Do not use your real name, or your real date of birth.
Andy Smith, the Cabinet Office
To lie or to identify that is the question
When asked about identity theft, Andy Smith, PSTSA Security Manager for the Cabinet Office recently stated at the Parliament and Internet Conference 2012 that it was perfectly acceptable, indeed sensible to provide false information online. His comments have caused a storm in the media (see this BBC article on the matter ) and led to much criticism, with some people implying that he was encouraging false identities used by cyber-bullies and criminal elements.
(If you are interested, here is a recording of the conference http://new.livestream.com/Pictfor/piconf12/videos/5297455 so you can hear for yourself what was actually said. Fast forward to 1:32:40 to get to the interesting part.)
There are a number of interpretations of Andy’s comments on the Internet, and some gross exaggerations by the media. Having listened to what he said in context we believe that Andy’s underlying principle is valid. Our stance is definitely worth some clarification.
It all depends on the type of information
When it comes to your online identity it’s important to realise that there are different types of information at play. Certain types are more critical than others and those should be guarded with extreme care so your details don’t fall into the wrong hands.
Before we look again at what Andy actually said, let’s look at this in more detail. When it comes to online identity there are three distinct types of information:
- Personally Identifiable Information
- Security Information
- Profile Information
1. Personally Identifiable Information (PII)
Personally Identifiable Information (PII), as used in information security, is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. Wikipedia
Personally Identifiable Information is the corner stone on which your identity, especially your online identity, is based. It takes time and effort to build up your PII and this building process needs to be backed up with evidence that you provide over time. For example, to set up a bank account and get a credit card, you need to “prove” your identity. This is normally done by showing some other form of identity, such as a driving licence and/or utility bills that show the name and address as you have provided it to the bank.
Government agencies will need your name, address, date of birth (DoB) as well as your National Insurance number (NINO). They will check the name, addresses and DoB held against your NINO and if they match this will be sufficient for them to start dealing with you as the person you claim to be.
As you can see, establishing your PII can be a slow process and involves additional checks by those that are providing you with a service. This is why identity theft is big business. If someone can steal your PII, they can effectively become you, especially on-line without having to go through the “proving” process. They can then make false claims, steal money from bank accounts, set new accounts up for money laundering or just put out malicious material pretending to be you. All of this does damage to you!
So, Personally Identifiable Information is very important and should only be given to others when you trust them to keep it safe and you believe there is a valid reason for them having it.
2. Security Information
If you forget a password to a website, that site will want to confirm that they are providing a service to the stated account holder. To do this, they collect additional security-related information from you so that it can be checked at a later date as a means of confirming your identity with them. The questions they ask may be personal to you e.g. DoB, favourite colour, first school you went to, pet’s name, favourite teacher etc. but because they are security questions, the information is not considered to be PII in this context. Therefore, you do not have to be truthful in your responses. As long as you provide the right answer for the same question each time, it does not matter.
The table below provides some examples of responses to security questions. Trust me, none of it is factual and does not identify me personally in any way. This security information can be provided without any fear of it creating or implying any false identity:
|Security Question||Web Site A Response||Web Site B Response||Web Site C Response|
|Favourite teacher?||Quantum Physics||Rolls Royce||Kiu&anf21|
|Date of birth?||15 March 2008||21 April 1904||18 February 1983|
|Pets name?||Frank||Apricot Jam||F2nemsR3|
As long as you remember that this is the information that has been provided to the different websites then there is not a problem with using “false” information. The information is really a security exchange and not for general consumption. Of course, this gives the added burden of “remembering” lots of different responses to the same security question depending on which website is being visited. Dont be afraid to write your security information down as long as you keep it safe. Create a password book at home or use a security application to keep your information safe. The minor inconvenience is worth the effort to keep your online identity secure.
When PII gets confused with Security Information
The reason that organisations have historically asked for information such as DoB and mother’s maiden name as security questions, is that this is information you are likely to remember without too much trouble. The trouble is that your real DoB, and actual mother’s maiden name are considered PII so all of a sudden there is a mix of PII and security information. The way around this is not to provide real PII in response to security questions.
3. Profile Information
There is a big difference between the relationship you have with an online service provider and the image that you then portray to the rest of the world by using an online service. For example, when using a Playstation, your online ID i.e. that is available to the rest of the online Playstation community can be anything you like – it does not have to be, and in the majority of cases is not your real name. The important thing is that it corresponds to a real ID that was provided when the original account with PlayStation was set up. This is likely to have included some PII as payment details for online games etc. needed to be provided. The important point here is that PlayStation takes steps to protect your PII, but they can publish your Profile Information which you have agreed can be made public.
Social media sites such as Facebook and Twitter also make the distinction between PII and profile information. Although they may protect your PII, they can with your implied approval publish your Profile Information such as username, location, biography and mobile phone number.
A word of warning
The danger with social media sites is that there are some people who deliberately want to portray themselves to be something they are not. An example would be a 37-year-old male pretending (through their profile information) to be a 14-year-old girl! There could be sinister intentions here, such as sexual grooming. This is why sites such as Facebook have a published policy that Facebook users provide their real names and information. However, this is often abused and has led to incidents of cyber-stalking and bullying.
What was Andy’s point again?
Do not use your real name, your real date of birth. If you’re putting information on social networking sites don’t put real combinations of information. Obviously, if you’re dealing with government or other organisations you know are going to protect your information then use the right stuff.
Andy Smith, The Cabinet Office
We believe that Andy Smith is really making the point that factually correct information about you (your Personally Identifiable Information) should only be given to those organisations that you trust to look after it and then only when you believe there is a need for them to hold that information.
To support this, we advise that when it is not necessary to give out your PII you should not do so. Instead, provide other unique information that enables you to obtain the service you require without contravening any laws or misguiding others.
So, for setting up an account on Facebook you would provide your real name and address as this is in accordance with their terms and conditions. However, there are online services where your real identity is not important. An example would be setting up an account with an online service such as Dropbox. This is a service where the only interaction is between you and the service provider i.e. Dropbox for the online storage of files and photographs. There is no reason why you should provide any Personally Identifiable Information in this case. You could invent a whole new set of information. As long as it is unique to you there is no need for any Personally Identifiable Information to be disclosed.
Keep safe online
When it comes to your online identity, there is a difference between Personally Identifiable Information, Security Information and Profile Information:
- Personally Identifiable information identifies you as who you claim to be;
- Security information – is unique between you and the online service provider;
- Profile information – is often made public.
Personally Identifiable Information is very important so keep it safe and only give it out when you need to and then only when you trust that it is going to be kept safe.
Security-related information is not the same as Personally Identifiable Information and you should never mix the two. With Security-related information, your response can be anything you like – as long as you remember it.
If you follow this simple message, you will be taking a good approach to maintaining your online identity and preventing it from falling into the hands of others.
Managing the Risk From Online Social Networking – A Busy Reader Guide from CESG
Article by Paddy Keating, Director/Government Service Manager at Ascentor.