Devangshu Datta: Identity thefts: the way out

TECHNO BEAT

If you think about it, entertainment professionals were the first group to realise the utility of user-names; screen-names, which clearly identify actors, while being "detachable" from their off-stage personas.

The same considerations of privacy and convenience have led to the adoption of electronic user-names and handles. But this has proliferated to the point where it is insecure and places a burden on memory.

Banks, credit-card issuers, the income tax department, US Social Security, the Securities and Exchange Board of India (Sebi) assign random alphanumeric IDs to clients and citizens.

Everyone must memorise these long IDs and passwords and live with the fact that bits and pieces of personal data are scattered around cyberspace.

Bank records, PAN numbers, IT records, credit-card details, phone numbers "" even if you've never logged on to the Net, your data is out there.

Much of this is insecure and accessible without the owner's knowledge or permission. Most of it can be linked to the owner, by matching user-names, passwords, DNS (domain name server) numbers, telephone numbers, and so on.

Keeping it secure is tedious, losing it disastrous. If this data could be held more conveniently and securely, cyberlife would be easier.

It all boils down to identity. Your bank account might change, you might emigrate and relinquish PAN, swap tele-services, change e-mails, legally alter your name itself.

But if your personal information can be linked to you and dynamically updated as it changes, why not cut out the multiple passwords?

Identity is now a bleeding-edge IT issue. Let us suppose some entity, call it an "i-registrar", could make compacts with clients (body corporates, non-governmental organisations, individuals): an i-registrar it would validate identities and allow only screened, consensual, data-sharing?

The i-registrar can assign a single unique identifier called an "i-name" to each client, and link data to that.

That i-name would be like a super-url, protected with a very strong password. Data linked to the i-name would be inaccessible "" except with the consent of the client and the i-registrar.

For instance, Ram Kumar signs up with an i-registrar and picks the i-name "=randomuser". (In this system, individuals are assigned i-names beginning "=", while organisational i-names start with "@"). "Randomuser" need never reveal his e-mail id, his credit card number, or anything else, online again.

He signs onto websites as =Randomuser. His network of contacts is automatically updated and synchronised when there are changes in personal data and the i-registrar can selectively block or allow access requests.

When "Randomuser" buys something on eBay, he transacts through his i-name and eBay reverts to the i-registrar, which confirms that (a) "Randomuser" has credit, and (b) passes on the transaction request to Kumar's credit-card issuer.

The transaction occurs "veronymously", verifiably but anonymously, from the vendor-perspective.

A cracker must break into both the i-registrar and the credit-card issuer's database (the i-registrar does not hold the credit card details) to get hold of credit card details.

If a Nigerian wants to offer "Randomuser" a share in his ill-gotten gains, he must make a request to the i-registrar who can filter it out. But a schoolmate can get in touch by asking i-registrars to find alumni, whom the i-registrar can track regardless of changes in their contact data.

For an i-name-based system of universal private addresses to work at all, a lot of nifty software is required. Also, i-registrars must inspire universal trust, just as credit-card issuers do.

The software industry is betting that a combination of universally-agreed standards (XRI or "extensible resource identifiers" and XDI or "extensible data interchange") created through consensus by the Organisation for the Advancement of Structured Information Standards (OASIS), and coupled to free open-source software (FOSS), and decentralised registration will work.

Anybody might become an i-registrar (2idi and Identity Commons are two of the majors) by adhering to certain standards (Cordance and Neustar are the registry operators).

You can even broker your own data (and some bright sparks have started selling their own records!). Unlike MS Passport, i-brokering is not proprietary and the data is decentralised. Of course, there's scope for abuse "" but it may be a big improvement on the current situation.