The Precursor: Identity Theft

Consider this lament from someone whose purse got stolen:

My purse was stolen in December 1990. In February 1991, I started getting notices of bounced checks. About a year later, I received information that someone using my identity had defaulted on a number of lease agreements and bought a car. In 1997, I learned that someone had been working under my Social Security number for a number of years. A man had been arrested and used my SSN on his arrest sheet. There's a hit in the FBI computers for my SSN with a different name and gender. I can't get credit because of this situation. I was denied a mortgage loan, employment, credit cards, and medical care for my children. I've even had auto insurance denied, medical insurance and tuition assistance denied
(From a consumer complaint to the FTC, January 2, 2001)

There are many instances of similar travails, the major risk areas have already been identified, and there is an 'Identity Theft Risk Assessment Quiz' available from Rutgers University. The introduction to the quiz informs us that in 2003, about ten million people suffered from identity theft. There is help and advice available if you are a victim, including an on line affidavit, along with what preventive measures you can take. One estimation (a little old, now) of the amount of money involved is available here.

Identity theft deals more with cases of fraud, electronic (ATM/Credit Cards, especially), or otherwise (Social Security Numbers/ Credit Assessment/ Landline or cell phones etc).

What about the Internet, then, one wants to ask. Naturally most of the above kinds of thefts are possible on the Internet too, and users need to know the risks. There are malicious hackers, crackers, freakers, and all manner of programmers are capable of stealing something from one's computer, and using it. What if someone is masquerading me, reading my mail, talking to my friends, using my office account?

Identity Management: Corporations Get Interested

The word 'identity' here is brought down to Personal Identification, what ID Cards are in the real world, your identity is in the world of computers, naturally. Wherever there is access control (not only do companies need to control people coming in, they also need to prevent protected, sensitive information from going out); some management of identity would is involved. For a long time, this was done at the level of monitoring of individuals, or left to individual discretion: if you chose to write down your password and carry it in your diary, it was risky behavior. Naturally there was need to manage this. Moreover, an individual might have several logins for various reasons, and it would be cumbersome to remember all the logins and passwords.

It is not surprising then, that most of the major players have shown considerable interest in solving the problems associated with personal identification. Consider the latest news: Microsoft, IBM, Sun, and the Department of Defense, USA in partnership with others have either announced, released, or are working on 'federated identity management': a revamped and improved version of earlier attempts at 'single password for everything'. Other vendors are joining Microsoft as well, in some of these. Novell too is changing things in this area. Business news is good in this area. Plumtree is to resell the Oblix COREid and SHAREid, meant for large-scale access to portals, as well as inter-organizational access. Courion is establishing a partnership with Computacenter, a major European provider of IT infrastructure. SCO has released a new identity management suite.

Lest we forget: identity management software is also access control software.
Many companies are back to a presumably better, improved version of the older paradigm of single sign on. Federated Identity Management programmes are being improved, tested, and implemented. Access control may no longer be a constant nag to employees, they may not have to remember several passwords, or keep changing passwords etc., and these processes are taken care of automatically.

What is interesting in this domain is that companies otherwise known for unstructured data management and content management are entering: Autonomy (Autonomy's Intellectual Asset-Protection System) and Plumtree (reselling and integrating Oblix COREid and SHAREid into its content management platform) are good examples of this. What is worth watching is their performance. The larger domain of security, otherwise completely dominated by encryption algorithms, seems to be opening up a little for information and content management, and perhaps to unstructured data management as well.