The New American


Protecting Your Identity



March 6, 2007

In Hans Christian Andersen's children's story "The Emperor's New Clothes," townsfolk refused to remark about the obvious nudity of the emperor for fear of appearing foolish. It took an innocent child to speak up and proclaim that the emperor wasn't wearing anything at all. It's now time for someone to once again speak up and ask an innocent question: "Why are fraud victims held accountable for identity theft when it's governments and financial institutions that have allowed that theft to happen?"

Last year turned out to be a bumper-crop year for losses of computer files with personal information. Names, Social Security account numbers, birth dates, salary histories, and other personal data of Americans were lost at an alarming rate. The loss of a laptop computer containing personal information on more than 26.5 million military veterans in an apparent burglary at the home of a Department of Veterans Affairs employee received quite a bit of publicity and represents the largest known loss to date. Yet, it is actually just another episode in a string of known losses. And those are just the reported losses. One can only estimate how many employees, outsourced contractors with authorized access to databases, and even outsiders who have been able to break into systems have stolen personal data without leaving any evidence that any theft has taken place. With those stolen files goes the peace of mind of virtually every person whose information was contained therein, all of whom are now exposed to the risk of "identity theft."

What Is "Identity Theft"?

So-called "identity theft" occurs when a person pretends to be someone else (say that victim is you) and a financial institution or government agency accepts as proof of identity the criminal's knowledge of your personal data — such as your Social Security account number or birth date. This personal data is then treated like a "master password" that allows access to your accounts — or even allows for the creation of new accounts in your name. Obviously, so-called identity theft is not really a case of stolen identity, but is instead a case of impersonation.

How could this affect you? A criminal like Abraham Abdallah, who once had billions of dollars at his fingertips through accessing the financial information of the rich and famous, gets or creates the letterhead of an investment company, and he then uses the letterhead to request a credit report on you from a credit reporting company. The company sends Abdallah a credit report that includes the locations of all your accounts. He then calls your bank to wire your money to a new account or to make purchases of goods, which he will have delivered to a nearby FedEx location where he can pick them up.

To prevent ID fraud, government agencies such as the Federal Trade Commission glibly advise individuals to not disclose their personal data. As we all know, however, that advice is laughable. Most Americans are powerless to prevent disclosure of their personal data to strangers. Take, for example, employer benefits programs. The programs routinely use such data as an employee ID, Social Security account number, and birth date as the required keys to access the employees' accounts. Without disclosing such data to a stranger, who is frequently a person in a call center in a foreign country, many individuals can't even make appointments for routine dental checkups or eye exams. Considering the growing popularity of companies' relocating their call centers overseas, one can only imagine how much this trend will increase identity theft if unchecked.

Criminals can also access our personal data through other means. Wholesale dissemination (sometimes accidentally) of large amounts of personal data happens via government agencies, employers, and other businesses. This can take place through computer backup tapes that are lost or retired without being erased, through the outsourcing of computer operations jobs to people inside as well as outside of the United States, and through lax enforcement of immigration laws thereby allowing foreign criminals to obtain computer jobs in America — just to name a few. In the state of Wisconsin recently, a company printed the Social Security numbers of 171,000 citizens on 2006 tax booklets that were to be sent through the mail. The printing company is sent a list of Social Security numbers from the state each year. They are supposed to use parts of each taxpayer's confidential information to create an identifying code, but they erred.

Virtually every Tom, Dick, and Harry in America, along with numerous people in call centers in India and other foreign countries, has access to people's Social Security account numbers, birth dates, and other personal data. Let's face it — your personal data just isn't a secret anymore.

How Did This Happen?

Many businesses enjoy issuing easy credit for impulse buying. Whether it be for inexpensive items or big-ticket items, they want to make the sale quickly, before the customer changes his mind. They don't mind taking shortcuts in the credit authorization process as long as they make more money on the additional sales than they lose in uncollected debts. Not all identity theft debts go uncollected. Sometimes the perpetrator is found and is forced to pay. Sometimes, particularly with small dollar amounts, the victims don't even notice the small charges on their credit-card bills. Sometimes the fear of having a bad mark against them in their credit reports, threatening letters from the creditor companies demanding payment, and the cost of proving one's innocence have even intimidated some innocent victims into paying someone else's bills.

Another contributing factor to the growth of identity theft is the loss of local banks. These local banks typically required paper documents for applications for savings or checking accounts, and they would mail copies to the applicant's address as part of the application and verification processes. If that mail came back to the bank as undeliverable, the bank could immediately take action and stop further activity on new accounts until the identity of the applicant was verified — stopping fraud. If the new account had problems, bankers would have a physical address to trace the location of the person involved. They could make telephone calls to verify identity, where necessary.

But the big banks that have swallowed up the local banks don't operate the same way. Instead of having identification decisions made by people, they prefer to have such decisions made by computers. This problem is exacerbated because using your Social Security account number or birth date as a password is a great convenience for them.

Clearly, the biggest reason for the increase in identity theft is the U.S. Congress, which has passed a number of laws more favorable to the credit industry than to American citizens. Perhaps the most devastating was the 1996 update to the Fair Credit Reporting Act (FCRA). This act contained a number of controversial provisions such as preemption, a supposed right of the federal government to supersede state laws in a number of areas regarding credit-bureau data. This preemption nullified a number of laws passed at the state level that were favorable to the consumer.

One such state law in Illinois required credit companies to make reasonable efforts to verify consumers' identities once an identity-theft victim had filed a police report indicating ongoing identity theft. Texas had a law requiring the credit reporting companies to place a security alert on a victim's credit report within 24 hours of a request by an identity-theft victim. Of course, nowhere in the U.S. Constitution is there a grant of power of preemption over state laws to the U.S. Congress.

Other provisions in the law that are more favorable to the credit industry than to consumers include granting the industry considerable immunity from lawsuits regarding incorrect information in people's credit reports. In his book Your Evil Twin: Behind the Identity Theft Epidemic, Bob Sullivan writes: "The industry enjoys remarkable immunity under federal law. Citizens have virtually no rights to sue furnishers for libel, while the firms can say anything they want about a consumer's payment history, such as 'This consumer has defaulted on an account,' to the credit bureaus with little fear of being sued. And if consumers turn to credit bureaus, they can only sue for actual damages, unless they can somehow prove willful violations of the Fair Credit Reporting Act. Simple accidents, no matter how devastating to victims, are insulated from liability." Sullivan goes on to say that "consumer advocates think of the 1996 Fair Credit Reporting Act as the Identity Theft Enabling Act of 1996."

False Solutions

Identity theft victims wishing to clear their credit ratings frequently find themselves hit with a number of double standards, starting with their being required to prove themselves innocent and having to submit more extensive documentation in support of their innocence than the perpetrator was required to submit while impersonating them. They may also be required to submit originals of paper documents, which can be downright comical when the creditor company brags about its paperless E-commerce activities, which were the reason why the perpetrator was able to commit the crime without submitting any hardcopy documents.

National ID card with biometric data: Of course, politicians in Washington, rather than admit their role in expanding identity theft, are proposing ways to parlay the massive amounts of ID fraud into yet another opportunity to grow the federal government and further centralize power.

Some have suggested that a national ID card for all Americans would solve our identity-theft problems. This national ID card would be supported with biometric data either stored on the card or given by the individual as the card is being used. Examples of the biometric data to be used could include fingerprints, facial recognition, iris scan, or numerous other measurements that are unique to a person's body. There are even some who think this could enable a cashless society with our coins and currency being replaced by government or bank-issued debit cards.

In addition to being blatantly unconstitutional, national ID cards would not solve the identification problems. Imagine the system as it would be used: when purchasing an item or opening a credit line or gaining access to government records, you would need to have your biometric identifier (say your fingerprint) scanned electronically at a store, financial institution, or government office. Your electronic fingerprint would then be verified electronically by the U.S. government. At any one of the aforementioned locations plus other locations along the way, your fingerprint image would be available to be downloaded and stored by any criminal with the capability to save it on his computer.

Even ignoring the negative impact of computer or network outages while the federal government authorizes business transactions, this is a failed system. Once someone obtains an unauthorized copy of that fingerprint image, he could use it in a computer program that emulates a fingerprint reader. Instead of using your finger as a source for your fingerprint image, he would just transmit your stolen fingerprint image directly from his database. We'd be right back where we are now except that instead of being concerned about ID thefts using stolen Social Security account numbers, we'd be concerned about ID thefts using stolen fingerprint images.

Credit monitoring: One solution being promoted by the financial institutions is "credit monitoring." Credit monitoring involves using advanced computer programs to monitor individuals' credit lines so that fraud victims are alerted to misuse of their credit soon after it begins, stopping fraudsters before they can do much damage.

For example, say that your laptop with your personal information was stolen. To be safe, you sign up for a credit monitoring service. If strange activity happens on your credit line, it is reported to you immediately. Say that you subsequently make a credit-card purchase that is large and unusual for you. Within a day or two of the purchase, you will be notified via e-mail from the credit monitoring company warning you of this unusual purchase.

This sounds good on the surface, but this too is still far from an ideal solution: it doesn't stop fraud until after it starts; it places the responsibility for identifying ID fraud on the victim; the cost of credit monitoring is borne by the innocent consumer; and it is Orwellian in its approach. In one sense, it is impressive to see such technology in the computer programs that analyze credit-card purchases. On the other hand, it can also make one shudder to comprehend how computers have such data-mining capabilities and access to so much knowledge of people's financial habits.

One may say, "I have no fear of invasion of privacy. I'm not breaking any laws." But freedom-loving Americans beware. That may be true today, but not for long. The advocates of socialized medicine are already preparing prescriptions of which foods Americans should and shouldn't eat. Between credit-card usage and using store-sponsored discount cards when purchasing groceries, people's purchases at grocery stores can easily be monitored and citizens could easily be found in violation of a bureaucratic edict from Washington, D.C.

Such powerful monitoring programs are a cause for concern in private hands and frightening when put in the hands of the federal government. Also, why should consumers pay money to the credit industry for protection from a problem caused by the credit industry?

Electronic signature: Another suggested solution is the "Electronic Signature." Congress passed the E-SIGN Commerce Act (Electronic Signatures in Global and National Commerce Act) in 2000. Under E-SIGN's provisions, a consumer can electronically sign a document using a number of different technologies, ranging from simply adding one's name to a document, clicking on a web page, or pressing buttons on a telephone (least secure), up to sophisticated technologies involving the latest cryptographic technology that allows one to encrypt one's name along with selected parts of the document. When decrypted, this will show the signature along with sufficient pieces of the document to show that the signature was associated with the document in question.

The problems with this law are myriad. Obviously, the least secure "signatures" have huge holes that are unfavorable to consumers. How can you prove you didn't click "Yes, I agree" on a web page? With so many states having laws against recording telephone calls without informing the other party, how can a consumer prove he didn't push a certain button on his telephone while calling an automated telephone business line with no humans on the answering end?

There are security holes even in the more secure forms of electronic signatures where encryption is used as the basis of the uniqueness of a person's electronic signature. The uniqueness is not inherent to the individual as it is with human handwriting. Instead, the uniqueness of an electronic signature comes from the individual's unique encryption code, which typically isn't devised by the individual, but rather by someone else. Whoever has access to someone's electronic signature encryption code and the programs that encrypt it can forge that person's electronic signature on any of the computer systems that use that encryption code.

Credit freezes: Credit-freezing services, recent newcomers in the identity theft controversy, can "lock" your personal credit files so that attempts to establish new lines of credit will fail unless you take action to unlock your credit files. While being touted as more proactive than credit monitoring, credit freezing is unfair to the consumer as it incurs an ongoing cost to pay for the service. Additionally, it doesn't address identity fraud committed against existing accounts, such as when someone with a replica of your checks appears in person at a bank and manages to cash a check because the bank accepts knowledge of your Social Security account number or birth date as proof of identity.

Real Solutions

The best solution is to stop pretending that people's personal information, such as Social Security account numbers and birth dates, constitutes a universal secret password. The phrase "universal secret" is an oxymoron. For online business transactions, the consumer must be allowed to use a password of his own creation and have procedures in place for changing these passwords in case of suspected compromise.

Any Computer Science student worth his salt will tell you not to use your Social Security account number or birth date as a password. Why allow financial institutions and government agencies to do something in your stead that you're advised not to do for yourself?

A turn-around in favor of the consumer in identity theft would occur if the so-called Fair Credit Reporting Act and other federal laws such as E-SIGN are repealed by Congress or declared unconstitutional by the courts. That would allow the state legislatures to once again pass laws in favor of the consumers. Once several states begin to pass different laws that stand up for the rights of their citizens and demand that appropriate safety precautions be made, the people in other states will see that there are sensible and inexpensive cures that don't involve expansion of government, and they will pressure their state legislatures to take similar steps.

State legislatures could then protect their citizens from identity theft on existing accounts by passing laws acknowledging that the widespread dissemination of people's personal information has made such information unsuitable for use as proof of identity. Further, legislatures should require that customers be allowed to use customer-generated passwords with notification via e-mail or USPS mail when the password is changed. The laws should relieve individuals of financial liability when financial institutions fail to comply.

There's also an answer to the problem of criminals fraudulently opening new accounts: states should pass laws that make institutions verify a person's residence before establishing any form of new credit. As things stand now, criminals can often contact financial institutions via the phone or the Internet, pretend to be you by knowing a few pieces of your personal data, and establish a credit line. Financial institutions should be required to "physically contact" customers to establish identification. Obviously, this could be done through having potential customers come in for face-to-face meetings, but it could also be done via the use of mail, perhaps certified.

Say you call or e-mail a credit-card company because you want a new credit card. Before that company could issue you a card, it would have to use USPS mail to send a contract to your residence (no P.O. boxes, no temporary residences — such as hotels — allowed) and wait until you send the contract back. This process establishes a physical location for you or any other credit applicant. Once you are contacted via suitable means, you can then become an appropriately identified online customer and can establish a password of your own choosing, using generally accepted principles for passwords for online transactions. The state legislatures should hold financial institutions accountable by defining their failure to comply as an act of financial negligence.

There are constitutionally allowable measures that can be enacted at the federal level to reduce ID fraud. Federal politicians, in a like manner to state ones, should consider submitting bills calling for all federal agencies to immediately cease using Social Security account numbers and birth dates as universal passwords.

Congress should also take steps to employ only the most rigorously scrupulous employees, eliminating hiring practices that include non-job-relevant hiring preferences and hiring employees based only on job-relevant criteria, such as their ability to do the job and their loyalty to the United States of America.

Congress should also take steps to enforce our immigration laws by deporting all illegal immigrants — especially those who have worked their way into our information infrastructure. If they're dishonest enough to be here in violation of our immigration laws, they're probably a high risk for doing something dishonest with American citizens' personal data. Congress also needs to review the impact of our current immigration laws that allow large numbers of foreigners, even some from terrorist-exporting nations, to come into our country legally via such programs as H1 and L1 and become part of our information infrastructure.

If We Don't Act

Without appropriate action, ID fraud as we know it today may become a mere steppingstone on a course to even greater abuses of consumers by large companies that are politically well-connected.

Of course, the emperor in Hans Christian Andersen's children's story decided to continue to march about stark naked rather than admit the obvious. Politicians are often much like that emperor. It's going to take pressure from citizens to get politicians to act on our behalf and pass laws protecting the citizens from mistaken identity. But it will be well worth it.

Kurt Hyde, a Certified Data Processor (CDP), has over 30 years' experience as a computer professional.