The other day, I applied to have the post office temporarily redirect my mail. I've moved, and I want to make sure that even if I forget to update my address somewhere, my mail will still arrive at my new house.
Canada Post charges $33 to perform this service for me, and it is possible to procure this service online. The seven-step process was very straightforward – until I hit the last step. Step 6 was for me to enter my credit card information. Step 7 was this screen:
My credit history was being displayed to me over the internet, looked up in real time and parroted back to me as a multiple-choice exam question.
I was horrified. Absolutely horrified.
I believe that this incarnation of identity authentication is very very wrong, and I'm going to do my best to define and discuss what significance I think that this particular kind of transaction has.
You are using my credit card # for WHAT?!?
It turns out that I didn't read the fine print. Here are the details on what Canada Post is doing; it is an interesting read. Canada Post did try to tell me on this page that by entering into the transaction I was agreeing to have Canada Post pass my credit information to Equifax for the purposes of verifying my identity. It also says that Canada Post isn't privy to any of the credit file information.
Use of Identity Information not of my Choosing
The first and most obvious problem with using information that I myself did not supply in order to prove who I am is that I may not know or remember the answer. Imagine anyone with a complicated financial portfolio trying to answer these questions.
The second problem with using information that I did not supply is that somebody else discovered that information in order to present it to me. If that entity can discover the information, it only seems logical that other entities could too. In this case, it seems to me that anyone who gets hold of my credit file can answer my identity authentication questions. Sadly, I'm pretty sure that such a thing is not that difficult.
In this particular case, I'd have to say that there is a third problem – the answer to the particular question I was asked is pretty obvious, to Canadians at least, and probably to anyone with access to Google. Given that this website is run by CANADA POST, it can't be hard to use a process of elimination based on geography.
The Juicier the Secret the Better the Identification
Think about how this kind of identity verification would scale. I'm sure Equifax would just love it if everyone were using their service – but the more clients you offer the service to, the more questions you would need. And the only data that works is "secret" data. How will they find that data, and what is the incentive to respect anything about your privacy?
Take that thought to the extreme, and then imagine these questions next time you try to do something online:
In early 2004, you were diagnosed with a condition. Was it:
c) Genital Warts
d) Athlete's foot
Or how about this one:
At the age of 17, you were arrested for a crime. Was it:
a) Driving under the Influence
b) Dangerous Driving
d) Public Nudity
It Doesn't Have to be Illegal to Piss People Off
My mother has always said to me that our family financial affairs are not to be discussed. To her, it is just plain bad manners to discuss things, even if they are publicly discoverable. That is how I feel about having my credit history thrown in my face. Can Canada Post legally do it? Apparently. Can they do it without making me feel like they have put their noses into my business? No, they cannot. It is entirely subjective, perhaps other people have no problem answering these kinds of questions, but aside from any logical or technical opinion I have about this kind of identity authentication — that question creeped me out. As vague and pointless and stupid as that question was, it still referenced information that I consider to be mine. Yes, I know, logically I understand that this isn't my data to control, but to have the public nature of my private affairs rubbed in my nose was unpleasant, it ticked me off, and in general, it has resulted in a poor consumer experience. If even a small percentage of people feel that it's creepy to have the Post Office breach the sacrosanct nature of their personal finances, even if that sanctity is an illusion, there are going to be complaints.
Where's the Transparency?
If we really drink the Kool-Aid, if we really believe that federation of data can be done securely and safely, we have to convince the entities passing the data that it matters to us what methods they use to sling our personal identity data back and forth. Canada Post sent my personal information, including my credit card number and (had I been dumb enough to provide it) my social insurance number, to a third party. How did they send it? What are the policies surrounding the retention of that data? Why was I not given the ability to choose which Identity Provider vetted my identity, if it had to happen? How do I know how much data was sent to Equifax? Seems to me that this is a bloody gold mine for them: I imagine that they get the address update information before practically anybody else, and they are getting paid to make their own databases even more accurate…
So, as far as I'm concerned, Canada Post has decided to endorse an insecure identity verification mechanism that is more easily answered by the person who has stolen your credit file than by you. Who knows, if my one single experience is any measure, it might be possible for ANYONE to guess the answer. As an added bonus, they also manage to piss people off, or at least to piss ME off. And all of this to change a postal address!
Never assume malice when ignorance will do.
If ignorance does not explain it – assume stupidity.
If stupidity or ignorance does not explain it assume malice.
I think we are still well within the class of ignorance and stupidity on this issue and not at malice – yet.
First of all let's assume that Canada Post is a benevolent monopoly. It looks to me that Canada Post went to a reasonable amount of trouble in explaining to the consumer that they were going to pass on the data to Equifax and have them ask you some questions to confirm your identity. You did have to accept prima facie that they were not going to pull your credit report and do something with it – I went through the first couple of steps of the process and you could hardly call the information message they give "fine print". Unfortunately, I do not believe you can complain that they were going to do something without your knowledge. The fact that the questions are lame and could at worst be guessed at is a separate issue – implementation details; I'm more of a big-picture kind of guy. After a look around at the potential Equifax "products" that Canada Post would be using, it looks like they are most likely using a version of the "eIDverifier" service.
"How it Works: eIDverifier works in three easy steps:
1. The user completes and submits an on-line application form. eIDverifier confirms key data fields against the content of multiple databases.
2. The Equifax authentication engine displays a multiple-choice questionnaire based on information specific to the consumer. The user then completes and submits this multiple-choice questionnaire on-line.
3. Based on the results of the questionnaire and the application information, Equifax assesses the likelihood that the person is who he or she claims to be."
So Equifax already has a pretty good idea of who they think you are, and they have some process to decide if you are who you claim to be; they already have this information, and without you going after them they will use that information for the benefit of their clients, which is not *you* but Canada Post in this instance. This is a case of a company – Equifax – using data which *they* already "*own*" – credit reports – to create a new product, "identity verification", by merely adding some indexes to a database.
OH THE HORROR…
Your first objection is that you did not provide data to confirm your identity. But you did: you told them your name (probably even your cute middle name), your old address, your new address and finally your credit card number. With the exception of the credit card number you assumed that Canada Post would use this for the obvious address-changing reasons, but aha! That data is dual use – if one had access to your credit history they could find all of your car loans, mortgages, and missed credit card payments. Given that you had to tell Canada Post this information to change your address, how could you get around the problem?
Your second objection is that someone else knows a lot about you? Equifax knows when you've been sleeping and they know when you're awake – you better get used to it. If someone uses that information without your knowledge or permission then back in my day it was called fraud; the new-fangled term is Identity Theft, no?
Your third point I think misses the core of your horrified response. I think you were horrified about the fact that your identity, not just the data, does not belong to you – in this case it *belongs* to Equifax. Your suggestion that Canada Post go off and develop a geographical identity management solution seems a little fanciful when there is an, admittedly lame, solution at hand?
I like Kool-Aid, and so do most big corporations. To my knowledge there are no "transparency" requirements that anyone must follow in Canada (or anywhere else) – this is only because I am completely ignorant of the law in this matter. If I wanted to find out about this I would ask someone like you: what are the requirements for the "safe handling" of public but sensitive data? Are there any?
From what I know of InfoCard (from you), it would solve this problem nicely, but no one uses it yet. So my question for you is "what would the eternal optimist do?" You're a high-priced identity management consultant – convince the customer to do it the right way. Given the parameters of the problem here – let someone change their address over the interweb thingy – sketch out a practical solution, based upon currently available systems and technology, that does not freak you out…
What about those of us that have been nude, speeding, dangerous, and drunk all at the same time, can you pick more than one?
Congratulations on the new place.
Anyone can provide my address, name, and credit card number. That data can be found in my trash can, phished, or in some cases googled. The data that was provided to Equifax in no way guarantees that the person sitting behind the computer is the person who lives at that address or who legitimately owns that credit card.
The goal of the Equifax service is theoretically to challenge the online user with information that the owner of the credit card and *only* the owner of the credit card will know.
If the answer to that challenge is either discoverable or guessable, the veracity of the entire transaction is called into question.
That is really the most critical point about this service that needs to be made. That piece is not implementation detail — it is the meat. The rest of the questions – transparency, proper notification, consumer reaction, etc – are secondary.
(btw, my exact prediction for what you were going to respond to this blog entry was "suck it up Pam"… I feel that my prediction was dead on :) )
What *would* I do in Canada Post's place? That is a very good question. This idea of one-shot identity verification is very different from the work I do for most of my clients – I mostly deal in cases where the identity is provisioned by the Enterprise, or else self-registered. In either case, there is a more stateful relationship in place between the user and the website, which makes things a lot easier.
Trying to solve Canada Post's identity verification problems here is serious flame territory. If the answer were so easy that I could give one without knowing anything about what kind of parameters the designers were operating under – cost, minimum security requirements, consequences of failure – then there would hardly be a market for my high-falutin' services :) But as a partial attempt to answer, were I tasked to investigate this right now, I think I would start by investigating what kind of choices would aid in the identification and successful prosecution of abusers of the system — perhaps something like IVR? Study of what the root domain folks do would be not a bad choice too.
I hope that is a reasonable response to you.
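To put the "discoverable or guessable" point above in numbers, here is an added example (not code from the post, from Canada Post or from Equifax). It models a multiple-choice KBA quiz and compares three constructed attacker profiles: a random guesser, someone who can strike out options using public knowledge such as the geographic hint described in the post, and someone holding the stolen credit file the questions were generated from. The question count, number of choices, attempt limit and the "half the options can be eliminated" assumption are all constructed for illustration, not a description of eIDverifier.

```python
"""Guessability of multiple-choice knowledge-based authentication (KBA).

Added example; it is not code from the blog post, from Canada Post or from
Equifax. Question counts, answer counts and attacker models are constructed
assumptions used to make the "discoverable or guessable" point concrete.
"""
from fractions import Fraction
from math import comb


def per_question_success(choices, knows_file=False, eliminated=0):
    """Probability of answering one multiple-choice question correctly.

    choices:    answer options the verifier displays.
    knows_file: attacker holds the victim's credit file, so the answer is
                simply read off (the "stolen credit file" case).
    eliminated: options the attacker can strike out from public knowledge,
                e.g. a geography hint (constructed assumption).
    """
    if knows_file:
        return Fraction(1)
    remaining = max(choices - eliminated, 1)
    return Fraction(1, remaining)


def pass_probability(p, required, total):
    """Chance of getting at least `required` of `total` independent questions
    right when each is answered correctly with probability p (binomial tail)."""
    return sum(comb(total, k) * p ** k * (1 - p) ** (total - k)
               for k in range(required, total + 1))


def over_attempts(p_attempt, attempts):
    """Chance of passing at least once given `attempts` tries before lockout.
    attempts=1 models a verifier that locks after a single failed quiz."""
    return 1 - (1 - p_attempt) ** attempts


def attacker_models(choices=4, total=3, required=3, attempts=1):
    """Overall pass probability for three constructed attacker profiles."""
    profiles = {
        # knows nothing, guesses uniformly
        "random_guess": per_question_success(choices),
        # can strike half the options using public/geographic knowledge
        "geographic_elimination": per_question_success(
            choices, eliminated=choices // 2),
        # has the credit file the questions were generated from
        "stolen_credit_file": per_question_success(choices, knows_file=True),
    }
    return {name: over_attempts(pass_probability(p, required, total), attempts)
            for name, p in profiles.items()}


if __name__ == "__main__":
    for attempts in (1, 10):
        print(f"--- 3 questions, 4 choices each, "
              f"{attempts} attempt(s) before lockout ---")
        for name, prob in attacker_models(attempts=attempts).items():
            print(f"{name:24s} {float(prob):8.3%}")
```

With three four-choice questions and a single attempt, the random guesser passes about 1.6% of the time, the geographically informed guesser 12.5%, and the holder of the credit file always. Allowing ten attempts before lockout lifts the informed guesser to roughly 74%, which is the practical reason a KBA verifier needs an attempt limit as much as it needs non-public questions; against the credit-file thief no limit helps at all.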
Pam – some of the issues that you see might be solvable through the XDI registries and i-names, by trusting identity brokers with your identity information.
Pam says: Hmm, that's an interesting idea – but I see several ways that your suggestion could be taken, some of which are probably out to lunch altogether :-) Are you suggesting that instead of supplying credit card & such to Equifax to trigger the identity verification, users could supply an iName? Or are you thinking that iNames and/or registries could be used by companies like Equifax to create the listed choices of identity providers? I would love to hear more about this!
Don, from someone who knows the system, I advise that you contact Equifax to receive a free copy of your credit file; that way you will have ALL the information the company holds on you. You will realise how this is not as far-reaching as you suggest.
You might also want to review the credit reporting act, PIPEDA and PIPA to make sure you understand how your information is protected by law.
The purpose of online authentication and credit reporting is to benefit the consumer… Canada Post would not be able to offer such an online service, which allows you to undertake a transaction for which you would normally have to travel to the store to complete. It is unlikely we would have the interest rates on mortgages and credit cards that we do without credit reporting.
While I understand the concerns about the use of your personal information, I would suggest taking issue with the legislators if you do not like how the information is being used, rather than with corporations providing services that ultimately benefit consumers.