
March 31, 2005 10:20 AM PST

Perspective: Is identity theft inevitable?

A giant data brokerage company exposes the records of more than 145,000 people. A cell phone conglomerate admits that its system was compromised. Anyone with Senate clearance can learn the Social Security number of Brad Pitt.

Exactly what is going on here?

To hear the politicians tell it, identity theft is the inevitable result of a fast-paced information society. Congress now wants to pass new laws that will centralize the investigation and enforcement of identity theft cases--and it certainly should.

To be sure, anything would mark improvement over the current mess. Yet remapping the murky domains of federal agencies alone will not be enough to actually stop or even slow identity theft. So what are we doing to make sure that our nation's databases are protected?

Nothing.

I learned this the hard way. In the process of downloading my 2004 W-2 from a Web-based payroll company, I discovered I could also download the W-2 of every person who had ever been a customer, as far back as 1999.

As it happens, IRS Form W-2 is the perfect tool for blackmail, containing one's Social Security number, annual salary, home address, employer's federal identification number and employer's state tax ID. With one keystroke, without breaking into any systems, without hacking--really, without even trying--I could have pretended to be anyone I desired to be out of a potential pool of up to 100,000 people.

Even in the wake of the ChoicePoint fiasco, the payroll company didn't want to hear about the problem. Faced with the prospect of my own personal data leaking out onto the Internet, I started making phone calls.

Once word of the flaw began making its way into the press, the company threatened to sue me for violating U.S. Code Title 18 Section 1030, otherwise known as the Computer Fraud and Abuse Act of 1986. Never mind that I was a (former) customer trying to access my own data in my own W-2 and that I had passed on information about the flaw as a courtesy. I could not ignore the fact that the charges were "very serious," as my lawyer (who had never even heard of the 1986 law) repeatedly told me.

What is a digital Good Samaritan to do? If you knew that your Social Security number and salary were being broadcast to the world, could you simply walk away? Perhaps you might choose the flipside: 10 years in prison for committing a noncrime or, in the best-case scenario, shoulder the expense and inconvenience of going to trial.

Indeed, legislation that centralizes the government's sizable burden of dealing with identity fraud is all well and good, but it misses the mark completely. Identity thieves will have nothing to steal if our computers are well-protected.

Therefore, to be truly effective, any new law designed to fight identity theft absolutely must comprise at least two key components. One would be a clause forcing financial institutions--not just those affected by the Fair Credit Reporting Act, but also payroll companies and businesses storing credit card numbers--to stay current with computer security standards as defined by the latest industry developments.

The second "must-have" is a loophole to protect white-hat hackers, who know enough about computer security to point out flaws, but who are not acting out of malicious intent. When these security professionals find problems, companies have far too many incentives to shoot the messenger.

Currently, there is no clear way out. Byzantine regulations imposed by the USA Patriot Act further compound the problem. Meanwhile, security professionals--true patriots trying to protect our digital infrastructure--find themselves forced to fight legal battles that never should have arisen in the first place.

Identity theft may be an inevitable part of our society's technological evolution, but it is not unstoppable. New laws can and will help, as long as they protect those who understand the underlying technologies involved. After all, a safer society, free of identity theft and cyberterrorism, will probably never come about if the good guys are all tied up in court--or jail.

Biography
Aaron Greenspan is the author of the forthcoming book Authoritas: One Student's Harvard Admissions and the Founding of the Facebook Era. He also claims ownership of the idea for Facebook.

What's needed is a "Whistle Blower" protection clause
by aabcdefghij987654321 March 31, 2005 1:32 PM PST
Or perhaps existing "Whistle Blower" laws may already apply to this situation.
Some poor victim would probably have to test it. . .
by March 31, 2005 8:20 PM PST
before we'd know for sure, unfortunately.
Identity Theft and What we can do...
by April 1, 2005 6:36 AM PST
RE:
http://www.tallahassee.com/mld/tallahassee/news/local/11282027.htm

I just read the recent article about Identity Theft and I wanted to add that there are great services out there to monitor your credit, but not a lot that RESTORE your credit once it's been stolen.

Pre-Paid Legal in conjunction with Kroll make it possible to not only get the monitoring, but Kroll promises to restore your credit to what it was before the theft took place.

See the benefits of the Identity Theft Shield?

Email us for more information...
Wrong approach!
by gnubie April 1, 2005 7:58 AM PST
I don't think better laws and better enforcement will solve the problem. We should have them both, but the REAL solution is to shift the burden to the agencies that provide the credit and sales. Why should my credit be affected because the credit card companies depend on a SSN and DOB? First, SSN was not intended and should not be used as an identification (except by employers). Second, the burden of proof should be made by the provider, not the victim. Change the laws to reflect those two items and there will be a SIGNIFICANT reduction in ID theft.
ID Theft Protection, harmful computer access, & Law
by Transaction7 April 1, 2005 12:34 PM PST
Nubie is wrong in contending Greenspan's is "the wrong approach," but dead right on target that the law should place the responsibility where the control is, with the companies that collect, store, use, sell, and profit from our personal information. This is entirely consistent with adoption of Greenspan's suggested and much-needed legal reforms requiring such entities to protect our personal data and stay ahead of the criminals in doing so. It's not much different from the ancient common law duty to provide secure confinement for a dangerous animal if you go out and catch it and bring it home, or the duty to ensure that a dam you build doesn't break and flood your neighbors, etc.

Have either of you furnished this information to all relevant agencies, Members of Congress, the President, both political parties and the general public?

There is at least one computer abuse and spam control bill pending in each house to which both of these could and should be attached and passed, and most people favor the best possible answer to these problems. What would happen if we all Emailed our three Members of Congress and the White House strongly urging its passage if they hope to be reelected on the same day, maybe July 4th? Incidentally, is that why they don't publish Email addresses so you could send the same Email to all four of them, but keep track of who visits various public federal web sites?

Now, for a little on-line gambling spam, permit me to offer to bet that neither this, nor anything else that might impact the bottom line of any corporate or other campaign contributor to either party or any candidate thereof, will ever be passed, or passed without a loophole you could drive a truck through, and that, like the CAN-SPAM Act, will not be worth the paper it's written on.
My law school dean used to like to quote Will Rogers: "Every time Congress tells a joke, it's a law, and every time Congress passes a law, it's a joke!"

Let's face it, you would probably have to either have sex with the entire Congress or, like the credit card companies, spend over forty million dollars, or both, to get any decent bill enacted into civil or criminal law over the objection of any company or CEO who thought it might cost him or some other campaign contributor a dime. Both parties have adopted a "The public be damned!" attitude except to pass something that says and does nothing so they can say they sponsored a bill with a nice-sounding name.

Then you probably could never get it enforced. My wife was recently phished and our modest bank account emptied, and none of the federal or state authorities, or private entities, I have contacted have even acknowledged the report of this crime. If the risk were placed where the power to control it lies, this would get solved in a hurry. "Thou shalt not steal" has been on the books, including the Texas Penal Code and U. S. Code, for a long time already, but the federal government long ago adopted a high minimum dollar loss figure, well known to phishers and other thieves, below which they will not enforce a federal criminal law. I ran into this and learned the printed minimum number when my credit cards were stolen several years ago. My brother in law, with the Corps of Engineers, is one of those individuals, as well as the U. S. Government itself, caused considerable trouble by the recent negligent leak of credit card numbers by Bank of America, the issuer.

If anyone in Washington ever really wants to deal honestly and effectively with these problems, their bill will start with a rejection of current law and say simply "Information about an individual is his, and nobody else may collect, store, use or communicate it for any purpose without his free and voluntary consent, which may not be lawfully influenced by any refusal to deal or discrimination in terms, or in any other manner." and provide strong civil and criminal sanctions for violation. Oh, I forgot, we had such a law, quoted on my first Social Security card, 50 years ago, regarding one's SSN and prohibiting its use for anything but Social Security and Social Security tax purposes. If that has ever actually been repealed in an up or down record vote, or otherwise, please show it to me in the U. S. Code.

Paragraph 2 would require that anyone collecting information about an individual, except for law enforcement purposes, send him or her a copy and offer free, unquestioned correction or deletion thereof.

Paragraph 3 would provide for substantial civil liability, plus attorney's fees and costs, any time any entity assembled, used, or published any allegedly factual information about an individual or small business that it failed to verify with them and otherwise first or which turned out to be false or unjustified.

Paragraph 4 would provide substantial civil liability, plus attorney's fees and costs, any time any entity failed to safeguard any manner of personal information, and require disclosure to the victims of any and all breaches thereof.

Paragraph 5 would make it a federal felony for anyone to use any cookie, spyware program, ice cream cone, or other device to obtain, or any information from any computer, or to use or disclose any such information for any purpose whatsoever, without the express, informed, free and voluntary consent of the owner and user thereof, and adopt the rules for searches of homes, private offices, and first-class mail.

Paragraph 6 would similarly make it a felony to have any effect upon my computer unless I specifically asked or freely and voluntarily permitted you, without economic or other compulsion, to do so.

Having served briefly as general counsel to a downtown Dallas bank, and from clients and personal experience, I could tell horror stories all day about wildly bad computer data in government, hospital, insurance, credit bureau, and other contexts, and glaring failures to secure even the most sensitive data including an upcoming FBI child pornography raid, identities of confidential informants and rape victims, etc.

Under current law, if, let's say hypothetically so I don't get arrested, I had a hacker buddy check out and discover, and download some evidence from, a local child porn site, and recognized the first child whose troublingly suggestive but probably not technically illegal picture, offered as a teaser, discovered that certain officials had molested their own daughters, sisters, and nieces and shared this information and pictures on the net, and Emailed the information anonymously to the authorities from a public computer because they and I were afraid of these people. Under current law, we would have committed a series of federal crimes. There is a vast difference between rounding up someone's escaped cow and fence and his cows have got out and cutting the fence and stealing the cows yourself which 18 U.S.C. 1030 and other laws, incredibly, do not recognize. I won't say what else I really did, but I did Email certain reputable private and public child-protection agencies to explain my professional activity in the subject, why my computer might contain some sexual content (but no pictures I didn't send to them), and why I didn't trust certain more or less specifically identified politicians and sworn officials, some of whose daughters, sisters, and nieces I happen to have represented, with this information or alone with a child.
I already know the answer to this question, which may come up in a case I am preparing to file this year.
Not quite so.
by May 19, 2005 11:41 AM PDT
Securing computers, securing IDs are two different things.

When you wrote: 'Identity thieves will have nothing to steal if our computers are well-protected.'

it is not quite so. Imagine a bank clerk who is authorised to log into the bank's network using multi-layer authentication.

What is to stop him from copying the IDs on display on his computer screens onto pieces of paper and selling them to criminals or terrorists to commit fraud?

Doesn't that destroy your theory about secure computers = secure IDs?

Please visit my website dinkumid.com and read more about ID security. Thanks for the op.
You are also right!
by May 19, 2005 12:11 PM PDT
When you wrote that:

Identity theft may be an inevitable part of our society's technological evolution, but it is not unstoppable.

You are right in that comment even though you are probably unaware that we at DINKUMID have created that security solution.