MONDAY, SEPTEMBER 25, 2006
Outline of a project plan to implement a due diligence
mechanism protecting personal identity
This document reproduces what was originally published in
Jan 2006. Because the index got overwritten, I am recreating it here.
Project Proposal
Although there are many ways that identity theft happens,
the most troublesome seems to be the capability of a crook to create a
fictitious "person instance" by using another’s social security
number and then take out loans, which get reported as legal liabilities for the
target person. A person may not learn of this problem for months,
and could suffer loss of employment or housing as a result. This
possibility is one of the main reasons why frequent checks of credit reports are
necessary.
There exists an opportunity to prevent this kind of crime by
encouraging every person to register a preferred contact address, and then
requiring any credit grantor (mortgage company, credit card company, auto
finance) to confirm a loan with that address. The United States Postal Service
has a facility, National Change of Address (NCOA), that could form the kernel of
such a policy. Any person, when he or she moves, can provide the USPS preferred
mailing address information, and can provide more than one address. NCOA
follows a number of automated practices, such as Code-1 (a standard format for
mailing addresses), FastForward, and Move/Forward and
Move/Update, an intricate procedure set which allows major companies to
maintain preferred mailing addresses. Major corporate postal customers must
follow rigorous audit standards to use these facilities. Various software
vendors, such as Group-1 and Harte-Hanks, provide
software for companies to interface with the USPS. It is easy to imagine
expanding such a system to include preferred e-mail addresses.
Public policy (through legislation or administrative law)
would then be changed to require all businesses making loans to confirm the
obligation at an NCOA address. Therefore if an
obligation was made by another party duplicating the target person's identity,
that person would receive a notification immediately. The remaining issue would
then be securing the NCOA processing as much as possible, but this seems to be
much more secure than many other information banks have been, as illustrated by
many media reports.
There could be many wrinkles in this process. For example,
when a consumer receives an original or a replacement credit card from a bank,
the consumer typically calls the bank's 800 number (or goes to its web site)
to activate the card. The credit card would, according to the proposed law,
have to be mailed only to the preferred NCOA address. Activation information
would have to include a preferred address code, a nine-digit zip plus box
number if applicable, and that might well have to be encrypted or mapped to a
random number for the consumer to use.
Would this violate personal privacy, in that it gives the
government a specific contact point to track any person (as a
"mark")? In an ideological sense, maybe. But in practice, most active
people need to know that they can be reliably contacted, at least by certified
mail if nothing else, in case there is some kind of problem that they don’t
know about. In the middle 1990s I had a situation with a mortgage that had been
assumed. Without such contact, a person could even have a default judgment
entered against himself or herself in certain kinds of circumstances. For
persons who operate Internet websites, ICANN and registration companies require
the maintenance of a reliable USPS land contact address.
It is also important to note that such a preferred address
would not need to be where the person lives. An individual would not need to
give away his residence to potential stalkers, for example, although certain
Internet search or “skip trace” companies make it easier to find such a person.
One could use a land address at a mailing company (such as UPS’s Mail Boxes, Etc.). One could use a place of employment with
the employer's permission. There is no reason why a simple USPS PO Box would
not suffice (although many businesses require a client to use a land address).
When the primary address is an email address, one could look to a company like
pobox.com as providing a paradigm for preferred contact.
In a sense, this is what happens now when a consumer's
record has a fraud alert with a major credit reporting company (Experian,
Equifax, Trans-Union). The lender has to do a lot more due diligence. I think
the diligence must be performed in all cases. But there also needs to be an
extra layer in the setup to ensure a preferred and guaranteed contact address,
and the USPS NCOA is the logical starting point.
Of course, implementation of such a proposal would require
major software enhancements by the USPS, companies that provide mail-related
software, and software related to credit card, mortgage
and auto loan processing. But there's no harm these days in giving I.T. people
more work and in creating some jobs.
There are more details at this link. I certainly welcome comments.
Link:
EDITORIAL: Identity Theft, Privacy Protection, and the First Amendment
In late May 2005 Paula Zahn produced a comprehensive program
for CNN on identity theft. To all appearances, identity theft and other
compromises of consumer privacy have become epidemic. The general impression is
that the growth of identity theft parallels the growth of unsupervised use of
the Internet. However, consumer privacy is a complex and non-linear topic, and
one must sort it out to get at what is going on. Not all of the problems are
due to the online world.
Surveying the Problems
The biggest complaint seems to be that identity thieves get
credit cards, car loans and even mortgages with stolen identities. They get
hold of social security numbers and make credit applications with phony
addresses and employment histories. They run up debts that appear on the
consumer’s credit report. The consumer does not get the bills so he or she does
not know that there is a problem until applying for credit or for a job. There
have been cases of job loss due to identity theft, as some employers, for
internal security reasons, may be very strict in requiring associates to take
personal responsibility for keeping their own credit clean (“guilty until
proven innocent” when it comes to employment). This observation leads to
recommendations that each consumer check his own credit report at least once a
year; this may get easier later in 2005 when consumers will have the legal
right to free credit reports once per year in all areas of the United States.
Some ISPs offer automated credit report change information reporting systems
for a fee, but these need to become more reliable and easier to use.
It is also possible for consumers to get called by
collection agencies or even, in extreme cases, have court judgments entered
against them (maybe even leading to wage garnishment or asset seizure) for
fictitious debts. The latter would seem less likely as normally one needs a
proper service of process for a judgment, but in some states service of process is
a lax procedure. Consumers would seem
not to be legally responsible for fraudulent debts, but this is not always easy
to establish. Sometimes longstanding debts are sold to collection agencies (a
practice that seems to fall into a legal gray area), which then may have less
legal pressure to honor disputes, even under the FDCPA.
There are other various problems that occur. The most common is “phishing”—emails that
impersonate a bank and demand identification and bank account (even paypal or eBay) information, which is then bought and sold
in chat rooms. “Demand drafts” – checks that do not require signatures – have
been known to result in stealing money from consumer bank accounts. And there
are various practices that may be marginally legal that result in surprising
charges on credit cards, for various “club memberships.”
Another danger occurs with keylogging programs, which
parents or employers use to monitor their kids or employees (legally). Some
email attachments or even raw websites (when visited) will cause the
downloading of spyware keylogging programs which would allow an attacker to
monitor a user’s signon and passwords with, say,
online banking sites, making it possible for the attacker to log on and steal
money. An ABC news story claims that one third of online computer crimes occur
because of keylogging, although this trend has not been widely reported yet in
other media.
A somewhat distinct problem associated with consumer privacy
has to do with the physical security of the consumer. A person who has made
“enemies” may find himself being stalked or threatened; family members,
coworkers and neighbors of the person could become involved as innocent
bystanders. (This has recently been a problem for some judges.) This is
something that used to happen in earlier eras with low-tech methods (letters
and phones) when circular social mores invited “witch-hunts” (for homosexuality
or Communist association). The film Advise and Consent provides a good example
of this.
One valuable, if difficult-to-implement suggestion, would be
to place a $50 cap and dispute resolution on identity theft cases, as has long
been the case with credit cards.[2] This could give “corporate America” – next
section – some newfound incentives.
How Much of this Is the Fault of ‘Corporate America’?
Plenty. We have all heard recently about large but
clandestine companies like ChoicePoint that have had
major security breaches. Credit reporting companies are notoriously slow in
correcting erroneous information, although there are other companies that
specialize in doing this (to facilitate loans) and law now requires credit
reporting companies to place fraud alerts when requested on consumer files and
to free consumer files from credit report requests without notification (as for
promotions). Based on my own experience
in information technology at least through the nineties, it seems that
companies tended to be lax on physical security of customer information, as
employers often allowed employees to leave the premises with production
computer printouts and diskettes (often for legitimate “telecommuting”
work-at-home or production support on-call duties) with little inspection or
accountability. Old-fashioned physical security at institutions may be a
major source of problems.
There is an extra issue with data brokers like ChoicePoint. They sell some “intelligence” on consumers
that does not fall under the Fair Credit Reporting Act. Occasionally, persons
have been denied jobs or loans because of this extra information that does not
allow consumers a reasonable opportunity to correct.[3] There would be
questions whether private investigators might use information from the Web with
search engines (“Google hacking”) which could find information posted by third
parties that cannot be validated (although it could expose the speakers to
civil libel suits if not true, and this would seem to be true for data brokers,
too). Again, the openness of information creation and low on databases,
especially those that are web-accessible, does pose some actuarially
unquantifiable risks to consumers and employees. From the 1950s to the early
1970s, it used to be common for small private investigative companies (like Fidelifacts) to gather information on individuals (such as
arrest records from police raids of gay bars), and for employers to use
them.[4]
It is puzzling why credit grantors are so careless in
granting credit to fictitious applications. There would seem to exist a
technological solution. Here it goes: Allow each consumer to specify a mailing
USPS address to which he or she wants every debt obligation sent. Require
credit grantors to bill only through this address. This way a consumer knows if
he has a problem if he stops getting bills that he expects. Use the existing
USPS NCOA (National Change of Address) system, using FastForward
and Code-1 address standardization technologies, to implement this. The USPS
already has auditing procedures in place that could be effective in such an
implementation (I have worked with them in one of my jobs). As an alternative,
the consumer could prefer to receive e-bills, but only through ISPs certified to
process such bills with registered electronic addresses. The government might
have to provide some compensation to companies to manage such an anti-fraud
program at certified companies (effectively contractors), as this could require
additional systems development and security staff to be hired. A “preferred
address” system could be combined with email security systems (like Microsoft’s
Sender ID) to control spam and impersonation or spoofing. The “preferred address” would have to be used
for mailing of all credit cards, and encrypted into a
code to be used by credit card activation systems (commonly accessed through
800 numbers). Of course, this invokes many issues of legal cooperation (between
government and various companies to be certified) and may raise questions about
the potential for government abuse of private information (similar to questions
raised by the Patriot Act). Such a solution would require action by Congress.
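The proposal above, and the Project Proposal at the top of this page, describe one mechanism: a consumer registers a preferred address, every credit grantor must send its notice there rather than to whatever address the applicant supplied, and card activation uses an opaque code derived from that address instead of the address itself. The following is an added simulation of that workflow, not code from the USPS, NCOA or any vendor named here; the registry, the `person_id` values, the demo key and the addresses are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed demo key; a real registry would keep this in a hardware module.
REGISTRY_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Address:
    street: str
    zip_plus4: str      # nine-digit ZIP, e.g. "22201-1234"
    box: str = ""       # PO box or mailbox number, if applicable


class PreferredAddressRegistry:
    """Stand-in for an NCOA-style registry of consumer-chosen contact addresses."""

    def __init__(self) -> None:
        self._by_person: Dict[str, Address] = {}

    def register(self, person_id: str, address: Address) -> None:
        self._by_person[person_id] = address

    def preferred(self, person_id: str) -> Optional[Address]:
        return self._by_person.get(person_id)

    def activation_code(self, person_id: str) -> str:
        """Map the preferred address to an opaque code (keyed hash) so the
        card-activation line never carries the address itself."""
        addr = self._by_person[person_id]
        msg = f"{person_id}|{addr.zip_plus4}|{addr.box}".encode()
        return hmac.new(REGISTRY_KEY, msg, hashlib.sha256).hexdigest()[:12]

    def verify_activation(self, person_id: str, code: str) -> bool:
        if person_id not in self._by_person:
            return False
        return hmac.compare_digest(self.activation_code(person_id), code)


@dataclass
class Obligation:
    person_id: str
    applicant_address: Address          # what the applicant claimed
    notice_sent_to: Optional[Address]   # where the notice actually went
    address_mismatch: bool
    status: str


class CreditGrantor:
    """A lender bound by the proposed rule: notice goes to the registered address."""

    def __init__(self, registry: PreferredAddressRegistry) -> None:
        self.registry = registry
        self.notices: List[Tuple[str, Address]] = []   # audit trail of mailings

    def open_obligation(self, person_id: str, applicant_address: Address) -> Obligation:
        preferred = self.registry.preferred(person_id)
        if preferred is None:
            # No registered contact point, so the required confirmation is impossible.
            return Obligation(person_id, applicant_address, None, False, "refused")
        self.notices.append((person_id, preferred))   # never the applicant's address
        mismatch = applicant_address != preferred
        return Obligation(person_id, applicant_address, preferred, mismatch,
                          "awaiting confirmation")

    def confirm(self, obligation: Obligation, code: str) -> bool:
        """The consumer confirms with the code that only reaches the preferred address."""
        if self.registry.verify_activation(obligation.person_id, code):
            obligation.status = "confirmed"
            return True
        return False
```

A fraudulent application with a phony address still produces a notice at the registered address and stays unconfirmed, which is the early-warning effect the proposal relies on.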
To their credit, banks have been better at checking with
consumers for unusual activity within short time frames (less than one billing
period), and requiring address verification for
purchases. PIN verification is often required on debit cards, and this could be
required on credit cards, too. Car dealers and mortgage companies, however,
should be much more careful about verifying identities in person (with
passports or alternate id pieces) before letting “borrowers” take control of property.
State DMV departments should require address verification (as with NCOA,
improved) before handing out driver’s licenses or state IDs.
Visa, MasterCard and other credit
card companies already require merchants offering their own credit card
processing (without turning the processing over to third party companies) to
encrypt customer credit card databases and to discard verification numbers.
There are heavy fines for violations.[6] Typically ISPs help small businesses
set up merchant accounts and arrangements with transaction processing companies
that will do the encryption.
There is also valid criticism of misuse of the social
security number as an identifier in business transactions.
What is the effect on free speech?
This is where I have some concerns. So far, most of the
proposals for legislation to fight identity theft emphasize reportability of
breaches (already in effect in many states, especially California, where new
state laws probably account for unearthing some of these scandals) and fines or
increased civil liability for companies that have sensitive consumer
information and allow the information to become compromised. There is
controversy over whether stricter rules should apply only to banks and
financial institutions (usually large companies) or to smaller payment
processing companies and even e-commerce sites. Extending the rules to these
latter companies could stifle the ability of companies to offer products from
very small businesses and individuals (books, movies or DVDs, music) at least
without a lot of major further cooperative innovation, an issue already in play
in the legal complications of file-sharing. Already, some relatively small
companies have had to accept strict encryption and auditing requirements.
But the issues become more subtle. Small companies like
“zabasearch.com” have been providing identification and public records
“background investigation” on consumers for a small fee. (Part of the problem
here is that state and local governments have put public records online,
although in some states they are restricting public record access online now.)
An individual, for example, may have published only a mailbox and cell phone as
contact information on the Internet, and a “background investigation” site
could provide real residence address and phone, which could create security
issues for others (family members or residential neighbors) associated with the
individual. This has not yet become a major problem in this country (it has
been more of a problem in Britain with some threats by Islamic fundamentalists
against a couple of authors). The more obvious observation is that such
practices facilitate identity theft, but we should remember that identity theft
can also happen in the physical world, with lost checkbooks and rummaging
garbage (“dumpster diving”) for unshredded
receipts.[9] Large companies are often
quite careless with the physical security of printed information and cassette
tapes on their premises (as documented by Aaron Brown’s report on CNN on June
7, 2005) and are easily fooled by imposters, and they may sometimes hire
employees who might have unusual presumptive motives to want the data for
particular classes of stakeholders, which gets back to the “conflict of
interest” questions that I have often discussed.
Feedback from Congress tells me that “public records”
information is (by definition) information that can be legally published. Now
privacy law has been developing the notion that identifying information like
social security numbers can be legally protected as confidential. How “public”
is a public record if it cannot be tied easily to a specific individual
identified by a database “key” number? The question, in the minds of Congress,
is about packaging legally available information in such a way that anyone with
mischievous intentions can access it efficiently with little cost or
need-to-know supervision. Senator Dianne Feinstein (D-CA) proposes making it
illegal to sell social security numbers and similar information, but to do this
the legal nature of personal identifier information needs to be redefined.
In other areas of intellectual property law, however, there
is not such a connection (to identifiers). Libel law usually assumes that a
reader can figure out who a particular individual is, even if not named.
Writers and journalists generally are free to use bibliographic information as
they like, and such information is not usually tied to such identifiers.
We get to a possible legal conundrum and a slippery slope.
Congress probably needs to define some kinds of personal information (social
security numbers and residential address information) as legally confidential
without some kind of need-to-know basis. Otherwise, we run the risk that in
other intellectual property law situations, the legality of published content
will depend more on the context of publication – such as whether it is online
or print, free or for fee, from the established press or from a blogger,
etc. For example, someone who had
published a book or a print article twenty years ago
might not want to find himself so easily “Google hacked” if that could
hamper his employment situation today. This could have enormous First Amendment
implications, or it could result in the idea that website owners or bloggers
need to post indemnification bonds.
We have already seen examples of this kind of problem, as
with the litigation concerning the Child Online Protection Act (COPA), where
some of the legal concepts (“harmful to minors”) seem to have an overly
subjective contextual potential. And copyright law, with its Fair Use
provision, does have contextual provisions that allow some judgment and
subjectivity. Likewise, context may matter in disputes over trademarks and
Internet domain names.
One problem at least distantly related to all of this is
spoofing: the use of someone else’s name or Internet ID to send spam or illegal
content. Although spoofing is usually solvable by law enforcement forensics, the
possibility that hackers could frame someone for sending illegal content does
sound like another potential form of “identity theft.” It is important for
users to remember that anonymity of speech is not protected (by fictitious
screen names) when illegal content or behavior is involved.
Even so, if identity theft is not to lead to a major battle
over the deployment of content on the Internet, Congress needs to rein in
big business and come up with some technological supervision. It is possible to
adopt the strategy of beefing up national ID cards (with biometrics
like retinal scans), creating the possibility of abuse by future or even
present governments (a legitimate libertarian fear) but relieving individuals
and small businesses of the incidental downstream liability for contributing to
the identity theft problem. Congress is
likely to manipulate the First Amendment and regulate what kind of information
can be sold or even stored on sites (for example keylogging software). If
Congress were to require ISPs to monitor customers for violations, this could
expose ISPs to downstream liability, in contradiction to Section 230 provisions
of the 1996 Communications Decency Act (a provision that was kept during the
1997 Supreme Court ruling). Eventually, individuals could be required to
provide liability bonds to have websites and would no
longer have their own voices on the Net. The record of Congress in the
past in weighing such factors as consumer security or protection and the
chilling effect of downstream liability is not convincing.
©Copyright 2005 by Bill Boushka. All rights reserved,
subject to fair use.
NBC Nightly News had a story about identity theft on Feb 5, 2005 in which a woman discovered she was a victim when Bank
of America mailed her a Visa card with the thief’s picture on it—an indication
that a guaranteed mailing scheme to a “preferred address” can work. In this
case, the thief was paying the bills, so the account was in a “reactive state.”
The Veterans Administration (around May 20, 2006) lost data
on 26 million veterans and probably active servicemembers and national guard
members when an employee took a laptop home and his
home was burglarized. This will certainly lead employers to look at the whole
work-at-home issue, a serious conundrum in the time of high gasoline prices
(and the demands of salaried employment) conflicting with security. However,
this was a breach of physical security, not Internet security or a problem of
domains operated by amateurs; this was a major failure in government itself.
It is important to realize that the VA burglary (or similar
losses of personal data from laptop computers or work diskettes or CD’s, as in
transport) could have happened even without an Internet. This is an issue
involving old-fashioned old school workplace security—especially in a high gas
price world where telecommuting and working from home has been encouraged.
Another issue is that when major financial implementations are tested,
companies typically use copies of live production data for system parallels. To
do QA testing without such copying of data would introduce enormous costs to
many I.T. projects.
But there is a danger that someone who steals such data would try to sell it on the Internet. That lure exists as long as credit grantors continue to give out easy credit without a system (such as a link to NCOA) to verify the real identity of an applicant for credit. In network broadcast interviews, military servicemembers have expressed additional concerns about their personal and family security since their residence addresses could be known to (VA burglary) thieves, who could give or sell the information to terrorists or political enemies. However it is not known how much data really was on the laptop, as the