overview

This note considers what has variously been characterised as identity referencing and security vetting.

That activity is typically concerned with confirmation of an individual's identity (including verification of claims made in employment resumes) and identification of attributes that may pose security or other concerns in the public and private sectors.

The note covers -

• this overview - an introduction to concepts such as positive vetting and negative vetting, along with some questions about the prevalence of vetting and costs
• mechanisms and issues - what does referencing involve, where does information come from and how is it validated
• public - vetting by the national government in Australia and by other governments, including initiatives such as AusCheck
• private - use of identity referencing in the private sector
• services - commercial identity referencing services
• issues - key concerns such as privacy, consent and effectiveness

It supplements discussion elsewhere on this site regarding such matters as identity crime, government databases, biometrics, commercial credit reporting, privacy regimes, offender registers, pretexting and the Australia Card.

     introduction

Personal referencing and vetting is now an integral part of recruitment and other activity in the public and private sectors, something that can be quite overt or that occurs in the background.

It is essentially concerned with two questions -

• who are you?
• what are you?

The focus of those questions may be confirmative, verifying that an individual is whom he or she claims to be and truly has the qualifications or other attributes that are asserted in curriculum vitae or other documents.

Such verification is significant, given instances of impersonation, fictive professional experience, bogus academic qualifications and forged identity documents highlighted elsewhere on this site.

Patients, for example, have an interest in ensuring that a medical practitioner has indeed undergone appropriate training and possesses claimed qualifications. Shareholders similarly have an interest in avoiding the embarrassment - and financial loss - resulting from disclosure that a corporate executive has concocted key experience, has gained qualifications from a diploma mill or has no right to military honours. Governments wish to limit passports and welfare services to legitimate recipients.

The focus may instead be predictive, identifying attributes that indicate the individual is likely to act in a particular way in future.

The nature of that action reflects the character of the relationship between the individual and the entity seeking the information. Will the individual for example -

• succumb to financial inducements or blackmail by criminals or an espionage agency
• engage in large-scale embezzlement to feed a gambling or drug habit
• pose a risk to colleagues and customers because of psychological problems or other health problems
• pose a threat to minors because of a history of molestation
• default on a loan from a credit provider?

Some indicators are largely uncontentious: there is little community enthusiasm for employing serial sex offenders in childcare facilities or schizophrenics as commercial aircraft pilots.

Determination of other indicators and decisions about their use are more subjective. It is clear that many organisations have denied employment to or restricted the careers of people on the basis of sexual preference, religious belief, political affiliation, age or marital status.

As highlighted in the following page of this note, it is also clear that government and commercial vetting or referencing can be fundamentally problematical because it relies on worthless data and inept analysis.

Scrutiny by historians for example has revealed incompetent data collection by Australian and US security agencies, which on occasion involved fundamental confusion about identities, cooption by a subject's rivals and retailing of unfounded neighbourhood gossip and fantasy.

Some executive recruitment services have failed to identify obvious inconsistencies in CVs or public statements by candidates, with discovery being done by journalists or the person's new subordinates. Others have been gulled by plausible lies and an inability to recognise fake papers.

More broadly, vetting can be problematical because it is embraced uncritically and because it is used coercively.

Security vetting of officials, for example, has notoriously excluded individuals without desired affiliations such as education at Eton or service in the US Marines but has failed to stop 'bad' members getting into MI5, the CIA and other clubs. Contrary to assertions about psychographics or other techniques for seeing into the hearts of men, vetting is not a foolproof mechanism for determining how people will react once they have been accredited.

Ken Aldred notes that as late as 1988 thirty US states allowed the use of polygraph testing "at will" in business settings, for preemployment screening, investigation of alleged wrongdoing and routine checks.

     how much vetting and referencing?

Discussion elsewhere on this site regarding identity crime notes suggestions that suggestions that up to 500,000 false tertiary degrees (including 10,000 bogus medical degrees) are in US in the US and that 30% of employees were hired with 'massaged' credentials. It is clear that some prominent officials, academics and business figures have embellished their CVs or simply fabricated major parts of their lives.

Comprehensive, independent figures regarding the extent of resume massaging, use of decorative paper from degree mills and the significance of abuses - life-threatening or merely a few typos - are not available. Some studies, such as the 1996 report (PDF) by Michael Finn & Joe Baker, indicate that hyperbole from commercial resume verification services should be treated cautiously.

There are similarly no comprehensive Australian figures for all government vetting activity, discussed later in this note, or private sector identity referencing.

Some figures are not publicly disclosed, although ASIO reported in 2006 that it conducted 135,000 personnel security checks in 2005-06 in the lead-up to the Commonwealth Games, in the aviation and maritime sectors (eg for the Maritime Security Identification Card (MISC)) and for people seeking access to ammonium nitrate. ASIO had also conducted 53,147 visa security assessments.

Figures for other government verification, for example through CrimTrac, and for the true cost of that verification are not available. It is not possible to do an independent cost analysis, although the discussion of data loss costs, identity crime costs and Australia Card costs may be of interest.

How much private sector vetting of employees/agents and referencing of potential customers is carried out each year. Again, no one knows. There is no obligation for all organisations to provide aggregate figures on such activity and it is likely that many organisations, such as banks, indeed do not know how much referencing has taken place.

That comment may seem paradoxical. It reflects increasing automation of referencing and submergence of referencing in ordinary business systems, with for example some checking taking place as a matter of course whenever a consumer seeks to open a bank account, gain a credit card or receive a loan.

As noted in the discussion of official registers and other databases there are no integrated figures about the number of official and private searches of those information collections. Indeed, there is no single comprehensive and accurate publicly available inventory of such databases.

Much information used by officials and by private sector organisations is drawn from nongovernment data collections, which in isolation are often innocuous but provide material for sophisticated and large scale datamining and commercial exploitation by data brokers. As the following page notes, some organisations are making increasing use of information published on the net by individuals regarding themselves.

One US survey in 2006 thus claimed that 77% of executive recruiters ran background checks on candidates by using search engines, with 21% eliminating applications on the basis of such searching. The criteria for exclusion and the effectiveness of search techniques is unclear.

Another survey, equally opaque, claimed that 25% of all US hiring managers used search engines to screen candidates; supposedly 10% checked profiles on social networking sites such as Facebook and MySpace.

The extensiveness of that checking - three minutes or three hours - and inferences drawn from any search results are uncertain.

One jaundiced recruiter commented in 2006 that

it is a cut-throat industry where lots of people are great at selling but have few research skills. They work on commission. They will say anything to make a sale, so of course 'all our candidates have been thoroughly screened'. When I look at the resume fraud you've highlighted I wonder how effective a lot of that screening is.

A US recruiter indicated in 2007 that some candidates were excluded on the basis that being the subject of scurrilous comments online signalled that the individual was "a lightning rod for controversy".

   next page  (vetting mechanisms)