Issue 2 October 2005
Welcome

This month we are delighted to present an article on "Identity and Identification" by Ana Isabel D. Canhoto, lecturer in the Interdisciplinary Institute of Management at the LSE and researcher at the Information Systems Integrity Group.
 
 
An accomplished manager with extensive experience of working in telecommunications in both Portugal and the UK, Ana Isabel specialises in behavior profiling and money laundering detection systems.

..................................................
 
Upcoming Conferences and Events
 

Introduction to Employment Law

18th October, London

£490


24th October, London
Free
 
26th-28th October, Yorkshire
From £400 
 
2nd November, London
Free
 
9th November, London
Free
 
10th November, London
£495
 
10th November, London
Free (register with akelly@powerchex.co.uk)
..................................................
 
Articles of Interest
 
The price paid by UK retailers for hiring unreliable employees.
 
David Dearman, PKF's anti-fraud specialist, answers questions.
 
Sarah Brown explains what a legal background brings to her role as an HR director.
 
Analysis of a new phenomenon whereby multiple applications for a job are made by one person under various identities in the hope of encountering discrimination which may result in a generous pay-out.
 
..................................................

When Vetting Goes Wrong
Some current examples of employee fraud
 
- This month a 47-year-old NHS manager was found guilty of stealing a total of £585,000 from the hospital where she worked over a period of four years.
 
- Cable & Wireless has sued several former employees for £40.5 million, alleging a conspiracy to carry out 'major' fraud in its internal insurance business.
 
..................................................
 
Classic CV fraudsters
 
- Godwin Onubogu was jailed for charges including indecent assault, wounding, obtaining by deception, supplying prescriptions and perverting the course of justice. Claiming on his CV that he was a doctor, he wrecked relationships with unfounded diagnoses of venereal disease, offering services to people facing court appearances at a considerable fee. In fact, he was a lab technician.
 
- Nick Leeson failed to disclose county court judgements in his application to Barings Bank, an omission which, if noticed, might have prevented his employment there.
 
..................................................
 
Did you know...?
A study of more than 3,000 CVs submitted by candidates during 2004 showed that 25% of CVs in the financial sector contained misleading or incorrect statements, with an average of three such statements in each falsified CV.

Identity and Identification: suggestions for effective authentication
by Ana Isabel D. Canhoto

 

Earlier this year, the BBC reported that a quarter of UK adults have been affected by ID fraud, one of the UK's fastest-growing crimes[1]. Calls have emerged from all corners of society for stronger measures to fight this form of crime.

 

While those whose identities have been abused are not normally liable for losses, the emotional and financial costs of clarifying the situation can be enormous. Nor are the financial losses insignificant for those who unknowingly trust the fraudster. The government puts the cost of this crime at a staggering £1.3bn a year, corporate scandals abound and the issue has attracted a great deal of media attention.

 

Naturally, organizations are concerned with avoiding financial losses caused by the fraudsters, heavy fines from the regulators and damage to reputation should a fraud or vulnerability become known.

 

Firms have been taking very clear, visible (and often expensive) steps to increase the reliability of their identity verification systems. But when faced with a battery of technological solutions and 'expert advice', how should the organization go about setting priorities for its security strategy? This article suggests that such firms should emphasize identification, not identity, and offers some directions for improving the reliability of authentication procedures.

 

Identity? Identification?

 

The terms 'identity' and 'identification' are sometimes used interchangeably. Yet these two terms refer to different concepts, and the difference must be preserved and understood.

 

The document 'Inventory of topics and clusters', produced by the FIDIS network of excellence[2], for instance, states that the term 'identity' refers to a set of attributes that define a person, whereas the term 'identification' refers to the representation of such attributes. For our purposes, it is important to analyse the components of these two terms in order to shed light on the key components of a reliable authentication procedure.

 

A person may be defined by a variety of attributes, some permanent such as one's DNA and some temporary, such as one's employment status. Additionally, the attributes used to identify someone in a given context, say someone's legal identity, may be utterly irrelevant in another context, such as someone's biological identity. That is, identity is context-dependent and there are many possible sources of identity information.

 

It is also important to distinguish between the public and the private aspects of someone's identity. A distinction is sometimes made between the 'I' - the perspective accessible only by the individual self - and the 'Me' - referring to the social attributes. Additionally, the 'Me' can be further divided into an implicit and an explicit component, the former referring to how a person perceives herself and the latter referring to how this same person is perceived and represented by others[3]. That is, identity is composed of a living person (the 'I') and her relation to the external environment (the 'explicit me'), the two being modulated by the (un)conscious perceptions a person has of herself (the 'implicit me').

 

The term 'identification'[4], in turn, refers to the representation of a person's identity. And because identity is context-dependent and has a public and a private layer, it emerges that the representation of a person's identity, i.e., her identification, is bound to be limited to:

  • the 'explicit me',
  • a given set of attributes,
  • a given context.

 

How is identification done? The process of representing someone's identity is done by using artefacts, in an explicit or implicit way. In the explicit identification case, the person being identified is aware of the attempt to represent her and may even participate in the representation, though not always voluntarily. In the implicit identification case, the representation is done without the person being aware. See figure for examples.


 

| Type of identification       | Example of identification artefacts                            |
|------------------------------|----------------------------------------------------------------|
| Explicit but non participant | Someone's criminal records being checked prior to a job offer  |
| Explicit and participant     | Typing password in order to access a building                  |
| Implicit                     | Social cues profiling according to specific prejudices         |



Implicit identification relies on assumptions about the relationship between the observable attributes - e.g., financial transactions - and particular characteristics of the identity - e.g., financial crime. Therefore, there is an increased risk of the identification suffering from cultural or personal biases.

 

Again, the relevance or utility of particular artefacts depends on the context of the representation. Someone's financial transactions are irrelevant for the purpose of establishing the biological identity of a person, but may be critical in establishing that same person's criminal identity.

 

Finally, it is important to note that the identification can be done through a third party whom the person seeking the identification trusts, as is the case with a certification authority.

 

Identification plays a crucial role in social life, because it mediates access - to a building, to a social benefit, to privileged information - and it permits the monitoring of access to and use of resources. As a result, failures in identification carry risks for the person being identified, as well as the person or entity that seeks the identification.

 

In order to protect one's assets, it is essential to minimize the likelihood of being misled by deliberate misidentification. This involves an assessment of the quality of the identification processes in place, regardless of how and by whom the identification is done. Such assessment aims to clarify whether:

  • The identification artefacts relate to the relevant identity attributes
  • The identification artefacts accurately represent who the person is or what the person has[5]

 

We now turn our attention to the second objective, which is achieved through authentication procedures. Authentication is the process of certifying that the identification artefacts correctly represent the identity of the person. It is important to note that authentication applies to the representation of the identity, not the identity itself. And given that this representation - the identification - is done through artefacts, it follows that the quality of the authentication is directly influenced by the quality of the artefacts. In particular, it depends on which artefacts and attributes the organization uses to represent the identity of, for instance, a potential employee.

 

Reliable authentication must possess the following characteristics:

- Refer to attributes that are relevant for the context - e.g., psychometric tests may be a better predictor of a person's ability to cope under pressure than, for instance, that person's self-assessment

- Acknowledge that the attributes will not represent the whole of the person's identity - the identification will only represent a subset of the person's explicit 'me'

- Rely on explicit attributes - implicit identification processes are charged with social and technical biases

- Use artefacts that are difficult to falsify - e.g., someone's professional skills are more reliably assessed by a test or that person's known past professional successes (if in a relevant area) than by an entry in the person's CV.

 

The choice between specific artefacts or attributes will, naturally, be determined by an assessment of the relative costs of each solution and the benefit derived from the protection that solution grants against identification fraud. The solution requires from those involved a careful assessment of the strengths and weaknesses of existing identification procedures, keeping in mind that the key to the problem lies in the identification, not in the identity.



[3] For a more elaborate distinction between the terms please refer to the report 'Identity management systems: identification and comparison study' available at http://www.datenschutzzentrum.de/idmanage/study/ICPP_SNG_IMS-Study.pdf

[4] Still according to the FIDIS deliverable 'Inventory of topics and clusters'
[5] E.g., a particular skill or an authority


 






Tower Bridge Business Centre 46-48 East Smithfield London E1W 1AW
tel: 0870 710 3000 / 0207 709 2058 email: info@powerchex.co.uk