<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Is this where we&#8217;re going?</title>
	<atom:link href="http://eternallyoptimistic.com/2006/05/28/badonlineidentityexample/feed/" rel="self" type="application/rss+xml" />
	<link>http://eternallyoptimistic.com/2006/05/28/badonlineidentityexample/</link>
	<description></description>
	<lastBuildDate>Wed, 21 Apr 2010 14:34:25 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Concerned</title>
		<link>http://eternallyoptimistic.com/2006/05/28/badonlineidentityexample/comment-page-1/#comment-62</link>
		<dc:creator>Concerned</dc:creator>
		<pubDate>Wed, 10 Oct 2007 23:11:40 +0000</pubDate>
		<guid isPermaLink="false">https://eternaloptimist.wordpress.com/2006/05/28/badonlineidentityexample/#comment-62</guid>
		<description>Don, from someone that knows the system I advise that you contact Equifax to receive a free copy of your credit file, that way you will have ALL the information the company holds on you. You will realise how this is not as far reaching as you suggest.

You might also want to review the credit reporting act, PIPEDA and PIPA to make sure you understand how your information is protected by law.

The purpose of online authentication and credit reporting is to benefit the consumer...Canada Post would not be able to offer such an online service which allows you to undertake a transaction for which you would normally have to travel to the store to complete. It is unlikely we would have the interest rates on Mortgages and credit cards that we do without credit reporting.

While I understand the concerns about the use of your personal information I would suggest taking issue with the legislators if you do not like how the information is being used rather than with corporations providing services that ultimately benefit consumers.</description>
		<content:encoded><![CDATA[<p>Don, from someone that knows the system I advise that you contact Equifax to receive a free copy of your credit file, that way you will have ALL the information the company holds on you. You will realise how this is not as far reaching as you suggest.</p>
<p>You might also want to review the credit reporting act, PIPEDA and PIPA to make sure you understand how your information is protected by law.</p>
<p>The purpose of online authentication and credit reporting is to benefit the consumer&#8230;Canada Post would not be able to offer such an online service which allows you to undertake a transaction for which you would normally have to travel to the store to complete. It is unlikely we would have the interest rates on Mortgages and credit cards that we do without credit reporting.</p>
<p>While I understand the concerns about the use of your personal information I would suggest taking issue with the legislators if you do not like how the information is being used rather than with corporations providing services that ultimately benefit consumers.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Gerald Beuchelt</title>
		<link>http://eternallyoptimistic.com/2006/05/28/badonlineidentityexample/comment-page-1/#comment-61</link>
		<dc:creator>Gerald Beuchelt</dc:creator>
		<pubDate>Wed, 21 Jun 2006 17:40:55 +0000</pubDate>
		<guid isPermaLink="false">https://eternaloptimist.wordpress.com/2006/05/28/badonlineidentityexample/#comment-61</guid>
		<description>Pam - some of the issues that you see might be solvable through the XDI registries and i-names, by trusting identity brokers with your identity information.

Best,

Gerald

&lt;b&gt; Pam says:&lt;/b&gt; Hmm, that&#039;s an interesting idea - but I see several ways that your suggestion could be taken, some of which are probably out to lunch altogether :-) Are you suggesting that instead of supplying credit card &amp; such to Equifax to trigger the identity verification, users could supply an iName? Or are you thinking that iNames and/or registries could be used by companies like Equifax to create the listed choices of identity providers? I would love to hear more about this!</description>
		<content:encoded><![CDATA[<p>Pam &#8211; some of the issues that you see might be solvable through the XDI registries and i-names, by trusting identity brokers with your identity information.</p>
<p>Best,</p>
<p>Gerald</p>
<p><b> Pam says:</b> Hmm, that&#39;s an interesting idea &#8211; but I see several ways that your suggestion could be taken, some of which are probably out to lunch altogether :-) Are you suggesting that instead of supplying credit card &amp; such to Equifax to trigger the identity verification, users could supply an iName? Or are you thinking that iNames and/or registries could be used by companies like Equifax to create the listed choices of identity providers? I would love to hear more about this!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pamela</title>
		<link>http://eternallyoptimistic.com/2006/05/28/badonlineidentityexample/comment-page-1/#comment-60</link>
		<dc:creator>Pamela</dc:creator>
		<pubDate>Thu, 01 Jun 2006 04:53:21 +0000</pubDate>
		<guid isPermaLink="false">https://eternaloptimist.wordpress.com/2006/05/28/badonlineidentityexample/#comment-60</guid>
		<description>Don,

Anyone can provide my address, name, and credit card number. That data can be found in my trash can, phished, or in some cases googled. The data that was provided to Equifax in no way guarantees that the person sitting behind the computer is the person who lives at that address or who legitimately owns that credit card.

The goal of the Equifax service is theoretically to challenge the online user with information that the owner of the credit card and *only* the owner of the credit card will know.

If the answer to that challenge is either discoverable or guessable, the veracity of the entire transaction is called into question.

That is really the most critical point about this service that needs to be made. That piece is not implementation detail -- it is the meat. The rest of the questions - transparency, proper notification, consumer reaction, etc - are secondary.

(btw, my exact prediction for what you were going to respond to this blog entry was &quot;suck it up Pam&quot;... I feel that my prediction was dead on :) )

What *would* I do in Canada Post&#039;s place? That is a very good question. This idea of one-shot identity verification is very different from the work I do for most of my clients - I mostly deal in cases where the identity is provisioned by the Enterprise, or else self-registered. In either case, there is a more stateful relationship in place between the user and the website, which makes things a lot easier.

Trying to solve Canada Post&#039;s identity verification problems here is serious flame territory. If the answer were so easy that I could give one without knowing anything about what kind of parameters the designers were operating under - cost, minimum security requirements, consequences of failure - then there would hardly be a market for my high-falutin&#039; services :) But as a partial attempt to answer, were I tasked to investigate this right now, I think I would start by investigating what kind of choices would aid in the identification and successful prosecution of abusers of the system -- perhaps something like IVR? Study of what the root domain folks do would be not a bad choice too.

I hope that is a reasonable response to you.

Cheers,

Pam</description>
		<content:encoded><![CDATA[<p>Don,</p>
<p>Anyone can provide my address, name, and credit card number. That data can be found in my trash can, phished, or in some cases googled. The data that was provided to Equifax in no way guarantees that the person sitting behind the computer is the person who lives at that address or who legitimately owns that credit card.</p>
<p>The goal of the Equifax service is theoretically to challenge the online user with information that the owner of the credit card and *only* the owner of the credit card will know.</p>
<p>If the answer to that challenge is either discoverable or guessable, the veracity of the entire transaction is called into question.</p>
<p>That is really the most critical point about this service that needs to be made. That piece is not implementation detail &#8212; it is the meat. The rest of the questions &#8211; transparency, proper notification, consumer reaction, etc &#8211; are secondary.</p>
<p>(btw, my exact prediction for what you were going to respond to this blog entry was &quot;suck it up Pam&quot;&#8230; I feel that my prediction was dead on :) )</p>
<p>What *would* I do in Canada Post&#39;s place? That is a very good question. This idea of one-shot identity verification is very different from the work I do for most of my clients &#8211; I mostly deal in cases where the identity is provisioned by the Enterprise, or else self-registered. In either case, there is a more stateful relationship in place between the user and the website, which makes things a lot easier.</p>
<p>Trying to solve Canada Post&#39;s identity verification problems here is serious flame territory. If the answer were so easy that I could give one without knowing anything about what kind of parameters the designers were operating under &#8211; cost, minimum security requirements, consequences of failure &#8211; then there would hardly be a market for my high-falutin&#39; services :) But as a partial attempt to answer, were I tasked to investigate this right now, I think I would start by investigating what kind of choices would aid in the identification and successful prosecution of abusers of the system &#8212; perhaps something like IVR? Study of what the root domain folks do would be not a bad choice too.</p>
<p>I hope that is a reasonable response to you.</p>
<p>Cheers,</p>
<p>Pam</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Don (Disgrunteled Postal Worker) Molaro</title>
		<link>http://eternallyoptimistic.com/2006/05/28/badonlineidentityexample/comment-page-1/#comment-59</link>
		<dc:creator>Don (Disgrunteled Postal Worker) Molaro</dc:creator>
		<pubDate>Tue, 30 May 2006 21:51:45 +0000</pubDate>
		<guid isPermaLink="false">https://eternaloptimist.wordpress.com/2006/05/28/badonlineidentityexample/#comment-59</guid>
		<description>Never assume malice when ignorance will do.
If ignorance does not explain it - assume stupidity.
If stupidity or ignorance does not explain it assume malice.

I think we are still well within the class of ignorance and stupidity on this issue and not at malice - yet.

First of all let’s assume that Canada Post is a benevolent monopoly. It looks to me that Canada Post went to a reasonable amount of trouble in explaining to the consumer that they were going to pass on the data to Equifax and have them ask you some questions to confirm their identity. You did have to accept prima-facie that they were not going to pull your credit report and do something with it - I went through the first couple of steps of the process and you could hardly call the information message they give as “fine print”. Unfortunately, I do not believe you can complain that they were going to do something without your knowledge. The fact that the questions are lame and could at worst be guessed at is a separate issue – implementation details. I’m more of a big picture kind of guy. After a look around at the potential Equifax “products” that Canada Post would be using it looks like they are most likely using a version of the “eIDverifier” service.

“How it Works: eIDverifier works in three easy steps:
1. The user completes and submits an on-line application form. eIDverifier confirms key data fields against the content of multiple databases.
2. The Equifax authentication engine displays a multiple-choice questionnaire based on information specific to the consumer. The user then completes and submits this multiple-choice questionnaire on-line.
3. Based on the results of the questionnaire and the application information, Equifax assesses the likelihood that the person is who he or she claims to be.”

So Equifax already has a pretty good idea of who they think you are, and they have some process to decide if you are who you claim to be, they already have this information and without you going after them they will use that information for the benefit of their clients which is not *you* but Canada Post in this instance. This is a case of a company – Equifax using data, which *they* already “*own*” – credit reports, to create a new product “identity verification” by merely adding some indexes to a database.

OH THE HORROR….

Your first objection is that you did not provide data to confirm your identity. But you did, you told them your name, (probably even your cute middle name), your old address, your new address and finally your credit card number. With the exception of the credit card number you assumed that Canada Post would use this for the obvious address changing reasons but aha! That data is dual use – if one had access to your credit history they could find all of your car loans, mortgages, and missed credit card payments. Given that you had to tell Canada Post this information to change your address how could you get around the problem?

Your second objection is that someone else knows a lot about you? Equifax knows when you’ve been sleeping and they know when you’re awake – you better get used to it. If someone uses that information without your knowledge or permission then back in my day it was called fraud, the newfangled term is Identity Theft, no?

Your third point I think misses the core of your horrified response, I think you were horrified about the fact that your identity, not just the data, does not belong to you – in this case it *belongs* to Equifax. Your suggestion that Canada Post goes off and develops a geographical identity management solution seems a little fanciful when there is an, admittedly lame, solution at hand?

I like Kool-Aid, and so do most big corporations. To my knowledge there are no “transparency” requirements that anyone must follow in Canada (or anywhere else) - this is only because I am completely ignorant of the law in this matter. If I wanted to find out about this I would ask someone like you what the requirements are for the “safe handling” of public but sensitive data? Are there any?

WWTHEOD?

From what I know of InfoCard (from you), it would solve this problem nicely, but no one uses it yet. So my question for you is “what would the eternal optimist do?” You’re a high priced identity management consultant – convince the customer to do it the right way. Given the parameters of the problem here – let someone change their address over the interweb thingy – sketch out a practical, but based upon currently available systems and technology, solution that does not freak you out….

What about those of us that have been nude, speeding, dangerous, and drunk all at the same time, can you pick more than one?

Congratulations on the new place.

Don.</description>
		<content:encoded><![CDATA[<p>Never assume malice when ignorance will do.<br />
If ignorance does not explain it &#8211; assume stupidity.<br />
If stupidity or ignorance does not explain it assume malice.</p>
<p>I think we are still well within the class of ignorance and stupidity on this issue and not at malice &#8211; yet.</p>
<p>First of all let’s assume that Canada Post is a benevolent monopoly. It looks to me that Canada Post went to a reasonable amount of trouble in explaining to the consumer that they were going to pass on the data to Equifax and have them ask you some questions to confirm their identity. You did have to accept prima-facie that they were not going to pull your credit report and do something with it &#8211; I went through the first couple of steps of the process and you could hardly call the information message they give as “fine print”. Unfortunately, I do not believe you can complain that they were going to do something without your knowledge. The fact that the questions are lame and could at worst be guessed at is a separate issue – implementation details. I’m more of a big picture kind of guy. After a look around at the potential Equifax “products” that Canada Post would be using it looks like they are most likely using a version of the “eIDverifier” service.</p>
<p>“How it Works: eIDverifier works in three easy steps:<br />
1. The user completes and submits an on-line application form. eIDverifier confirms key data fields against the content of multiple databases.<br />
2. The Equifax authentication engine displays a multiple-choice questionnaire based on information specific to the consumer. The user then completes and submits this multiple-choice questionnaire on-line.<br />
3. Based on the results of the questionnaire and the application information, Equifax assesses the likelihood that the person is who he or she claims to be.”</p>
<p>So Equifax already has a pretty good idea of who they think you are, and they have some process to decide if you are who you claim to be, they already have this information and without you going after them they will use that information for the benefit of their clients which is not *you* but Canada Post in this instance. This is a case of a company – Equifax using data, which *they* already “*own*” – credit reports, to create a new product “identity verification” by merely adding some indexes to a database.</p>
<p>OH THE HORROR….</p>
<p>Your first objection is that you did not provide data to confirm your identity. But you did, you told them your name, (probably even your cute middle name), your old address, your new address and finally your credit card number. With the exception of the credit card number you assumed that Canada Post would use this for the obvious address changing reasons but aha! That data is dual use – if one had access to your credit history they could find all of your car loans, mortgages, and missed credit card payments. Given that you had to tell Canada Post this information to change your address how could you get around the problem?</p>
<p>Your second objection is that someone else knows a lot about you? Equifax knows when you’ve been sleeping and they know when you’re awake – you better get used to it. If someone uses that information without your knowledge or permission then back in my day it was called fraud, the newfangled term is Identity Theft, no?</p>
<p>Your third point I think misses the core of your horrified response, I think you were horrified about the fact that your identity, not just the data, does not belong to you – in this case it *belongs* to Equifax. Your suggestion that Canada Post goes off and develops a geographical identity management solution seems a little fanciful when there is an, admittedly lame, solution at hand?</p>
<p>I like Kool-Aid, and so do most big corporations. To my knowledge there are no “transparency” requirements that anyone must follow in Canada (or anywhere else) &#8211; this is only because I am completely ignorant of the law in this matter. If I wanted to find out about this I would ask someone like you what the requirements are for the “safe handling” of public but sensitive data? Are there any?</p>
<p>WWTHEOD?</p>
<p>From what I know of InfoCard (from you), it would solve this problem nicely, but no one uses it yet. So my question for you is “what would the eternal optimist do?” You’re a high priced identity management consultant – convince the customer to do it the right way. Given the parameters of the problem here – let someone change their address over the interweb thingy – sketch out a practical, but based upon currently available systems and technology, solution that does not freak you out….</p>
<p>What about those of us that have been nude, speeding, dangerous, and drunk all at the same time, can you pick more than one?</p>
<p>Congratulations on the new place.</p>
<p>Don.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
