Visit Your Local PBS Station PBS Home PBS Home Programs A-Z TV Schedules Watch Video Donate Shop PBS Search PBS
I, Cringely - The Survival of the Nerdiest with Robert X. Cringely
Search I,Cringely:

The Pulpit
The Pulpit

<< [ How to Steal $65 Billion ]   |  Ego, Super-ego, and ID Theft  |   [ Taguchi Me This ] >>

Weekly Column

Ego, Super-ego, and ID Theft: Why Identity Theft is Only Likely to Get Worse, not Better

Status: [CLOSED]
By Robert X. Cringely
bob@cringely.com

This column has a global audience, and I worried that last week's story about identity theft would produce a response I get frequently concerning topics that are so U.S.-centric � foreign reader boredom and/or smugness. International readers love to tell me how they are unaffected by whatever malaise is bothering America, and some even go on to ask me to simply change the subject. But identity theft seems to be much more of an international problem than I expected. The specific terms change from country to country, but bad people are everywhere, and more and more often, they are representing themselves as people they aren't. So I will continue the topic this week, and if the terms aren't directly applicable to your country, the problem probably is.

Some readers were unmoved by my plight, seeing fairly simple methods that could be used to avoid the problem. I could get a locking mailbox, move to town, or tell the national credit reporting agencies to block my personal information and only release it with my specific permission. This latter technique, which is sometimes called putting your credit information on a fraud alert, has been available in many states and is now available nationally. "If your account is properly flagged by the reporting agency," wrote a very helpful prosecutor from Florida, "any attempt to get instant credit in your name will generate a response to the requesting store to notify local law enforcement of a possible ID theft in progress. This is one of the few ways we actually catch them."

Sounds good, but it often doesn't work.

Other readers with supposedly locked credit records have had no trouble at all applying for instant credit cards hundreds of miles from home. A reader told me about watching a mortgage broker order up a three-agency credit report from his supposedly "locked" account, and printing it right in front of him. So if you think you have told the credit bureau not to release your information without your permission, there is a chance they aren't doing as you ask.

It would be very useful, I think, if there was a way for people to check and see if this feature that they think they have activated is really operating, and a way to punish credit reporting agencies if it isn't activated.

Some readers � and these folks really worry me � think that because it says "not for identification purposes" on their Social Security card, they are safe from ID theft. What that means is that THE CARD can't be used to prove you are old enough to drink or buy cigarettes, that it is not a personal identification document like a drivers' license. But your Social Security number absolutely identifies you. That's why it exists. And that's the problem. If you think you are somehow protected by those words, you aren't.

Some readers think it shouldn't be "ID theft," but "ID fraud." When the Department of Justice changes its term, I'll change mine.

And some readers, who I'm just guessing like to hang out with the last two groups mentioned above, point out that you always have the option on almost any application to simply not provide your Social Security number. Yes, and they have the right to reject your application or tag you as a potential terrorist. The USA Patriot Act now requires even more businesses to collect Social Security numbers. Try just saying no to U.S. Attorney General John Ashcroft.

Now for some even worse news: If you thought credit cards were fraught with peril, checking accounts are worse. You can order checks for any checking account under any name with any number. All you need is an ABA routing number and account number, and you are there. These same numbers can also be used for electronic funds transfers without printing anything. ANYONE can take money out of your checking account using information from any old cancelled or unused check.

And gathering this kind of information is incredibly easy. My problem, you'll recall, started with an error at the Post Office. Well, things aren't getting better there. The United States Postal Service recently outsourced all their customer contact information to be stored in databases controlled not by the USPS (which despite everything, is kept in line by the Inspection Service), but by a private company, Convergys. I have no reason to believe that Convergys is less secure than the USPS, but I am still concerned. You tell me if it's a good thing when a private company knows your vacation plans, or that you aren't home during the day to accept registered letters, or that you've just wired $100 to cousin Juanita in Guadalajara? Each example on its own is bad, but all of them together are worse.

Your personal information is in places out of your control other than just at the Post Office. Have you applied for a job? Your name, address, date of birth, Social Security number and other information are sitting in some Human Resources database that may or may not be secured. If you applied for many jobs in many places, your data is spread all over town or all over the country.

Have you tried to rent a house or apartment? Typically, apartment or house rental applications require not just the same information needed to apply for a job, but they also want your bank account number and sometimes even a copy of your bank statement. Everything needed to make your life a nightmare is sitting in landlord file cabinets or on hard disks, and the people who hold that information are as far as I know completely unregulated in the way they store that data. If they lose it or give it away, there is no penalty.

Then there is online identity theft. Under the "I Like It!" button, you'll find several interesting links, including one to a foreign web site where you can buy or sell valid stolen credit card numbers. But this is a wholesale business, so bring a lot of money and expect to buy or sell in the hundreds or thousands. I don't know if they accept credit cards, but reading and writing Russian would definitely help.

There are lots of technical ideas for improving identity security, but they generally end up butting heads with the nature of databases, where the primary key has to be unique. Any big company has dozens of John Smiths, but which one is filing a disability claim? Since Social Security numbers are supposed to be unique and unchanging, they become the primary key. Oracle uses record IDs, but what happens when you combine two divisions and they both have record IDs one through 999? Renumbering the record IDs � then renumbering the renumbered record IDs � nearly always lands you back at using Social Security numbers.

We can come up with PINs to associate with our Social Security numbers. We can invent Social Security numbers that expire like scrip currency used in occupied countries. We can even come up with single-use Social Security numbers that point back to a master record, but can be used only one time each. There are lots of techniques that can be used to make things a little more secure, but inherent in each of these is a fundamental flaw: ID theft hasn't been fixed because there is no profit in doing so for the people who can fix it, and there's no penalty for not fixing it. In fact, there's even an incentive not to fix it, because publicizing the scope of the problem makes all consumers uneasy, and is therefore bad for business.

As it stands right now, if my identity is stolen, it is my responsibility. It doesn't matter if the credit bureau gave out information they shouldn't, if a crooked landlord has been selling application data, if someone is stealing my mail, it is effectively MY problem. If an institution is defrauded by someone posing as me, why is it somehow my problem? They are the ones who made a poor decision based on insufficiently verified claims. We should have the institutions accept responsibility for their poor decisions and take the loss.

And to a certain extent they do, but their attitude in doing this is part of the problem. Banks expect fraud losses of five percent or more per year. They build those losses into their business plans. Really big losses are generally insured. As long as that continues, there will be no improvement.

One thing we can do is lay claim to our personal information. Ironically, the groundwork for this has already been laid by several Supreme Court decisions. One of them declared personal information to be an "article of commerce" � that is, property. If it's property, it has an owner: you. And that means the Fifth and Fourth Amendments come into play.

Privacy law should be (but generally isn't) based on the fundamental idea that you are the author of your life and the owner of your personal information. Add this to the right to privacy found in the Constitution in Griswold v. Connecticut and Roe v. Wade, and one can easily come to the conclusion that laws requiring you to reveal your personal information to all and sundry may well be unconstitutional. Right now, even domain name registrars are required to give away your personal information (as was pointed out last week in a Congressional hearing). This has to change.

Identity theft is a problem that is already bad and getting worse, yet it doesn't have to happen at all. We can spend a lot of time here thinking of clever technical hacks to protect our personal data, but the problem isn't really one that can be or ought to be solved through technical gimmicks. It is a problem that should be solved through assigning responsibility.

Here is a dirty little secret in two parts. First, data files that can be compromised are most often compromised by criminals called "employees." Sometimes, they just take data home as did Department of Energy scientist Wen Ho Lee, who went to jail, or former CIA director John Deutch, who didn't go to jail. Second, look at the folks who are getting caught stealing secrets. They aren't Rush Limbaugh "liberals" who are arrested as spies. They're right wing conservatives who all passed the security checks. As a result, too often we have the inmates guarding the asylum.

At the end of the day, we have a system that has divorced our personal and financial identities. Nobody even needs to meet you anymore if you want to get a home mortgage or borrow money to buy a car, which by and large is good. It allows for a greater number of suppliers, more competition and greater economies of scale. But it also means that the lady at the bank no longer knows your name, and if someone is siphoning your bank account, they have no way of knowing that someone isn't you because financial efficiency has brought with it personal anonymity.

And that means no matter what the laws and regulations, when it comes to identity theft, we are really on our own.

Comments from the Tribe

Status: [CLOSED] read all comments (0)