Schneier on Security

Yes - When and if you ever get AUDITED (I know its not happening as much as it used to but hey you *never* know.)

__________________________________
Lewis Donofrio 734-355-0592
Sr. Windows / Unix Systems Administrator

This scheme might actually work in the US (and has most probably been used one way or another by any number of foreign intelligence agencies). In many European countries such as Germany, France and, since recently, The Netherlands, this will not work. You have to appear in person to apply for an ID card, to register after moving, to open a bank or credit card account, and more. And your identity data have to reside in the right databases or you will be caught by border control or by police checking the ID card online.

However, for any better intelligence agency, it is certainly not impossible to create fake IDs. All they need is some agents of theirs in the right public offices who fill in the right paperwork for them and get the fake IDs into the right databases. The Stasi had those, the Russian secret service does, and the CIA most definitely also.
--
Ulrich Boche

People in major cities (such as NYC) and the surrounding area also don't necessarily all get their driver's licenses at the same age. Some people don't have a need for a driver's license until they're in their 30s. Some people never get passports until late in life as well.

Ghost identities have certainly been used to tweak elections - there are numerous reports of "dead people voting" in elections and manipulation of the military absentee ballot as well.

It still easy to get fake IDs without cooperators.....

You only need a few of the 3rd world countries to not check there databases properly or to not have them in the first place. Then there is a easy source of valid passports. This method was used with Russian spy's a bit during the cold war.

So what happens when the biometrics are rolled out? Say Iris scans. these have been shown to have the required properties for a DB of 6 billion. Will they check just the country you claim to come from. Or will they pool the results from all databases....

This sort of activity has been previously described in spy novels as being performed by government services who have departments who maintain identities for use by spies.

I don't know if it's easier or harder now.

Wait...Highlander fan fiction?

I've always wondered what Bruce did in his spare time...

Interesting that Really ID has started making death rattles in its own demise.

Kind of sounds like an online game of Spore (the new Will Wright sim) ... if you go online, data about your own creations can be copied into another player's game. They then live separate lives and histories apart from what you may do in your own instance of the game.

This reminded me of an old news story from the 1980's where an Iowa farmer had registered several baby piglets with Social Security, obtained numbers for each, and proceeded to claim them as dependants on his 1040 form for a few years. He eventually "fessed up" (voluntarily) and paid a penalty, but was amazed at the ease of which he could pull off such a ruse.

"Our data shadows can live a perfectly normal life without us," suggesting that perhaps the converse is also true, or, even better, that we grow ourselves a new data shadow and use it for as much as possible/everything, leaving the real us to carry on as we please. Just a thought.

"It seems to me that our data shadows are becoming increasingly distinct from us, almost with a life of their own. What's important now is our shadows; we're secondary. And as our society relies more and more on these shadows, we might even become unnecessary."

Important point - how "processes" can take a life of their own, independent of individuals, and often with coercive power on real individuals.

If folks just understood this...

There was good story from Texas where a hispanic guy has been trying to prove he was actually born in US.

There is no hospital record of his birth. He claims he was born at home; midwives are still frequently used in certain areas/communities.

There are too many procedural problems with this; you will have to make a lot of people lie and forge a lot a documents but getting into the system will still be difficult.

Now if you had an accomplice in county/state office of registrar of birth and deaths --- boy you will be in pig heaven.

Registering birth's and deaths has been english common law for a LONG time and is hard to corrupt --- except in India/Pakistan/Bangladesh etc. ... who adopted the system but ignored the fatal flaw -- (in)corruptability of the officers in-charge -- for a small bribe you can get a real birth certificate from any of those countries (if you are so interesed) .. or a death certificate for your wife if you are interested in raising some cash from insurance company.

For this reason alone; it's almost impossible for Pakistani's to get insurance for their wives :-) was covered in WSJ about 10 years ago

Lastly - the Day of Jackal plan will still work --- for many years till the birth and death registers are combined .. right now they are separate -- somehow there is natural abhorrence of mixing the two !

Our son was born in the US in 2001, but we also registered him as a UK citizen, with its bits and bobs. It turns out the people who cared about his existence where our local (national health service) doctors, who were pretty concerned they had a child that had never been in for vaccinations or any other checkup. They were more worried about child abuse/health than anything else. If we hadn't actually registered him with our local doctors back in the UK, I don't think anyone would have noticed.

Now we are back in the UK, all we have to do to maintain his US-ness is bring a child in to a US embassy every 5 years for a US passport

So: the easiest way to grow an identity is to grow it offshore -outsourced, with a meeting with the passport providers every 5 years. That's it. Even if the US govt wanted to know about schooling and medical issues, that data would be in the EU, so mostly out of reach.

Interesting....might be useful for the mafia since they will have a lasting presence.

Just read the article you linked to, titled "Our Data, Ourselves".

We already have a law, the 4th Amendment to the U.S. Constitution.

What we need to start doing is following our existing laws, not creating new ones.

The idea of this online data entity living a life of its own is intriguing. How would someone track this data entity? Maybe via a Google search to RSS converter? Or credit monitoring and the tools we use to detect identity theft? To what extent would the monitoring effort be hobbled by security measures designed to ensure that "I'm" the only one with access to "my" information if my online identity, my data shadow, doesn't match what I believe my own identity to be? If my data shadow is living a separate life, it seems like I should expect its transaction history to cast a data shadow of its own, but is it one I could monitor?

Someone's remark, above, had me thinking:

ORLY-D

The "Data Shadow" is our virtual self-- kind of like Tron, I guess-- but seems to have rather more reality than the real.

As we become more and more dependent upon server-resident data that we have to stay "in sync" with, the key means of doing damage is to gently corrupt the database(s) for a broad number of people to cause a loss of sync... which is one thing that "identity theft" seems to do at a retail level. Doing this wholesale, especially with no effort to profit from it monetarily, can *hurt* a broad number of people and disrupt the ability to trust each other.

"It might have been worth it to the KGB -- although perhaps harder to justify after the Soviet Union broke up in 1991 -- and might be an attractive option to existing intelligence adversaries like China."

And chances are that the USA thought of and did the same thing in those countries, too. :)

"...Do you actually have to show up for any part of your life?..."

When you get drafted?

as i've mentioned before, the concept of "updates" to passports with embedded technology would make the answer a definite "yes".

the cost of updating identity cards is probably what prohibits the state today from short life-cycles. but technology (and the related vulnerabilities from ill-conceived deployments) could change that to the point where the state would intend for you to check in with them far more regularly.

incidentally, celebrities have led the field of identity farming for many years. it is only just taking off for the general population because it is so easy to have so many "public" interface points with others. i do not know a single person under 30 who does not have at least a dozen identities that they actively manage.

This is eerily reminiscent of a story I heard as a child. A reclusive man thought of his shadow as a companion, sat up chatting with it, sang with it, boasted of his friendship with it. Then he began to neglect it, mistreat it, speak of it unkindly ("behind its back"?) One night when he lit his lamp-- it was gone.

He searched high and low, he became sad and morose, people noted how drawn and quiet he had become, how little they saw him.

One night there was a knock at his door. It was his shadow, looking more solid than ever, well dressed and with a lot of money. "As you can see, I've done quite well for myself on my own, but I feel that something's missing. If you're interested, I can offer you good money to come with me and be my shadow."

I was working on an identity card project with a state government in Mexico. Because of incredibly lax proof of identity requirements I told them that anyone who wanted to could sign up for and receive multiple identities and that the government would not be able to distinguish between them after the fact. People could immediately get multiple sets of benefits, or use a particular identity to commit fraud and then discard it.

I also suggested methods that could be taken to prevent or detect such activity.

The government people looked at me like I was crazy. It was clear that they had understood despite my poor Spanish. Either they simply couldn't imagine why someone might want multiple identities (despite the fact that I listed several reasons) or they simple couldn't imagine expending the effort to prevent such a scheme.

I was not invited back.

William Gibson's novels explore ideas like data shadows. See, e.g., Idoru.

"It might have been worth it to the KGB -- although perhaps harder to justify after the Soviet Union broke up in 1991"

On the contrary: there is ample evidence that the FSB as successor of the KGB actually has stepped up its activities.

Speaking of shadows that do not have lives of their own,

1, Mobile phones,
2, Travel Cards,
3, Credit Cards,
4, Store loyalty Cards,
5, Items with RFiDs in,
6, Online entertainment,
7, Anti-theft systems.

To name but a few.

Not having atleast four of the above is sucpicious in of it's self.

Do as they are planing to do in the U.K. and agrigate this information (Identity and Passport Office) and your job of maintaining another you becomes difficult in the extream.

As Bruce once pointed out obtaining multiple low security documents is a lot lot harder than obtaining one high security document (ID Card).

To very slightly miss quote a couple of old sayings,

The devil will always be in the details, and God watches while the devil dances

The idea of immortals staying hidden this way hardly started with Highlander fans; it's been familiar to sf and fantasy readers for a long time.

In the past, ID farming was the basis of some of the most successful insurance frauds, perpetrated by insiders (such as brokers). In these schemes, the fraudsters spent years creating whole portfolios of fake insurance owners, using actuarial tables to "age" the owner files so that they had a statistically plausible number of life events (death, accidents, etc), in order to deflect audits.

Of course, this is only one of the ingredients, the fraudsters had to be able to manipulate the insurance company systems in order to create these fake portfolios.

In the schemes I read about, the IDs were entirely fake, no real persons' ID was "stolen". Not sure it could succeed nowadays.

Bruce: We need to evolve away from reliance on data identifiers like names, Social Security Numbers and credit card numbers. We need to evolve toward reliance on patterns of behavior recorded over time. When an authority makes a decision whether to trust a person, the critical issue should not be whether the identity matches with vulnerable little data elements like name, birthdate, SSN, IP Address, etc. The critical issue should be whether trust is warranted with respect to the person's complex pattern of behavior recorded over an extended period of time. A person's "complex pattern of recorded behavior" includes (this is just one example out of millions) the fact that one of the 6 credit cards associated with the pattern of behavior in question was used to make a $5.98 purchase at McDonalds, 101 Main Street, 6:14pm, 3/4/07. --Ben http://hack-igations.blogspot.com/2007/08/recorded-behavior-as-authentication.html

Isn't there a pill you can take to merge yourself with your shadow?

Lewis, if you're referring to an IRS audit, you don't have to show up. In fact, most advisors will tell you not to, let your accountant handle it. People talk too much.

25 years is nothing in the new game of everything on radar, and the new emerging cold war.
In Japan, 100 year business plan is nothing new, patience.
New power worlds are the game now, so 25 years is just the endgame.

Farming of information and manipulation of who, what,... is more powerful and useful. Hum, google seems well suited here.

@John Harrison:
"The government people looked at me like I was crazy... Either they simply couldn't imagine why someone might want multiple identities (despite the fact that I listed several reasons) or they simple couldn't imagine expending the effort to prevent such a scheme. I was not invited back."

Some cultures understand better than others the idea of something which everyone knows but nobody says out loud. My god man, you didn't even solicit a bribe to keep quiet.

Bruce,

I am a data shadow. I was made accidentally when my creator chose not to take her husband's surname. She had an established professional career, is was a second marriage for both of them. Over the years, banks and other companies put her first name with his last name. I have a "little brother" where his first name goes with her last name - but he's pretty puny. I have excellent credit, my own credit cards, and accounts at eBay and Paypal. I live in my Post Office box, where nice government people bring me presents every day.

Please don't lump me in with sci-fi nut cases. I'm as real as you are, well almost, I haven't written any books, yet. I love your blog.

@Clive Robinson: I must be highly suspicious then, since I have only one item on your list (a mobile phone)

Even if you have to show up personally to get ID cards and such, what is going to keep someone from having a child, and managing two identities for it?

But than again, why go through al that trouble if you can just get a passport in some corrupt country, probably for a (to us, not to them) rather trivial amount of money?

There is a song, unfortunately for you, in dutch, "het regent zonnestralen" (it's raining sunrays) about a man who sells his car, when the new owner is killed in an accident, and the car burns out completely. The man sees his own name in the obituaries, and decides that this is his seconds chance; he is free to do anything, he doesn't have any obligations, because he doesn't exist anymore. He has been freed from his data identity.

@ Sparky,

"what is going to keep someone from having a child, and managing two identities for it?"

Asside from registring the birth twice, children grow up and start to have friends an relationships. In the U.K. a very significant number of pre-teens now have mobile phones and by sixteen it is the exception that does not have a phone.

"if you can just get a passport in some corrupt country"

Well I don't know which country you are from but most of the more affluent countries have imigration controls and visas. In the U.K. you would find it extreamly difficult currently to get residency status, you get fairly well checked out.

With regards your lyrical Dutchman, how did he survive beyond the money in his pocket?

PT people use different identities all the time. It's justa matter of money. Not that I know anything about that.....

@Sparky
"...the car burns out completely. The man sees his own name in the obituaries, and decides that this is his seconds chance."

I remember reading an estimate that a few dozen people may have done this when the World Trade Center was destroyed.

@ Beta,

"I remember reading an estimate that a few dozen people may have done this when the World Trade Center was destroyed."

Has anybody surfaced that did that?

I can't help thinking that it takes a very resourcefull person to just walk away in what they are wearing with just the small amount of money they would have had in their pockets.

Normaly when one plans to disappear it involves a lot of forward planning to establish an identity and place to walk into. Even with a support network very few serious criminals ever stay realy hidden.

Even with significant help it has been known for those in the equivalent of "witness protection" to be seen.

In the U.K. you would find it difficult to start out again. Gone are the days when you could just start a job without the appropriate previous employers paperwork. The only way I can think of would be to use an existing support network for "street people" but eventualy you are going to run into the ID for employment / finance / housing problem. For instance European's and Antipidean's who have a right to work in the U.K. have real difficulties opening a bank account even if they have planed in advance.

I do not wish to take hope from those who have not had closure but I find it extrodinary that a dozen or so people would have droped out of there old lives without any kind of pre-planning and not one of them surface.

This reminds me of the conspiracy ideas that I read about years ago. Check out the difference between your capitalized name and you. Example: JAMES H. HERBERT and the real person James Herman Herbert.

Great thoughts, Thanks

These shadowy data characters are synthesized every day to deal with the TSA no fly list, and remain in the databases of the airlines:

http://www.latimes.com/news/opinion/la-oe-schneier28-2008aug28,0,3099808.story

@Beta,

Excellent point, but that wasn't the vibe that I got.

@bob
"When you get drafted?"

There are ways around that, like being female, a Quaker, Amish, having a physical disability (asthma is always good), and so on.

Also, some countries (e.g. USA) don't have a draft. That can change, but for now it's draftless.

I can also see creating fake doctors etc. who sign off on the health or non-health of these fake identities. It's not like the medical system can't be spoofed.

Also, if you think about the lives of recluses, shut-ins, agoraphobes, and other physically isolated real people, it should be pretty clear that one can create a fairly full data shadow without having much real-world presence.

When will we have people selling shadow identities that they have "raised" from "birth". This could be a way for "welfare" mothers to make money. Sell the clean identities that they have "raised".

The Shawshank Redemption

Not just the immortals of the HIGHLANDER series, but other long-lived as well. Heinlein never mentioned techniques specifically, but it sounds like something he'd have Lazarus Long and other members of the Howard Families doing. And of course, in FRIDAY lots of fresh-start, new identities were created for people "born" in Seattle "before" its destruction.

sad reality is there are news reports about people that passed away long ago but set up automatic bill payments etc -
for months and years nobody noticed their 'nonexistence', not even neighbors!

@Clive Robinson: The song doesn't really say. The babelfish translation is as terrible as always:

http://66.163.168.225/babelfish/translate_url_content?doit=done&tt=url&intl=1&trurl=http%3A%2F%2Fwww.mp3lyrics.org%2Fa%2Facda-en-de-munnik%2Fhet-regent-zonnestralen%2Fprint.htm&lp=nl_en&.intl=nl

A week after the incident, he's at the bench in the park again. He's nothing nowhere nobody any more, and he's got more freedom than he bargained for, and he doesn't know what to do. At the end, he says that he got a second chance that he didn't deserve, but he decides to make the best of it.

I've thought about this before. You don't have to pay taxes, and you don't have to pay your traffic violations. But you also can't have a job, a bank account, or buy or rent a house.

The biggest problem is where you are going to get money to live from. You can never get sick, because you can't go to a doctor. Don't get caught speeding either, because if the police officer checks your ID, you will get busted.

From time to time someone suggests that in the UK, everyone should be added to the national DNA registry at birth.

Originally only criminals were added. Now anyone who is arrested can be added, and the record retained even if they are not charged, or found not guilty. It seems inevitable that the creep will continue.

However, the purpose of the registry isn't to establish identity, since on-the-spot DNA biometric testing isn't currently practical. The purpose of the registry is to identify criminals from crime-scene forensics. It doesn't matter much for those purposes if a small number of people are missing - most criminals would be unable to stay off. It matters a lot for Bruce's scenario, since someone manufacturing an identity can be careful to manufacture a reason not to appear in the database.

So if I ever see Bruce's scenario used by a government minister as a "justification" for universal DNA-sampling at birth, then I'll know who to blame...

A few students demonstrated in Utrecht that the first step (registering a baby) is indeed quite feasible. Unfortunately, they abandonned the case after two weeks. Changing diapers probably was too much effort for them. http://sannejongbloed.blogspot.com/2008/08/de-bureaucratische-baby.html
(note: blog is in dutch)

The scheme would probably fall down if someone Googled the name and noticed that a person who was born in 1983 had absolutely no Web footprint - not a single blog comment!

You'd probably have to populate that as well; set up a my/face/linked/whatever profile, scatter a few scurrilous forum posts about. Probably best to be deliberately embarrassing ones.

@Alex: you're not posting using your full name here, so thing post can't really be traced to you personally just by a google search. I guess most people don't use their real, full names.

If you were to google my full name, you would find my Hyves page (dutch facebook something), something about my student club, maybe our little motorcycle club, and that's about it. I'd think most people under 30 or something would have a web presence, but most of it is very hard to find.

@Alex: that would only cause the scheme to "fall down" in the sense that if the person were already under suspicion, it would place them under even more suspicion.

I don't know what this hypothetical fake identity is actually for, other than generally to allow someone to operate as a US citizen. But whatever they're using the ID for - bank accounts, credit, travel, taking the bar - are the relevant authorities really going to do a Google search, and reject the application (or alert law-enforcement) if they don't find anything?

Even if they do that search, a smart or lucky identity-faker might have chosen a relatively common name. You'll get a load of hits for "John Williams", and it's going to be difficult to be sure without a lot of work that none of them are for *this* John Williams. When the CIA create false identities, I'm guessing they don't typically call them "Aspidistra Obasanjo-Nakamura". Although they should.

The real problem with an identity of this kind is that Bruce's "data shadow" *does* touch the real world from time to time. If you go for the bar, you'll be asked for your educational record. You might be asked for references, which might even be checked. It's possible, but difficult, to arrange for someone to impersonate a professor so as to pass that check.

So the answer to the question, "when would the fake ID require a real person to show up", is anything where humans will be asked whether they remember the person. Academic qualifications and job history can be faked, especially by claiming it was all overseas, but it's possible to detect the fake.

Such an ID would be good to travel around, probably to rent, get credit and a job, put a wanted criminal on a "trusted traveller" list, etc. It might not be good enough to run for office...

If you've got the resources and forethought to do the identity-farming thing in the first place, you've almost certainly got the resources to arrange for people who can serve to give references or claim to be friends or whatever. If someone were suspicious, they might notice that the same people/institutions served as references for a bunch of otherwise-invisible identities, but you'd need the suspicion first. In addition, you can use a lot of transaction where no picture ID is required (or where it's not checked) to build up the record using whatever physical people you have on hand.

I can't find a URL, but there was a case in the UK about 10 years ago, I think in the Brighton
area, about a "cardigan and slippers" supercriminal who created (say) 200 fake identities, waited for them to be offered loans
and credit cards, said yes to all of them, and shuffled money around to keep all the plates spinning until he had about 700 thousand pounds. I seem to recall he took lots of driving
tests under assumed names, rented multiple flats, and had some of his identities claim
others were their employers, etc., but
it was a long time ago.

What Dan said, September 9, 2008 8:46 AM:
>"Our data shadows can live a perfectly normal life without us," suggesting that
>perhaps the converse is also true, or, even better, that we grow ourselves a
>new data shadow and use it for as much as possible/everything, leaving the
>real us to carry on as we please.

So, once our data shadow becomes pervasive and takes on more reality than our real selves, we'll get our privacy back. It's no longer a matter of tracking what we do, but what our data shadow does.

--Bob.

@Sparky:

The biggest problem is where you are going to get money to live from. You can never get sick, because you can't go to a doctor. Don't get caught speeding either, because if the police officer checks your ID, you will get busted.

Busted for what? Allowing the police to jump to the conclusion that you are dead? It's not as though you had told them so!

For years as a security pro I've pondered the nature of identity and how malleable and tenuous the connection between an actual physical person and proof of that person's identity really is. Paper documents like birth certificates can be easily forged, digital identity data can too. People change names, nationalities, get radical plastic surgery. Sure, biometric parameters such as iris patterns, fingerprints, hand geometry, even entire genome can be used to ID a specific human, but then you still have a tenuous data linkage to that human's real name and other data like DOB, SSN, etc. Consider, too, the recent news that DNA identification isn't as reliable as we have assumed. Until we start tattooing birth names on babies (no, I am not advocating this, but I was amused by the barcodes tattooed on the assassins' heads in the movie Hitman) or implanting encrypted RFID chips at birth, we can never be totally sure someone is who they say they are. And probably not even then.

So I continue to wonder what the full implications of this are.

I live in the UK and a few years ago a Nigerian illegal immigrant ‘cloned’ my identity but obtaining a copy of my birth certificate from official sources. He apparently claimed he had been born in the UK, and his parents had returned to Nigeria without him. He had lived rough on the proceeds of begging and gambling until his early thirties when he decided to settle down. The birth certificate was issued and he used it to get my national insurance number, open bank accounts and create a completely duplicate life. He even registered my name as the father of his child.
I only suspected something was wrong when I received a warrant to attend court on various driving charges. When I arrived at court I had found that I had been convicted at a previous court hearing in my absence and was about to have a fine and my licence taken away. Luckily I had spoken to the police beforehand and been told that the guy originally arrested was 5 feet 6” and Black (I am 6 feet and white!). However this did not seem relevant to the court official. I was only allowed to leave a free man by convincing the magistrates that I had never lived at the address that the arrested guy had given and so not received the original warrants.
To cut a long story short, he was eventually caught after being arrested for assaulting another driver after an accident. However the good old British justice system was going to let him go because they could not prove he was not who he said he was. I was asked to confront him but decided that it was not a good idea. I got my MP involved who took the matter to the Home Secretary. Things then moved quite quickly and he was deported.
To my amazement, I found that there are no checks carried out when someone is claiming benefits and the “same” person is in full time employment and paying taxes. The court did not care that I did not resemble the perpetrator of the crimes, and worst of all, the system would rather let a guilty man go that spend a few pounds proving what they already knew, the guy they had was a fraud.
So why create false identities when it is so easy to assume someone else’s. Just make sure you learn how to drive!!