A giant data brokerage firm exposes the records of more than 145,000 individuals, and 750 of those are confirmed victims of identity theft. A cell phone conglomerate admits that its system, used by Secret Service agents among millions of other people, was recently broken into. A respected senator discovers that anyone with Senate clearance can learn the Social Security numbers of Brad Pitt, his celebrity friends, and also the Vice-President, with a few clicks. One of the largest banks in the United States reports that it has lost a tape backup containing 1.2 million credit card records, a significant portion of which are directly related to Pentagon and other federal government accounts. A well-known legal information services firm admits that 32,000 of its records have been stolen. Exactly what is going on here?
To hear the politicians tell it, identify theft is the inevitable result of our fast-paced information society. It is unstoppable given that our law enforcement agencies are generally too slow to keep up with technology, and too bureaucratic to delegate to multi-jurisdictional, inter-agency teams, let alone teams that span international boundaries. Congress wants to pass new laws that will centralize the investigation and enforcement of identity theft cases—and it certainly should. Anything would be an improvement over the current mess. Yet re-mapping the murky domains of federal agencies alone will not be enough to actually stop identity theft, or even slow it down. Really curbing the problem will require attacking the problem at its root: the keyboard.
On March 10, 2005, Larry Johnson, the Special Agent in Charge of the Criminal Investigative Division of the United States Secret Service made a good point before the Senate Committee on Banking, Housing and Urban Affairs: identity theft is increasingly a technical problem. Once upon a time, thieves dug company directories out of trash cans, but now it's much easier to send out mass e-mails to millions of people that happen to look like they originated from local banks, asking for confirmation of credit card numbers. In fact, were it not for the ability of computer databases to store millions of records at a time in a centralized and efficient manner, "identity theft" would be practically unheard of. So, what are we doing to make sure that our nation's databases are protected?
I learned this the hard way only three weeks ago, when in the process of downloading my 2004 W-2 from my former web-based payroll company, I discovered that I could download the W-2 of every person who had ever been a customer of that payroll company, as far back as 1999, or perhaps even earlier. As it so happens, IRS Form W-2 is the perfect tool for blackmail, containing one's Social Security number, annual salary, home address, employer's EIN, and employer's state tax ID. With one keystroke, without breaking into any systems, without hacking—really, without even trying, I could have pretended to be anyone I desired, from a fairly nice pool of 25,468 to about 100,000 people.
Even in the wake of ChoicePoint, or perhaps because of it, the payroll company didn't want to hear about the problem, and even told me that it didn't exist, more than two weeks after I first brought the issue to its attention. Faced with the prospect of my own personal data leaking out onto the internet, I started making phone calls. Once word of the flaw began making its way into the press, the company threatened to sue me on civil and criminal charges for violating U.S.C. 18 section 1030, otherwise known as the Computer Fraud and Abuse Act of 1986, never mind that I was a (former) customer trying to access my own data in my own W-2, who had passed on information about the flaw (that apparently didn't exist) as a courtesy. Yet, I could not ignore the fact that the charges were "very serious," as my lawyer (who had never even heard of the Act), repeatedly told me.
What is a digital good samaritan to do? If you knew that your Social Security number and salary was being broadcast to the world, could you simply walk away? No? In that case, perhaps you might choose the flip side: ten years in prison for committing a non-crime, or in the best-case scenario, the expense and inconvenience of going to trial.
Indeed, legislation that centralizes the government's sizable burden of dealing with identity fraud is all well and good, but it misses the mark completely. Identity thieves will have nothing to steal if our computers are well protected. Therefore, to be truly effective, any new law designed to fight identity theft absolutely must comprise at least two key components. One of these is a clause that must force financial institutions—and not just those affected by the Fair Credit Reporting Act, but also payroll companies and anyone storing credit card numbers—to stay up to par with computer security standards, as defined by the latest industry developments. The second required component is a loophole to protect "white hat" hackers, who know enough about computer security to point out flaws, but who do not have malicious intent. When these security professionals find problems, companies have far too many incentives to shoot the messenger. Currently there is no clear way out of the byzantine regulations that the USA PATRIOT Act further confounded in 2001, and security professionals, the true patriots trying to protect our digital infrastructure, have to fight legal battles that should never arise in the first place.
Identity theft may be an inevitable part of our society's technological evolution, but it is not unstoppable. New laws can and will help, so long as they protect those who understand the underlying technologies involved. After all, a safer society, free of identity theft and cyber-terrorism will probably never come about if the good guys are all tied up in court, or worse yet, in jail.