I’m always impressed at the low-tech nature of today’s most brazen hacking attacks and abuses of identity. It’s inevitable that someone will lie to get at your information, then leverage that information to get access to something valuable. In other words, people will lie to get access to your data. So here’s a thought: why not employ the same strategy to combat the problem?
If history is any indication, lying is certainly not a novel approach to getting things done, but it does go against most people’s idea of what it takes to preserve the social order. Certainly, there’s plenty to worry about: how can you do it and preserve some kind of personal integrity? How far do you go? Is it a slippery slope? And how much trouble can you get into? Even the thought of stretching the truth in an online form with a checkbox at the bottom makes us a little uncomfortable. And all this over the possibility of voiding some implied warranty, or otherwise breaching the trust of a faceless organization whose spyware-laden shareware we’re about to unleash upon our unsuspecting computer.
Your parents were right: it is indeed bad to lie and cheat and steal. But what about the criminals, and the hackers and the script kiddies? And the government-funded cyberattacks? And the spies, agents and undercover officers trolling the internet? Wait just a cotton pickin’ minute! If they can do it, surely you can too!
Let’s be clear, we’re not talking about lying to the government about the identity on your passport. We’re not talking about falsifying your driver’s license. I am, however, suggesting that the cloud-based systems that have come to play a central part in our lives, from managing our communications to scheduling our time, may not be so good at handling our personal information even though they take every opportunity to ask for it.
And lord knows they pressure you into surrendering a lot of information! But not before making sure you understand the fact that they really want you to provide accurate data. Let me be clear: YOU are the custodian of your own personal information. For anyone to ask for the privilege of collecting and storing it, the burden of proof is on them to demonstrate:
1. Authority (who are they to expect the truth? If all they want is the ability to recognize that you’re the same person who set up the account, and that you’re reachable by email, then your identity, quite frankly, doesn’t matter)
2. Need – absolute need – not just an expression of their fetish for collecting diverse bits of interesting data they could at some point use to impress their advertisers.
3. The verifiable ability to protect it (“your data is secure with us” is not a good way to gain my trust, for instance)
4. An explicit promise to securely and verifiably dispose of it – all of it – when you no longer wish them to have it.
All that to say that when you’re online, you can absolutely determine what bits of your personal information – if any – a site is entitled to receive from you. And once it does, it is responsible for every shred of sensitive information you have now placed in its custody. So what information should you be surrendering? Well, none at all if you feel the site really can do without. If you want to use a pseudonym, a disposable email address or a false street address, there really isn’t anything that can be done to prevent you from doing it.
Instinctive discomfort aside, the benefits of keeping control of your data are many:
- The more personal information you don’t share, the more you control. And that’s what identity theft is about: control over your information. If it’s not out there, it is a lot less likely to be stolen.
- By using fake information on different sites, if and when you eventually get an unsolicited password reset notice or any statement hinting that something’s fishy, it will be plainly obvious which of your online identities was compromised as long as you keep track of what you’ve submitted to each site (which you can easily do with your password database).
So there you have it. Fake information can enable real protection. Naturally you’ll have to use your best judgment to determine which sites are okay to fool and which ones genuinely do need your information. Naturally if Google needs your cell phone to verify your identity, let it have it. It won’t abuse it but it will give you a good way of identifying yourself in case of malicious activity. So go ahead: tell your family that it’s okay to not answer every question truthfully, including the security question in your profile. For once, you’ll pat yourself on the back for what may seem like a great deception. When the guilt dissipates, you’ll remember you’re taking identity theft seriously and doing what sites aren’t willing to do: have a plan to protect your most valuable asset.
Claudiu Popa is the author of Managing Personal Information (www.PrivacyRisk.ca) and CEO of Toronto’s Informatica Corporation (www.InformaticaSecurity.com). Follow him at http://Twitter.ClaudiuPopa.com or subscribe to his blog posts at http://subscribe.ClaudiuPopa.com.