Nov 23 2007
 

Today the UK’s Information Commissioner announced that today’s young (and in some cases not so young!) are putting their future careers at risk with some of their ‘riskier’ posts on social networking sites such as Facebook. In addition, the Commissioner pointed out that these users were risking identity theft by putting so much personal information online.

It is worth mentioning that information can live online for a very long time … forever if the people behind Archive.Org have their way. This is not necessarily a bad thing although it can come as a nasty shock to realise just how shallow one was as a youth!

But do employers really care what people put on their Facebook profiles? Well, I dare say some do, but they probably should not. I’ve had more than my fair share of ‘youthful excesses’ in the distant past, but I’ve been a reasonably productive employee for all of that time. Now some more conservative companies may be worried about people making an association between their Facebook profile and the company they work for … fair enough. It seems perfectly reasonable to have a policy to say that one’s Facebook profile should not be linked to one’s place of work.

But not to employ someone because their Facebook profile looks a little wild? That probably counts as cutting off one’s nose to spite one’s face! And quite possibly may count as age discrimination!

Now I come to identity theft. It is true that having too many personal details online may well make you more subject to identity theft, which is a serious problem (although not a new one!). But is eliminating personal details online the right way of tackling the problem? We have also seen this week that people can be subjected to the risk of identity theft through no fault of their own. Those who do not follow computer security news closely may not realise that this is a story that is regularly repeated, although not usually on such a scale.

Whilst being careful about putting personal details online is undoubtedly good practice (because no other solution is going to arrive quickly), we need to think about better ways of defending against identity theft other than hiding personal details. I have no idea how this might be done in detail, although one obvious thing occurs … to have multiple ‘keys’ which serve different purposes … perhaps a government ‘key’, a financial ‘key’, a ‘social networking key’ (for things like Facebook and online forums), and a ‘key’ to be used for employer identity purposes. Separating these ‘keys’ would limit the damage if a leak did occur … essentially you would need to steal multiple ‘keys’ to steal someone’s identity.

The problem of identity theft is only going to get worse unless we do something better in the future. Basing one’s identity on things like address, birth date, etc. is not going to be anywhere near secure enough. It has always been possible to steal someone’s identity if you have these details, but the pervasiveness of IT systems makes it easier.

In the computer security world there is a truism that ‘security through obscurity is no security at all’, and what we are currently doing to protect our identity is attempting to practice security through obscurity.