Identity is the new currency. Every day we exchange our identity currency for goods, services and access. In fact, it is difficult to buy goods, access government services, enter an airport, log in to your work computer or even attend an amusement park without sharing information about yourself. In this digital and data-driven modern-day world we live in, many transactions between individuals and organisations are specifically enabled by identity assets. Consequently, our identity currency is very valuable – valuable to individuals, to corporations, to government agencies and, unfortunately, to criminals as well.
Privacy and security are vital to protecting these valuable identity assets. However, to provide sufficient protection, such assets must be well understood. This requires understanding an asset’s content, structure, and vulnerabilities. To protect an individual’s identity information assets, a complete inventory of those assets must be known and their complete worth must be calculated.
Identity Threat Assessment and Prediction project
The Identity Threat Assessment and Prediction (ITAP) project at the Center for Identity at The University of Texas (UT CID) collects and models data about how identity information is used by commercial businesses, government agencies and even criminals, and models cases of authorised and unauthorised uses. This UT CID Identity Ecosystem research project extracts data from the ITAP to model and analyse an international inventory of identity assets, the values of those assets, and the liability or cost of their exposure.
Despite the fact that a wide range of businesses treat identity information as an asset, the existence of entire industries based on the collection and monetisation of identity assets means that identity valuation is not an easy calculation. Is a specific identity asset, for instance, worth hundreds, thousands or millions of Euros? Like a currency, identity assets are frequently subject to manipulation, theft, fraud, and abuse. Prior efforts to calculate the worth of identity information assets have been primarily based on black-market values. For example, passports can cost up to a few thousand Euros on the black market, depending on country of origin. The UT CID postulates that identity valuation based on monetisation potential is a much more accurate and compelling method to calculate identity asset value.
To calculate the currency value of a specific identity asset, the UT CID Identity Ecosystem project asks the following question: “How much benefit can be reaped from possessing or using a specific identity asset, both by authorised and unauthorised individuals and/or organisations?” Nearly 6000 ITAP case studies (and counting) of unauthorised and authorised incidents involving the monetisation of identity assets have been modelled, offering some specific data with which to begin arriving at a framework for calculating the value and liability of identity assets. A parallel line of inquiry is examining how much damage can be done or liability created if an individual’s passport (say) is fraudulently used. In other words, the UT CID is asking the question: What are the potential financial benefits and consequences resulting from possessing and using specific identity assets? Figure 1 shows the identity assets (nodes in the graph) coloured by liability (red, yellow, and green) and sized by value.
Figure 1: Identity assets coloured by liability (red, yellow and green) and sized by value.
Identity currency questions
As individuals and organisations attempt to define their identity asset inventories, other questions arise: “Who issues an individual’s identity currency?”, “Who owns an individual’s identity currency?”, and “Where is an individual’s identity currency on deposit, and is it secure and held with the confidentiality expected?” The answers to these questions often differ depending on whom you ask – the organisation that collected the currency (for example, an online retailer), the organisation that issues the identity currency (for example, a credit card issuer or government agency), or the individual whom the identity currency describes, and who will suffer the greatest personal financial, reputational and emotional damage if this currency is stolen or fraudulently used.
Identity asset categories
There are over 500 identity assets currently identified. Conceptually, we view identity assets as falling into four categories:
- what you KNOW (such as mother’s maiden name, address);
- what you ARE (such as physical biometrics);
- what you HAVE (such as passports, access cards, or other credentials issued by government agencies, employers, retailers, financial institutions);
- what you DO (including emerging behavioural attributes).
The creators and issuers of identity currency vary from category to category – just a quick look in one’s wallet or smartphone can begin an inventory of identity assets and associated issuers. Another, less obvious place to look for identity currency is an individual’s patterns of behaviour, such as websites visited, GPS locations visited, and other patterns of life. From credit cards and driving licences to fingerprints, passwords and apps, these identity credentials are all used to prove you are who you say you are in different contexts and settings. Additionally, many of these credentials are linked to identity information assets provided to enrol in a system or programme in order to acquire these credentials.
Safeguarding identity currency
Not only do identity assets and issuers vary, but the responsibilities for safeguarding and securing identity currency are distributed with varying regulations and liabilities. Government agencies, commercial organisations from almost every market sector (for example, financial services, energy, telecommunications, retail, healthcare and education), data aggregators and even individuals issue and are responsible for safeguarding and securing identity currency. And despite all of the obvious and understandable focus on cybersecurity as the primary line of defence against unauthorised access and abuse of identity information, it is people, not technology, that are often the biggest vulnerabilities. Consequently, it is imperative that consumers and citizens be educated and empowered both to take control of their identity assets and to better understand the trade-offs for sharing that information. Figure 2 reflects the types of identity assets modelled in the UT CID Identity Ecosystem and the analytical questions answered.
Figure 2: Types of identity assets modelled in the UT CID Identity Ecosystem and the analytical questions answered.
At this time, protections for identity assets are generally country- and market-sector specific. For example, European regulations are different from those in the United States, and regulations aimed to protect identity assets in the healthcare marketplace differ from those in financial services. Protections based on issuance and authentication settings (for example, country and marketplace) are complicated and doomed to fail in a digital, global society. Setting transparent identity currency value and liability calculations for specific identity assets – independent of country or market sector – will help to rationalise and simplify identity protections, and ultimately, increase the consistency and strength of these protections.
As mentioned earlier, both organisations and individuals require a greater understanding of the value of identity assets in order to make informed decisions about their use and protection. While identity assets are already commercialised both legally and on the black market, a quantifiable framework for their valuation is needed for both individuals and organisations to identify risks as well as security and privacy requirements. Individuals, for their part, are already using their identity as an asset, but they do so with very limited understanding of its value. People share identity assets, and organisations collect identity assets without an appreciation of their currency value, resulting in criminal identity theft, massive breaches or unscrupulous use of these current assets.
The Equifax breach brought attention to the fact that credit bureaus collect and monetise far greater amounts of personally identifiable information (PII) than most consumers are aware of. Other recent privacy-related data abuse scandals have also brought increased scrutiny to how organisations collect, share and monetise identity assets. For organisations, a more universally accepted valuation of PII could help direct greater investment in business practices, policy, and technology to secure and protect sensitive data from theft, fraud, and abuse. Currently, budgeting for cybersecurity and identity management and security policies, procedures, and technology is generally not based on a precise calculation of the net value of all sensitive data held by the organisation, much less a specific value for specific identity assets. For individuals, such a valuation would provide both a better understanding of the relative value of the different types of PII, and help inform decisions about what information to protect, how and when it is appropriate to share it, and what the potential consequences are when it is compromised. Furthermore, the increase in transparency that a generally accepted valuation framework for identity assets would bring could help to rebuild consumer confidence in organisations that collect, use and store identity currency.
- (2017). Breach at Equifax May Impact 143M Americans. https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/ [Accessed 23 October 2018].