LCN 10-99 Identity Theft

This article by Stuart L. Adams, Jr. appeared in the

Louisville Computer News

Are You Suffering an Identity Crisis?

Identity Theft by the Numbers

September 1999

Have you ever looked at your credit card statement and wondered, "I don’t remember shopping at that store." Perhaps the store made a mistake. Perhaps, however, it’s you who made the mistake and fell prey to an increasingly popular form of theft. The theft of personal information which enables a thief to spend your money even faster than you can, is a growing problem in e-commerce.

IDENTITY THEFT 101

According to a recent Wall Street Journal poll (2,025 adults chosen from 520 randomly selected geographic areas of the continental U.S.) 29% of those polled (the highest response rate of all questions asked on this point) listed the loss of personal privacy as their number one fear in the next century. This fear outranked terrorism, global warming, overpopulation, economic depression, and other popular concerns. This fear may be the most likely to come to reality in the next millennium.

Our popular local jurist, Louis Brandeis, a U.S. Supreme Court justice, wrote in the 1890s that "privacy is the right to one’s personality." It is also the "right to be left alone," as Judge Thomas Cooley opined. Identity theft has been around for years, with waiters pocketing their customer’s credit card numbers and people even rummaging through the garbage to come up with tips to your secrets. That garbage can be a gold mine if it contains a bank statement with your account number and balance, your home address, or even your Social Security number, the current holy grail of all personal information. The Social Security number has become the most popular piece of data to allow financial institutions, the government, and essentially everyone else, to know who you are.

E-commerce has increased access to personal information in several ways. First, e-commerce has induced the expansion of a data "Network," and I don’t mean the Sandra Bullock movie or the spin-off TV show, but an ever tightening international database gaining a life of its own. Second, the very fact that businesses have realized that the more personal information they have about their customers and prospects, the more efficient they can be in reaching and selling these folks whatever service or product they have, has made use of this information a business "necessity."

This "data mining" process has focused businesses on both the efficiency of their data collection machinery and the encouragement of their customer "targets" to give them even more voluminous and detailed (i.e. personal) data. Data mining is the harvesting of data by increasingly powerful software, which can accumulate, filter and report according to essentially any criteria. This has become another one of those corporate buzz words in recent years, which further propels it into expanded practice by many businesses.

Benignly, this ability of Web site proprietors to determine what "pages" of their site you visit, and for how long, as well as what type of machine you are using to get online, the identity of your Internet service provider, and the location of the site you were visiting when you first entered their site, all allow the e-proprietor to "tailor" and personalize what you will see the next time you visit. You will often note that you are asked to fill out a little virtual "registration" card when you visit commercial Web sites, and pressure increases on you to divulge more personal data, when you actually make a selection or purchase something online. You are often asked to type in a password to access the site again (presumably so you can either modify your current order later, or not have to spend the time filling out another virtual registration card before placing your next order.) I’m sure it has occurred to you that an unscrupulous individual would know you might be using the same password for more than one account or application (so you can remember it yourself, if for no other reason) and that he could also use it to gain access to those same gateways. All this is in addition to the tons of "cookies" routinely following your every visit, unless you filter them out automatically with your Web browser software.

SOME EXAMPLES OF IDENTITY THEFT

A recent article posted at Newsweek.com points out a fairly typical incident. When a gentleman was attempting to buy a Mercedes, the dealer ran a credit check. The search indicated that this was the third Mercedes SUV the man was purchasing in a two day period. Although the shopper initially escaped, police finally caught up with the private data miner, who was not the person he initially appeared to be. After obtaining just the name and credit card of the real person, the identity thief was able to leverage this into a wholesale opportunity to steal in a substantial way. Meanwhile the real owner of the data was 250 miles away, obliviously driving his old car with 160,000 miles on it, while the thief was able to become a collector of expensive new cars.

In another incident reported in the same Newsweek.com article, an Internet consultant attempted to log onto AOL, only to find that his account had been closed, due to alleged criminal activity in a chat room. As it turned out, the activity was software piracy, which carries substantial civil and criminal penalties, let alone the attorney and expert witness fees, court costs and other expenses involved in trying to defend what is typically a technically intense and complicated case. Classically, neither "Mr. SUV" nor "Mr. Pirate" could think of any time they had been online and divulged any personal information, such as a mother’s maiden name, or other private "key" to the inner sanctum. Investigators, of course, are skeptical, since the private data collection methods e-commerce mavens use are often intentionally innocuous.

In both cases above, the victims could be the customer, the business with whom their "phantom" clone had dealt and already concluded their expensive transaction, as well as an unsuspecting financial institution which may have liability to both, for failure to authenticate and protect the real customer. In both cases, none of the victims, but particularly the individual consumer, will ever recover the tremendous number of hours, the emotional damages, nor the total monetary loss involved even in "successful" efforts to get out of ultimate civil or criminal liability for charges or crimes attributed to them. Imagine the dozens (or perhaps hundreds) of letters, phone calls and meetings it typically takes to convince the merchants, banks, police and others involved in the "System." This, of course, does not necessarily include repair of the perhaps permanent damage to your job, your reputation in the community, nor that of your family, if your coworkers or neighbors saw the police visit you to serve a summons, subpoena, warrant or even that invitation to come "downtown" to talk about it.

Suffice it to say, that promotion or reelection to the PTA board may be in question, even if you are able to escape jail for all those criminal charges on "your" record. Some people spend the rest of their lives trying to repair their credit and their reputations after having their identity stolen. Spending time in jail is certainly within the realm of possibility, if your identity is used by a serious crook committing serious offenses. Even though you are innocent until proven guilty in this country, the practical effect may be getting out on bail, while you hire lawyers and others to help you prove it really wasn’t you.

Part of the problem is that once an identity thief has a little bit of key data about you, such as the correct association of your name, address, date of birth and social security number, he can rapidly leverage this into obtaining a driver’s license, passport, credit card or almost anything else he can think of to feed off your good credit. The better your credit initially, the longer, more expensive and more complicated is the web the thief can spin. This has led many people into financial and emotional bankruptcy, and worse.

THE LAW IS HERE TO HELP YOU

There are, of course, innumerable laws against the conduct alluded to above. It may be the number, complexity and lack of uniformity of these laws, aside from jurisdictional issues, which is a factor in making them less than optimal in their effectiveness.

Congress, for instance, passed the Identity Theft and Assumption Deterrence Act in October of 1998. This Act, 18 U.S.C. §1028, makes it a crime at the Federal level when one: "knowingly transfers or uses, without lawful authority, a means of identity of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable state or local law." One major advantage of the Act is the potential involvement of the FBI, Justice Department, and other large Federal agencies, which have greater resources to locate and catch the real thieves.

There are dozens of other laws at all levels of the governmental hierarchy which could apply to various specific types of identity theft crimes. Some of the highlights are the Electronic Fund Transfer Act, which can limit the consumer’s liability for electronic credit and debit transactions; the Fair Credit Billing Act, which puts procedures in place for repairing incorrect information on credit card accounts; and the Fair Credit Reporting Act, which also provides a mechanism to correct credit report errors, and with the Fair Debt Collection Practices Act, prohibits certain types of access to your credit information.

HELP, I’M A PRISONER OF MY RECORDS

There are many ways you can reduce the chances of being an identity theft victim. Obviously, don’t give anyone an opportunity to learn your password to your Internet account, where they can use it to rampage through the online community of e-commerce businesses, to buy, sell and deal in almost anything for their profit and your loss. Speaking from personal experience, when I was an Internet "newbie," I had my password to both an AOL and then a CompuServe account pirated within the first year I had them. It’s a lot easier to get connected (particularly with all those free disks arriving almost daily from dozens of ISPs), than it is to disconnect the automatic withdrawal from your checking or credit card account.

When you receive your bank and credit card statements in the mail, or those seemingly daily direct mail offers to take advantage of your "pre-approved" new credit card, second mortgage, huge life insurance policy with no physical exam involved, etc., shred anything and everything which has any personal information about you. Your physical garbage can is still a prime source of gold for identity pirates, as well as the virtual garbage can that consumes a big portion of the database linked to the Internet. Considering all the different bits and pieces of data which are found just in these "free" offers, considering they all came from some database in which you already are listed, accumulating the pieces would allow almost anyone, over time, to know too much about you.

If an e-vendor asks you to type in too much personal information at their site, or asks for certain hypersensitive types of information, such as Social Security number or mother’s maiden name, in order to "verify" your identity for the transaction, beware. While the merchant certainly has both a right, and perhaps a duty, to try to verify your identity, some have been known to abuse this data (such as by an outright sale to an identity pirate) or to simply be so unsophisticated or negligent in their handling of it that it is, again lost to pirates. In either case, you lose.

Another thing to keep in mind, if a vendor gets too "personal," is that you, the consumer, have the ability to choose. You can weigh the value of doing the deal online right now, or spending perhaps only a few seconds shopping around for another e-vendor, who not only does not request the same depth of personal intrusion, but who may also feature a better price, faster or less expensive shipping option, or other advantage over the first nosey vendor. That’s the other bright side of this otherwise dark situation; you have great tools, speed, and seemingly endless alternatives in shopping on the Internet.

SELF DEFENSE RESOURCES

Another good thing about the Internet, is that it’s chock full of places you can research to get more tips on how to avoid being an identity theft victim, places with forms and suggestions to use to try to repair the damage if you’ve been "hit," and others which are clearinghouses of data on current laws, model prospective legislation, case studies, and forums on various aspects of the problem. Next month, I’ll cover some thoughts about how to be a consumer friendly e-commerce vendor. I’d like to hear from you if you have suggestions on how to improve on this exploding problem, which threatens to stifle e-commerce. If my current e-mail address isn’t pirated (fortunately I again have more than one, but please don’t steal this one) send me a note. Here are some sites which might help:

http://www.privacyrights.org/ for articles, including one on what to do if you are a victim and with a laundry list of resources and other hyperlinks;

http://www.junkbusters.com/ht/en/index.html for a site with links to tons of books at Amazon.com on privacy and related materials;

http://www.epic.org the Electronic Privacy Information Center, one of the foremost privacy resources on the Web;

http://www.ftc.gov the Federal Trade Commission gateway to innumerable resources on privacy and your rights and remedies at the Federal level.