[zAy0LfpBZLC8mAC]

> I see this as you being too strict with your definition of "identity".

> We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.

Which is not relevant here, as this is not about different sets of attributes pointing to the same body, but about the exact same set of attributes being claimed to only possibly be pointing to one body (hence they supposedly identify Alice) while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.

For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body. Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.

[tripzilch]

Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".

> For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body.

And then we say that the stating the DoB authenticates anyone to make changes to Alice's account.

And then we say this is a terrible idea. And then we are in agreement.

And then we don't have to say completely unhelpful nonsense like the following:

> Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.

If these credit bureaus insist on conflating the word "identity" with "authentication" then it is up to us, computer / information / system / security professionals to correct this error and continue with more clarity.

Not not to start a one-sided (credit bureaus aren't listening) philosophical argument that nobody was really talking about in the first place. This isn't about ontology, and it never was.

(Ontology is the field of philosophy that asks the question what "is" is, a.k.a. "identity" and it's very interesting but also very much irrelevant to this incident and the problem it poses to badly designed authentication systems)

An important part of our jobs is being able to clearly explain such computer security and authentication concepts to a layman. That includes properly framing the question. Digging into a philosophical argument because you feel you can argue your way around a particular word that is used, only feeds pedantry.

[zAy0LfpBZLC8mAC]

> Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".

Except it's nonsensical to switch to "authentication" when the discussion is about how the term "identity theft" is misleading. It's not "authentication theft", it's "identity theft", and that is exactly why it is misleading.

[mfoy_]

The point is that it is NOT "identity theft", even if that's what people call it. It is more aptly "authentication theft/fraud".

The original point of this comment thread was that the credit reporting agencies want to keep it confusing so that it's not clear who exactly was the victim of the crime, so it's not obvious that the system sucks.

[zAy0LfpBZLC8mAC]

Yes, I agree, and I might have slightly misread what tripzilch wrote to mean that we should avoid the term here in this discussion, which I objected to. Towards the general public, it totally should be framed as an authentication failure, yes, I agree.

[tripzilch]

I think my point would be that, by discussing the minute semantic / philosophical points of the concept of "identity", you're still letting them frame the discussion that way. It's a word that they choose to describe something which it isn't. First is to just not go along with it, not to dig in and try to beat them on their own territory (if you succeed, you won nothing).

For the same reason I won't go into discussions about the finer moral points when stealing is wrong or not, if the topic is copyright. Especially not get carried into far-fetched analogies such that it is okay if a starving family steals the blueprint for a 3D printed load of bread or whatever.

In that sense, the term "intellectual property" is actually similarly problematic as "identity theft". While it evokes the connotation of "property", intellectual_property is actually just a legal term that stands on its own and derives nothing from the common concept of "property" except where explicitly defined as such.

Except that identity_theft is, afaik, not a legal term. I believe it stems from the idea of the loss of an interconnected number of (mostly electronic) credentials, an adversary could use to, in a sense "become you", and wreck one's life. This then became a serious fear, that was (in the public) not quite blamed on terrible security practices of powerful entities, but on the ever-growing interconnectedness and electronicification of all aspects of our life. In fact literally about the fear that the large amount of data about us in these computer databases, would some day mistaken to be us and identify, regardless of its truth in the real world. But identify_theft has always been painted as a sort of "curse of the modern age", our penance for living in an ever automated society, kind of typical Hollywood morality story.

Except these credit companies seem to be just focusing on the "wreck your life" part, twisting the definition around, that suddenly a security failure with their authentication/credential system gets to be blamed on the general societal menace of identity_theft, mainly because their error has the capability to wreck one's life.

I'm pretty sure Baudrillard or some other person in critical theory / semiotics has written some interesting stuff about this. Now that is a philosophical discussion on this topic that I would actually find worthwhile.

[ckastner]

> while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.

Attributes can be replicated -> attributes don't identify Alice

Why do you consider this implication necessary? It sounds nonsensical.

Counterexample: to verify an identity, the verifier must possess a replication the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.

Note that we're speaking of identity in the context of a technical implementation.

[zAy0LfpBZLC8mAC]

> Why do you consider this implication necessary? It sounds nonsensical.

Because it is implied by the definition that is implied by the concept of "identity theft".

Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice. Using that definition in the context of identity theft would then lead to the following sort of justification: Alice is responsible for paying back this loan because the person that we gave this loan to was a human and we identified Alice by her attribute of being a human to be the person we gave this loan to.

That doesn't make much sense, does it?

The whole justification for calling it identity theft, and thus blaming the identified person, hinges on the implication that whatever attributes are being used to "identify" Alice do imply that it is in fact uniquely Alice who has those attributes. It only logically works if you can say "those attributes are the attributes of the person that we made the contract with, and they are unique to Alice, therefore Alice is the person we made the contract with", not if your claim is "those attributes are the attributes of the person that we made the contract with, which are shared by a whole bunch of people, therefore Alice is the person we made the contract with".

> Counterexample: to verify an identity, the verifier must have replicated the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.

Erm ... no? Just two obvious examples:

In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.

In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.

Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?

> Note that we're speaking of identity in the context of a technical implementation.

Actually, we kindof don't. We are really talking about a legal implementation, where there really is no requirement to do anything as a "technical implementation"!?

[ckastner]

The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.

> Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice.

> That doesn't make much sense, does it?

If Alice is the last surviving human being in the universe, it does.

If Alice isn't the last surviving human being in the universe, than the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.

> In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.

You haven't checked that it's me, you've checked that it is someone who looks like me.

Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.

> In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.

Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.

> Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?

Do you believe this hypothetical example to be true? If not, what's your point?

[zAy0LfpBZLC8mAC]

> The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.

In which case it's just not a refutation of the tautological impossibility at all. Either something uniquely identifies someone, or it does not. Uniquely identifying someone while at the same time being (trivially) being replicated by somebody else is just a contradiction.

> If Alice is the last surviving human being in the universe, it does.

Seriously?

> If Alice isn't the last surviving human being in the universe, than the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.

Which is exactly why "was able to tell us the DoB of Alice" as an identity is nonsensical, and hence any conclusion of the form "therefore, Alice's identity was stolen" is nonsensical as well, correct.

> You haven't checked that it's me, you've checked that it is someone who looks like me.

Which contradicts the claim that the verifier does not need a replica of you how exactly?

> Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.

Which still cannot be stolen. So?

> Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.

Which contradicts the claim that the verifier in a context where it is taken to be sufficient proof of identity does not need the private key how exactly?

> Do you believe this hypothetical example to be true? If not, what's your point?

My point is that I am responding to your argument that was about an implication from that hypothetical case.

[tripzilch]

> Let's assume we define "identity" to mean

... seriously, just stop.

[jdironman]

So the only way around this is to disregard information about a person other than information that 100% without a doubt identifies that person making a purchase is who they say they are? I am just genuinely curious.

[sowbug]

No. It's to accept liability when you make a mistake. If a criminal tricks a bank into giving away money and debiting some random account, the victim is the bank, not whoever happened to own the account.

[zAy0LfpBZLC8mAC]

Around what? The fact that the term "identity theft" is nonsensical? There is no way around that, it just is.

As for fraud: There probably is no easy way around it. But that doesn't mean it's not fraud.

[jdironman]

I was not saying either really. I was asking what sure fire way we have other than a number / name for identity.

[zAy0LfpBZLC8mAC]

Well, there is biometry, with the simplest form being a picture, if you want to somewhat reliably identify people.

[TheSpiceIsLife]

While I thoroughly agree with everything you've said on the subject thus far...

How does being in possession of a picture, or any other biometric data, help? These data are reproducible, like any other attribute that supposedly identifies only-Alice.

[zAy0LfpBZLC8mAC]

Checking the possession of a picture is not biometry (that would be possession-of-a-picture-metry). Making a picture is biometry (measuring the body, essentially).

The hard problem with biometry is proving to a third party that a certain identity is responsible for a contract, but identification with biometry (convincing yourself that the person before you is the same person that you enrolled earlier) at least works a lot better than asking for essentially public information.