A lot of people are afraid of identity theft or fraud. Others are afraid of having their true identity known when they engage in behavior that some may find objectionable, embarrassing, or shameful. For a plethora of reasons, people choose to hide their identity online; either by anonymity or using pseudonymous names. This is security by obscurity. Unfortunately, it doesn't work.
The entire concept of security by obscurity is that people can't break through your security if they don't know where to look, or it's not worth their time to look for something. That's a false sense of security because there is always someone with the time, desire, and means to locate something you value – including your identity.
I found three articles online today dealing with this concept.
First, Pamela Dingle wrote this article on her blog about how modern Internet tools make it not only easy, but likely, to correlate disparate data about a person's online habits.
As if to prove her point, Wired News posted this article today about pulling articles from an author who faked sources. The source existed, but told fact checkers he never spoke to the author. Upon investigation, Wired News learned that the author faked identities for use as a source and as a supporter on a Usenet group. Unfortunately, he wasn't smart enough to use different IP addresses. A senior editor at Wired correlated all these disparate sources to the same IP used by the author and came to the obvious conclusion.
If that wasn't enough of a coincidence, I found this on ZD's Digital Identity blog:
[box]Anonymity and identity by ZDNet's Eric Norlin — In the very near wake of a foiled terrorist plot, I find myself waking up, planning to write about the topic of anonymity and identity.[/box]
Eric Norlin makes the point that our identity exists in multiple states. You have a choice with regard to the way you present yourself, either online or in person. If we cross paths on a sidewalk, what is the state of our identity? It's no longer anonymous. Now I know you exist and I can identity certain attributes about you (approximate height, weight, age, hair color, gender, etc.). Perhaps I don't know your name, but you are no longer anonymous to me. Unless I have some interest in you based upon these attributes, I may not give you another thought.
However, what if I do have an interest? Suppose I meet an attractive girl at a social situation. What's the first thing I'm going to do? Say hello and ask for her name. Depending upon her interest (or lack thereof), she may respond with her name, a pseudonym, or decline the conversation entirely. Now I have more information about this person and her identity.
People online leave a trail of attributes all over the place; some willingly and some without even knowing it. The person who collects and correlates your attributes may discover your identity without even knowing he's looking for you. Call it data mining or data sifting, the intention is to take massive amounts of attributes and correlate common elements – like an IP address – until you find enough information to identify an individual.
Hiding your identity is a fool's option. Personally, I believe the best way to protect your identity is to assert it. Think of your identity like a car. Some of the most stolen vehicles are also the most common. They look alike and don't stand out. Fitting in with the crowd is a type of security by obscurity, or hiding in plain site. On the other hand, exotic cars are much more difficult for thieves. These high profile machines are instantly recognized and there's a limited market. Asserting your identity serves the same purpose. If people know who you are, then your identity is more difficult for an impostor to use.
This is why we need an identity infrastructure in common use. Digital certificates for signature and encryption are a reality, but few people use them to assert their identity. Few business web sites recognize and accept an individual's certificate to authenticate and authorize their access, despite the fact that it's in best interest of both sides. It's time for that to change.