company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.

1. Online Identity Theft:
Changing the Game
Protecting Personal Information on the Internet

2. The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of
Microsoft.
Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter
in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights or other intellectual property.
Microsoft, CardSpace, Internet Explorer, Outlook and Windows are either registered trademarks or trademarks of Microsoft Corp. in
the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of
their respective owners.
Microsoft Corp. • One Microsoft Way • Redmond, WA 98052-6399 • USA
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT. © 2008 Microsoft Corp. All rights reserved

3. Contents
Executive Summary ...................................................................................................................................... 1
Introduction.................................................................................................................................................... 2
Stolen Data Fraud and the Rise of “Phishing” .............................................................................................. 3
Sophisticated Spoofs .................................................................................................................................... 3
Principles for Mitigating Identity Theft Now ................................................................................................... 5
Principle One: Use Two-Way Verification .................................................................................................... 5
Visual Cues ................................................................................................................................................... 6
Principle Two: Secure “Shared Secrets” ....................................................................................................... 6
Principle Three: Maintain Strong Control over Data ..................................................................................... 7
Changing the Game: Protecting Personal Information on the Internet ......................................................... 8
Information Cards .......................................................................................................................................... 9
Identity Verification ...................................................................................................................................... 10
Tackling “Inside Job” Identity Theft ............................................................................................................. 11
How Governments and Enterprises Can Help ............................................................................................ 11
Adopting the Technology ............................................................................................................................ 11
Striving for Maximum Consumer Convenience........................................................................................... 12
Conclusion................................................................................................................................................... 13

4. 1
Online Identity Theft
Executive Summary
Identity theft threatens the growth of e-commerce and the provision of financial and government services online. The
issue requires a more comprehensive approach to protecting personal information, including consumer education,
new technology tools, responsible business practices, a strong legislative framework, law enforcement engagement
and expanded victim assistance.
The ad hoc way in which online identities are managed today cannot withstand the increasing assaults from expert
criminal attackers. A new approach to securely managing online identity is essential—namely, a system that uses an
interoperable, vendor-neutral framework and gives end users more direct control over their digital identity. One key
component of this system is a new technology called an “Information Card,” which enables the creation of very
secure digital entities.
Equally important is our ability to lessen or preferably eliminate the value of personal information, thereby drastically
reducing the incentives to commit identity theft.
Microsoft is committed to partnering with governments, law enforcement, businesses and consumers to advance this
vision. The steps include three key elements:

Adopting advanced digital identities in government, enterprise and online service environments, along with
better data governance processes

Creating a secure digital identification system that allows convenient online transactions and enables higher
levels of security—based on real-world verified identities—when appropriate

Convening stakeholders to build broad support for the use of digital Information Cards as a basic tool to
reduce online identity theft and increase confidence in e-commerce and other online services
Trustworthy Computing  Microsoft Corporation

5. 2
Online Identity Theft
Introduction
Personally identifying information (PII) in digital form is the lifeblood of the Internet age. Because individuals,
organizations, businesses and governments have been willing to trust service providers with such PII, the past
decade has seen a tremendous variety of new uses for the Internet. Access to PII has helped fuel explosive growth in
e-commerce and e-government applications as well as various online communities. Online banking and investing
services, travel and shopping Web sites, and electronic filing of tax returns and license renewals are all examples of
how the Internet is enabling economic opportunity, efficiency and personal convenience in addition to offering
countless other benefits.
But along with the benefits, concerns about protecting PII are also escalating. Armed with personal information
1
2
gathered online and offline through phishing attacks, spyware, social engineering scams and other illicit methods,
identity thieves are stealing billions of dollars through unauthorized transactions and new lines of credit opened
fraudulently in the name of unwitting consumers. While financial losses from offline and online identity theft have
3
declined slightly, in 2007 they still totaled US$45 billion in the United States alone.
Online fraud is undermining confidence in the Internet and slowing the growth of online commerce and other services.
In 2006, 12 percent of EU residents aged 16 to 74 said they avoided online purchases because of security concerns.
In comparison, 57 percent said they had used the Internet and 30 percent said they shopped online in 2007.
4
Identity theft is not only a threat faced by consumers but also a significant concern for organizations as they handle
growing volumes of PII and use it in more diverse ways. Widely publicized leaks of sensitive data from custodians
such as financial institutions, credit bureaus and government agencies are eroding public trust in the Internet and
threatening to dampen online commerce and services.
This paper outlines a set of near-term tactics for mitigating online identity theft as well as a longer-range strategic
vision for fundamentally “changing the game” with regard to how people assert their identity on the Internet and how
such identity claims are verified by other parties during an online interaction or transaction. It also offers
recommended actions for government and industry leaders to help establish the infrastructure necessary for creating
a more trustworthy Internet.
5
1
Phishing: An act of Internet fraud in which the perpetrator seeks to trick people into providing personal financial information,
such as bank account or credit card information. This is often done by sending a fraudulent e-mail purporting to be from a bank,
Internet provider or other trusted source and asking for verification of an account number or password.
2
Spyware: Computer software that is installed surreptitiously on a personal computer in order to intercept data or take partial
control of the user's interaction with the computer, without the user’s informed consent.
3
Javelin Strategy & Research, 2007 Identity Fraud Survey Report, February 2008.
4
Eurostat news release, “One person in eight in the EU27 avoids e-shopping because of security concerns,” February 2008.
5
While a number of the principles described in this paper also apply to mitigating offline identity theft, our primary focus here
is on the online realm. These steps will not eradicate the risk, but they can reduce the amount of theft of personal information
online and limit the impact when it does occur.
Trustworthy Computing  Microsoft Corporation

6. 3
Online Identity Theft
Broadly, tackling identity theft more effectively will require a concerted investment in what Microsoft calls End to End
Trust—giving people more usable information about whom and what to trust online by building the infrastructure
6
required to help evaluate the people, devices, software and data that make up the Internet.
Stolen Data, Fraud and the Rise of “Phishing”
At the time it was designed, the Internet was primarily a medium for sharing information. E-commerce and online
banking, which are prevalent today, were not yet envisioned. As such, the Web was not built with robust identity and
authentication capabilities—a fact that has spawned a number of unwelcome experiences. Four key attributes of the
Internet that malicious attackers thrive on are its global connectivity, practical anonymity, lack of traceability and
valuable targets. It is also difficult for computer users to determine what programs are running on their machines,
what machines they are connecting to and with whom they are conducting transactions online. This paper offers
some ideas for changing these fundamental conditions in ways that continue to respect anonymity and privacy but
“change the game” with respect to Internet-based identity theft.
The current Internet environment has allowed identity thieves to proliferate. They have developed a variety of clever
methods to steal personal information and even resell it online. For example, in a May 2008 posting on the McAfee
Avert Labs Blog, one investigator described his discovery of a Web site that invites criminals to buy and sell credit
card numbers, bank account log-in passwords and other data that have been stolen from unsuspecting consumers in
7
different parts of the world.
Criminals previously relied on collecting information from lost or stolen laptops, using malicious software and
exploiting online services. As the technology community has enhanced software and hardware security, making
traditional exploits more difficult, these criminals have become highly adept at deceiving individuals into divulging
personal information through phishing and similar scams.
According to the Gartner research firm, “Phishing attacks in the United States soared in 2007 as $3.2 billion was lost
to these attacks.” A survey that the firm conducted in 2007 found that “3.6 million adults lost money in phishing
attacks in the 12 months ending in August 2007, as compared with the 2.3 million who did so the year before.”
8
Sophisticated Spoofs
As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows, which often
include official-looking logos of real organizations and other identifying information taken directly from legitimate Web
sites. In a typical phishing scam, the bogus Web site’s operator aims to trick consumers into providing personal data
such as their name, address, account number and password. If successful, the “phisher” can then access the
6
For more information, see “Establishing End to End Trust” at http://download.microsoft.com/download/7/2/3/723a663c652a-47ef-a2f5-91842417cab6/Establishing_End_to_End_Trust.pdf.
7
McAfee Avert Labs Blog, “You have to pay for quality,” May 7, 2008.
http://www.avertlabs.com/research/blog/index.php/2008/05/07/you-have-to-pay-for-quality/.
8
Gartner, Inc., “Gartner Survey Shows Phishing Attacks Escalated in 2007; More than $3 Billion Lost to These Attacks,” Dec. 17,
2007. http://www.gartner.com/it/page.jsp?id=565125.
Trustworthy Computing  Microsoft Corporation

7. 4
Online Identity Theft
consumer’s accounts and transfer money or, with enough information, open new lines of credit in the victim’s name,
using his or her good credit and assets as collateral. A fraudulent home equity loan, for example, could reap tens of
thousands of dollars for a criminal in a single transaction.
To make these phishing e-mail messages look legitimate, scam artists often place a link in them that appears to go to
the legitimate Web site but actually takes the user to a phony site or possibly a pop-up window that looks exactly like
the official site. These copycat sites are commonly called “spoofed” Web sites.
Here’s a picture of what a phishing scam e-mail message might look like:
Example of a phishing e-mail message, which includes a deceptive URL address that links to a scam Web site. The
sender has made the link in the mail appear to be from a legitimate bank by including ”Contoso Bank” throughout the
®
text, but the actual URL does not lead to the Contoso domain. In this example, Microsoft Office Outlook 2007 has
provided a warning that the e-mail looks suspicious.
Criminals also use a number of other techniques to gain access to personal information. For example, Web sites or email attachments may plant harmful software onto PCs to steal information directly. Such software may log
keystrokes or “scrape” the user’s screen—a technique in which one computer program extracts data from the display
output of another program—and send the data to the criminal for analysis. Another technique, “pharming,” involves
remotely changing Internet routing behaviors to redirect Web traffic to fraudulent but legitimate-looking destinations,
where ID thieves may be able to trick users into divulging personal data. Collectively, these types of fraud are a
serious threat to security on the Internet.
Trustworthy Computing  Microsoft Corporation

8. 5
Online Identity Theft
Principles for Mitigating Identity Theft Now
Later sections of this paper outline how the vision of End to End Trust can advance fundamental changes in how PII
is used. In the near term, consumers, governments and businesses can take important steps to help mitigate those
risks.
Consumer Tips for Avoiding Identity Theft




Be suspicious of any e-mail with urgent requests
for personal financial information. Phishers
typically include upsetting or exciting (but false)
statements in their e-mails to get people to react;
they might even address the recipient by name.
Valid messages from banks and online merchants
almost never ask users to reenter their login
credentials, update their records or reenter account
data.
Think before clicking links in e-mail, instant
messages or chat sessions. Avoid clicking on
such links to get to any Web page if you suspect
that the message might not be authentic or if you
don't know the sender. Instead, call the company on
the telephone or visit its Web site by typing the Web
address in your browser.
Install a Web browser toolbar. Look for one that
helps identify known fraudulent Web sites and alerts
the user if it finds a match. Internet Explorer 7
includes such a toolbar.
Request copies of your credit report at least
once a year. Check the report for suspicious
entries, such as accounts that have been opened
without your knowledge. Catching fraud early can
minimize the damage an identity thief can cause.
In addition to building anti-phishing, anti-spyware
9
and anti-malware features and other security
tools into its products, Microsoft works
collaboratively with governments, the IT industry,
business partners and customers to help reduce
identity theft. Based on this work, we’ve identified
some core principles for helping consumers
safeguard their identity from misuse, helping
organizations protect PII entrusted to them,
discouraging would-be criminals from attempting
identity theft and helping identity theft victims get
the relief they need.
Principle One: Use
Two-Way Verification
When authenticating users, online merchants and
financial institutions typically use a “challenge”—
such as asking for a username and password—to
make sure the user should be allowed to access
an account or conclude a transaction. However,
the reverse is typically not true: consumers don’t
have a means to require Web site providers to
For more information on spotting potential scams and
helping to keep personal information safe, visit these
Web sites:
prove who they are. While it is possible for a Web

Microsoft Security at Home
http://www.microsoft.com/protect/default.mspx
requires investigation of the site by a reputable

Anti-Phishing Working Group
http://www.apwg.org
gradual process of being adopted broadly.
site to prove its authenticity by obtaining an
Extended Validation (EV) certificate, which
certificate authority, EV certificates are still in the
Typically, the most that consumers can do is
visually inspect the site to see if it looks genuine,
but increasingly sophisticated thieves are creating
spoofed pages that appear virtually identical to
9
Malware is a term used to describe software or program code that is designed with malicious intent; for example, to infiltrate
or damage a computer system without the owner's informed consent.
Trustworthy Computing  Microsoft Corporation

9. 6
Online Identity Theft
those of an authentic Web site.
In the short term, consumers need better tools to identify signs of possible fraud.
Visual Cues
A Web site should ideally display its authenticity in a way that makes sense to a user. One such technique is the use
of an image-based identification challenge—also known as a “visual secret.” The site displays a visual cue when
asking for the person’s username and password. This visual cue—such as photo of a boat or a horse—will be one
that the user previously selected when creating the account. If, when the user begins the login process, the image is
missing or incorrect, it serves as a warning that the Web site might not be legitimate. It is worth noting that this kind of
an approach is successful only if the user knows and remembers to look for the visual secret.
Windows CardSpace™, a type of Information Card technology from Microsoft that is described in more detail later,
also provides visual cues for consumers. CardSpace does this by displaying certificate data associated with the Web
site as well as by delivering a different user experience for a new or “spoofed” site than it does for a trusted site that
the consumer has previously visited.
In addition, consumers can look for evidence of security safeguards deployed by a Web site. This includes a symbol
of a lock displayed in the address bar or at the lower edge of the Web site, which indicates that data exchanged on
the site is protected by Secure Sockets Layer (SSL) encryption. In the Windows® Internet Explorer® 7 browser, as
well as in other browsers, users can hover over this lock symbol with the cursor or click on it to view more detailed
information about the site’s certificate and the issuing authority, such as VeriSign.
Principle Two: Secure “Shared Secrets”
Most Web sites that manage access to private information use the “shared secret” technique to protect that access. A
shared secret is something that only the user and the Web site know, such as a username and password or
government-issued identification number. It can also be a private piece of data the user chooses to share with the
Web site, such as a credit card number or the name of a childhood pet. While this approach makes it convenient for
merchants, banks and government agencies to identify users, it also creates incentives and opportunities for identity
thieves. These secrets can be relatively easy to obtain through interception, deception or theft and then used to
impersonate the victim, steal assets, commit fraud and initiate more criminal activities.
Users can and should take steps to ensure these secrets aren’t acquired by criminals. One of the most basic steps
consumers can take is to avoid reusing passwords out of convenience and instead create different passwords to
access each individual Web site or online system. This approach will help prevent thieves from using one intercepted
piece of information to compromise multiple accounts.
Another helpful precaution is to create strong passwords that contain not just letters but also at least one numeral and
one symbol (such as &, *or @). This approach is not effective for warding off phishing attacks but is useful in other
situations.
Trustworthy Computing  Microsoft Corporation

10. 7
Online Identity Theft
Identity Theft Enforcement and Relief
Local, state and federal law enforcement agencies should
make identity theft a higher priority for investigation and
prosecution. This does not necessarily require new
legislation but rather dedicating the resources needed to
enforce existing laws against identity theft. Greater global
and interagency cooperation and intelligence sharing would
also help investigators to identify cyber criminals, build
stronger cases for prosecuting them and leave fewer places
for thieves to hide.
This collaboration must include at least three components:
better enforcement tools, explicit penalties and better
protections for consumers.
Law enforcement and corporate security personnel need
access to technologies and programs that aggregate
identity theft data (taking personal privacy protections into
account) to spot patterns, track down the big players and
build cases for prosecution. One example of this is the
Identity Theft Clearinghouse created by the U.S. Federal
Trade Commission (FTC), which contains millions of
consumer complaints about identity theft plus information
on victims’ experiences with identity thieves.
Stronger laws can also help boost prosecution of identity
thieves in cases that cross multiple jurisdictions. By
changing local legal codes, governments can close
loopholes that frustrate prosecutions in such cases and can
create stronger deterrents against identity theft.
Finally, jurisdictions can enact legal changes that better
empower victims of identity theft to mitigate losses, restore
their credit and correct public records. This includes
strengthening the rights of identity theft victims to obtain
records regarding misuse of their information and get
fraudulent accounts and transactions wiped off their credit
report. Financial creditors and merchants can help by
establishing dedicated resources, such as a telephone
hotline and Web portal, that enable people to quickly report
incidents of actual or suspected identity theft and take steps
to minimize the impacts.
Principle Three: Maintain Strong
Control over Data
Many identity theft incidents still occur through
offline methods such as “dumpster diving,”
10
robbery and deception.
This is a complex
problem that is best addressed collaboratively
by law enforcement, government, educational
and financial institutions, civic organizations,
businesses and the technology industry. It also
requires heightened consumer awareness,
responsible business practices, effective law
enforcement and appropriate legislation—along
with support from leading-edge technology
products.
Institutions that manage data must take steps to
keep it safe. The large databases of personal
data maintained by merchants, financial
institutions and information brokers are a
tempting target for identity thieves. Data leaks
can occur in a number of ways, including lost or
stolen computers, access to data under false
pretenses by a rogue client, a security breach
from the outside or an “inside job” by an
employee.
When a major data custodian experiences this
type of leak, the repercussions can be huge. For
example, in November 2007, the UK tax agency
Her Majesty’s Revenue and Customs disclosed
that it had lost computer disks containing the
records of 25 million UK residents—about 40
percent of the population—including confidential
information such as names and addresses
associated with birth dates and bank account
data. Preventing such an incident requires tight
controls over the collection, storage and use of
personal information. Successful data
10
Federal Trade Commission – 2006 Identity Theft Survey Report, pp. 27–31.
http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.
Trustworthy Computing  Microsoft Corporation

11. 8
Online Identity Theft
governance demands that an organization’s policies, people, processes and technology be aligned at all levels
toward responsibly managing and strongly protecting PII.
An even more basic and effective means of safeguarding PII is to not collect it in the first place. Traditionally,
business leaders have simply collected a large set of PII with the view that it could provide some future business use.
This has resulted in organizations being obligated to safeguard information for which they may not have a direct
business use. Adopting a commitment to collect only the minimum information required in order to provide the
requested service—rather than all of the PII possible—is a more responsible way to manage the threat of identity
fraud.
Many businesses either do, or should, have basic legal obligations to protect some types of data, ensure fair credit
reporting and give consumers opportunities to correct information stored with the business. But businesses can also
benefit from guidance and education in these areas. As the example above indicates, governments are among the
large organizations that need to be especially conscious of effective and efficient data governance practices.
Government officials also play an important role in helping to evangelize such robust practices. By creating blueribbon panels or other advisory groups and by drawing on business management and privacy experts in both the
public and private sectors, government can help develop guidance. Other important roles for government include
raising awareness of responsible privacy protection practices through public education campaigns and incorporating
that guidance into programs that assist businesses or organizations that maintain data.
Changing the Game: Protecting Personal Information on the Internet
It is important to educate consumers and help them make informed judgments about disclosing private information, to
promote responsible data governance practices among organizations and to punish those who commit identity theft
crimes. But an even better approach to enhancing security and privacy is to reduce reliance on “shared secrets” such
as usernames, passwords, birthdates and government ID numbers to establish the right to do something online. In
addition to being relatively easy to steal, these shared secrets can be difficult to remember, update and manage.
We need to employ new identity practices online that are just as reliable but better protect against fraud and abuse—
ones that leverage technology to give end users more direct control over their digital identities. Instead of requiring
users to produce personal information to establish their identity, we should think of personal information as too
valuable to be shared directly.
Microsoft has analyzed this problem in depth, at both a policy level and a technical level. Kim Cameron, Microsoft’s
11
chief architect of Identity, has defined several Laws of Identity that help define ground rules for designing services of
all types to allow individuals to access those services while disclosing a limited amount of PII. To put it in technical
terms, we should enable a system whereby users—or electronic systems—can present not PII itself, but digital
identities containing only the minimum claims necessary to enable interactions and trust establishment online. This
type of system defines new identity practices for the Web.
11
See http://www.identityblog.com/stories/2004/12/09/thelaws.html. The Laws of Identity offer a framework for use by
systems of many types and purposes.
Trustworthy Computing  Microsoft Corporation

12. 9
Online Identity Theft
Think of how a check represents a right to claim certain assets of an individual or organization that are held at a bank
or other financial institution. Similarly, we can use technology to create a token that represents certain rights and
therefore serves as a medium of trade and exchange. As long as personal information is used for authentication on
the Web, the incentive to steal it is high. But if better practices provide no personal information and reveal no
information of value to anyone other than the holder, the incentives and opportunities for identity theft will be
drastically reduced.
To open a bank account on which checks can be written, or to cash a check, one needs to provide some form of
identification. Commerce and other online activities also require a form of identification. You have to show both that
you have the right to claim certain assets and that you are the person entitled to that right. To better secure this
aspect of online activity, Microsoft has worked with a variety of other organizations to create a system based on
Information Cards. Information Cards are intended to work within an interoperable, neutral framework. Microsoft’s
Information Card client software is called Windows CardSpace, but users of other software can also create
Information Cards. Information Cards complement other Internet identity architectures and are built on a commonly
accepted set of Web protocols. Interoperable Information Card technology is being deployed in, and works between,
12
a wide variety of systems supplied by different vendors.
Information Cards
Information Cards are not physical cards; rather, they are sets of data pointers that sit on a PC or a mobile phone.
They are analogous to tangible cards in a person’s wallet. In much the same way that a person might use a student
ID card to get free admission to a museum or a frequent-shopper card to get a discount on groceries, a digital
Information Card issued by one entity can be used to verify the card owner’s identity with another entity, as long as
the card includes the necessary data.
How does this work? The creation and use of Information Cards involves three parties. The first party is the entity that
issues the card. In the case of a card for use in sensitive interactions, the issuer might be a government, business or
nonprofit organization. For less sensitive uses, individuals might issue themselves a card. The second party, or
relying party, is whoever needs to accept the card during a transaction. The third party is the cardholder, who decides
which card to present in a given transaction.
How does the use of Information Cards reduce the risk of identity theft? For starters, the person’s username and
password aren’t transmitted when an Information Card is presented to a Web site, so they can’t be stolen. Information
Card technology also supports a range of robust encryption methods that help prevent tampering with the data on the
card or snooping to intercept it in transit. Information Cards also allow relying parties to request the minimum amount
of personal information needed to authenticate an identity in a given transaction. For example, a particular card might
have 10 fields—for name, address, birth date, credit card number, frequent flyer number and so on—but depending
on the situation, a relying party might need only two fields of information to complete the transaction (such as name
and birth date).
12
For a further description, see http://research.microsoft.com/~mbj/papers/CardSpace_One-Pager.pdf.
Trustworthy Computing  Microsoft Corporation

13. 10
Online Identity Theft
Information Cards are designed to prevent data that is shared in one context from being reused in a different context.
This is accomplished through creating a unique set of keys for each combination of Information Card and relying
party. Through the use of this security technique, the information used for transactions on one Web site is not
available to other Web sites. Finally, because Information Cards allow the user to supply additional authoritative
information (such as name and e-mail address) on demand to Web sites for authentication or other purposes, there is
less need for organizations to store this data in their systems for long periods of time—and thereby run the risk of it
13
being stolen.
To further advance the interoperability and adoption of this technology, Microsoft and an array of other prominent
companies recently formed the non-profit Information Card Foundation.
14
Members of this foundation—including
Equifax, Google, Novell, Oracle and PayPal—share Microsoft’s commitment to fostering a simpler, more secure and
more open digital identity on the Internet, increasing users’ control over their personal information, and enabling
mutually beneficial digital relationships between people and businesses.
Identity Verification
For uses such as e-commerce, online banking and online government services, it’s vital that the Information Card’s
contents be verifiable with a high degree of certainty. Indeed, the identity claims we typically use in sensitive
situations—such as name, driver’s license number and government ID number—are generally based on previous
verification when we were physically present. For example, hospitals issue birth certificates based on eyewitness
evidence of a newborn’s entry into the world. Later, when we’re older, we might use that birth certificate to get a
driver’s license or passport from a government agency. We might then take this other document to a bank to open an
account or to an airline counter to check in for a flight.
A safer Internet must support a variety of options for establishing confidence in digital identities. These options may
be based directly on, or be derived from, in-person verification by a reliable entity, guarantors, existing relationship
data, or companies that provide this type of reputation service. For example, merely entering a driver’s license
number on an online credit application does not carry the necessary degree of trustworthiness. The driver’s license
might be a stolen one, or the person using the number might be someone other than the person who was issued the
license.
A more trustworthy approach for the Internet would involve designating mechanisms and processes for establishing
validated digital identities. One such mechanism might involve places where people could go to present validated
physical identification based on in-person verification and then obtain a digital form of identification with similar
reliability. Depending on the country and required level of assurance, such designated locations might include post
offices, libraries or even licensed private enterprises such as notaries public, copy centers, banks or mobile phone
stores. Governments and private institutions could also strengthen their digital identities based on in-person
verification and embed them in Information Cards for use on the Web.
13
A more detailed overview of this technology can be found at http://www.identityblog.com/wpcontent/resources/Identity_Metasystem_EU_Privacy.pdf.
14
“Technology Community forms Information Card Foundation to Simplify Secure Online Digital Identity,” June 24, 2008.
http://informationcard.net/files/ICFPressRelease6-24-08.pdf.
Trustworthy Computing  Microsoft Corporation

14. 11
Online Identity Theft
It’s also important to recognize that digital identities go through a regular life cycle, from issuance to use and
ultimately to retirement. An identity system must take into account all aspects of this life cycle because a weak
process at any stage will reduce assurance of identity to the lowest level. For example, if an identity is issued based
on a high-assurance process but is inadequately safeguarded in its use, the assurance of that identity ultimately is
reduced.
Tackling “Inside Job” Identity Theft
Establishing a framework for issuing and using more trustworthy digital identities on the Web also requires
protections against “inside job” identity theft, whereby a person working inside a government or a bank—an institution
that creates identities in the first place—gains access to someone’s information associated with the Information Card
or creates fraudulent Information Cards.
Microsoft is working to tackle insider threats through a technology called U-Prove. U-Prove employs cryptography to
safeguard the data needed for a transaction while preventing systems from being able to pull together information
about users from various sources. Such linking of information across sources is a significant risk to privacy because
the more pieces of data a criminal has about an individual, the more easily the criminal can take control of that
person’s identity. The use of U-Prove can help reduce a criminal’s ability to steal identities by accruing various pieces
of information over time.
How Governments and Enterprises Can Help
Advanced technology such as Information Cards and U-Prove can do much to “change the game” with respect to
identity theft by helping to discourage criminals from gathering PII and minimizing the damage when security
breaches occur. But making this approach the standard practice for online commerce will require much more than
just rolling out the technology. To truly change the game requires a collective effort and changes not just to
technology but to information-handling practices, how technology is deployed, and the creation of both legal and
business infrastructure to support the use of digital identities, rather than personal information, to enable interactions
on the Web.
Microsoft has learned through past experience why important efforts sometimes fail. One reason is misalignment
between technology, social forces and policy values, and market dynamics. We believe that these important aspects
can be aligned in the effort to address digital identity on the Web, and we offer some suggestions on how they should
be aligned. In many respects, governments are well positioned to lead the effort to reduce identity theft because of
their role in passing laws, protecting market incentives and preserving social values.
Adopting the Technology
First, governments can advance this vision by adopting and supporting the Laws of Identity and beginning to deploy
advanced technologies such as Information Cards and other related identity technologies in their own operations.
This spans both internal systems, such as computer networks used by government employees, and e-government
Trustworthy Computing  Microsoft Corporation

15. 12
Online Identity Theft
systems, such as online services used by the public to obtain government benefits, pay license fees and contribute
comments to administrative proceedings.
These government enterprise systems are among the largest creators, consumers and processors of identity
information and therefore hold tremendous influence over how private and secure it can remain. As noted earlier, the
Information Card technology is intended to be deployed in an interoperable, vendor-neutral framework. It won’t matter
which vendor’s servers or software are deployed in an enterprise or government system, and most if not all systems
should be capable of making the system changes needed to handle identity-based transactions through an
Information Card approach.
Governments can also help encourage this transition by working with the technology and business community to
agree on approaches for data governance and the types of robust technology infrastructures needed to support those
processes. While governments use technology within their own operations to reduce the extent to which personal
information is exchanged, they can also drive change by encouraging other organizations to use tools that limit the
disclosure of PII and the unnecessary aggregation of data, which can lead to a host of security and privacy risks.
From there, governments and organizations can help build greater trust in the online realm by promoting, both
through legal and procedural means, the availability of easily obtained digital identities—the piece of software code
that makes identity assertions in order to authorize people’s online access to data and services. For example,
government agencies are logical avenues for providing in-person verification of identity claims at venues such as
government service desks.
As noted above, in-person verification of identity may serve as the basis for identity claims presented by Information
Cards. This offers a much stronger form of identity than is currently used online (e.g., a username and password
created by the user). However, we recognize that users and businesses will not want to sacrifice convenience and
ease of use when it comes to online identity methods. In that light, we suggest that governments help foster the
creation of additional means of obtaining verified digital certificates.
Striving for Maximum Consumer Convenience
To increase the adoption of more secure identity systems, consumers will need convenient opportunities to obtain
digital identification based on verification. Many enterprises—such as vendors that provide notary services, copying
centers and mobile phone retailers—may be inclined to offer this service as a logical extension of their existing
business. However, these private businesses could be vulnerable to litigation if they are victims of fraud—if, for
example, someone presents a fake passport or if an identity that the business issued is compromised.
To address this concern, legislators could develop frameworks to address the liability issues associated with the use
of digital identities in the context of business transactions, so that potential litigation does not unduly constrain this
opportunity for businesses and for consumers. For instance, if an Information Card somehow falls into the wrong
hands and is used to commit a crime, to what extent should the issuer, the relying party and the ID holder be held
accountable? This question could apply to governments as well, such as in the case of school-issued ID tokens being
stolen. It will be important to address these questions, and to think carefully about who is authorized to provide digital
identity credentials in this new system. We believe, however, that consumers, merchants and IT system managers
will want to minimize the disruption to their current services in the trade-off between security and convenience.
Trustworthy Computing  Microsoft Corporation

16. 13
Online Identity Theft
This is a bold proposal. To achieve these goals, it is important to address all of the complicated social, political,
economic and technical issues involved and to do so through open dialogue aimed at common objectives.
Governments can serve as crucial conveners in this regard, both locally and internationally. On a variety of other
issues that affect the public, governments have successfully created expert panels, convened discussion forums and
fostered opportunities for generating input from business and industry, academia and nongovernmental
organizations.
All of these interests and perspectives should be reflected in discussions about this approach to digital identity—
including how to implement the infrastructure needed to support digital identities and how best to incorporate these
identities into government systems that issue identities, process benefit claims or provide other services. Such a
dialogue will also be crucial to driving consensus on important policy decisions, such as how to effectively use digital
identities to replace PII and appropriately balance anonymity with accountability on the Internet. Governments can
play a key role as conveners of, and participants in, this dialogue.
Conclusion
Combating the complex problem of identity theft demands a holistic strategy that combines effective consumer
education programs, robust technology tools, responsible business practices, a strong legislative framework, law
enforcement engagement and expanded victim assistance.
Recommended starting points include:

Increasing consumer education about identity theft and its prevention

Implementing appropriate identity authentication mechanisms

Identifying and developing data governance policies and processes in support of digital identities

Ensuring high levels of privacy and security throughout the Internet technology infrastructure, while also
preserving social values and consumer expectations regarding anonymity on the Web

Adopting and advocating practices that limit the required disclosure of PII by consumers and limit its use by
governments and enterprises to the minimum necessary to fulfill a specific purpose

Educating consumers to disclose only the minimal PII needed when conducting a transaction or requesting a
service

Enacting and enforcing criminal penalties for identity theft and other online criminal activities

Ensuring that identity theft victims have ready access to assistance in reclaiming their identity and repairing
the damage to their financial standing
These actions are very important, but on their own they are not enough to prevent further costs to our society from
identity theft. The ad hoc way in which online identities are managed today cannot withstand the increasing assaults
from expert criminal attackers. Identity theft not only has serious implications for the individuals whose assets and
livelihoods are violated, but it also threatens the credibility of economic transactions at a time when advances in
broadband communications and online services should be driving greater acceptance of these transactions.
Trustworthy Computing  Microsoft Corporation

17. 14
Online Identity Theft
One of the keys to changing the game in identity protection is to establish an interoperable, vendor-neutral framework
that uses technology to give end users more direct control over their digital identity. This is crucial to the objective of
limiting the value of personal information as a key to online access and reducing the incentives to commit identity
theft.
The immediate steps toward this approach involve three key elements:

Adopting advanced digital identities in government, enterprise and online service environments, along with
better data governance processes

Creating a secure digital identification system that allows convenient online transactions, and also enables
higher levels of security—based on real-world verified identities—when appropriate

Convening stakeholders to help generate broad support for “changing the game” on identity theft and taking
steps to create business and consumer awareness and adoption of information cards, regardless of what
computing system or technology they may use
Collaboration across all of these fronts will improve our collective efforts to target the root causes of identity theft,
minimize the incentives to commit identity theft, reduce its impact and limit such opportunities for criminals in the
future.
Microsoft is committed to partnering with government, law enforcement, business partners and consumers to
advance this vision. We believe it is possible to make the Internet safer for consumers and families and therefore
more reliable for individuals, businesses and governments.
Trustworthy Computing  Microsoft Corporation