Identity Theft

June 26, 2001---Interhack Corporation founder Matt Curtin speaks with WBNS 10-TV reporter Roger McCoy about identity theft. A story on identity theft and how to protect yourself will air on the 5:30 p.m. newscast on July 5, 2001.

What is Identity Theft?

Identity theft is the crime of assuming the identity of another person. If Charlie wants to buy some things, for example, without having to pay for them, one of his options is to pretend to be someone else, perhaps Bob. Charlie will need to learn some details about Bob, things like his social security number, perhaps his mother's maiden name, and some other information. Charlie will then open accounts using Bob's name and other identifying information. The end result is that Charlie makes his purchases and obtains what he wants. Bob eventually receives the bill. Whether Bob actually must pay or whether the credit company will absorb the cost is irrelevant. Bob will pay for the crime either by being stuck with the bill or in higher costs from credit institutions who need to offset their losses from fraud.

As reported in the June 19, 2001 issue of USA Today, the United States Treasury has recently issued a report on identity theft. At present, the most common means of perpetrating identity theft is by stealing a purse or wallet. Curtin argues that this will not remain forever true.

Identity theft today gets attention but isn't generally well understood. Information is being collected at a tremendous rate now. Everything from discount club membership cards to sweepstakes entries exist primarily for the purpose of gathering information about people. Information is of great value, and it is information that makes identity theft possible.

Failing to understand the risks inherent with sharing information so freely, many people will give essentially any information about themselves to nearly anyone who asks for it. Especially when a discount or merely the chance to win something, people will give away more information than is needed to commit very serious crimes against them.

Computers and Scalability

We go about our daily lives leaving little clues about who we are and what we're thinking behind us. These are generally harmless, because when we tell the neighborhood shop owner that we're going on a vacation, what our address is, or what we're buying, he's likely to forget at some point. We're often just making small talk or giving him something he needs to complete a transaction that we've initiated.

With widespread computerization, we've taken some fundamental steps toward unique identification of everything. Instead of identifying items we purchase by their price, they're identified by universal product codes (UPC). Those UPCs are written in computer-scanner-readable barcode form. Following widespread adoption of barcode scanners, coupons began to come with barcoded unique identifiers. Now many grocers are identifying their customers uniquely, though "savings cards" that are barcoded and linked back to the information supplied by the cardholder to get the card.

Now instead of having a limited amount of information available to a grocer -- whatever it was that he's able to remember -- computers can identify each item, each coupon, and each customer uniquely. It's possible to remember everything about everyone.

"Who Cares If They Know What I Buy?"

A common objection to arguments in favor of privacy is that the information being gathered is useless. Consider this: over time, "profiles" can be built showing not only what people buy and how often, but when they're making purchases and when they're not. Such information can be used to identify when people are and aren't likely to be home, if they live alone, and their likely age range.

Though this kind of information can be gathered on a case-by-case basis using less technical methods, computerization makes it possible to gather all of this information on a large scale. Computerization further makes it possible "to mine" such data, looking, for example, for people in the system who spend less than $30 per visit on average and who buy products for cleaning dentures. With computers, it's very easy for a predator to pick his targets out of a set of millions of people, if the data to search exist in the first place.

But My Grocer Won't Share the Data!

An extremely important issue to recognize with information is that it isn't expensive to store, even for very, very long periods of time. It's easy to steal information, such that the holder doesn't even know that it's been duplicated. Information can be bought and sold years -- even decades -- after it was originally collected.

Further, some information is even more useful many years later. Do young men from the households that were buying baby food, action figures, and boys' bicycles years ago register for the draft?

And if you think that the vendors you deal with won't share information about you, consider the case of the Bureau of Motor Vehicles. The Direct Marketing Association has been buying data through such avenues for years. If what's effectively a government-mandated registration -- let's face it, for how many people is not getting a driver's license an option? -- results in such data sharing, what reason do we have to believe that private businesses will not be engaged in the same practice? And even if they don't now, what reason do we have to believe that they won't next year or in 10 years?

What's This Have To Do With Identity Theft?

Identity theft is a crime made possible by the collection of information. Information that might seem completely harmless, the kind of information that ask for and give out all the time. Each time information is given about someone, the exposure to risk of identity theft increases.

Another thing to keep in mind is that it is impossible to recover information that has been shared. Once someone learns your SSN, it's impossible to recover. You cannot make someone unlearn something. Even in a computer, where the datum can be removed, you don't know if it has been copied or how many times.

What Can Be Done?

Simply stated, the best thing you can do is refuse to give any information about yourself to anyone. Assert your privacy, because no one else is going to protect it for you. You bear the risk and must live with the consequences if it happens to you. So you must act to protect yourself.

There are some simple guidelines that you can follow:

Never give your social security number (SSN) to anyone

SSNs are commonly used as identifiers where they don't need to be. They're often used in connection with credit checks, health insurance, and the like. None of those organizations will pay you social security when you reach the magic age. They don't need your number. If you press your case, sometimes escalating a few layers into management, you'll find that there's a way around it.

Get out of marketers' databases

Despite the unworkability of "opt-out" systems to protect privacy, there are some steps you can take to get yourself out of databases. More correctly stated, you get added into a special part of the database that means "do not try to sell stuff to this person" -- you're still in the database and there's probably no way out of it altogether.

Avoid getting put into databases in the first place

This is a good general rule of thumb, but can be difficult in practice. It basically comes down to not telling anyone about yourself and recognizing how information can be collected on you. Magazine subscriptions and mail order products (especially book and CD clubs) are especially interesting, because information that's legitimately needed to complete the transaction that you've initiated gets put into databases and can be used for other purposes, even sold to others.

Where Can I Get More Information?

Maintains a privacy archive with information on many aspects of privacy and how you can take action to protect yourself against abuses including identity theft. The EPIC Privacy Archive can be found at www.epic.org/privacy/.