EDITORIAL: Identity Theft, Privacy Protection, and the First Amendment
In late May 2005 Paula Zahn produced a comprehensive program for CNN on identity theft. To all appearance, identity theft and other compromises of consumer privacy have become epidemic. The general impression that the growth of identity theft parallels the growth of unsupervised use of the Internet. However, consumer privacy is a complex and non-linear topic, and one must sort it out to get at what is going on. Not all of the problems are due to the online world.
Surveying the Problems
The biggest complaint seems to be that identity thieves get credit cards, car loans and even mortgages with stolen identities. They get hold of social security numbers and make credit applications with phony addresses and employment histories. They run up debts that appear on the consumer’s credit report. The consumer does not get the bills so he or she does not know that there is a problem until applying for credit or for a job. There have been cases of job loss due to identity theft, as some employers, for internal security reasons, may be very strict in requiring associates to take personal responsibility for keeping their own credit clean (“guilty until proven innocent” when it comes to employment). This observation leads to recommendations that each consumer check his own credit report at least once a year; this may get easier later in 2005 when consumers will have the legal right to free credit reports once per year in all areas of the United States. Some ISPs offer automated credit report change information reporting systems for a fee, but these need to become more reliable and easier to use.
It is also possible for consumers to get called by collection agencies or even, in extreme cases, have court judgments entered against them (maybe even leading to wage garnishment or asset seizure) for fictitious debts. The latter would seem less likely as normally one needs a proper service of process for a judgment, but in some states service process is a lax procedure. Consumers would seem not to be legally responsible for fraudulent debts, but this is not always easy to establish. Sometimes longstanding debts are sold to collection agencies (a practice that seems to fall into a legal gray area), which then may have less legal pressure to honor disputes, even under the FDCPA.
There are other various problems that occur. The most common is “phishing”—emails that impersonate a bank and demand identification and bank account (even paypal or eBay) information, which is then bought and sold in chat rooms. “Demand drafts” – checks that do not require signatures, have been known to result in stealing money from consumer bank accounts. And there are various practices that may be marginally legal that result in surprising charges on credit cards, for various “club memberships.”
Another danger occurs with keylogging
programs, which parents or employers use to monitor their kids or employees
(legally). Some email attachments or even raw websites (when visited) will
cause the downloading of spyware keylogging
programs which would allow an attacker to monitor a user’s signon
and passwords with. Say, online banking sites, making it possible for the
attacker to log on and steal money. An
A somewhat distinct problem associated with consumer privacy has to do with the physical security of the consumer. A person who has made “enemies” may find himself being stalked or threatened; family members, coworkers and neighbors of the person could become involved as innocent bystanders. (This has recently been a problem for some judges.) This is something that used to happen in earlier eras with low-tech methods (letters and phones) when circular social mores invited “witch-hunts” (for homosexuality or Communist association). The film Advise and Consent provides a good example of this.
One valuable, if difficult-to-implement suggestion, would be
to place a $50 cap and dispute resolution on identity theft cases, as has long
been the case with credit cards.
This could give “corporate
How Much of this Is
the Fault of ‘Corporate
Plenty. We have all heard recently about large but clandestine companies like ChoicePoint that have had major security breaches. Credit reporting companies are notoriously slow in correcting erroneous information, although there are other companies that specialize in doing this (to facilitate loans) and law now requires credit reporting companies to place fraud alerts when requested on consumer files and to free consumer files from credit report requests without notification (as for promotions). Based on my own experience in information technology at least through the nineties, it seems that companies tended to be lax on physical security of customer information, as employers often allowed employees to leave the premises with production computer printouts and diskettes (often for legitimate “telecommuting” work-at-home or production support on-call duties) with little inspection or accountabilities. Old-fashioned physical security at institutions may be a major source of problems.
There is an extra issue with data brokers like ChoicePoint. They sell some “intelligence” on consumers that does not fall under the Fair Credit Reporting Act. Occasionally, persons have been denied jobs or loans because of this extra information that does not allow consumers a reasonable opportunity to correct. There would be questions whether private investigators might use information from the Web with search engines (“Google hacking”) which could find information posted by third parties that cannot be validated (although it could expose the speakers to civil libel suits if not true, and this would seem to be true for data brokers, too). Again, the openness of information creation and low on databases, especially those that are web-accessible, does pose some actuarially unquantifiable risks to consumers and employees. From the 1950s to the early 1970s, it used to be common for small private investigative companies (like Fildelifacts) to gather information on individuals (such as arrest records from police raids of gay bars), and for employers to use them.
It is puzzling why credit grantors are so careless in granting credit to fictitious applications. There would seem to exist a technological solution. Here it goes: Allow each consumer to specify a mailing USPS address to which he or she wants every debt obligation sent. Require credit grantors to bill only through this address. This way a consumer knows if he has a problem if he stops getting bills that he expects. Use the existing USPS NCOA (National Change of Address) system, using FastForward and Code-1 address standardization technologies, to implement this. The USPS already has auditing procedures in place that could be effective in such an implementation (I have worked with them in one of my jobs). As an alternative, the consumer to prefer to receive e-bills, but only through ISPs certified to process such bills with registered electronic addresses. The government might have to provide some compensation to companies to manage such an anti-fraud program at certified companies (effectively contractors), as this could require additional systems development and security staff to be hired. A “preferred address” system could be combined with email security systems (like Microsoft’s Sender ID) to control spam and impersonation or spoofing. The “preferred address” would have to be used for mailing of all credit cards, and encrypted into a code to be used by credit card activation systems (commonly accessed through 800 numbers). Of course, this invokes many issues of legal cooperation (between government and various companies to be certified) and may raise questions about the potential for government abuse of private information (similar to questions raised by the Patriot Act). Such a solution would require action by Congress.
To their credit, banks have been better at checking with consumers for unusual activity within short time frames (less than one billing period), and requiring address verification for purchases. Pin verification is often required on debit cards, and this could be required on credit cards, too. Car dealers and mortgage companies, however, should be much more careful about verifying identities in person (with passports or alternate id pieces) before letting “borrowers” take control of property. State DMV departments should require address verification (as with NCOA, improved) before handing out driver’s licenses or state id’s.
Visa, Master Card and other credit card companies already require merchants offering their own credit card processing (without turning the processing over to third party companies) to encrypt customer credit card databases and to discard verification numbers. There are heavy fines for violations. Typically ISPs help small businesses set up merchant accounts and arrangements with transaction processing companies that will do the encryption.
There is also valid criticism of misuse of the social security number as an identifier in business transactions.
What is the effect on free speech?
This is where I have some concerns. So far, most of the
proposals for legislation to fight identity theft emphasize reportability
of breaches (already in effect in many states, especially
But the issues become more subtle. Small companies like
“zabasearch.com” have been providing identification and public records
“background investigation” on consumers for a small fee. (Part of the problem
here is that state and local governments have put public records online,
although in some states they are restricting public record access online now.)
An individual, for example, may have published only a mailbox and cell phone as
contact information on the Internet, and a “background investigation” site
could provide real residence address and phone, which could provide security
issues for others (family members or residential neighbors) associated with the
individual. This has not yet become a major problem in this country (it has
been more of a problem in
Feedback from Congress tells me that “public records” information is (by definition) information that can be legally published. Now privacy law has been developing the notion that identifying information like social security numbers can be legally protected as confidential. How “public” is a public record if it cannot be tied easily to a specific individual identified by a database “key” number? The question, in the minds of Congress, is about packaging legally available information in such a way that anyone with mischievous intentions can access it efficiently with little cost or need-to-know supervision. Senator Diane Feinstein (D-CA) proposes making it illegal to sell social security numbers and similar information, but to do this the legal nature of personal identifier information needs to be redefined.
In other areas of intellectual property law, however, there is not such a connection (to identifiers). Libel law usually assumes that a reader can figure out who a particular individual is, even if not named. Writers and journalists generally are free to use bibliographic information as they like, and such information is not usually tied to such identifiers.
We get to a possible legal conundrum and a slippery slope. Congress probably needs to define some kinds of personal information (social security numbers and residential address information) as legally confidential without some kind of need-to-know basis. Otherwise, we run the risk that in other intellectual property law situations, the legality of published content will depend more on the context of publication – such as whether it is online or print, free or for fee, from the established press or from a blogger, etc. For example, someone who had published a book or a print article twenty years ago might not want to find himself so easily “Google hacked” today if that could hamper his employment situation today. This could have enormous First Amendment implications, or it could result in the idea that website owners or bloggers need to post indemnification bonds.
We have already seen examples of this kind of problem, as with the litigation concerning the Child Online Protection Act (COPA), where some of the legal concepts (“harmful to minors”) seem to have an overly subjective contextual potential. And copyright law, with its Fair Use provision, does have contextual provisions that allow some judgment and subjectivity. Likewise, context may matter in disputes over trademarks and Internet domain names.
One problem at least distantly related to all of this is spoofing: the use of someone else’s name or Internet ID to send spam or illegal content. Although spoofing usually solvable by law enforcement forensics, the possibility that hackers could frame someone for sending illegal content does sound like another potential form of “identity theft.” It is important for users to remember that anonymity of speech is not protected (by fictitious screen names) when illegal content or behavior is involved.
Even so, if identity theft is not to lead to a major battle over the deployment of content on the Internet, Congress needs to reign in on big business and come up with some technological supervision. It is possible to adopt the strategy of providing beefing up national id cards (with biometrics like retinal scans), creating the possibility of abuse by future or even present governments (a legitimate libertarian fear) but relieving individuals and small businesses of the incidental downstream liability for contributing to the identity theft problem. Congress is likely to manipulate the First Amendment and regulate what kind of information can be sold or even stored on sites (for example keylogging software). The If Congress were to require ISPs to monitor customers for violations, this could expose ISPs to downstream liability, in contradiction to Section 230 provisions of the 1996 Communications Decency Act (a provision that was kept during the 1997 Supreme Court ruling). Eventually, individuals could be required to provide liability bonds to have websites and would not longer have their own voices on the Net. The record of Congress in the past in weighing such factors as consumer security or protection and the chilling effect of downstream liability is not convincing.
©Copyright 2005 by
My Blog on how to stop identity theft: http://billboushka.blogspot.com/2006/01/simple-way-to-reduce-identity-theft.html or http://billboushkaid.blogspot.com see also the main blog: http://billboushka.blogspot.com
NBC Nightly News had a story about identity theft on Feb 5, in which a woman discovered she was a victim when Bank of America mailed her a visa card with the thief’s picture on it—an indication that a guaranteed mailing scheme to a “preferred address” can work. In this case, the thief was paying the bills, so the account was in a “reactive state.”
The Veterans Administration (around
It is important to realize that the VA burglary (or similar losses of personal data from laptop computers or work diskettes or CD’s, as in transport) could have happened even without an Internet. This is an issue involving old-fashioned old school workplace security—especially in a high gas price world where telecommuting and working from home has been encouraged. Another issue is that when major financial implementations are tested, companies typically use copies of live production data for system parallels. To do QA testing without such copying of data would introduce enormous costs to many I.T. projects.
But there is a danger that someone who steals such data
would try to sell it on the Internet. That lure exists as long as credit
grantors continue to give out easy credit without a system (such as a link to
NCOA) to verify the real identity of an applicant for credit. In network
broadcast interviews, military servicemembers have expressed additional
concerns about their personal and family security since their residence
addresses could be known to (VA burglary) thieves, who could give or sell the
information to terrorists or political enemies. However it is not known how
much data really was on the laptop, as the data disks were not taken (source:
Letter to Rep. Jim Moran on Internet privacy, and response
B. Prieto, “Data Mine: Stopping Identity Theft,” The New Republic,
 See a major story in the August 2005 issue of Reader’s Digest, or go to http://www.rd.com/content/openContent.do?contentId=16107
Fisher, The Gay Mystique,
Zeller, Jr., “The Scramble to Protect
Personal Data.” The New York Times,
Krebs, “Security Software Firm’s Customer Database Hacked,,” The Washington Post,
Arnold, “Hijacking your social security number,”
 Preto, op. cit. The company was BJ’s Wholesale Club.