Shostack + Friends Blog Archive


It’s not all about "identity theft"

There’s a fascinating conversation going on between Chris and Andy Steingruebl in the comments to Data on Data Breaches. In it, Chris writes:

If what we care about is reducing ID theft, then maybe all this effort about analyzing breach reports is a sideshow, since for all we know 80% of the revealed PII never gets detected as having been revealed.

Data breaches are not meaningful because of identity theft.

They are about honesty about a commitment that an organization has made while collecting data, and a failure to meet that commitment. They’re about people’s privacy, as the Astroglide and Victoria’s Secret cases make clear.

We shouldn’t allow the discussion to center on ID theft. It should center around the meeting of the minds, and the exchange of value.

That was the point of my privacy-enhancing technologies talk: we’ve got to look at these things as privacy issues, not just security issues.

Photo: “Handshake through TFT screen” [link to no longer works], by Henkster on

5 comments on "It’s not all about "identity theft""

  • Dissent says:

    ** stands up and applauds **

  • Alex says:

    “80% of the revealed PII never gets detected as having been revealed.”
    Do we know what % of revealed PII is used in crime?

  • Well said. It’s easy to forget this when we’re faced with a regulatory regime that focuses solely on the possibility of identity theft. I wrote a little piece to further back this up –

  • Andy Steingruebl says:

    Ok, the last URL I posted has an extra trailing period on it and doesn’t work. Sorry about that. Perhaps *someone* can fix it? I made the same mistake in my comment on Chris’ original item.

  • Chris says:

    ID Analytics did some work with a purposive sample (i.e., non-random but intended to be representative) and claim that the probability of ID theft within (IIRC) 12 months of a breach is no more than 1 in 1000.
    Until there is more transparency into how they track the ID elements, I’d use this as “suggestive” and maybe give or take an order of magnitude. Since they have now productized this tracking capability, they probably have more information, but I haven’t seen any more white papers from them.
    @Andy — I fixed your URLs.

Comments are closed.