Sarthak Batra
Notes on Identity - on the Internet (Part I)
May 30, 2021 - 6 min read
Hi! This is a four-part series about identity on the internet - the various ways website and applications authenticate our identity on the internet.
Part I: Introduction <— you are here
Part II: Ways to prove your identity on the internet (coming soon)
Part III: The rise of two factor authentication
Part IV: Startup idea: How about we sell identity as a service!
This paper is proof that you exist. Don’t lose it.
The process of identifying humans starts at birth with the birth certificate. It is proof that we were born in a particular country - that we exist.
When we start school, we get an identity card (id-card). It contains our name, address and contact information of our parents/guardians. It also mentions our class - where we belong in the school hierarchy. An authorized person such as a teacher can snatch your id-card if you misbehave. Good luck getting into the school if that happens.
When we get older, we get various government ids depending on where you live. In India, there’s voter id, PAN card (for tax paying citizens), driver’s license and the more recent Aadhar card (social security). All of these are proofs of identity valid for certain transactions. Any interaction with the government like filing taxes, getting a passport, voting in your constituency requires you to funish one of these as proof.
We need to keep our proofs of identity safe and secure. Losing one of these is a huge pain and in some scenarios, can cause harm (more on that later).
I am a bot and I need to know. Are you human?
Identity is everywhere, even on the internet - and identity is important. Identity is used to give access to certain privileged resources. You input your username and password in your bank’s website to access your account (authentication). You may even have to enter a One Time Password (OTP) sent to your mobile or e-mail address.
But, you don’t have to do that to read this blog. Generally, you don’t need to veriy yourself to read ad-supported news either.
On the other hand, subscriber-funded news websites like The Ken would require you to login and have an active subscription with them to access its archives. Why is that? Identity cannot be trusted, it has to be enforced. The Ken cannot operate on good faith of its users to login before accessing an article. To protect its revenues, it has to operate on zero-trust and require you to login first.
Everyone has a role to play
Whenever you access a privileged resource, you can do so because you fit in a certain role. As a customer of The Ken, your role is of a reader. You can view its entire archive but you don’t have the permission edit any article (read-only access).
An reporter of The Ken may log on to the site and have access to its the Content Management System (CMS) where they can write and edit articles. They may still not have permission to publish them. That role would live with the editor who can edit and publish articles.
A reporter may be an editor too in which case they will have multiple roles assigned to them.
The managing editors of the site would have god-level accesss on the website (superadmin). They would be able to publish, archive or delete any article, make or remove editors and reporters (assign roles to certain users). Users having this level of access should be a handful few to keep the attack surface low.
Note for developers
As a developer setting up identity services, you cannot be careless. Details about our identity are meant to be private (personally identifiable information). Databases containing this information are often a target for hackers as a key step in performing malicious activities and stealing one’s identity. An attacker trying to gain access to server/database may also use mis-configured roles to gain more access.
Stolen information can be used to commit fraud, steal identities, stalk, blackmail, publically humiliate and even inflict personal harm. Stolen personal data can also be used to target the organizations the people work for.
The pandemic - a busy time for hackers
A recent example of an attack to steal identity infromation was the hack on the Air India servers, where passports and contact information of 45 lakh (4.5 million) customers in the company’s last 10 years of operations were leaked (data breach). Imagine being the security team having to make that call to your bosses.
Here’s the email that Air India sent affected customers by the cyberattack:
Here’s another fun fact: Companies in India reported more cyberattacks than any other country according to a 2020 report.
In case you want to check if your email/phone number has been compromised in a data breach, go to haveibeenpwned and fill your information. If your information was involved in a breach, look for which data was compromised.
If your gender, e-mail address, phone number, date of birth, location etc. is leaked, the sad truth is there’s little you can do about it. You can, however, reset your password and strengthen your security on the affected website/application by requiring a second authentication step like a One Time Password (OTP).
Another thing you can do is, give out as little information about yourself as needed. Sharing your gender or city alone may not put you at risk. But when that information is combined it other leaked personal data about you, it can be used to target you with a laser focus. So unless absolutely required, leave out your location, choose prefer not to say in gender and don’t put your exact birth-date.
Maybe you can come up with a fake birthday you put on websites and have two birthday celebrations in a year 😁
Additional Reading
In the next article, we’ll delve a little deeper technically to look at the different mechanisms websites and applications use to prove our identity. Stay tuned!
If you enjoyed this article or have any feedback, please reach out to me on twitter.
thoughts about frontend dev, digital experiences and education
Follow me on Twitter