The organisation and management of a country’s national identity infrastructure and of identity information by companies and institutions requires the constant attention of both the public and the private sector. New types of fraud and the availability of new technologies make constant vigilance and investment in upgrading the identity infrastructure crucial. Regular assessment of the effectiveness of the various elements of the identity infrastructure is essential, both independently and in the context of the identity chain as a whole. The Center for Identity at the University of Texas, established in 2010, serves as a centre of excellence for identity management, privacy and security, as Fons Knopjes explains.
Identity management requires a deliberate policy, good control and a robust identity infrastructure that allows good interoperability across registrations, documents (tokens), processes and expertise. Practice shows that not all parties have the right knowledge, resources and experience, meaning that the integrity of the identity domain is insufficiently safeguarded and fraud occurs. The establishment of the Center for Identity at the University of Texas at Austin in 2010 was a major step towards professionalising management of the identity infrastructure. This professionalisation is necessary for the responsible management of the growing complexity and to combat the increasing incidence of fraud.
The mission of the Center is to deliver the highest-quality discoveries, applications, education, and outreach for excellence in identity management, privacy, and security. The Center fullﬁls its mission by:
- leading the world in forecasting threats and delivering best practices and solutions that uniquely deﬁne and protect identity in physical and online environments;
- educating students, government, businesses, and the public concerning threats, best practices and solutions for identity management, security and privacy for individuals and organisations;
- working as a community leader and service provider by researching problems that affect people everywhere, making the University of Texas a ‘go to’ resource for managing and protecting personal identifiable information (PII) and anticipating and mitigating identity threats;
- partnering with the corporations, state government, federal government, and law enforcement to understand today’s challenges and deliver tomorrow’s solutions.
The Center believes that a multidisciplinary and multisectoral partnership is fundamental to solving identity issues. In light of this it developed its ID360 approach, which involves studying identity issues from various perspectives by bringing together all the contributing disciplines (law, policy, business, technology, society and communications) to partner with leaders from impacted market sectors from corporations, government and law enforcement. This is also why the Center has a Board of Advisors with representatives from the public and private sectors.
The Center has a Visualization Laboratory where simulation models can be created to visualise what impact measures will have. Testing proposed anti-fraud measures or policy changes in simulation models and using the results to adapt the plans leads to much better results in practice.
Research projects and products
The Center uses many different sources for its research, including law enforcement sources. Once gathered, the information is analysed and the results processed and published in reports.
In addition the Center has developed the Identity Threat Assessment and Prediction risk assessment tool (ITAP). It is a national analytical knowledge repository of threats and countermeasures for people, organisations and devices across multiple market sectors, including but not limited to the 16 critical infrastructure sectors defined by the Department of Homeland Security.
The critical infrastructure for the United States is set out in Presidential Policy Directive 21 (PPD-21). It identifies 16 critical infrastructure sectors whose assets, systems, and networks are considered so vital to the US that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. One of these is the transportation systems sector and in particular aviation.
The analysis results give organisations and citizens a better grasp of what causes risk, what the implications and damage can be and what can be done to prevent it. The Center for Identity compiles periodical ITAP reports which over time present a clear picture of the various developments and trends for each sector. Based on these reports measures can be taken to mitigate risks and set out and implement policy changes.
The findings of the analyses are also used to provide targeted education, for example through the children’s education programmes developed by the Center. The programmes use technology in creative ways to educate children about the value of identity information and the risks caused by the abuse of such information. The Center provides online tools to teach children to manage their own privacy and explains the potential consequences of visiting certain websites and online sharing of personal details. In addition, the Center has developed programmes for parents, older adults and small businesses.
ID Recovery Toolkit
Practice shows that victims of identity fraud often do not know how to regain control over their identity and that recovery from a fraud situation can be complex and time-consuming. The ID Recovery Toolkit developed by the Center is a practical tool providing victims with instructions for taking back control of their identity as soon as possible.
As well as creating products aimed at specific target groups the Center undertakes research and shares the results in clearly worded publications. In the course of its research the Center uses ID360 Scorecards, a standardised tool for measuring how effectively an organisation manages identity information. The Center has released reports on privacy, risks for specific age groups, machine learning for fraud detection, and facial recognition and identity perception following (cosmetic) surgery. The reports are compiled by the Center in collaboration with authorities in the respective fields.
An entire industry has developed – the personal data industry – that is focused on gathering and enriching identity information and then offering it on the market. As there is great concern with regard to the quality of the data sold by private parties, the Center for Identity investigated the quality in the personal data industry and found around 15% of the data to be incorrect. There is barely any regulation of this growth industry. Consumers are often unaware that their identity information has been gathered and sold, meaning that they have not given permission for this. If permission is given for their identity information to be sold, consumers believe they should receive a percentage of the proceeds from the vendor.
Decisions regarding the storage and management of identity information are often based on privacy checks rather than security checks, which regularly leads to data being lost or stolen. In many cases employers who manage identity information (for example multinationals) and parties that manage the identity information of their clients do not destroy that information when the relationship with the employee or client is terminated. Setting up facilities to destroy data is expensive and storage capacity for large volumes of data has become very affordable. Directors of large companies are insufficiently aware of the value of identity information and in many cases there is no clear policy on how such information should be managed within the organisation. A number of scandals in the US led to regulations being developed under which directors are held responsible in the event of mismanagement and hefty fines can be imposed.
Courses at the Center
The Center for Identity offers education and courses, ranging from education programmes for children to a Master of Science in Identity Management and Security (MSIMS).
The two-year MSIMS degree programme includes course topics such as Identity in Society and Community, Identity and Public Policy, Identity Communication, Identity Security, and Identity Information Management and Repositories. The degree programme is also available online.
In addition to the Masters course the Center offers an Identity Leadership Certificate Program, which covers topics including Identity Risk Assessment, Management, Compliance and Response, and Strategic Planning and Leadership. The programme is aimed at executives, managers and professionals who are responsible for identity assets at organisations. Case studies are used to highlight each topic.
Children’s education programmes
As mentioned earlier, the Center has also developed programmes aimed at educating children about online safety. Attention is focused on online developments to help children understand the value of identity information and teach them how to protect themselves against risks. They learn how to manage privacy settings and about the dangers of putting personal information online.
ICAO TRIP Strategy
There is a degree of overlap between the focus areas of the Center for Identity and the responsibilities of the International Civil Aviation Organization (ICAO). In 2013 ICAO launched the Traveller Identification Programme (ICAO TRIP Strategy). This extended ICAO’s remit from technical standards for travel documents to also encompass evidence of identity, document issuance and control, inspection systems and tools, and interoperable applications. Although this has so far not resulted in a partnership between the Center and ICAO it would seem an attractive prospect to explore.
The establishment of the Center for Identity at the University of Texas was a major step towards professionalising the active contribution that science makes to tackling identity issues. The identity domain is growing rapidly and existing structures such as electronic and biometric identification are gaining new dimensions. Studies by the Center show that both the public and the private sectors are responsible for managing at times large volumes of identity information and that in some cases the level of knowledge within these sectors is inadequate. Science has an important contribution to make in plugging the gap, whereby the focus already being placed on educating children is an excellent first step. Future successes will be dependent on active collaboration between the various actors in the identity domain, with science being a crucial partner.
1 The White House. (2013). Presidential Policy Directive – Critical Infrastructure Security and Resilience.