Publications

Personally Identifiable Information (PII) is often called the “currency of Internet” as identity assets are collected, shared, sold, and used for almost every transaction on the Internet. PII is used for all types of applications from access control to credit score calculations to targeted advertising. Every market sector relies on PII to know and authenticate their customers and their employees. With so many businesses and government agencies relying on PII to make important decisions and so many people being asked to share personal data, it is critical to better understand the fundamentals of identity to protect it and responsibly use it. Previously developed comprehensive Identity Ecosystem utilizes graphs to model PII assets and their relationships and is powered by empirical data from almost 6,000 real-world identity theft and fraud news reports to populate the UT CID Identity Ecosystem. We obtained UT CID Identity Ecosystem from its authors to analyze using graph theory. We report numerous novel statistics using identity asset content, structure, value, accessibility, and impact. Our work sheds light on how identity is used and paves the way for improving identity

Access Publication: Download PDF of Report

This paper presents a novel research model of identity and the use of this model to answer some interesting research questions. Information travels in the cyber world, not only bringing us convenience and prosperity but also jeopardy. Protecting this information has been a commonly discussed issue in recent years. One type of this information is Personally Identifiable Information (PII), often used to perform personal authentication. People often give PIIs to organizations, e.g., when applying for a new job or filling out a new application on a website. While the use of such PII might be necessary for authentication, giving PII increases the risk of its exposure to criminals. We introduce two innovative approaches based on our model of identity to help evaluate and find an optimal set of PIIs that satisfy authentication purposes but minimize risk of exposure. Our model paves the way for more informed selection of PIIs by organizations that collect them as well as by users who offer PIIs to these organizations.

Access Publication: Download PDF of Report

The Internet of Things has become an integral part of our daily life. Its combination of network and emerging technology interlaced with each other results in a complicated environment that is left to us to understand and interact with. Information travels in the cyber world, not only bringing us convenience and prosperity but also jeopardy. Protecting this information has been an issue and commonly discussed in recent years. One type of this information is Personally Identifiable Information (PII), often used to perform personal authentication. With total cost of more than $40 billion since 2006, several reports of theft and fraudulent use of PII have been released. An all-embracing technique and system is needed in order to protect users from identity theft. In this paper, we present the Identity Ecosystem, a comprehensive identity framework that contains a mathematical representation of a model of Personally Identifiable Information attributes for people, and two novel models, devices and organizations, that have strong connections with the PII model of people. This research aims to combine the above three models and leads to better prevention against identity theft and fraudsters.

Access Publication: Download PDF of Report

In this paper, we extend the mathematical representation and implementation model of the UT CID Identity Ecosystem representing PII attributes and relationships to incorporate international PII. Previously, the UT CID Identity Ecosystem model has been primarily populated using data about US theft and fraud cases to include PII attributes used to transact crime as well as accidental exposure of PII attributes. Statistics are also calculated and associated with respective PII attributes such as the frequency of exposure occurrences for respective PII attributes, monetization value of PII (i.e. financial consequences of the crime), and strength of relationships between PII attributes. This research describes how the content of the UT CID Identity Ecosystem and resulting analysis change when PII attributes from international identity theft and fraud cases are incorporated. Not only are the PII attributes different in an international UT CID Identity Ecosystem, the relationships between PII attributes change, the monetization value of PII attributes change, and the risk of exposure change when worldwide identity theft and fraud cases are considered.

Access Publication: Download PDF of Report

The use of Internet data sources, in particular social media, for biosurveillance has gained attention and credibility in recent years. Finding related and reliable posts on social media is key to performing successful biosurveillance utilizing social media data. While researchers have implemented various approaches to filter and rank social media posts, the fact that these posts are inherently related by the credibility of the poster (i.e., social media user) remains overlooked. We propose six trust filters to filter and rank trustworthy social media users, as opposed to concentrating on isolated posts. We present a novel biosurveillance ap-plication that gathers social media data related to a bio-event, processes the data to find the most trustworthy users and hence their trustworthy posts, and feeds these posts to other biosurveillance applications, includ-ing our own. We further present preliminary experiments to evaluate the effectiveness of the proposed filters and discuss future improvements. Our work paves the way for collecting more reliable social media data to improve biosurveillance applications.

Access Publication: Download PDF of Report

Identity theft and related threats are increasingly common occurrences in today’s world. Developing tools to help understand and counter these threats is vitally important. This paper discusses some noteworthy results obtained by our Identity Threat Assessment and Prediction (ITAP) project. We use news stories to gather raw data about incidents of identity theft, fraud, abuse, and exposure. Through these news stories, we seek to determine the methods and resources actually used to carry out these crimes; the vulnerabilities that were exploited; as well as the consequences of these incidents for the individual victims, for the organizations affected, and for the perpetrators themselves. The ITAP Model is a large and continually growing, structured repository of such information. There are currently more than 5,000 incidents captured in the model. To this body of information we apply a variety of analytical tools, collectively known as the ITAP Dashboard, that enable us to show and compare threats, losses, and trends in the identity landscape. From this analysis, we discovered notable and sometimes surprising results. A goal of this project is to be able to predict future threats, and to provide some concrete guidance for consumers, businesses, and government agencies on how to avoid them or lessen their impact.

Access Publication: Download PDF of Report

The Identity Threat Assessment and Prediction (ITAP) model provides unique, research-based insights into the habits and methods of identity threats, and to the various factors associated with higher levels of risk for PII compromise and abuse. ITAP uncovers the identity attributes most vulnerable to theft, assesses their importance, and determines the personally identifiable information (PII) most frequently targeted by thieves and fraudsters.

Access Publication: Download PDF

In today’s technology-driven marketplace, staying aware of the latest trends in identity authentication is essential. Customers can be courted with convenient and trusted identity verification procedures or driven away by burdensome and unreliable systems. Confidence in the identity of your users is not only a best business practice, but a legal requirement in many cases. In order to both protect customers’ data and provide them with a streamlined experience, companies must carefully consider all of the authentication options available to them. The following trends in biometric adoption can help a business to gain insights into emerging usage and acceptance rates of biometrics across a wide range of applications and markets.

Access Publication: Download PDF of Report

Less than a decade ago, consumers largely viewed biometric applications as clandestine extensions of government and law enforcement. Business initiatives relying on biometric applications once failed across market sectors, for a variety of reasons, but that trend appears to be changing as younger consumer generations are now surrounded by smartphones, selfies, mobile payments, and wearables. The advantages of using biometrics for authentication and verification of identity, such as stability and uniqueness, make it a promising avenue for the marketplace. However, consumers overall have still been slow to embrace the widespread use of biometric technology. Researchers have cited several reasons for reluctance to use biometric authentication technology, including lack of confidence in their reliability (for organizations) and user apprehension. These user concerns could inhibit the mass acceptance of biometric authentication and lead to lack of trust in business applications utilizing biometrics for authenticating clients and customers. This report presents the findings from a survey of 1000 respondents about their familiarity and comfort with biometric authentication. We examine the trend of consumer biometric acceptance and adoption and analyze the factors affecting consumer comfort with biometrics. 

Access Publication: Download PDF of Report

Prior research shows that only a tiny percentage of users actually read the online privacy policies they implicitly agree to while using a website. Prior research also suggests that users ignore privacy policies because these policies are lengthy and, on average, require two years of college education to comprehend. We propose a novel technique that tackles this problem by automatically extracting summaries of online privacy policies. We use data mining models to analyze the text of privacy policies and answer ten basic questions concerning the privacy and security of user data, what information is gathered from them, and how this information is used. In order to train the data mining models, we thoroughly study privacy policies of 400 companies (considering 10% of all listings on NYSE, Nasdaq, and AMEX stock markets) across industries. Our free Chrome browser extension, PrivacyCheck, utilizes the data mining models to summarize any HTML page that contains a privacy policy. PrivacyCheck stands out from currently available counterparts because it is readily applicable on any online privacy policy. Cross validation results show that PrivacyCheck summaries are accurate 40% to 73% of the time. Over 400 independent Chrome users are currently using PrivacyCheck.

Access Publication: PrivacyCheck- Automatic Summarization of Privacy Policies Using Data Mining.pdf