Shostack + Friends Blog Archive


Identity Theft is more than Fraud By Impersonation

gossip.jpgIn “The Pros and Cons of LifeLock,” Bruce Schneier writes:

In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn’t work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry’s lobbyists would never allow that.

There’s a type of security expert who likes to sigh and assert that ID theft is simply a clever name for impersonation. I used to be one of them. More recently, I’ve found that it often leads to incorrect or incomplete thinking like the above.

The real problem of ID theft is not the impersonation: the bank eats that, although we pay eventually. The real problem is that one’s “good name” is now controlled by the credit bureaus. The pain of ID theft is not that you have to deal with one bad loan, it’s how the claims about that bad loan haunt you through a shadowy network of unaccountable bureaucracies who libel you for years, and treat you like a liar when you try to clear up the problem.

So there’s a third way to deal with identity theft: make the various reporting agencies responsible for their words and the impact of those words. Align the law and their responsibilities with the reality of how their services are used.

I’ve talked about this before, in “The real problem in ID theft,” and Mordaxus has talked about “What Congress Can Do To Prevent Identity Theft.”

4 comments on "Identity Theft is more than Fraud By Impersonation"

  • The problem with these schemes that deal with essentially libelous speech and emotional distress is that its extremely hard to develop a good standard of conduct, what constitutes harm, etc.
    Dealing with ID theft as a problem with your “good name”, unrelated to direct financial damage, puts it into the horrible camp of lawsuits about emotional distress. There aren’t concrete criteria for judging this, its horribly fuzzy, and subject to massive lawsuit abusive over frivolous claims.
    This isn’t to say there isn’t horrible emotional distress in these situations. Making that the focus though makes it unlikely we can effectively enforce this, that we can make the social and financial burdens appropriate, etc.
    Make it about emotional distress and you get into the issues around the first amendment, hate speech, and all the nonsensical debates about that.
    I’d rather have hefty burdens for people that abuse their data rights and/or cause the problems. Make their burden bad enough and perhaps things get fixed.

  • There may be several solutions to the existing problem, some more effective than others. I would agree with Bruce that the best way would be to correct the problem at its root. I’ve also written about it in my blog some time ago:
    But as the society is usually reluctant to implement solutions that correct problem at its root, your proposal may prove as being very efficient at healing the symptoms.

  • Chris says:

    It’s *my* name, but the information about it is the credit bureau’s. A solution, as we discussed here at some length, is giving me a property right in information about myself, where the original source of the information is me (that way, you don’t need to pay me a royalty to write that my eyes are brown). We discussed one variant of this with some folks from the Burton Group —
    Of course, widespread contractually-enforced restrictions on the dissemination of PII (where the “P” is now a legal person set up to protect a natural person) would likely be resisted strenuously.

  • Adam says:

    What do you think is the problem, and what is its root cause?
    Andy, libel law is not nearly as fuzzy as emotional distress. When I look at the IDTRC numbers, much of the ongoing pain is that organizations won’t fix their reports. Do you have specific instances or trends where US libel law is subject to heavy abuse?

Comments are closed.