Identity = Reputation?

So does identity equal reputation? After all this is the claim made by some identity practitioners such as Dick Hardt (Hardt, 2006). The simple answer is no. Does it matter? And the answer is yes, it matters a lot.

Today in our digitised society your digital identity is quite simply an entry in a database, an object in duplicate, triplicate and much more, copied over numerous disparate directories scattered across the globe. Conversely your reputation is of significant value to you but worth nothing to others, unless they use your reputation to add value to their own. To all intents and purposes your identity is worth a piece of gold to those motivated to collect, use and abuse identities. As for your reputation, everything you publish online has most likely been copied and replicated to another server or indexed and cached by some search engine. For this reason your reputation has a persistence value that it did not have before.

Your digital identity and anything that links to you, including the digital residue you leave in your wake, is a gold mine for gold diggers. However your digital reputation is not worth stealing. Yet it is worth nurturing. In essence your online reputation can attain a value that may not accurately reflect the person sitting behind it. It is by using your reputation that you can create a type of personal branding online. Once you have separated your reputation from your identity it becomes quite straightforward to take it and manage it. Your reputation could possibly be divided into three phases: (1) what you did before, (2) what you are doing now and in your lifetime, and finally (3) what happens after you die. It takes skill to manage your digital reputation effectively.

Your identity needs to be protected and your reputation needs nurturing. What’s more is that your identity can make money for “gold diggers”, whereas your reputation is of no value except for what you make of it; and then its subjective value is of worth only to yourself.

But how can you protect your digital identity and nurture your digital reputation, if you do not own them, or even control them? I will be posting more on this in following weeks 😉

Turning the identity thing upside down

Haven’t you thought it strange that your digital identity becomes weaker the more it is exposed? In fact is it an identity at all? After all it is only a record in a database, or an object comprised of attributes in an X.500 tree, or something written on a plastic ‘id card’. It is all of these, and replicated, maybe hundreds of instances, accurately and inaccurately all over the world.

In fact where is your digital identity? Is it real? If it is real then why do you have no control over it?

Why does your digital identity not reflect exactly how your physical identity works in the real physical world? When you are born you are referenced, i.e. probably starting with your parents declaring that you are their son/daughter and what your name is (your identity), relations and friends do the same… your identity strengthens. You start kindergarten and school, perhaps you have been assigned a national id number…. you are referenced, every reference to you strengthens your identity. The louder you shout, the more famous you become, the stronger your identity grows. In fact the President, Prime Minister, King, Queen, etc., probably have the strongest identities.

It is difficult to commit identity fraud on strong identities. So I return to my first question, why does it not work the same in the digital world?

2 million account credentials stolen!

More than 2 million passwords have been stolen from popular web services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc. All the popular press are reporting on this (here is something in English and Swedish).

Now what is interesting is the analysis of the stolen passwords by Trustwave. Trustwave did a similar study over 6 years ago on passwords exposed from MySpace, and this shows that nothing has changed; if anything, password complexity is even weaker now than it was in 2006. It seems that users are choosing simplicity over complexity.

So what’s so surprising? It is quite naive to assume that we will use complex passwords, especially across our social networking accounts. This is why we are increasingly accepting single sign-on using Facebook, LinkedIn, etc., to authenticate to other web services. The last Gartner conference on identity talked about needing to re-work how we do identity, i.e. make it ‘people-centric’, now where have I heard that one before 😉

Social identity

Social identity is becoming all the buzz today. But for me this is just another form of single sign-on using social media, e.g. Facebook as the linking identity.

This does not address the need for respect of personal privacy. It does not empower the identity holder. It is not scalable to 6bn people worldwide. Check my previous post for more on this.

Virtual RIP

New business is booming in the virtual online worlds, with new needs surfacing as the needs of the physical world are found to be lacking online in the virtual world. One of these is a demand for a third party to take care of a person’s online identity and reputation after they have died. There is a new start-up, for example, in Sweden called “webwill” that specialises in cleaning up after death. Even though clearly this type of effort could be done by some person near and dear to the deceased, by using an objective third party, one can effectively leave a ‘will’ on how one would be seen by their children, grandchildren etc., in their online persona after they have moved on to the other not so physical or virtual world 🙂

Webwill offer you the opportunity to take control of your life after you die. So think about this, check it out, it is quite interesting. Website is in both Swedish and English.

Glad födelsedag – Happy Birthday – for your Swedish ID#

I was surprised when taking a coffee with one of my colleagues in the office. She received an SMS from another of our colleagues thanking her for the birthday greeting. When I asked her how she knew, she said she found it online at http://www.birthday.se/kontakta-oss/Default.aspx. She then told me when my birthday was and even showed me a map to where I lived (although they did get this wrong). Nevertheless surprise became horror. I had already removed my details from www.hitta.se only to find myself at another site. So I checked with a previous colleague of mine (Martin Da Fonseca) who studied security law in Sweden whether this was in fact legal. And this was his response.

“It is legal. The service provided by Upplysning.se is regulated in Kreditupplysningslagen (credit information legislation) (1973:1173).

I believe the service provided by birthday.se is using (or exploiting) the fact that this information is considered “public information” (allmän handling), because it is stored at a government agency. As part of Tryckfrihetsförordningen (“freedom of press”, sort of) (1949:105) 2:1 it says that every Swedish citizen shall have the right to access public documents. All documented information that a government agency has is to be considered public. This is also regulated by Sekretesslagen (official secrets legislation) (1980:100), which states when information is to be considered secret and not part of public documentation. Personuppgiftslagen (1998:204) is also in effect here; it is applied to the actual agencies storing the information. And perhaps to some extent to companies like Birthday.se, depending on what they do with the information (if they store it).”

Should I really be surprised? Not really, as mentioned it’s not the first time in Sweden I’ve needed to remove my personal information from some public register. And getting it removed is a pain, many phone calls, and then like magic it pops up again a year or two later! I believe that this is in direct contravention of the EU directive on Data Privacy. Am I wrong here? Surely I must be? Although Sweden is quite ‘transparent’ in how it operates, there is much trust between the government and its citizens that makes Sweden quite unique. Transparency is a part of the EU directive, although we should give our consent to sharing personal data. Maybe I have done this automatically by becoming a resident of Sweden. The personal ID is not compulsory in Sweden but it’s just about impossible to operate without it. Just try taking out a prescription at the chemist without this ID; you can, when they realise that they have no choice, like what happened when I lost my ID, but it takes time and is very annoying if you end up with someone that insists on following the rules. This ID is shared everywhere and is really easy to get hold of. It has the form yymmdd-xxxx: it is composed of your date of birth (which you can find on http://www.birthday.se) and four digits, which are even if you are female and odd if you are male.

There are cases in the U.S. whereby the addresses of car drivers were public until some celebrity was murdered due to the availability of this information. This is evidence that placing this type of information in the public domain is dangerous! Does this mean that Sweden has worse data privacy for its citizens than what is found in the U.S.? Is this possible for a country of the EU?