Shostack + Friends Blog Archive


An Odd IDology

So over at the “ID Space,” jdancu (who I assume is John) writes some responses to questions I posted to Kim Cameron’s blog. The article is “Knowledge Verification In Practice…” Kim also has a response, “Law of Minimal Disclosure or Norlin’s Maxim?

Since this is part of a continuing conversation, let me summarize by stating that I don’t think any of my questions have been clearly answered, and I think John’s use of language is substantially divorced from mine, and, I think, from general usage.

I’ll start with consent. I wrote: “[These systems] are non-consensual for the consumer. Companies such as IDology make deals with other companies, such as my bank, and then I’m forced to use the system.”

First, because we (the consumers) have voluntarily submitted our information with the intention of entering into a business transaction, we have given our consent for the business to verify the information we’ve presented.

That’s an odd definition of consent. I’ve submitted information which I hope will be used to fulfill a transaction. I have not consented* to transferring that data to a third party for ‘verification’ or analysis. I’ve consented to the reasonable and predictable uses of that data, which don’t, in my professional and personal opinions, include grubbing through other databases. What if I don’t consent to having the data verified?

Let me tell you, having just moved, my data doesn’t “verify.” The databases are wrong, out of date, and confused. I am forced to feed them a pack of lies in order to get anything done.

More after the break.

Which leads me to my next point, which is that’s an odd definition of “verify.”

It is built on the idea that the databases that this company queries are more correct than I am. Which is odd, because when you look at the data, like Bob Sullivan does in “Fraud Alert System broken, study says:”

In 2004, the Public Research Interest Group found 54 percent of credit reports had some errors. In 2003, the Federal Reserve released a study which indicated that 70 percent of reports had some error.

That’s verification? Worse, the databases are secret. At least they seem secret today, insofar as I can’t find a list, and despite my baiting, John doesn’t tell us. So if I fail to match the data in a set of databases out there, then what do I do? I don’t even get to find out which questions the system thinks I got wrong.

“Once the system processes the results (which is all real-time processing), it simply shares how many questions were answered right or wrong so that the business can determine how to handle the transaction further. The answers are not given within the transaction processing (protecting the consumer and the business from employees misusing data)”

Which is an odd definition of “wrong.” Do I have rights of access and correction? How can those work if I don’t know what questions some database thinks I got “wrong?”

So what happens if KBA is unable to verify you? A business would handle the exception transaction as they do now – probably asking for us to contact their call center, which may or may not be something I’m willing to do as a consumer.

Great, so after I go through the process and fail, we’re back to what? Talking some customer rep into believing that I’m me. How are they going to do that? SSN, Date of birth, etc.

So it seems to me that questions of the meaning of consent, verification, fair information practices, and security are all up in the air.

* Finally, for clarity, I explicitly deny all these systems the right to infer consent from my purchase attempts or activity. My consent is conditional on all parties compliance with EU or Canadian data protection law, which include, but are not limited to, the aforementioned rights of notification, access, and correction.