Liberty seeks to define ID theft by creating lexicon

Standards body the Liberty Alliance Project believes it can contribute something currently missing from the ongoing debate on tackling identity theft -- a lexicon of terms defining exactly what constitutes ID theft. The alliance, which focuses on developing open standards for federated network identity, revealed its work on the lexicon Tuesday.

Liberty has been working on the lexicon since establishing an ID-Theft special interest group (SIG) in April in Dublin, according to Michael Barrett, vice president, Security Strategy and Architecture for American Express Co. and the former president of Liberty Alliance. Liberty announced Tuesday that it has rechristened the SIG the Identity Theft Protection Group. Barrett is the co-chair of the renamed group along with Alex Popowycz, a member of the Liberty Alliance management board and vice president for Fidelity Investments.

About a third of Liberty's 150 members are involved in the Identity Theft Protection Group. In addition to American Express and Fidelity Investments, those members willing to be named publicly are America Online Inc., Nokia Corp., Oracle Corp. and RSA Security Inc.

"There seems to be a lot of difficulty in understanding ID theft," Barrett said, explaining that many identity attacks have both an offline and an online component. He added that the phrase "identity theft" has become too much of a blanket term covering both the theft of a consumer's credit card number as well as the potentially much more serious theft of an individual's full credit data. In the first case, credit card companies bear the liability of the ID theft, so the impact on the consumer is often minimal, but the theft of full credit data -- an individual's home address, Social Security number, mortgage details -- presents an extreme risk to the consumer.

"There's no common set of terms that everyone agrees to," Barrett added. "We want to catalyze debate" on identity theft. He said it would probably take Liberty a few more months to complete the lexicon, though work might be finalized by the conclusion of the alliance's first Identity Theft Workshop due to held in Chicago on July 20.

Barrett said that having the lexicon might help in educating regulators on what constitutes identity theft and thereby assist them in determining what regulatory changes would best help. Liberty is also considering producing generic educational material on ID theft that its members could then customize and brand with their own corporate identities and distribute to other enterprises and consumers, he said. The alliance will later investigate if any additional technological component needs to be developed to help in combating ID theft.

The Liberty Alliance Project was set up in September 2001 by Sun Microsystems Inc. to create open technical standards for digital identity and to counter Microsoft Corp.'s rival Passport online authentication service. While Microsoft has yet to join the group, long-time hold-out IBM Corp. became a member of the alliance in October 2004.

"I would've loved it if we could've persuaded Microsoft to join," Barrett said. "But we've prospered without them." He doesn't believe that the quality of the lexicon will be compromised by Microsoft's absence. Should the alliance's investigations into identity theft point to the creation of some new technology, not having the software giant on board might be a potential problem, he admitted. However, "On a day-to-day level [not having Microsoft around] is not an issue," Barrett said.