MONDAY, SEPTEMBER 25, 2006
Outline of a project plan to implement a due diligence mechanism protecting personal identity
This document reproduces what was originally published in Jan 2006. Because the index got overwritten, I am recreating it here.
Although there are many ways that identity theft happens, the most troublesome seems to be the capability of a crook to create a fictitious "person instance" by using another’s social security number and then take out loans, which get reported as legal liabilities for the target person. A person may not learn of this problem for months, and could suffer loss of employment or housing as a result. This possibility is one of the main reasons why frequent checks of credit reports is necessary.
There exists an opportunity to prevent this kind of crime by encouraging every person to register a preferred contact address, and then requiring any credit grantor (mortgage company, credit card company, auto finance) to confirm a lone with that address. The United States Postal Service has a facility, National Change of Address (NCOA) that could form the kernel of such a policy. Any person, when he or she moves, can provide the USPS preferred mailing address information, and can provide more than one address. NCOA follows a number of automated practices, such as Code-1 (a standard format for mailing addresses), FastForward, and Move/Forward and Move/Update, an intricate procedure set which allows major companies to maintain preferred mailing addresses. Major corporate postal customers must follow rigorous audit standards to use these facilities. Various software vendors, such as Group-1 and Harthanks, provide software for companies to interface with the USPS. It is easy to imagine expanding such a system to include preferred e-mail addresses.
Public policy (through legislation or administrative law) would then be changed to require all businesses making loans to confirm the obligation at an NCOA address. Therefore if an obligation was made by another party duplicating the target person's identity, that person would receive a notification immediately. The remaining issue would then be securing the NCOA processing as much as possible, but this seems to be much more secure than many other information banks have been, as illustrated by many media reports.
There could be many wrinkles in this process. For example, when a consumer receives an original or a replacement credit card from a bank, the consumer typically call's the bank's 800 number (or goes to its web site) to activate the card. The credit card would, according to proposed law, would have to be mailed only to the preferred NCOA address. Activation information would have to include a preferred address code, a nine-digit zip plus box number if applicable, and that might well have to be encrypted or mapped to a random number for the consumer to use.
Would this violate personal privacy, in that it gives the government a specific contact point to track any person (as a "mark")? In an ideological sense, maybe. But in practice, most active people need to know that they can be reliably contacted, at least by certified mail if nothing else, in case there is some kind of problem that they don’t know about. In the middle 1990s I had a situation with a mortgage that had been assumed. Without such contact, a person could even have a default judgment entered against himself or herself in certain kinds of circumstances. For persons who operate Internet websites, ICANN and registration companies require the maintenance of a reliable USPS land contact address.
It is also important to note that such a preferred address would not need to be where the person lives. An individual would not need to give away his residence to potential stalkers, for example, although certain Internet search or “skip trace” companies make it easier to find such a person. One could use a land address at a mailing company (such as UPS’s Mail Boxes, Etc.). One could use a place of employment with the employer's permission. There is no reason why a simple USPD PO Box would not suffice (although many businesses require a client to use a land address). When the primary address is an email address, one could look to a company like pobox.com as providing a paradigm for preferred contact.
In a sense, this is what happens now when a consumer's record has a fraud alert with a major credit reporting company (Experian, Equifax, Trans-Union). The lender has to do a lot more due diligence. I think the diligence must be performed in all cases. But there also needs to be an extra layer in the setup to ensure a preferred and guaranteed contact address, and the USPS NCOA is the logical starting point.
Of course, implementation of such a proposal would require major software enhancements by the USPS, companies that provide mail-related software, and software related to credit card, mortgage and auto loan processing. But there's no harm these days in giving I.T. people more work and in creating some jobs.
There are more details at this link. I certainly welcome comments.
EDITORIAL: Identity Theft, Privacy Protection, and the First Amendment
In late May 2005 Paula Zahn produced a comprehensive program for CNN on identity theft. To all appearance, identity theft and other compromises of consumer privacy have become epidemic. The general impression that the growth of identity theft parallels the growth of unsupervised use of the Internet. However, consumer privacy is a complex and non-linear topic, and one must sort it out to get at what is going on. Not all of the problems are due to the online world.
Surveying the Problems
The biggest complaint seems to be that identity thieves get credit cards, car loans and even mortgages with stolen identities. They get hold of social security numbers and make credit applications with phony addresses and employment histories. They run up debts that appear on the consumer’s credit report. The consumer does not get the bills so he or she does not know that there is a problem until applying for credit or for a job. There have been cases of job loss due to identity theft, as some employers, for internal security reasons, may be very strict in requiring associates to take personal responsibility for keeping their own credit clean (“guilty until proven innocent” when it comes to employment). This observation leads to recommendations that each consumer check his own credit report at least once a year; this may get easier later in 2005 when consumers will have the legal right to free credit reports once per year in all areas of the United States. Some ISPs offer automated credit report change information reporting systems for a fee, but these need to become more reliable and easier to use.
It is also possible for consumers to get called by collection agencies or even, in extreme cases, have court judgments entered against them (maybe even leading to wage garnishment or asset seizure) for fictitious debts. The latter would seem less likely as normally one needs a proper service of process for a judgment, but in some states service process is a lax procedure. Consumers would seem not to be legally responsible for fraudulent debts, but this is not always easy to establish. Sometimes longstanding debts are sold to collection agencies (a practice that seems to fall into a legal gray area), which then may have less legal pressure to honor disputes, even under the FDCPA.
There are other various problems that occur. The most common is “phishing”—emails that impersonate a bank and demand identification and bank account (even paypal or eBay) information, which is then bought and sold in chat rooms. “Demand drafts” – checks that do not require signatures, have been known to result in stealing money from consumer bank accounts. And there are various practices that may be marginally legal that result in surprising charges on credit cards, for various “club memberships.”
Another danger occurs with keylogging programs, which parents or employers use to monitor their kids or employees (legally). Some email attachments or even raw websites (when visited) will cause the downloading of spyware keylogging programs which would allow an attacker to monitor a user’s signon and passwords with. Say, online banking sites, making it possible for the attacker to log on and steal money. An ABC news story claims that one third of online computer crimes occur because of keylogging, although this trend has not been widely reported yet in other media.
A somewhat distinct problem associated with consumer privacy has to do with the physical security of the consumer. A person who has made “enemies” may find himself being stalked or threatened; family members, coworkers and neighbors of the person could become involved as innocent bystanders. (This has recently been a problem for some judges.) This is something that used to happen in earlier eras with low-tech methods (letters and phones) when circular social mores invited “witch-hunts” (for homosexuality or Communist association). The film Advise and Consent provides a good example of this.
One valuable, if difficult-to-implement suggestion, would be to place a $50 cap and dispute resolution on identity theft cases, as has long been the case with credit cards. This could give “corporate America” – next section – some newfound incentives.
How Much of this Is the Fault of ‘Corporate America’?
Plenty. We have all heard recently about large but clandestine companies like ChoicePoint that have had major security breaches. Credit reporting companies are notoriously slow in correcting erroneous information, although there are other companies that specialize in doing this (to facilitate loans) and law now requires credit reporting companies to place fraud alerts when requested on consumer files and to free consumer files from credit report requests without notification (as for promotions). Based on my own experience in information technology at least through the nineties, it seems that companies tended to be lax on physical security of customer information, as employers often allowed employees to leave the premises with production computer printouts and diskettes (often for legitimate “telecommuting” work-at-home or production support on-call duties) with little inspection or accountabilities. Old-fashioned physical security at institutions may be a major source of problems.
There is an extra issue with data brokers like ChoicePoint. They sell some “intelligence” on consumers that does not fall under the Fair Credit Reporting Act. Occasionally, persons have been denied jobs or loans because of this extra information that does not allow consumers a reasonable opportunity to correct. There would be questions whether private investigators might use information from the Web with search engines (“Google hacking”) which could find information posted by third parties that cannot be validated (although it could expose the speakers to civil libel suits if not true, and this would seem to be true for data brokers, too). Again, the openness of information creation and low on databases, especially those that are web-accessible, does pose some actuarially unquantifiable risks to consumers and employees. From the 1950s to the early 1970s, it used to be common for small private investigative companies (like Fildelifacts) to gather information on individuals (such as arrest records from police raids of gay bars), and for employers to use them.
It is puzzling why credit grantors are so careless in granting credit to fictitious applications. There would seem to exist a technological solution. Here it goes: Allow each consumer to specify a mailing USPS address to which he or she wants every debt obligation sent. Require credit grantors to bill only through this address. This way a consumer knows if he has a problem if he stops getting bills that he expects. Use the existing USPS NCOA (National Change of Address) system, using FastForward and Code-1 address standardization technologies, to implement this. The USPS already has auditing procedures in place that could be effective in such an implementation (I have worked with them in one of my jobs). As an alternative, the consumer to prefer to receive e-bills, but only through ISPs certified to process such bills with registered electronic addresses. The government might have to provide some compensation to companies to manage such an anti-fraud program at certified companies (effectively contractors), as this could require additional systems development and security staff to be hired. A “preferred address” system could be combined with email security systems (like Microsoft’s Sender ID) to control spam and impersonation or spoofing. The “preferred address” would have to be used for mailing of all credit cards, and encrypted into a code to be used by credit card activation systems (commonly accessed through 800 numbers). Of course, this invokes many issues of legal cooperation (between government and various companies to be certified) and may raise questions about the potential for government abuse of private information (similar to questions raised by the Patriot Act). Such a solution would require action by Congress
To their credit, banks have been better at checking with consumers for unusual activity within short time frames (less than one billing period), and requiring address verification for purchases. Pin verification is often required on debit cards, and this could be required on credit cards, too. Car dealers and mortgage companies, however, should be much more careful about verifying identities in person (with passports or alternate id pieces) before letting “borrowers” take control of property. State DMV departments should require address verification (as with NCOA, improved) before handing out driver’s licenses or state id’s.
Visa, Master Card and other credit card companies already require merchants offering their own credit card processing (without turning the processing over to third party companies) to encrypt customer credit card databases and to discard verification numbers. There are heavy fines for violations. Typically ISPs help small businesses set up merchant accounts and arrangements with transaction processing companies that will do the encryption.
There is also valid criticism of misuse of the social security number as an identifier in business transactions.
What is the effect on free speech?
This is where I have some concerns. So far, most of the proposals for legislation to fight identity theft emphasize reportability of breaches (already in effect in many states, especially California, where new state laws probably account for unearthing some of these scandals) and fines or increased civil liability for companies that have sensitive consumer information and allow the information to become compromised. There is controversy over whether stricter rules should apply only to banks and financial institutions (usually large companies) or to smaller payment processing companies and even e-commerce sites. Extending the rules to these latter companies could stifle the ability of companies to offer products from very small businesses and individuals (books, movies or DVDs, music) at least without a lot of major further cooperative innovation, an issue already in play in the legal complications of file-sharing. Already, some relatively small companies have had to accept strict encryption and auditing requirements.
But the issues become more subtle. Small companies like “zabasearch.com” have been providing identification and public records “background investigation” on consumers for a small fee. (Part of the problem here is that state and local governments have put public records online, although in some states they are restricting public record access online now.) An individual, for example, may have published only a mailbox and cell phone as contact information on the Internet, and a “background investigation” site could provide real residence address and phone, which could provide security issues for others (family members or residential neighbors) associated with the individual. This has not yet become a major problem in this country (it has been more of a problem in Britain with some threats by Islamic fundamentalists against a couple of authors). The more obvious observation is that such practices facilitate identity theft, but we should remember that identity theft can also happen in the physical world, with lost checkbooks and rummaging garbage (“dumpster diving”) for unshredded receipts. Large companies are often quite careless with the physical security of printed information and cassette tapes on their premises (as documented by Aaron Brown’s report on CNN on June 7, 2005) and are easily fooled by imposters, and they may sometimes hire employees who might have unusual presumptive motives to want the data for particular classes on stakeholders, which gets back to the “conflict of interest” questions that I have often discussed.
Feedback from Congress tells me that “public records” information is (by definition) information that can be legally published. Now privacy law has been developing the notion that identifying information like social security numbers can be legally protected as confidential. How “public” is a public record if it cannot be tied easily to a specific individual identified by a database “key” number? The question, in the minds of Congress, is about packaging legally available information in such a way that anyone with mischievous intentions can access it efficiently with little cost or need-to-know supervision. Senator Diane Feinstein (D-CA) proposes making it illegal to sell social security numbers and similar information, but to do this the legal nature of personal identifier information needs to be redefined.
In other areas of intellectual property law, however, there is not such a connection (to identifiers). Libel law usually assumes that a reader can figure out who a particular individual is, even if not named. Writers and journalists generally are free to use bibliographic information as they like, and such information is not usually tied to such identifiers.
We get to a possible legal conundrum and a slippery slope. Congress probably needs to define some kinds of personal information (social security numbers and residential address information) as legally confidential without some kind of need-to-know basis. Otherwise, we run the risk that in other intellectual property law situations, the legality of published content will depend more on the context of publication – such as whether it is online or print, free or for fee, from the established press or from a blogger, etc. For example, someone who had published a book or a print article twenty years ago might not want to find himself so easily “Google hacked” today if that could hamper his employment situation today. This could have enormous First Amendment implications, or it could result in the idea that website owners or bloggers need to post indemnification bonds.
We have already seen examples of this kind of problem, as with the litigation concerning the Child Online Protection Act (COPA), where some of the legal concepts (“harmful to minors”) seem to have an overly subjective contextual potential. And copyright law, with its Fair Use provision, does have contextual provisions that allow some judgment and subjectivity. Likewise, context may matter in disputes over trademarks and Internet domain names.
One problem at least distantly related to all of this is spoofing: the use of someone else’s name or Internet ID to send spam or illegal content. Although spoofing usually solvable by law enforcement forensics, the possibility that hackers could frame someone for sending illegal content does sound like another potential form of “identity theft.” It is important for users to remember that anonymity of speech is not protected (by fictitious screen names) when illegal content or behavior is involved.
Even so, if identity theft is not to lead to a major battle over the deployment of content on the Internet, Congress needs to reign in on big business and come up with some technological supervision. It is possible to adopt the strategy of providing beefing up national id cards (with biometrics like retinal scans), creating the possibility of abuse by future or even present governments (a legitimate libertarian fear) but relieving individuals and small businesses of the incidental downstream liability for contributing to the identity theft problem. Congress is likely to manipulate the First Amendment and regulate what kind of information can be sold or even stored on sites (for example keylogging software). The If Congress were to require ISPs to monitor customers for violations, this could expose ISPs to downstream liability, in contradiction to Section 230 provisions of the 1996 Communications Decency Act (a provision that was kept during the 1997 Supreme Court ruling). Eventually, individuals could be required to provide liability bonds to have websites and would not longer have their own voices on the Net. The record of Congress in the past in weighing such factors as consumer security or protection and the chilling effect of downstream liability is not convincing.
©Copyright 2005 by Bill Boushka. All rights reserved, subject to fair use.
NBC Nightly News had a story about identity theft on Feb 5, 2005 in which a woman discovered she was a victim when Bank of America mailed her a visa card with the thief’s picture on it—an indication that a guaranteed mailing scheme to a “preferred address” can work. In this case, the thief was paying the bills, so the account was in a “reactive state.”
The Veterans Administration (around May 20, 2006) lost data on 26 million veterans and probably active servicemembers and national guard members when an employee took a laptop home and his home was burglarized. This will certainly lead employers to look at the whole work-at-home issue, a serious conundrum in the time of high gasoline prices (and the demands of salaried employment) conflicting with security. However, this was a breach of physical security, not Internet security or a problem of domains operated by amateurs; this was a major failure in government itself.
It is important to realize that the VA burglary (or similar losses of personal data from laptop computers or work diskettes or CD’s, as in transport) could have happened even without an Internet. This is an issue involving old-fashioned old school workplace security—especially in a high gas price world where telecommuting and working from home has been encouraged. Another issue is that when major financial implementations are tested, companies typically use copies of live production data for system parallels. To do QA testing without such copying of data would introduce enormous costs to many I.T. projects.
But there is a danger that someone who steals such data would try to sell it on the Internet. That lure exists as long as credit grantors continue to give out easy credit without a system (such as a link to NCOA) to verify the real identity of an applicant for credit. In network broadcast interviews, military servicemembers have expressed additional concerns about their personal and family security since their residence addresses could be known to (VA burglary) thieves, who could give or sell the information to terrorists or political enemies. However it is not known how much data really was on the laptop, as the