Infosec (or Information Security Europe, to use its proper name) is the number one information security event in Europe, and when you go there you can see why. We have to give credit to everyone working on the stands for even surviving the full-on cacophony; I suspect there was more than one packet of headache tablets in the cupboard on the BCS stand. Vendors are trying to attract your attention to promote their wares and woo you with ever more ingenious freebies; I'm not convinced the combination of giving away Swiss army knives and free booze is wise. Think of a North African market, with less colourful outfits, in central London and you'll get the picture of what I'm talking about.
So on to the critical issues; it's not all about sales. For the last couple of years, BCS has had a very active working group focused on identity assurance, which runs workshops at European and international events and publishes its findings and recommendations annually. Our workshop is part of the Education Programme of Infosec, and raises some really important questions that all individuals, not just businesses, should consider, under the heading 'Are your users and customers who they claim to be? Preventing identity theft in the Digital Age'. The focus is on employee and customer identity, specifically ensuring that anyone who works for or interacts with an organisation and deals with sensitive information or financial transactions really is who they claim to be.
The concept of identity assurance is vitally important as the government progresses with the Digital by Default agenda, meaning that all government services will essentially be offered online. And herein lies the key. It's not just a case of establishing whether someone is entitled to receive benefits, but also making sure it is the right person who actually receives those payments. You may not think this affects you, but it does, and on a fundamental level.
Human resources departments now have to provide real-time information about you and your circumstances to HMRC, and I'm guessing you've all heard stories of stolen identity. So what if someone else claims to be you? How does HMRC decide which one of the two 'yous' really is you?
It is relatively easy to obtain a new identity; remember John Darwin, aka 'canoe man', who faked his own death and disappeared to Panama on a fake passport whilst waiting for his wife to pick up the life insurance cash?
You may only have snippets of your personal information attributed to each of your online personas (Facebook, Twitter, LinkedIn, multiple email addresses, PayPal details... I could go on). Think about your Facebook profile: does it have your date of birth on it for all to see? And what is one of those annoying security questions you have to answer when you call your bank or insurance provider? Is it 'what's your date of birth?' by any chance? With a bit of time and big data research on all your online personas, someone can build up a good picture of you, your life and who you really are.
Essentially your identity is now currency; it has value. Have you ever put a business card in a pot in the hope of winning an iPad? In doing that, you're using your identity in exchange for goods (especially if you actually win the iPad!), and you usually then have the pleasure of a flood of unsolicited emails landing in your inbox that are somehow impossible to unsubscribe from. Got some free storage space in the cloud? You definitely didn't pay hard cash for it, but you probably gave them some information about yourself in exchange.
Everyone should protect their own identity (but how do you protect the naive and vulnerable from themselves?), and businesses and government departments have to be able to verify your identity using key attributes.
But where, in all this, is the balance between the security of your ID, your privacy and the right to remain anonymous? Why shouldn't you be able to enter the iPad competition without getting the emails? What are the legal and commercial frameworks for using identity online, where the environment is far more complex (dare I say hostile)? No one owns the internet; there are no boundaries of jurisdiction; once the information is out there you can't delete it (as Paris Brown found out at the expense of her job as Kent Youth PCC); and the players are far more sophisticated, with links to organised crime. We're not just talking about the simple business card in the prize pot; it's a far wider and deeper issue.
Starting to feel uneasy yet?
Karen Tuck, Policy Manager, BCS
N.B. The title of this blog comes from a cartoon.