Business Tech: Identity

Recently, Syd and I were victims of Identity Theft. In the process of straightening it out — we are still in the process of straightening it out — we've had time to think about how people use and misuse identity.

Who Are You

The primary identifier we all have in common is a name. Names are required for birth certificates, driver's licenses, all sorts of documentation. From a tech standpoint, this is a really bad design. I'm sure you've all noticed the lack of uniqueness in names.

In the US, the Social Security Administration tracks baby names. According to the SSA, in 2013, these were the most popular baby names: Noah, Sophia, Liam, Emma, Jacob, and Olivia. You can do your own research on other years here: http://www.ssa.gov/oact/babynames/. What does this mean? It means that if you have a common last name, the odds are that your darling little Liam is going to have a non-unique name.

I'm lucky: in the United States, I have only found one other Charles Barouch. He died in Baltimore, Maryland, in 1928. My father, on the other hand, wasn't even the only person in his family with the same name. His first cousin, whom he ended up in business with, had the same first and last. Neither had a middle name.

Despite this, we issue credit cards, security clearance cards, passports… all manner of ID which fully or partially rely on name. As data professionals, what is our obligation toward this type of imprecise information? If our employers have timesheets, non-corporate customers, or mailing lists — just a few examples — we have this sort of data to manage.

Bank On It

Since we had a bank account compromised, let's talk about account security. Typically, a bank handles ID in two key ways: internally we become numbers and externally... we'll get to that in a minute. The bank doesn't see me by name, it sees me as one or more account numbers. So long as I never interact with the money, this is a perfect arrangement.

Once I want to deposit, withdraw, or check balances, they have to get back to names. The bank can manage my identity in a few ways. First, they have an address for me — either physical or e-mail — and they feel free to send confidential information to that address without any other controls. I might be the five thousandth "Mike J. Smith" doing business with them, but I'm the only "mikey@KeyAlly.com" on record. E-mail addresses are unique, right?

That works for one-way data. They can't trust the return address on an envelope as proof of identity. They can't trust e-mail completely either. So, when we want to interact, we usually have two options. One is ID card (bank card) and password (PIN). The other is challenge-response.

This is where public information can be dangerous. What's your first school? I might be able to look that up. What's your favorite color? That might be more secure, although there are only a few common answers.

Pro tip: Lie! I never give a real pet's name or a real mother's maiden name. The problem with lying is that you have to remember which answers you gave to which institutions. That's the other pro tip: don't use the same lies with everyone. Otherwise, one compromise can lead to another.

You are Perfectly You

Are these challenge-response methods perfect? I have personal proof they aren't. Are the ID/password methods perfect? No. What's that leave? Biometrics? Sadly, that's only a little better. Here's the gigantic hole in biometrics: once you scan that eyeball, or fingerprint, or face, once you take that blood sample or skin flake, it becomes data. Quick show of hands: raise your hand if you know how to change data in a computer system. While our bodies are unique, even in twins, triplets, etc., once the data becomes data, it becomes suspect.

What does that leave us? Best efforts.

A Different Angle

Let's take Identity from a different angle, something simpler: deduping. How do we make sure that we capture each unique person exactly once? I tell "Mike J. Smith" from "Mike J. Smith" by looking at their e-mail addresses, for example. Oh, wait. I can't. mikey@KeyAlly.com might also use mikey@intl-spectrum.com for work. Mismatched addresses do not necessarily assure me that I have two different people.

Then we have variant names: Is Peggy Ng also Margaret Chen? They share an e-mail address and Peggy is short for Margaret, but perhaps Peggy is Margaret's daughter? Score card so far: E-mail, no good. Physical address, no good for the same reasons e-mail is suspect. Real name, not even close. Between nicknames, married names, other legal name changes, duplicate names... It's a mess.
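
The deduping problem above, as an added example (not part of the original column): it counts "people" by e-mail alone and by name alone, then lists the pairs that share a weak signal so they can go to manual review instead of being merged automatically. The record ids, field names, example.com addresses and the tiny nickname table are constructed assumptions.

```python
import re
from itertools import combinations

# Constructed records; the names and two addresses reuse the article's examples.
RECORDS = [
    {"id": 1, "name": "Mike J. Smith", "email": "mikey@KeyAlly.com"},
    {"id": 2, "name": "Mike J. Smith", "email": "mikey@intl-spectrum.com"},
    {"id": 3, "name": "Mike J. Smith", "email": "mjs@example.com"},
    {"id": 4, "name": "Peggy Ng", "email": "family@example.com"},
    {"id": 5, "name": "Margaret Chen", "email": "family@example.com"},
]
# Assumed, deliberately tiny nickname table; a real one is much larger.
NICKNAMES = {"peggy": "margaret", "mike": "michael", "mikey": "michael"}

def norm_email(addr):
    return addr.strip().lower()

def name_parts(name):
    """Return (canonical given name, surname), ignoring middle initials."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return NICKNAMES.get(tokens[0], tokens[0]), tokens[-1]

def signals(a, b):
    """Weak signals two records share; none of them proves identity."""
    found = set()
    if norm_email(a["email"]) == norm_email(b["email"]):
        found.add("email")
    (ga, sa), (gb, sb) = name_parts(a["name"]), name_parts(b["name"])
    if ga == gb:
        found.add("given_name")
    if sa == sb:
        found.add("surname")
    return found

def naive_count(records, key):
    """Number of 'people' a single-key dedup would report."""
    return len({key(r) for r in records})

def review_queue(records):
    """Pairs sharing an e-mail or a full name go to a human, never auto-merge."""
    queue = []
    for a, b in combinations(records, 2):
        s = signals(a, b)
        if "email" in s or {"given_name", "surname"} <= s:
            queue.append((a["id"], b["id"], sorted(s)))
    return queue

if __name__ == "__main__":
    print("by e-mail:", naive_count(RECORDS, lambda r: norm_email(r["email"])))
    print("by name:  ", naive_count(RECORDS, lambda r: name_parts(r["name"])))
    for pair in review_queue(RECORDS):
        print("review:", pair)
```

The two single-key counts disagree with each other, and neither can be shown to be right from this data alone, which is the article's point.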

CHARLES BAROUCH

Charles Barouch is the CTO of HDWP, Inc. He is also a regular contributor to International Spectrum Magazine, a former Associate Editor for both Database Trends and for Gateways Magazine, a former distance learning Instructor for CALC. He is presently the Past President of the U2UG. Mr. Barouch has presented technology and business topics in front of hundreds of companies, in a wide range of product and service categories. He is available for on-site speaking and consulting engagements in and out of the United States.


Featured:

Jul/Aug 2014
