As a matter of fact, you do not need a computer to have a digital identity. A digital identity is created for you when you apply for a driver's license, a credit card, a loan, a cellular plan, a household bill or any other common service. Ultimately, you may have a digital identity or presence even when you are entirely off the grid if, for example, one of your family members or friends tags a picture of you on social media. Yes, you are plugged into the Matrix, whether you plugged yourself into it, or someone else did it for you.
Because our digital selves live in the Matrix, discovering, containing and protecting our digital personas is a critical and daunting task, especially for those of us who have a large digital footprint, which often includes multiple digital representations of ourselves. Our digital personas thrive when we use Internet-based services. When we pay for these services, we expect our information to be adequately protected.
When we use free internet services such as Gmail, Facebook or Snapchat, we acknowledge in the fine print (that hardly anyone reads) that the service is provided for free because we are the product being sold. Yes, our information is the product as we entrust it to the companies running these services. How can we prevent or protect our information and therefore our digital personas from being stolen, thus forever affecting our earthly life?
First, it is important to understand that there is no such thing as identity-theft prevention. Your identity and mine have been breached multiple times already; thus, identity-theft prevention is a myth. The most recent and extensively media-covered breach is but a glimpse of how fragile identity protection is today. A colossal identity breach happened last September when Equifax announced that malicious actors had accessed approximately 145 million US customers’ records, including personally identifiable information and Social Security numbers. Shockingly, the very company whose primary business is to manage consumers’ information, provide credit monitoring and identity theft protection was the same company that failed to adequately protect that information.
Second, identity-theft protection is mostly credit monitoring and alerting, money and identity recovery, as well as insurance to cover various identity and money recovery expenses like paperwork and legal fees. It does not protect your identity from being used by a malicious actor over and over again. Unfortunately, when your identity is stolen the path to recovery is a long and painful one. Recovery typically involves trying to prove that it wasn’t you who went on a shopping spree or bought a new boat, even though every piece of digital evidence suggests otherwise. In fact, is it really you or your digital-self that secured the car you drive, or the house you bought or rent? Is it you or your digital-self paying for gas at the pump and food at the store? When we perform digital transactions, our digital identities are more important and valuable than our non-digital selves.
Modern businesses need data to operate, but they often collect more information than they need. They also like to retain information longer than they need it, thus increasing the risk of a data breach. For example, our family moved to Johnson City in December 2016. The first time I went to a local doctor’s office, I was asked to provide my health insurance ID and my Social Security number. Needless to say, I immediately entertained a healthy discussion about their need for my SSN, which involved calls to my health provider and extended my office visit longer than I had planned. In the end, I made my case, and the office agreed that my SSN was not needed to file insurance claims.
Are we just too late to the game? You and I are in charge of how we handle our information, but there is little we can do once that information is in someone else’s hands. Past events have shown that no amount of security controls will result in a bulletproof system. Systems will at times be vulnerable, and people will at times make mistakes; therefore, it is up to every one of us to limit what personal information we give to what’s minimally necessary. It is also up to us to question when someone asks for information that we feel may not be needed. How we disseminate and how we use our personal information is directly proportional to our risk exposure; thus, the less information we provide, the smaller our digital footprint and lower the risk.
Andrea Di Fabio is the associate chief information officer and chief information security officer for East Tennessee State University.