note considers what has variously been characterised as
identity referencing and security vetting.
That activity is typically concerned with confirmation
of an individual's identity (including verification of
claims made in employment resumes) and identification
of attributes that may pose security or other concerns
in the public and private sectors.
The note covers -
overview - an introduction to concepts such as positive
vetting and negative vetting, along with some questions
about the prevalence of vetting and costs
and issues - what does referencing involve, where does
information come from and how is it validated
- vetting by the national government in Australia and
by other governments, including initiatives such as
- use of identity referencing in the private sector
- commercial identity referencing services
- key concerns such as privacy, consent and effectiveness
supplements discussion elsewhere on this site regarding
such matters as identity crime, government databases,
biometrics, commercial credit reporting, privacy regimes,
offender registers, pretexting and the Australia Card.
Personal referencing and vetting is now an integral part
of recruitment and other activity in the public and private
sectors, something that can be quite overt or that occurs
in the background.
It is essentially concerned with two questions -
focus of those questions may be confirmative, verifying
that an individual is whom he or she claims to be and
truly has the qualifications or other attributes that
are asserted in curriculum vitae or other documents.
Such verification is significant, given instances of impersonation,
fictive professional experience, bogus academic qualifications
and forged identity
documents highlighted elsewhere on this site.
Patients, for example, have an interest in ensuring that
a medical practitioner has indeed undergone appropriate
training and possesses claimed qualifications. Shareholders
similarly have an interest in avoiding the embarrassment
- and financial loss - resulting from disclosure that
a corporate executive has concocted key experience,
has gained qualifications from a diploma
mill or has no right to military honours.
Governments wish to limit passports
and welfare services
to legitimate recipients.
The focus may instead be predictive, identifying
attributes that indicate the individual is likely to act
in a particular way in future.
The nature of that action reflects the character of the
relationship between the individual and the entity seeking
the information. Will the individual for example -
to financial inducements or blackmail
by criminals or an espionage agency
in large-scale embezzlement to feed a gambling or drug
a risk to colleagues and customers because of psychological
problems or other health problems
a threat to minors because of a history of molestation
on a loan from a credit provider?
indicators are largely uncontentious: there is little
community enthusiasm for employing serial sex
offenders in childcare facilities or schizophrenics
as commercial aircraft pilots.
Determination of other indicators and decisions about
their use are more subjective. It is clear that many organisations
have denied employment to or restricted the careers of
people on the basis of sexual preference, religious belief,
political affiliation, age or marital status.
As highlighted in the following page of this note, it
is also clear that government and commercial vetting or
referencing can be fundamentally problematical because
it relies on worthless data and inept analysis.
Scrutiny by historians for example has revealed incompetent
data collection by Australian and US security agencies,
which on occasion involved fundamental confusion about
identities, cooption by a subject's rivals and retailing
of unfounded neighbourhood gossip and fantasy.
Some executive recruitment services have failed to identify
obvious inconsistencies in CVs or public statements by
candidates, with discovery being done by journalists or
the person's new subordinates. Others have been gulled
by plausible lies and an inability to recognise fake papers.
More broadly, vetting can be problematical because it
is embraced uncritically and because it is used coercively.
Security vetting of officials, for example, has notoriously
excluded individuals without desired affiliations such
as education at Eton or service in the US Marines but
has failed to stop 'bad' members getting into MI5, the
CIA and other clubs. Contrary to assertions about psychographics
or other techniques for seeing into the hearts of men,
vetting is not a foolproof mechanism for determining how
people will react once they have been accredited.
Ken Aldred notes that as late as 1988 thirty US states
allowed the use of polygraph testing "at will"
in business settings, for preemployment screening, investigation
of alleged wrongdoing and routine checks.
how much vetting and referencing?
Discussion elsewhere on
this site regarding identity crime notes suggestions that
suggestions that up to 500,000 false tertiary degrees
(including 10,000 bogus medical degrees) are in US in
the US and that 30% of employees were hired with 'massaged'
credentials. It is clear that some prominent officials,
academics and business figures have embellished their
CVs or simply fabricated major parts of their lives.
Comprehensive, independent figures regarding the extent
of resume massaging, use of decorative paper from degree
mills and the significance of abuses - life-threatening
or merely a few typos - are not available. Some studies,
such as the 1996 report (PDF)
by Michael Finn & Joe Baker, indicate that hyperbole
from commercial resume verification services should be
There are similarly no comprehensive Australian figures
for all government vetting activity, discussed later in
this note, or private sector identity referencing.
Some figures are not publicly disclosed, although ASIO
reported in 2006 that it conducted 135,000 personnel security
checks in 2005-06 in the lead-up to the Commonwealth Games,
in the aviation and maritime sectors (eg for the Maritime
Security Identification Card (MISC)) and for people seeking
access to ammonium nitrate. ASIO had also conducted 53,147
visa security assessments.
Figures for other government verification, for example
through CrimTrac, and for the true cost of that verification
are not available. It is not possible to do an independent
cost analysis, although the discussion of data
loss costs, identity
crime costs and Australia
Card costs may be of interest.
How much private sector vetting of employees/agents and
referencing of potential customers is carried out each
year. Again, no one knows. There is no obligation for
all organisations to provide aggregate figures on such
activity and it is likely that many organisations, such
as banks, indeed do not know how much referencing has
That comment may seem paradoxical. It reflects increasing
automation of referencing and submergence of referencing
in ordinary business systems, with for example some checking
taking place as a matter of course whenever a consumer
seeks to open a bank account, gain a credit card or receive
As noted in the discussion of official
registers and other databases there are no integrated
figures about the number of official and private searches
of those information collections. Indeed, there is no
single comprehensive and accurate publicly available inventory
of such databases.
Much information used by officials and by private sector
organisations is drawn from nongovernment data collections,
which in isolation are often innocuous but provide material
for sophisticated and large scale datamining and commercial
exploitation by data brokers.
As the following page notes, some organisations are making
increasing use of information published on the net by
individuals regarding themselves.
One US survey in 2006 thus claimed that 77% of executive
recruiters ran background
checks on candidates by using search engines, with 21%
eliminating applications on the basis of such searching.
The criteria for exclusion and the effectiveness of search
techniques is unclear.
Another survey, equally opaque, claimed that 25% of all
US hiring managers used search engines to screen candidates;
supposedly 10% checked profiles on social
networking sites such as Facebook and MySpace.
The extensiveness of that checking - three minutes or
three hours - and inferences drawn from any search results
One jaundiced recruiter commented in 2006 that
is a cut-throat industry where lots of people are great
at selling but have few research skills. They work on
commission. They will say anything to make a sale, so
of course 'all our candidates have been thoroughly screened'.
When I look at the resume fraud you've highlighted
I wonder how effective a lot of that screening is.
A US recruiter indicated in 2007 that some candidates
were excluded on the basis that being the subject of scurrilous
comments online signalled that the individual was "a
lightning rod for controversy".