Many identity theft incidents still occur through offline methods such as dumpster diving, robbery and deception. This is a complex problem that is best addressed collaboratively by law enforcement, government, educational and financial institutions, civic organizations, businesses and the technology industry. It also requires heightened consumer awareness, responsible business practices, effective law enforcement and appropriate legislation, along with support from leading edge technology products.

Many identity theft incidents still occur through offline methods such as dumpster diving, robbery and deception. This is a complex problem that is best addressed collaboratively by law enforcement, government, educational and financial institutions, civic organizations, businesses and the technology industry. It also requires heightened consumer awareness, responsible business practices, effective law enforcement and appropriate legislation, along with support from leading edge technology products.

The large databases of personal information maintained by merchants, financial institutions and information brokers are a tempting target for identity thieves. Data leaks can occur in a number of ways, including lost or stolen computers, access to data under false pretenses by a rogue client, a security breach from outside or an insiders job.

Protecting Personal Information

It is important to educate consumers and help them make informed judgments about disclosing private information, to promote responsible data governance practices among organizations and to punish those who commit identity theft crimes. But an even better approach to enhancing security and privacy is to reduce reliance on shared secrets such as usernames, passwords and government ID numbers to establish the right to do something online. In addition, to being relatively easy to steal, these can be difficult to remember, update and manage. We need to employ new identity practices online that are just as reliable but better protect against fraud and abuse, ones that leverage technology to give end users more direct control over their digital identities. Instead of requiring users to produce personal information to establish their identity, we should think of personal information as too valuable to be shared directly.

We need to analyze this problem in depth, at both a policy level and a technical level. Also, we should enable a system whereby users or electronic systems can present not PII itself, but digital identities containing only the minimum claims necessary to enable interactions and trust establishment online. This type of system defines new identity practices for the web.
Tackling Insider Job
Establishing a framework for issuing and using more trustworthy digital identities on the web also requires protections against inside job identity theft, whereby a person working inside a government or a bank, creates identities in the first place, gains access to someones information associated with the Information Card or creates fraudulent Information Cards. Microsoft is working to tackle insider threats through a technology called U-Prove. U-Prove employs cryptography to safeguard the data needed for a transaction while preventing systems from being able to pull together information about users from various sources. Such linking of information across sources is a significant risk to privacy because the more pieces of data a criminal has about an individual, the more easily the criminal can take control of that persons identity. The use of U-Prove can help reduce a criminals ability to steal identities by accruing various pieces of information over time. It is possible to make the internet safer for consumers and families, and therefore, make reliable for individuals, businesses and governments.

(The author is chief security officer, Microsoft)