The Internet has shown that reputations are important but don't have to be tied to specific real individuals. The entire banking system is built on top of the idea of reputation, but tries hard to tie them to real identities. The problem of identity theft is likely to break this connection. We will see a greater disconnect between individuals and their reputations.
Identity theft has been a big hit with the purveyors of fear in recent years. We all now live in terror of waking up one morning and finding that someone has stolen our identity, and we can’t even remember who we are.
Well, maybe not. But identity theft is a real problem. If someone manages to construct a copy of your identity, you don’t stop being you, you just stop being the owner of all of your money (unless you can persuade your bank it’s their fault). You might get back from vacation to find that your house has been stolen...
Identity is closely tied to the concept of reputation. We are now trying to apply ideas from villages of a few hundred people to a global scale and (not surprisingly) finding that they don’t quite work.
In a small community, everyone knows—or knows of—everyone else. Reputations are very important. If you want to borrow something from a neighbour, or ask them for a favour, then you will have some idea of how much you trust them.
When banks started, they would use this sort of model. They would be willing to lend you money based on letters of recommendation from people they trusted, or based on their prior dealings.
Now banks have grown so big that they use a much less personal system, but still deal in the idea of reputations.
The Social Security Scam
Some time ago, the UK and the U.S. governments introduced the concept of a Social Security number (SSN). This was a unique identifier assigned to every taxpaying citizen, allowing their tax records to be connected together.
Having a unique identifier for people was useful to a lot of institutions. It’s pretty hard to know whether you can trust John Smith, but it’s much easier to find out information about a specific John Smith.
The problem began when people started regarding knowing someone’s Social Security number as proof (or, at least, strong evidence) that you were that person.
This attitude isn’t limited to SSNs, by the way. One of my banks has an ultra-secure login where, in addition to my password, they also require that I tell them the following information:
- My mother’s maiden name
- My house number
- My date of birth
All these responses are public knowledge and can be looked up by anyone who wanted to find them out.
The most surreal experience I’ve had with a bank was one based in the United States. I phoned them to try to set up Internet banking. The conversation went something like this:
Me: Hi, I’d like to know my password for Internet banking, please.
Them: Certainly. We just need to confirm your identity. Can you tell me the size of the last transaction in your account, please?
Me: No, I want to log into Internet banking to look that up.
Them: Oh, we can tell you that over the phone.
Me: Thanks. The answer to your question is £n.
Them: Oh, I can’t ask you things I’ve just told you as a security question.
Me: Well, that’s sensible.
Them: Let me transfer you to someone who can.
The next person I talked to asked me for the number that the first representative had given me, and was then happy to pass on my Internet banking password.
The illusion of security seems very popular with banks at the moment.
Reputation versus Identity
Part of the problem with this system is that it associates your reputation with your identity. If you are going to buy a house and are looking for a mortgage, then it is not unreasonable for a potential lender to want to know about the house you are thinking of buying, your current income, earning potential, outstanding debts, and so on.
If, on the other hand, you are looking to take out a credit card with a £1,000 credit limit, the only thing they need to know is whether you can service a debt of £1,000.
Either do you have £1,000 in liquid assets, or do you have enough disposable income to service interest payments at the horrendous rates that credit card companies charge?
Unfortunately, the way the system is set up at the moment, there is no fine-grained control. Someone who uses a £1,000 credit card application to steal your identity gets enough to take out a £500,000 mortgage backed by your reputation.
A bigger problem is what to do after your identity has been stolen. Fingerprint locks are pretty cheap now, but most people still prefer to use pass codes. The reason is, if someone steals a pass code, you can change it.
If someone steals a copy of your fingerprint, it’s very difficult to grow a new finger. The current situation with identities is similar to the fingerprint lock. So much of the information associated with your virtual identity is tied to the real you that building a new one that the thief does not have access to is very hard.
One solution to this problem would be to have multiple virtual identities. This is already quite common outside of financial circles.
I have an account on Slashdot, for example, where I post under a pseudonym. Someone who cared enough could probably link that virtual identity to me fairly easily, but most of the time it can be treated as a separate persona. It has an independent reputation, based on Slashdot’s karma system.
Since I post more informative comments than troll posts (or, at least, most of my attempts at trolling go unnoticed), that persona has a good reputation. That reputation, however, is in no way related to the reputation I have as a result of writings published in other places.
The idea of multiple personalities would make sense for financial markets, too. Going back to the earlier example, if I wanted to apply for a credit card, then I would not have to use my real identity to do so. I could create a new identity and have my real identity guarantee it up to a certain limit that would be sensible for the credit application.
From the credit card company’s perspective, the identity would have a fixed income of some proportion of my income and a fixed capital of some proportion of my capital. They would be isolated from my real identity and only see the subset of my assets that were required to construct an identity that was a safe risk for lending money to.
This kind of game isn’t particularly new. Corporations do it all the time. They set up shell companies, spin-offs, or joint ventures for a variety of purposes. Some have to do with combining resources from different companies; some have to do with shielding the parent organization from liability.
Both of these would be useful for individuals. Couples sharing a house, for example, might want to create a phantom shared identity rather than having individual responsibility for various payments. Limiting liability is the more important one, however.
The concept of limited liability has to do with limiting the amount of money you can lose. In simple terms, if a limited liability company goes bust, the investors don’t lose any money beyond that which they had invested already. Banks know this, and will not take the investors’ assets into account when assessing the risk involved with lending the limited company money.
Putting this in terms of identity theft, someone who could pose as the limited company would be able to do only a small amount of damage to the investors.
This kind of structure would be ideal for limiting the effects of identity theft. When applying for small loans, you could create a limited liability identity, and an identity thief who took it would not gain any more than a thief who took a credit card.
Fluidity of Identity
The Internet has shown time and time again that reputations are important, but don’t have to be tied to specific real individuals. The entire banking system is built on top of the idea of reputation, but tries hard to tie them to real identities.
The problem of identity theft is likely to break this connection. We will see a greater disconnect between individuals and their reputations.
Corporations already do this with different branding for different market segments, and it’s only a matter of time before the facilities become more widely available.
The designers of the Secure Internet Live Chat (SILC) protocol realized this some years ago. SILC does not provide a mechanism for tying an online personality to a real person (although you can do this out of band).
Instead, it provides something more valuable; a way of telling whether a particular online identity corresponds to the same person today as it did yesterday. This is valuable in an online chat setting, because the only contact you are likely to have with a particular person in an Internet chat room is via that chat room. The reputation is based entirely on their behaviour in that context.
The same is true in many other contexts; the behaviour of individuals in a specific context is important and their actions in others are misleading.