« Law Firm Partnership: Waiting for Godot? | Main | Ain't no justice in DC: Law on the streets and law on the books »

Wednesday, June 15, 2005

Identity Theft Fears and Online Shopping

Idtheft4 From a recent survey:

Nearly half of U.S. voters say they don't shop online because they fear identity thieves may capture their bank-account information, according to a survey released on Wednesday by a technology-industry trade group.

These fears are heightened because of the rash of security breaches in recent months.   I previously posted about these breaches here and here

However, these fears are misplaced.  Much identity theft has little to do with whether people shop online or not.  In fact, it has little to do with the measures people might take to protect themselves against identity theft.   When I'm interviewed by journalists about identity theft, they often ask me for tips that consumers can do to protect themselves.  They are looking for the usual tips -- shred your documents, guard your Social Security Number like a hawk, and so on.  But these tips aren't very protective.  Social Security Numbers are sold by many companies for a small fee; they appear on numerous public records; and yet companies continue to use them as passwords to gain access to accounts.   As I wrote in a law review article about identity theft:  "The problem stems not only from the government's creation of a de facto identifier [the Social Security Number] and lax protection of it, but also from the private sector's inadequate security measures in handling personal information. "   Thus, I tell journalists that these tips often just make victims of identity theft feel that they are to blame; and that these tips make people feel the illusion of being safe when in fact they are not. 

Youreviltwin There is little a person can do to protect herself from identity theft.  Even if you shred all your documents, you're only as safe as the lowest common denominator among the hundreds -- if not thousands -- of companies that use your personal data.  Much identity theft occurs not because of online fraud or because people fail to shred their documents, but because of a bad employee at a company who steals people's data, because of data leaks, or because of the theft of mail.  For an account of how identity thieves perpetrate their crimes, see MSNBC journalist Bob Sullivan's Your Evil Twin: Behind the Identity Theft Epidemic.  There are some really fascinating stories in this book.

Identity theft occurs because of an information system that is flawed.  The leakage of Social Security Numbers would not be such a problem if they weren't so widely used by companies and financial institutions as passwords to allow access to people's accounts.   We have a system of monitoring people's credit and processing personal information that leaves people out of the loop and that lacks sufficient accountability.   It's no wonder identity thieves readily exploit the system. 

While such public fears over identity theft might spur legislative action, I wish that people were fearing the real problems.  People are correct to be worried, but they have little idea about the causes of identity theft.    

Posted by Daniel Solove on June 15, 2005 at 03:59 PM in Daniel Solove, Information and Technology | Permalink


TrackBack URL for this entry:

Listed below are links to weblogs that reference Identity Theft Fears and Online Shopping:

» Looking on the bright side from PrawfsBlawg
It's easy to become alarmed from reading Dan Solove's far too regular posts about the perils of identity theft. [Read More]

Tracked on Jun 22, 2005 4:49:43 PM



Statistics on identity theft causes are notoriously hard to come by and to verify, since so few identity thieves are caught. Here is a synopsis of some of the identity theft survey and study results. The statistics are often created by asking victims how they think the thief obtained the information. Many have no idea. The best set of resources on identity theft, including information about surveys, is the Privacy Rights Clearinghouse.

The issue of identity theft involves more than the thief just obtaining the data. The problem is that data leaks or bad employees or mail interceptions would not be so harmful to victims if (1) companies didn't use Social Security Numbers as passwords, thus limiting the harmfulness of the leakage of this information; (2) consumers were more aware of how their information was being used, thus alerting them to identity theft more quickly; and (3) victims had more potent rights and remedies to fix the damage wrought by the identity thief.

Posted by: Daniel Solove | Jun 16, 2005 1:03:29 AM

Whether the consumer is helpless depends on where most identity thefts occur. Although the recent reports about data tapes falling off trucks containing millions of records have made lots of news, I don't think lost tapes produce much in the way of identity theft. Speculating off the top of my head, I think there are 4 likely suspects:

1) An outside hacker getting into a merchant's electronic database containing past transaction data due to poor security.

2) Numerous employee defalcations at individual merchants.

3) A smaller number of employee defalcations at a bank or credit card company, producing hundreds of victims at once.

4) Dumpster diving.

1 and 4 can be combatted by the consumer (1 by using a random-number generating credit card; 4 by shredding). 2 and 3 are pretty much beyond your control. I've heard of all 4 occurring (as well as phishing), but the question I have is where are most of the successful thefts coming from?

Posted by: Bruce | Jun 16, 2005 12:39:14 AM

Yes, it is a good idea to check one's credit reports. One can learn about the fact that he or she might be a victim of identity theft that way and attempt to halt the damage. But you're right, the horse is out of the barn.

Sadly, the FACTA only mandates that people be allowed to obtain one free credit report per year. And credit reporting agencies are trying to scam their legal responsibility by tricking people to sign up for fee-based credit monitoring service. I wrote about it in this post.

By the way, I just saw the new TV ads for "FreeCreditReport.com" which is not the website where people can obtain their free credit report. The correct website is https://www.annualcreditreport.com/. Instead, FreeCreditReport.com is a service some credit reporting agencies are selling to consumers for a fee. The TV ad, which ends with a sweet jingle, touts how this credit monitoring service will be a helpful way for people to maintain the accuracy of their reports and protect against identity theft -- the very things that the law requires credit reporting agencies to do for free. Ironically, the credit reporting agencies tell Congress that one free credit report a year is the effective way people can protect themselves against identity theft and then turn around and sell what they claim to be the "really effective" protections for profit. With rampant misinformation and manipulation like this, it is no wonder consumers are so confused about identity theft.

Posted by: Daniel Solove | Jun 15, 2005 5:10:00 PM

I assume that it _is_ helpful to check your credit report regularly, right? That way, at least you can (hopefully) stop further damage from happening. Still, that's an awfully closing-the-barn-door-after-the-horse-is-out kind of tip.

Posted by: Kaimi | Jun 15, 2005 4:43:16 PM

The comments to this entry are closed.