Doctoral student speaks to U.S. Government about identity management
Bill Danielsen's job is to lead Enterprise Identity Services for Service Canada and Employment and Social Development Canada (ESDC). In a world still reacting to the COVID-19 pandemic, there has been an increased focus on digital services, and there has seen an accompanying increase in fraud activity.
The Royal Roads University Doctor of Business Administration student recently spoke to senior members of the U.S. government as an expert panelist on identity management at a conference organized by the General Accountability Office.
“A lot of coordinated identity theft and fraud is done by computers,” says Danielsen, who's spent the past 23 years working for the federal government after serving in the Royal Canadian Navy.
“We have to be more agile and more deliberate in how we approach digital identity and the changes that we're going to put in place to ensure the integrity of the systems, and, of course, to protect the identity of clients,” he adds.
Danielsen is responsible for digital identity and cyber authentication, which involves validating electronic credentials.
“I'm responsible for the digital identity of Canadians doing business and transactions with ESDC,” says Danielsen, who is 18 months into his four-year doctoral program at RRU. “Digital credential is more the rigour that it's the right person accessing the information so that I have confidence that you are indeed who you say you are.”
Validating who you are
Currently, validating digital identities and the issuance of digital credentials to access those benefits is done through a variety of methods that involve clients presenting “something they are, something they have, and something they know”.
“We look at identity markers that we can validate against authoritative sources,” he says. However, during the pandemic, his department has seen a significant increase in fraud attempts.
“We've certainly seen a significant increase in attempts to commit fraud. I think it's because through the COVID-19 pandemic, there was a lot more money available by way of social benefits, and the speed with which the government committed to get it out increased quite significantly as well, “says Danielsen, who's based in Ottawa.
During the pandemic, ESDC saw transactions grow from 130,000 a day to nearly a million.
“That's just people seeking access to social benefits and through logging into their My Service Canada Accounts.”
Danielsen, who also holds a Master of Business Administration from Royal Roads and a Bachelor of Arts in Social Sciences from the University of Victoria, said hundreds of billions of dollars are involved in digital identify fraud internationally each year.
“Because if you have the identity of the individual, and you can successfully spoof it, someone can apply for benefits on your behalf. I can seize your bank account,” he adds. “I can even go and buy a house in your name and then sell it, all remotely, just with that digital information, all from the basement of your own home. We need to add process changes to the registration and authentication of individuals to counteract this.”
Biometric authentication is part of these changes.
“If you use a fingerprint, or if you use facial recognition, that's biometric authentication,” he adds. “So that's some of the things we're exploring.”
Danielsen is looking at moving away from knowledge-based authentication questions.
“The technology we're using for knowledge-based authentication has to change,” he says, “so that I can put more rigorous processes in place.”
He'd like to see more facial recognition used, as government services in BC does already, with the electronic Medical Services Card comparing “selfies” against driver's license pictures.
An employee of the Province of Ontario, Danielsen says that during the pandemic someone in the computer science division of the provincial government created thousands of bank accounts and distributed $11 million in COVID-19 relief money to themselves. Those allegations haven't been proven in court but illustrate the problem.
Currently, action can only be taken after a fraud alert has been triggered. Danielsen is trying to develop an assessment tool that detects certain behaviours that could be employed as part of a hiring practice before a fraud attempt occurs.
“I'm trying to put in preventative measures up front.”
Such tools could help eliminate insider threats -- people who are within trusted entities and use their privileged access to commit various crimes or offences against an organization, such as an IT person making a copy of a corporate database and selling it.
“And since I'm talking in a Government of Canada context, I mean against the citizenry.”
Improving identity management
Danielsen was part of an intergovernmental group that was exploring with the United Kingdom, United States, and Australia, ways to improve identity management and validation. From that he was asked to speak at the conference in June 2021.
At the conference, he discussed the benefits of using authoritative databases.
“An authoritative database contains foundational information that leads us to believe you are you.”
Vital Statistics offices in each province have records of your birth, marriage, or death certificates.
But Danielsen thinks there's an inherent weakness in using just those sources.
At the conference, he suggested checking those identification sources against a social insurance registry is no longer enough.
“There's been too many data breaches,” he says. “We have to move beyond thinking that I can just validate tombstone information against a tombstone database. We can't do that anymore. We have to move to a place where we can capture the living identity of someone, so how they are dynamically living.”
A living database recognizes that someone with the birth name William commonly goes by Bill.
So that needs to change, he adds, but requires additional verification steps.
“It's more about leveraging a broad spectrum of sources that can help build an aggregate of your identity.”
That could mean partnerships with public and private entities, with elaborate terms and conditions.
Sharing your personal information through such entities, to ensure greater protection, would always be optional, Danielsen says.
“All the security is for the benefit of the individual.”