When identity is a data product: – Laura Noren – Medium

Equifax, a credit monitoring company that holds detailed financial records on many Americans and Canadians, has been hacked. As many as 143m people may be impacted. CNN is reporting that the hackers obtained, “names, Social Security numbers, birth dates, addresses, and the numbers of some driver’s licenses…additionally, credit card numbers for about 209,000 people were exposed”.

The company is currently offering one year of free credit monitoring to impacted individuals. Is a year of credit monitoring an appropriate response for a breach that impacts half the US population? Is a year of protection that *requires individuals to forgo pursuing a class action suit against Equifax* a fair and just response? That may depend on how it came to pass that 143 million people could have their identities stolen from a trusted financial institution in the first place.

How did it happen that we collectively consented to the notion that our identities could be represented by a small set of inputs like birth date, social security number, name, and address? This is a far cry from philosophies of complex, developmental self-hood, kaleidoscopic personality, and meaningful embodiment which underpin sociological and psychological versions of identity. This reduction in the complexity of identity eased commercial transactions for most individuals (those who have access to credit, which is not everyone) and it allowed for financial institutions to begin building larger datasets for each one of us by storing our transaction history in a repository keyed to our identifying data. This, in turn, allowed them to assess creditworthiness on a person-to-person basis, which helped guide their loan-making decisions.

In other words, reducing complex human identity to a small data product reduced all sorts of commercial friction and allowed financial institutions to assess individual credit risk. Equifax is one of the three major companies performing credit risk assessments for individuals. As such, they hold financial details for the majority of Americans. As a part of the consumer financial infrastructure we may rightfully assume Equifax should be interested in protecting access to the data they hold. Their business model rests on that data. They are also interested in keeping data small — or at least were, back when storing, transmitting, and running computational analyses were much more costly. Even though computation and storage has gotten much more affordable, once a particular data standard is adopted, it is stubbornly impervious to change, building up additional inertia as time passes. [Ask yourself: was it your centuries-old bank or your decades-old email provider that first offered you two-factor authentication to the identification process?]

There are broad questions present about holding many large companies in the credit industry, including but not limited to Equifax, responsible for protecting the commercial economy from widespread identity theft/misinformation. Trusting them means believing they can understand when default assumptions and organizational inertia are downright dangerous without external prompting. This leak is an example of external prompting. Another example is regulation. A third might be a financial upstart, competing to offer credit ratings. The third option is highly unlikely due to the institutional isomorphism in the financial industry around the standards for identity-as-data. Banks, credit reporting firms, retailers, car dealers finance auto loans, and credit card companies experience the greatest efficiency when they all use the same standards for defining a person’s identity. It would be extremely difficult for an upstart company to work within this consumer finance world with a different set of criteria for establishing identity.

It is fair to say, then, that the assumption so many of us tacitly accept when we participate in credit markets is that names, birth dates, and social security numbers are a good proxy for a person’s (financial) identity. If that set of data about a person can be so easily passed off as a valid indicator of parsimonious identification when it is no longer so tightly coupled with a single human wandering the planet because people on the dark web are selling databases full of this type of information all the time — we are all agreeing to bask in the delights transactional ease even as the hellish nightmare of identity thievery puts more of us into hellish months and years of identity recovery. Identity theft and credit-use fraud is neither isolated nor rare; it will impact all of us eventually.

Data products and meaningful identity

Our digital financial identities are data entities that proliferate because, from a technological standpoint, they can be copied easily, replicated perfectly, stored indefinitely, and easily combined with other, richer information about us, like our buying, watching, listening, and mobility behaviors. These data products develop a life of their own separate from the intentions, knowledge, and desire of the individuals they are assumed to reflect. Only in a very reductive way does our financial identity reflect our actual identities. The data product representing identity is now a product almost fully separate from the embodied, desiring, striving, idiosyncratic human from whom they were derived. This is both a problem and an opportunity. It is problematic because a hacker can open a line of credit in my name which does not reflect my wishes or intentions at all. But the gap between financial identities represented in data products like name+birth date+SSN+address slim bundles and our much more complex, richly woven embodied identities leaves ample scope to add nuance to authentication practices. Could we increase financial security of all sorts if authentication relinked the financial data product (poorly) signifying our identity to the embodied, agentic humans? Our many-featured, lived, embodied identities should be linked to our identities as represented in data products.

I imagine there is a way to incorporate gait analysis, spontaneous elicitations of which books, news articles, and music person would prefer to read from a list of 20, keystroke mapping (we each have relatively unique rhythms in our typing patterns), and a host of ever-changing cultural and biological authentication strategies. These types of practices will add friction to transactions. Some of them may not even work, but we need to try something.

What about tw0-factor authentication

In some sense, two-factor authentication makes a ham-fisted attempt to reattach the human to their identity which has been wrapped in a data product. Inviting the humans to pick up a phone and type in a code requires embodiment — typing — and human temporality. I am not an expert at two-factor authentication, but I know that SMS two-factor authentication can be gamed. Authentication strategies that require a changing set of embodied traits — from fingerprints to gait to vocal pitch to facial expression recognition — can add human friction to current small, clean, digital, nearly frictionless identity data products. No matter what strategy we adopt now, no solution will work forever despite — or because of — the object demand of databases to maintain continuity with past data structures. Whatever we gather and store acts as a point of departure for those who want to reverse engineer their way into an exploitable loophole.

Identity theft is an oxymoron

It should not be possible to steal the identity of 143 million people. Until we accepted the idea that identity could be wrapped in a data product and sent around, it would have been an oxymoron (or a science fiction/telenovela plot) to assert that one’s identity could be stolen. How can we gain insights from the previous tight-coupling of identity to individual to inform the way we produce and protect identities-in-data going forward?

Stronger cybersecurity is possible. Right now, there is no single company or governmental entity that can demand change, so macro-level change is slow or inadequately radical (e.g. chip-based cards are not that much more secure anymore; two-factor authentication using SMS relies primarily on digital inputs in a predictable pattern so can be gamed). Stripping consumers of their rights as a class as part of their recompense is a way to dampen the likelihood of meaningful change. Some consumers will not be silenced.

https://medium.com/@laura.noren/when-identity-is-a-data-product-5f7418692307