A New Year’s Resolution? Don’t forget ID Management, Mutual Authentication and the ruthless power of social engineering!

December 31, 2008

May you all have a Happy New Year that is safe online and offline, and in which you, not others, control what happens to the personal information about you and about what you are doing.

It’s New Year’s Day tomorrow, and so we all look forward to a bright New Year.

Identity management, and how easy it is to mislead people (sometimes for mischief, sometimes for profit and sometimes with very evil intent), will remain a major issue for us in Australia and worldwide in 2009.  The issue is only mentioned in passing in the Consultation Paper released in December, which calls for input to the major Future Directions paper for the digital economy announced in September by the Minister for Broadband, Communications and the Digital Economy.  But it will emerge as a leading issue if we are to create the trust and confidence needed to realise the contribution that the digital economy can make to the Australian economy.

So here is an interesting example that has just come to light in the USA.  It is interesting not because it has led to anything very nasty.  Yet.  But just as the first viruses were often little more than a nuisance yet foreshadowed today’s wave of identity theft and botnet crime, so this latest development carries portents of the future.

It is most relevant to anybody seeking to provide identity management or protection to a vulnerable group – young children. 

The example is “Separating Real From Fake on the Internet”, a post on the New York Times Bits blog dated 24 Dec 2008.

After reading the article, it is particularly worth clicking through to one of the links it mentions, in which Brad Ward, a communications coordinator at Butler University, described how he unearthed the problem in a blog post titled “There’s Something Going Down on Facebook”.  It is a fascinating, minute-by-minute account of how he uncovered what was going on.

Brad’s post shows, first, that he was able to work out what was going on through sharp detective work plus collaboration via Google, Twitter and the like, and that it took him only a few intensive hours to get there: the wonderful power of the internet and the “power of us”.

But it also shows how easy it is to fool people into believing that a genuine school or alumni body stands behind a Facebook-style group or network.  Importantly, it shows that identity management and authentication of all parties (schools, alumni groups and other supposedly ‘trusted’ parties) matters at least as much as the identity management of the children (and parents) who might be offered these services.  Authentication has to run in both directions: the person being invited needs some way to check that the group or organisation doing the inviting is what it claims to be, not only the reverse.  This need for mutual authentication is something organisations that offer “trusted” services often miss.

Given that people are being fooled by social engineering, not by any trick of technology, the remedy has to be visible, obvious and genuinely trustworthy to the susceptible groups (the not-net-savvy).  A control they cannot see or understand gives them no way to tell a genuine group from an impostor.

It also shows that at least some of the risk of social networking comes not from the operator of the platform (Facebook or the children’s equivalent) but from the other users of the platform.  This bears out the observations in a very thoughtful article, “Facebook and the Social Dynamics of Privacy”, by James Grimmelmann, Associate Professor of Law, New York Law School (draft as at 25 August 2008).

Facebook began an investigation as soon as the company was alerted to the problem and closed down the misleading new groups that had been created to lure in new college students in the US.  But is the Facebook response in such circumstances, “close down the scam rapidly ex post”, sufficient?  It is the same approach other commercial websites take: show us a problem and we will fix it, but otherwise it is caveat emptor.

All food for thought and warnings of traps for the unwary, but I haven’t thought it through beyond that yet.  The insights of James Grimmelmann in “Facebook and the Social Dynamics of Privacy”, however, do offer a starting point.

Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information.