being able to identify oneself; collecting tax payments is nearly impossible for the government, thus it cannot provide the necessary infrastructure to support the poor on their pursuit out of poverty.

Escaping such a poverty trap is difficult, but it can be combatted with the right measures (and outside intervention). Some governments have taken great initiatives in identity management and providing biometric electronic ID’s to their citizens. Indonesia with their e-KTP has signed up more than 100 Million citizens in less than a year, Nigeria with their electronic identity card which becomes mandatory for all citizens by 2019 to be able to vote or the CARIPASS travel card that enables fast travel between the Caribbean Islands (though I can’t find any update anywhere on the fate of this system). The most renown electronic and biometric identity system is in India. The Aadhaar biometric identity system has already signed up nearly 900 Million citizens, out of a total of 1.25 Billion. Even though the project is inherently expensive and has cost taxpayers already nearly $1 Billion, it is a great effort to provide citizens of the largest democracy in the world with a unique identifier.

This unique identification system opened up new opportunities and solved (some) problems. The biggest problem that was solved was that it is now possible to uniquely identify citizens through the Aadhaar system. One clear advantage of the program was the social benefits for the unemployed that the government could provide for and sent to the needy more easily. For example the NREGA program, which gives unemployed Direct Benefits Transfers to a bank account directly tied to their Aadhaar card.

The UIDIA is inexplicably expensive and most of the incurred expenses are completely redundant, but apart from expenses, the Aadhaar program is inherently limited in its ability to help the poor and it has other systemic flaws that can cause far worse damage than monetary expenses. Lets summarize some of the major concerns of the UIDIA Aadhaar identity system. (these concerns are not only characteristics of the Aadhaar system, but of most identity system present today):

  • Single point of failure, which is that all the data is stored on centralized servers (if all 1.2 Billion people are enrolled in Aadhaar, this will amount to more than 15 Petabyte of data). Biometric information is part of our human identity and it cannot be changed, imagine the damage that can be done if someone had the biometric information of more than 900 Million people? This is not only the biometric information of a single finger, but of all 10 fingers including an iris scan and facial picture of every single person that opted in for the Aadhaar program. Even more frightening is the fact that citizens that opt-in for the program do not know what is happening with their private information. If this data is stored on American servers, Uncle Sam will have no problem to access personal information of all the Aadhaar users.
  • Privacy concerns. Especially because the data is stored on centralized servers, it can be easily accessed by the government which may use the information they gathered to launch surveillance programs on their citizens to “fight terrorism”. The Australian government has received a lot of criticism, as under their new counter-terror law the biometric information gathered in Airports can be shared with intelligence agencies around the globe. Luckily, the Indian Supreme Court ruled against this sharing of biometric and personal data with any third party or government agency, but we have seen how far governments will go to “protect” their citizens.
  • Citizens that entered the program do not own their identity. As mentioned above, users of the program do not know what is happening with their identity information, which means that the supposed owner of the identity is completely stripped away of any control over their identity. This is further highlighted with the fact that once you have entered your personal information on the Aadhaar card, it cannot be changed.
  • The Aadhaar card is only a Proof of Identity, not a Proof of Citizenship. Additionally, it does not solve the problem of birth and death certificates. Because of this, the Aadhaar card is limited in its scope, since it cannot provide for the basics of identity, authentication and authorization.
  • Privacy is being neglected for “Proof of Identity”. Whenever you show your Aadhaar card to someone to prove your claim on who you are in a certain transaction, that person will know sensitive details about you (such as information of where you live). When everything that would have been required is the proof that you are a “unique” citizen.
  • Fraud is still possible, especially when it’s done by the very agencies and politicians that are supposed to act honestly. More than 150 biometric ration cards were created by a corrupt government official, 384,000 cards had to be revoked and it’s still possible to fake the Aadhaar card.

There are obviously more issues in regards to the Aadhaar card, such as forcing citizens to signup for the Aadhaar card in order to access basic infrastructure and education. This problem was ruled as illegal by the Indian Supreme Court and has lead to the Aadhaar identity card to be nothing more than piece of paper, with no actual benefit and purpose to its owner. Identity is flawed and even throwing nearly $1 Billion at an identity project does not solve the problem for governments.

But that’s what this blog post series is actually about: Describing what a feasible solution may look like.

Where to go from here

This blog post briefly described (in 10 pages) the current issues with identity are. This is the first blog post in a whole series of blog posts discussing identity and how we can work on a solution. The next blog post will actually describe the Axioms of Identity in greater detail.

References

1: http://krebsonsecurity.com/2014/01/target-names-emails-phone-numbers-on-up-to-70-million-customers-stolen/

2: http://krebsonsecurity.com/2011/04/millions-of-passwords-credit-card-numbers-at-risk-in-breach-of-sony-playstation-network/

3:http://www.icn.ch/images/stories/documents/publications/fact_sheets/10a_FS-Birth_Registration.pdf

4: http://www.unicef.org/esaro/5480_birth_registration.html

5: http://www.unicef.org/immunization/files/Immunization_brochure.pdf

6: http://www.censusindia.gov.in/2011-Documents/CRS_Report/CRS_Report_2010.pdf

7: https://en.wikipedia.org/wiki/Subsidies_in_India

8:http://www.bloomberg.com/news/articles/2012-08-28/poor-in-india-starve-as-politicians-steal-14-5-billion-of-food

9: https://en.wikipedia.org/wiki/Public_distribution_system

10:http://www.news24.com/Africa/News/Nigeria-spends-175m-on-ghost-workers-20111028

11: https://en.wikipedia.org/wiki/Countries_applying_biometrics

12: https://en.wikipedia.org/wiki/Indonesian_identity_card

13: http://www.secureidnews.com/news-item/nigeria-rolling-out-eid-cards/

14: http://www.caricom.org/jsp/single_market/caripass.pdf

15: https://portal.uidai.gov.in/uidwebportal/dashboard.do

16: http://uidai.gov.in/images/uidai_exp_jan_feb_march_2015.xlsx

17: https://en.wikipedia.org/wiki/National_Rural_Employment_Guarantee_Act_2005

18: http://www.planetbiometrics.com/article-details/i/2268/

19:http://indianexpress.com/article/india/india-others/supreme-court-bars-sharing-of-uidai-info-denial-of-benefits-to-those-without-aadhaar/99/

20:http://www.deccanherald.com/content/304160/bogus-ration-cards-created-biometrics.html

21:http://www.biometricupdate.com/201212/uidai-discovers-384000-false-aadhaar-numbers