Identity in Cyberspace

I have a colleague – and this is not me myself – who has recently become the victim of several identity thefts in a row. The goal of the thefts was to severely damage his life and to step into his footsteps, assignments, and contracts in business. According to popular assumptions, the whole case is impossible: money or other direct benefits were not the goal of the thief. Real-world communities and activities were involved, but this did not protect the victim. There is also no evidence that any unusually careless behavior took place. Following the German poet Christian Morgenstern, we could conclude that there were no identity thefts:

And he comes to the conclusion:
"The experience was only a dream.
Because," he reasons razor-sharp,
"that which must not be cannot be."

Still, the impact of the identity thefts is very real. So why could it happen? The key problem was that out of very little evidence (coming from the thief owning a copy of the victim’s passport) a convincing chain of trust could emerge, because in the online world identity is usually not scrutinized. If a legal electronic identity (eID) – that is, an online equivalent to a passport in the physical world, whose data are guaranteed by a nation state – were mandatory for the transactions involved, the thief would have needed significantly more criminal energy and higher technical skills to pursue his goals. In addition, he would now face a significantly higher likelihood of a significantly higher punishment by the justice system. Therefore, it is fair to assume that enforcing the use of legal eIDs and other trust services for critical online transactions, and enforcing the validation of identities in critical organizational processes, would have saved my colleague from becoming a victim – and it would help in many similar identity theft scenarios, too.

Two types of problems

The case sketched above is one where things went wrong because in many settings people do not care about the evidence for another’s identity. The more the real and digital worlds become inseparably entangled, the more such cases we shall see. Conversely, many transactions do not take place on the Internet, and services are either not offered or hardly used when they are offered, precisely because people and lawmakers are aware of the risks. Both the misuse and the non-use significantly hinder the digital transformation of the economy and society.

Trust services are must-haves

Relying on insurance for payments is not enough to make the Internet a trustworthy place. If we want to establish a sustainable digital transformation, then we urgently need:

  1. Universally usable trust services providing capabilities for trustworthy authentication, time stamping, digital signing, and certification of properties – for individuals, organizations, and also for websites and machines
  2. Enforced use of these services in all contexts where an identity theft could realistically take place

The role of government

As with passports in the physical world, at least authentication and the certification of basic attributes should be provided by the government. Outsourcing this to private industry or NGOs raises the question of whether we need a state in the future at all. In this context, countries like Denmark and Austria have decided to re-nationalize their hitherto half-private legal eIDs.

Cross-border usability also requires government involvement. The EU has paved the way through its Large Scale Pilots from the STORK family and the eIDAS regulation, which is based on mutual recognition of notified national legal eIDs through an interoperability infrastructure.

Self-managed privacy

Trust services like those described above also contribute to the protection of privacy. On the one hand, trustworthy attributes reduce the amount of information needed for trust management. On the other hand, the ultimate goal of privacy protection is to give concerned citizens control over how others store data about them. Practically feasible and user-friendly solutions are much easier to design and implement when the concerned citizens own universally usable legal eIDs.