On their web site, the FTC estimates that "as many as 9 million Americans have their identities stolen each year." There are 300 million people in the US… you can do the math. On average, they say, you will likely be impacted by identity crime several times during your life.
In the IT world, we’ve known this for a long time. Everyone’s basic information, including your SSN is readily available, cheaply and in a full spectrum of legal and illegal ways. We also know that the real failing isn’t the fact that the information is out there and available, it’s the fact that such information is easy to use that constitutes the danger.
So, you may wonder why credit card ID theft commercials are en vogue, reporting on how much consumers and companies lose to ID theft each year… yet you never hear about the credit, medical, insurance, or any other industry lobbying congress to change the situation…
Could it be that ID theft is good for business?
Of course it is, and it all revolves around one word, “liability”.
Simplifying the problem –
People get confused about ID theft because it’s not a simple act, but for the sake of clarity, I will break it down to the major parts, Privacy and Crime.
Privacy is simple, you give company A your information, and suddenly company B, or criminal C has it. Doesn’t matter how it happened, this is an invasion of your privacy. The Crime portion comes when someone decides to use this information in a criminal manner. This can be as simple as someone using your credit information to buy a TV, or when HP’s private investigators get your phone records to prove you were leaking info to the press.
So, which is worse, having your information out there, or having it be easily misused? It’s a very simple answer. People want your information BECAUSE it can be easily misused, in both criminal and non-criminal-but-should-be ways. If there’s no profit in stealing your identity, or if the risks outweigh the benefits, then the privacy situation returns to the non-, or small issue it had been for hundreds of years.
Of Crime and Jengo –
ID Crime relies on one fundamental building block, absence of liability. No one has to steal anything from you to get a credit agency to extend a line of credit in your name, nor is anyone liable by default, for the damages done… so it happens every day. Making personal information more difficult to use – or to improve the “Authentication” of those conducting transactions of all kinds is the only thing that will bring the ID theft tower down, but without liability, no business will take on the messy task of pulling that block.
For example, it is entirely possible that a 10 year old kid in America already has a mortgage… it’s entirely plausible that his identity was stolen years ago, used for lines of credit ending in a home loan that the criminal has skipped out on.
Did the mortgage agency commit a crime? No, they did all they were required to do. They will likely take the loss and help the kid restore his credit. He is after all, 10 years old, and it would be a tough court case to win… but they could try to make the case to a judge if they chose. So imagine how much harder it is for a 30 year old who may have to spend his life savings just to prove that he didn’t spend his life savings.
Nowhere to turn –
It’s perfectly legal for a crediting agency to issue a line of credit to anyone claiming to be you; they set their own authentication procedures. It is also legal for the crediting agency to hold you responsible for a line of credit given to the wrong person. Credit reporting agencies are also not required to validate or authenticate information provided to them by creditors. There simply is no minimum requirement for authenticating transactions of any kind, so you really have no recourse, it’s just your word against theirs.
THAT is the pillar upon which ID Theft is built.
Your misfortune is a good way to turn a buck –
What’s more, credit and insurance agencies have found out that the fear of ID theft is a pretty good money maker… and makes a pretty entertaining commercial to boot. Now all credit cards offer some kind of premium anti-fraud service you can pay for… or you can get anti-ID theft insurance for yourself or your business.
You may recognize that racket in mobster movies. In the old days, you paid the mafia protection money… protection from whom? The mafia. Today, you pay money to protect your identity to the people who lobby to ensure your identity isn’t protected.
Seems an apt analogy.
The public is confused about the issue and hounding legislators for action. Legislators on the other hand, have been given very clear message from business: Fo’gettabboddit!
Self-Solving Riddles –
We do not have to regulate the means of authentication to make things right… all we have to do is hold companies liable for costs and damages associated with providing credit or conducting transactions (financial or informational) with the wrong individual. Let the free market figure out how to deal with that.
Any massively centralized Federal effort, like a National ID card would be fraught with loopholes and corruption. Personally, I think that private industry can offer far more elegant, varied and secure solutions. All I am saying is that right now, what’s good for business is also good for criminals, so much so that it’s difficult to distinguish the two. Business needs a reason to join the fight, and the best way to do that is to make it cheaper to do the right thing.