Future of Identity Protection

There’s a lot of alarm over who stands to lose their job to automation and artificial intelligence. From fast food workers to toll booth operators, no doubt there’ll be some losses in the coming decades. But when it comes to identity protection and AI, the question shouldn’t be, “Who’s going to lose their job to artificial intelligence?” The real question should be, “Who should lose their job to artificial intelligence?”

If AI could prevent identity theft better than certain cybersecurity specialists, it stands to reason those specialists should lose their jobs to AI. It’s impossible for AI to be “stupid” or to abdicate duties that are part of its algorithm.

Witness the words from chairman of the House energy and commerce committee, Greg Walden: “I don’t think we can pass a law that fixes stupid.” He is of course referring to the Equifax data breach, a giant loss of consumer identity data at the hands of unseen thieves. Equifax’s former CEO Richard Smith resigned after the company revealed the breach to the public. He blames the breach on “human error and technology errors.” What if human error wasn’t an option when it comes to protecting identity data? To the extent that it’s programmed correctly, artificial intelligence promises to do away with human error.

To our detriment, consumers have very few ways of protecting our identity information. The average case of identity theft results in a loss of $1,500 for the consumer. When it comes to protecting social security numbers, Consumer Protect, an activist network, recommends “Always keeping your social security number (SSN) secure. Do not keep your card in your wallet or write the number down on checks. You should only give someone this number when it is truly necessary.” But what if someone (such as Equifax) has this number without your permission?

Although the Government can’t draft a bill legislating the end of stupidity, it can pay attention to one of Mr. Smith’s recommendations. Smith thinks we should stop using social security numbers to verify identity.

“It is time to have identity verification procedures that match the technological age in which we live,” Smith said.

For example, a company like Apple knows facial recognition AI is now advanced enough to place it at the heart of the new iPhone X. Apple’s Face ID learns from its mistakes, adjusting its algorithm based on continuing iterations of a user’s facial features. If you keep looking at your phone, it keeps updating its knowledge of your face. Your facial data are encrypted on the device, instead of being stored in a centralized location where hackers can access them. Apple says the chances a random person could access an iPhone X by looking at it are one in a million.

If a person’s face is directly linked to their social security account and credit card accounts, and the facial data isn’t stored on a network that hackers can crack, hackers are going to have a much harder time stealing identities.

But Mr. Smith isn’t offering an entire picture of what a company like Equifax could and should do with AI, and he’s not really addressing Mr. Walden’s assertion that Equifax was simply being stupid by leaving the gate open to hackers.

Equifax’s IT personnel chose not to update Java web applications that were vulnerable because of a fault in Apache Struts, which is an open-source Java app framework. In turn, this left Equifax’s data vulnerable because outsiders could write in malicious code. Blue Matador’s Philip Volmar points out, “What companies like Equifax want is security, uptime, and automated remediation. Instead, monitoring tools give them data, query tools, and reporting.”

In other words, Equifax’s monitoring tools didn’t tell them the breaches were happening because they’re using an outdated, limited software stack. Moreover, with awareness of the Apache Struts weakness (which they did have because Apache immediately notified everyone using the framework when the weakness surfaced), they could have used automated remediation to seek out all instances in which the network runs Java web apps using the Apache framework. Then, they could have used Apache’s readily available solution to fix the problem.

In the future, expect AI to do what Equifax’s cybersecurity staff didn’t do: seek out flaws in apps and apply necessary patches, because this type of work doesn’t require critical or subjective thinking. Credit card companies, such as Mastercard, are already using Design Intelligence, an AI program, to identify fraudulent transactions and false declines. It’s not a long-shot to expect a company like Equifax to to use AI for its security purposes too.

By Daniel Matthews