When my phone rang recently with an unrecognised West Australian number I knew before I answered what to expect…
“This is eBay calling to inform you that you are going to be charged $299 dollars on your credit card. If you want to cancel this charge, press one now…”
I knew better than to fall for this – if I pressed “1”, I’d be transferred to an operator, who would take down my credit-card details, then use them fraudulently. But not everyone knows this, and that’s why this scam continues ad nauseam, along with countless others for “Amazon”, or “the ATO”, or whomever the scammers believe will whip up the right combination of fear and anger in the receiver’s brain, just to get them to give up those details.
When I receive these calls, I note that they never have any caller ID information. There’s no name, just a number. Yet our very sophisticated call systems allow for all sorts of metadata to be sent along with the call – the sort of metadata that can help sort out the real from the criminal.
Criminals hide behind the anonymity. It shields them from inspection by the caller and, presumably, the authorities. There’s been a bit of talk about why this sort of criminal misuse of the phone network continues to happen (and how much carriers profit from it, or could prevent it), but perhaps the most obvious defense against this sort of attack is simply being able to recognise the attacker.
We all have identities – how we are known to others; how we identify to others. These identities aren’t fixed. We may have the same given name, but how and where and why we choose to use it – first or last or both – depends on the situation. With close friends, we rarely even bother with names, except in a crowd. In a legal setting, last names dominate, and in every situation in between these, we pick and choose how we identify ourselves to others. We have agency – but so do our friends and colleagues. They can choose to gift us with a nickname, be stiffly formal, or sit somewhere in between. How others choose to identify us signals their feelings, their position, and their relationship with us.
Much of this breadth of identity came into the digital world. From the earliest days, people used ‘handles’ – self-crafted identities – in email correspondence and online chats. In some cases, the handle became more widely known than the person behind it. Where those handles lacked any direct connection to a real person, they became vehicles for mischief – both playful and malicious.
“On the internet, nobody knows you’re a dog,” goes a famed New Yorker cartoon. While that may be true, it never takes long before everyone on the internet knows that you’re a nasty piece of work.
Facebook landed squarely on the horns of this dilemma back in 2014. The social network let folks ‘find the others’ – people with shared interests, views and identities. But quite often those people could only share those identities with others online because of social sanctions against the expression of those identities in the real world – such as people with minority religious beliefs, or those in the LGBTIQ+ community. A handle represented freedom of expression and freedom from fear. But those handles also opened the door to the kinds of malicious harassment that characterise the darker corners of the online world. That, plus the fact that the large number of ‘fake’ accounts decreased the revenue-per-user targets Facebook needed to please its shareholders, led the social-media colossus to implement a strict ‘real names’ policy. You are your name on Facebook.
That’s a boon for marketers, but increases the peril for anyone in a marginalised community who is trying to maintain their footing in two realities – a real world that doesn’t accept them, and an online world that does.
Identity is potent, and letting anyone fix your identity – for their own purposes – skirts the boundaries of what we are prepared to accept as the price for membership within any organisation, including a global social network.
Yet we always have a need for authoritative identity, such as in our interactions with government, financial institutions, and medicine. We need to be able to identify who we are, unambiguously, because, from time to time, our lives, our livelihoods and our safety may depend upon it. Here, we can’t hide behind a handle. We have to be able to represent ourselves as who society has defined us to be.
That’s always been fraught. The entire question of ‘Papers, please?’ causes a chill to run down the spine of anyone who has been caught on the wrong side of a government or a border check. Control of identity means control over one’s comings and goings – perhaps even one’s right to exist. For that reason, it’s best managed carefully, sensitively and protectively.
Until a few years ago, our ‘official’ identity has always been paper-based: birth certificates, citizenship papers, passports and the like. And, for those of us who drive, the driving licence that nearly every one of us carries with us all the time. Or rather, did carry, before we all got smartphones and stopped carrying our wallets.
Enter the ‘digital wallet’, designed to hold your financial, medical and governmental documentation securely within your smartphone. Protected by the smartphone’s biometric or password security measures, we have the impression that these systems are as secure as paper documentation – perhaps even more so.
Last month we learned that it ain’t necessarily so. An extensive report published by a group of ‘white hat’ hackers – folks who try to break systems in order to alert their creators, who can then repair those flaws – exposed some deeply disturbing weaknesses in the Digital Drivers Licence (DDL) offered by New South Wales within its Service NSW smartphone app.
The report shows how a legitimate state-issued DDL can be tampered with, transformed into a new, fraudulent licence, which will present itself through the app just as a real one does. The app doesn’t check the license on the device against the ‘real’ licence at Service NSW, so the fraud is never detected, and thus never blocked. These DDLs have been in use for three years in NSW, and it’s probable that other folks figured out this hack some time ago – and have been exploiting it to create their own fake IDs.
Identity is more important today than ever before – we need it both in the real world and online, and it is the touchstone connecting our bodies and health with our society and our wealth. Where identity breaks down, it puts all of that at risk. Obviously, Service NSW will fix its problems, but what about all those fake IDs? Can they simply be erased or invalidated? Or will we never really know whether a DDL is the real deal? Like that unknown caller trying to defraud me, will these fraudulent government-issued credentials be used to defraud the public? Surely the answer is yes, even if it never affects many people directly. These questions of identity – who determines what we can say about who we are – will only grow more acute in the years to come. We need to think about how we can have a voice in that conversation, so that we retain some say in how we present ourselves to the world.