The other day, I applied to have the post office temporarily redirect my mail. I've moved, and I want to make sure that even if I forget to update my address somewhere, my mail will still arrive at my new house.
Canada Post charges $33 to perform this service for me, and it is possible to procure this service online. The seven-step process was very straightforward – until I hit the last step. Step 6 was for me to enter my credit card information. Step 7 was this screen:
My credit history was being displayed to me over the internet, looked up in real time and parroted back to me as a multiple-choice exam question.
I was horrified. Absolutely horrified.
I believe that this incarnation of identity authentication is very, very wrong, and I'm going to do my best to define and discuss what significance I think this particular kind of transaction has.
You are using my credit card # for WHAT?!?
It turns out that I didn't read the fine print. Here are the details on what Canada Post is doing; it is an interesting read. Canada Post did try to tell me on this page that by entering into the transaction, I was agreeing to have Canada Post pass my credit information to Equifax for the purposes of verifying my identity. It also says that Canada Post isn't privy to any of the credit file information.
Use of Identity Information not of my Choosing
The first and most obvious problem with using information that I myself did not supply in order to prove who I am is that I may not know or remember the answer. Imagine anyone with a complicated financial portfolio trying to answer these questions.
The second problem with using information that I did not supply is that somebody else discovered that information in order to present it to me. If that entity can discover the information, it only seems logical that other entities could too. In this case, it seems to me that anyone who gets hold of my credit file can answer my identity authentication questions. Sadly, I'm pretty sure that such a thing is not that difficult.
In this particular case, I'd have to say that there is a third problem – the answer to the particular question I was asked is pretty obvious, to Canadians at least, and probably to anyone with access to Google. Given that this website is run by CANADA POST, it can't be hard to use a process of elimination based on geography.
The Juicier the Secret the Better the Identification
Think about how this kind of identity verification would scale. I'm sure Equifax would just love it if everyone were using their service – but the more clients you offer the service to, the more questions you would need. And the only data that works is "secret" data. How will they find that data, and what is the incentive to respect anything about your privacy?
Take that thought to the extreme, and then imagine these questions the next time you try to do something online:
In early 2004, you were diagnosed with a condition. Was it:
c) Genital Warts
d) Athlete's foot
Or how about this one:
At the age of 17, you were arrested for a crime. Was it:
a) Driving under the Influence
b) Dangerous Driving
d) Public Nudity
It Doesn't Have to be Illegal to Piss People Off
My mother has always said to me that our family financial affairs are not to be discussed. To her, it is just plain bad manners to discuss such things, even if they are publicly discoverable. That is how I feel about having my credit history thrown in my face. Can Canada Post legally do it? Apparently. Can they do it without making me feel like they have put their noses into my business? No, they cannot. It is entirely subjective; perhaps other people have no problem answering these kinds of questions, but aside from any logical or technical opinion I have about this kind of identity authentication — that question creeped me out. As vague and pointless and stupid as that question was, it still referenced information that I consider to be mine. Yes, I know, logically I understand that this isn't my data to control, but to have the public nature of my private affairs rubbed in my nose was unpleasant; it ticked me off, and in general it has resulted in a poor consumer experience. If even a small percentage of people feel that it's creepy to have the Post Office breach the sacrosanct nature of their personal finances, even if that sanctity is an illusion, there are going to be complaints.
Where's the Transparency?
If we really drink the Kool-Aid, if we really believe that federation of data can be done securely and safely, we have to convince the entities passing the data that it matters to us what methods they use to sling our personal identity data back and forth. Canada Post sent my personal information, including my credit card number and (had I been dumb enough to provide it) my social insurance number, to a third party. How did they send it? What are the policies surrounding the retention of that data? Why was I not given the ability to choose which Identity Provider vetted my identity, if it had to happen? How do I know how much data was sent to Equifax? It seems to me that this is a bloody gold mine for them; I imagine that they get the address update information before practically anybody else, and they are getting paid to make their own databases even more accurate…
So, as far as I'm concerned, Canada Post has decided to endorse an insecure identity verification mechanism that is more easily answered by the person who has stolen your credit file than by you. Who knows, if my one single experience is any measure, it might be possible for ANYONE to guess the answer. As an added bonus, they also manage to piss people off, or at least to piss ME off. And all of this to change a postal address!