Imagine that some stranger in a shady corner of the Web comes across your name and a few details of your life and puts together an online presence uncomfortably reminiscent of you. Hard to know what to think at first. It could be anything from coincidence to a con or something else altogether. But this feels more ominous than the theft of a credit card number. We can cancel the plastic, but we can't cancel our identities. I was involved in such a case recently, and while I cannot discuss the specifics, it introduced me to ideas involving the broader significance of online identity, which is perhaps not discussed widely enough in our professional community.
Your identity consists not of the impersonal strings of numbers assigned to your name by business and government, but of the combination of attributes that fundamentally make you, you. It is a kind of quicksilver that can be hard to grasp but ultimately is crucial to how you relate to others and how they relate to you. It is the sum of our personal histories, personalities, relationships, beliefs, biology, the patterns of our lives and activities, our habits, and more. It is our interface to the world and the internal code that drives us.
Both actively and passively, we create an ever more detailed digital self-portrait. We may be the original content providers, but we are unable to know what material will be viewed and how it will be used now and in the future. From blogging to swiping a card at the supermarket, the behavioral patterns of our daily lives are captured in data streams; they create new representations of ourselves. The resulting depictions are dependent on how the data is crunched by algorithms and also by the various kinds of people who interact with it. Sure, that sounds a little abstract and distant. It's difficult to imagine anyone doing anything problematic with your stuff. But that's part of the problem; it can be entirely and reasonably unimaginable. Until it isn't. Our personal identities may be appropriated for simple, direct theft or for more elaborate and nuanced forms of "social engineering" misdeeds such as pretexting. While the idea of using someone else's name or information for all kinds of underhanded purposes is certainly as old as human society, the impostors have powerful and rapidly evolving new sets of tools.
For many of us, our online presence is becoming an important part of our external identities and has a growing sway over our professional and personal lives. Digital media can capture and present sides and angles of ourselves that we may not have known were there. Our virtual presence can have lasting influences on real-life interactions. Facebook, MySpace, Twitter, LinkedIn, and Match.com, not to mention the Google search results of our names, can sometimes make up the sole representation of our identities to someone interested in learning about us. We are numerical strings, user names, and template profiles. Accurate or not, such data can be someone's primary means of forming an impression of who we are. We are entering into a kind of open source experiment in identity. Who knows how much the things we choose to present about ourselves online may influence our self-perception. Do we start to believe our own hype? There may be identity feedback dynamics that we have yet to recognize and understand.
It would be hard for many of us to conceive of not having the search results at our disposal. The results provide us with instant résumés and context about others. In the past, if we really wanted to learn about someone, we had to rely on talking to people. Now we can get insights and information about others almost instantly without the input of anyone else. For a Web 2.0 spin on Descartes, consider that "SEO ergo sum" may be more appropriate these days than "Cogito ergo sum." The catch is that much of this process is mediated by algorithms rather than people. This means that a system that can often be a powerful proxy of our identities can also be easily manipulated. We can SEO (search engine optimization) ourselves, but the question is, what do we stand for? What are our true keywords? Some businesses work hard to improve their meta-identities, but in the great leveling ground of the Web, individuals may sooner or later want to consider these issues for themselves. In a media-saturated culture, it seems like the word "brand" is far more fitting than "identity." This is true for celebrities, but in a world of Web-enabled micro-celebrity, will brand attributes become a greater concern than character traits for some people?
Perhaps one analogy to help in thinking about our online identities is open source software development. It has unlocked floodgates of creative participation and, for the most part, brings out the best in people. However, there are also a few bad actors who will do a malicious hack of a program for pure sport. Put another way, imagine your online presence as a wiki entry: the "Wiki You." Perhaps you are the main author, but the content is malleable and only partially controllable. The content of a wiki entry is subject to the vicissitudes of inaccuracies, inconsistencies, agendas, and sometimes zealous partiality or malice.
If safeguarding our strings of numerical identifiers is important, what is the value of managing our online identities (the information, stories, and images that portray us) on the Web? Just as computing power has enabled a massive trade in our numeric identifiers, so will evolving technology make possible the traffic in more personal forms of information, the uses of which we cannot yet fully imagine. The idea of trying to manage a swirling cloud of digital data seems impossible. Perhaps it is. But that does not mean there's no chance to put some stakes in the ground for ourselves and others.
People in the user experience field, in one way or another, have been in the thick of it. They have helped create the entrances into the online arena for people who would not have otherwise ventured there. This has enabled them to project themselves on a stage with the capacity for a massive audience. Working in front of a computer can feel like such a personal and intimate experience that it is difficult to remember it is more like a great stage with crowds milling in and out of the auditorium. Like an actor on a stage who can barely see the spectators, our glowing screens show us a limited view of our audience. Some of our viewers are visible and some are not, many invited but many others not. User experience professionals have empowered people to step onto a vast stage and tell their story, both factual and otherwise, to the world. The audience often has to decipher fact, fiction, or some combination of the two. As we help them ascend the stage, what role can, or should, we play in this unfolding drama: set designer, stagehand, fellow actor, audience member, all of the above?
There is a new opportunity to think about what identity means to ourselves and everyone else. Perhaps a first step is increasing our understanding of the meaning, value, and potential vulnerabilities of our cyber-identities. It is, after all, a hard-won and unique collection of information, experience, and perspective. The life you have lived shaped this collected knowledge and set it apart from any other: the happy and painful moments, the things you have learned, the mistakes you have made and the victories. Like so many things in life, we pay attention to things of value only after they are threatened. It is only after a more direct encounter with online identity infiltration, fortunately with a successful resolution, that I see this issue in a new light.
Finally, after a long time in the waiting room, a nurse calls your name. As you walk over to her, you notice another person also approaching. Both announce yourselves to the nurse by the same name. The quizzical look on the nurse's face soon turns to irritation as you and your counterfeit debate who should get the exam. While that scenario may seem fanciful, in fact there are instances of people who are taking on stolen identities to get medical treatments covered by the legitimate person's health care plan. This situation points to one consequence of commodifying our identities. If the fraudster were dealing with a longtime family doctor, it would be unimaginable to assume a false identity to get medical treatment. However, in a less personalized environment, in which the physician has never before and will likely not see you again, ID theft is all too plausible. In the midst of depersonalizing health care and other services, we are becoming more like numbers and less like individuals. People may be hard to manage; numbers are all too easy to rig.
While the discussion of identity theft is often framed in the context of privacy, paradoxically, privacy may also be part of the problem. Consider a jammed road in a large city center. Drivers converge in close proximity in a fluid public space. The sense of privacy in interacting with others gives some license, so to speak, to act in ways they would not if they knew the other individuals involved or were more exposed themselves. On the whole, the system works. But as we all know, the semi-anonymous interactions bring out problematic behaviors in a small percentage, although it may often seem small enough to not present a serious problem. That may be the case, but if you bear the brunt of someone's road rage, it suddenly can be very significant. On the Internet, we mingle with some people known to us and many more who are not. We are visible, but only partially so. This environment makes it easier for others to mimic traces of our identity, and gives them the ability to hide the sources of the information.
Perhaps a key to identity protection is not just about increasing privacy, but also about building real community. The case I was involved in was solved by a range of people with different skills and interests who came together. It was also about good friends and colleagues watching out for each other in this environment.
Here are some of the other lessons I learned in my exploration of identity theft.
- Look closely. A cheap imitation of an expensive watch, at a distance, may look like the real thing. Setting up a false, but superficially plausible, identity online requires very little time and effort.
- Be imaginative. We are becoming increasingly aware of protecting our identities, but should start thinking more imaginatively about how to safeguard them. Can we imagine scenarios for how our identities and autobiographies may be used and misused in the future?
- Include irrationality. For some of us, it can be difficult to understand or accept that people will do bad things for no practical or rational reason.
- Find strength in community. There is no substitute for strengthening ties online and in the real world to people we know and trust.
- Create anti-counterfeiting measures. What are the possibilities of "watermarking" our Web presences?
- Balance risk and reward. How can we strengthen and protect our online identities without stifling self-expression? Can online identity protection be taken too far and be overly engineered?
- Pursue justice 2.0. Our legal system is behind our technology. What can be done to update legislation to prevent abuse?
- Don't be complacent. We need to pay attention to our online identities and those of the people we care about.
Hunter Whitney is an interaction designer who has worked for clients ranging from Microsoft, Intel, and Yahoo to the Monterey Bay Aquarium and National Cancer Institute. He's also a journalist, who has covered topics ranging from health and medicine to adventure travel for publications including Time, the Los Angeles Times, the San Jose Mercury News, Variety, and Omni. He is principal of Hunter Whitney & Associates, Inc. Visit him at www.hunterwhitney.com.
Identity Theft: Stealing someone else's personal information or impersonating them for purposes ranging from financial theft to obtaining services to concealment of other criminal activities.
Social Engineering: Using various forms of deception and psychological manipulation to acquire confidential information and/or gain unauthorized access to data or systems or to get unwitting sources to perform or assist in illicit activities.
Pretexting: A type of social engineering in which a perpetrator creates a scenario, frequently using a false identity, to extract information or for other illegal activities.
Spoofing: Impersonating a person or organization in a faked email, IP address or other communication source for fraudulent purposes.
Prevent Identity Theft in Your Business and also Identity Fraud Investigations both by Judith Collins, Ph.D., adjunct associate professor, School of Criminal Justice, Michigan State University (both published by John Wiley & Sons, Inc.)
The Truth About Identity Theft by Jim Stickley (published by FT Press)
Stealing Your Life: The Ultimate Identity Theft Prevention Plan by Frank W. Abagnale (published by Broadway Books)
Schneier On Security by Bruce Schneier (published by Wiley Publishing)
Googling Security by Greg Conti (published by Addison-Wesley)
©2009 ACM 1072-5220/09/0300 $5.00