Maria Kutar, Marie Griffiths and Gordon Fletcher look at how we can tackle the growing problem of securing multiple digital identities.

Remember the old adage, ‘On the internet, no one knows you are a dog’? The statement had meaning when there appeared to be a clear line between ‘real’ life and being online. Fast forward to the start of 2015 and there are over three billion global internet users (Internet World Stats) - that is a lot of identities and they can’t all be of the canine variety.

Our online identity can be defined as the assemblage of electronic information that differentiates us as an individual, but unlike the majority of components that form our physical identities, many online identities are ephemeral in nature, leaving behind a trail of digital footprints in virtual spaces.

It is at this juncture we face a quandary. Our public identity impinges on our personal privacy. You can’t have one without impacting on the other and with digital activities part of ‘real’ life we are now in the realms where the two entities have become blurred beyond any sensible form of separation. Our reality has become ever-more complex.

A typical person is likely to have a range of social networking profiles and sometimes multiple ones; professional and educational profiles; digitally-enabled and accessible accounts through a diverse range of service providers including banks, utility companies, government and ecommerce sites and different cloud providers.

All of this is consumed through a range of screens depending on opportunity, time of the day and location. The three billion current internet users could easily amount to over 30 billion aspects of online identities (a very conservative guess).

Almost every one of these aspects of online identity contains some sensitive personal information, and with the growing sharing culture that comes with social networking, this makes every identity potentially vulnerable to a security threat.

The most common threats - and unsurprisingly not generally well recognised by everyday consumers - are described as man in the middle (MITM), man in the browser (MITB) or now, more commonly, man in the mobile (MITM). These forms of malware are eavesdropping attacks that allow attackers to intercept, send and receive data not meant for them.

A further sophistication is Zeus-in-the-mobile (ZITMO), one of the most popular botnets responsible for hacking into thousands of online banking accounts. Keylogging, the act of covertly capturing and recording the keys struck on a keyboard, is also a common threat. These types of threats have one universal goal, and that is to steal aspects of a person’s identity.

So how does the individual manage the assemblage of personas and accounts that make up their online identity? On the one hand there is encouragement from the social networking sites to not only use their social network services, but also to take up the offer of easy to use and consistent sign-ins so that your Facebook, Twitter or Google+ accounts become the gateway to other services on the internet.

Many users are unaware that the price they pay for this service is to release ever greater amounts of their data. Common log-in systems offer the prospect of enabling the tech behemoths to track activity across the web. The result is a further erosion of privacy and even greater overlapping of the supposedly different personas an individual may have at different social media sites.

The rapid explosion of wearables and health-related apps shows that the need for individuals to take control of and secure their personal data is increasingly important. When one health insurer has pushed the use of a Facebook-owned app onto its customers as the price for them retaining existing benefits, it is clear that individuals cannot trust every organisation they interact with to keep their personal data private.

Retaining control

What then, for the user who wants to retain control? How do we encourage young people who only know a world of sharing to take control of their data? There are some encouraging signs. iRights contextualises young people’s rights for the digital world.

Two of these rights - the right to know who is holding their information and the right to remove personal information - go a long way to putting individual users back in control of their identity. The proposed EU data protection reforms are likely to include some form of ‘right to be forgotten’, but these in themselves do not help users manage their data on a day to day basis.

A number of companies offer tools to help manage personal information. At the simplest level, password managers help users manage strong passwords across multiple accounts - but with the downside that they introduce a single point of failure.

Other companies have more extensive offerings. Some of these, such as Data Patrol from Garlik, monitor the internet and offline for signs that your personal identity has been compromised. Other products, such as Freedome from F-Secure, focus on the control of key digital activities including secure Wi-Fi and tracker blocking.

There is also a plethora of browser-based tools that help users navigate the web whilst maintaining their privacy. Some of these products aim to improve security, such as HTTPS Everywhere, which uses web encryption where possible. Others aim to empower users - such as TrackMeNot, which issues randomised searches to popular search engines so that the users’ own searches may be hidden within a much larger cloud of additional but irrelevant data.

A different approach is taken by Terms of Service; Didn’t Read (tosdr.org), which rates websites’ terms and privacy policies in a review system more familiar to many web users.

Can these tools help an individual secure their digital identities? In short, no. A single tool cannot bring this power. The challenge and onus being placed on consumers is huge. In order to manage online personal identities each consumer needs to know:

  • The composition of their online digital identity - what accounts do they have, what is the extent of their digital footprint?
  • The degree of control they have over their identity data and information at different digital locations;
  • How their navigation habits influence their safety online.

Individual online identity is not fixed. It is constantly shifting and evolving, like dunes in the sand, but, unlike footprints, online identity is much harder to erase. Users must understand what individual elements of identity they have made public.

But when, for instance, PayPal’s terms of service are longer than the lines in Hamlet, few users are able to do this effectively. The rapid change in consumer use of digital technology challenges users who may not know whether their data resides in the cloud, on their computer or somewhere else.

Education is paramount in helping users understand these issues and assist them in safely navigating the digital landscape without compromising their personal data. As consumers we cannot rely on organisations, who may be lured by the temptations of big data, to act responsibly. As researchers we need to better understand the extent of our online identity and digital footprints.

The authors have undertaken the first steps in this project by attempting to capture an individual’s digital footprint.

Our ongoing study ‘A Day in the Digital Life’ aims to create a lightweight, repeatable methodology to quantify the digital footprint of an individual using a broad range of technologies: GPS tracks, phone logs, key-logging software and video technology, in order to interrogate all of a single person’s online activity in one day.

The development of such a methodology will enable the quantification of individuals’ digital footprints at various points in time, which will enable comparisons and more detailed analysis. There is a mounting need for the development of effective personal information management services, which may one day be seen as an essential utility in our daily digital existence.