Identity Theft and the Need for a New Common Sense

A couple of stories have come up in the last two days that highlight how the way law and business determine identity isn’t keeping up with technology. One story is about identity theft and the other about computer security violations, but both have a common thread: technology has made it so our common-sense assumptions about how to tell someone’s identity no longer work.

The first is a lengthy Washington Post article about identity theft. The driving story is about Michael Berry, whose identity was stolen by an ex-con who proceeded to rack up debt and eventually commit murder, all while living under Berry’s name. Around this driving story the article gives a good analysis of just how incredibly easy and common this kind of identity theft is today.

It used to be that identifying someone was a long-term and high-touch operation. You’d get paychecks from a local business, deposit checks at the local bank branch, and write checks to the local grocery store. Over time all these entities would get to know you and your identity would become firmly entrenched in the system. Now that society is more mobile, that system doesn’t work, and we’re finding that the replacement system of asking for social security numbers or mother’s maiden name doesn’t work too well either. Currently banks have to eat any monetary losses that come from identity-theft fraud, but do not have to take responsibility for damage caused to a person’s credit rating or reputation (as recently upheld by the South Carolina Supreme Court). That means that, as the law stands now, the economic incentives encourage more convenience and less security than would be the case if banks had to take the total cost of identity theft into account.

The second story is from yesterday’s New York Times, which reported that a British man was exonerated of child pornography charges after his computer was found to have been infected by nearly a dozen Trojan-horse programs. Mr. Green, who has lost custody of his daughter and spent nine days in prison and three months in a “bail hostel” due to the charges, has claimed all along that his computer was infected and that it even dialed into the Internet when no one was home.

In this case the question is whether Green is responsible for the material on his own computer. Not long ago, if a crime was committed in a particular house, the perpetrator could only be one of a handful of people. For these data crimes, the person actually downloading porn onto Green’s computer could have been literally anyone in the world. Similar arguments have been made about open Wi-Fi access points and “zombie” computers that are used as launching pads for attacks on other sites on the Net. As the Times article points out, there are two issues here. One is that bad guys could use such security problems as a defense; the other is that it really is a valid defense:

“The scary thing is not that the defense might work,” said Mark Rasch, a former federal computer crime prosecutor. “The scary thing is that the defense might be right,” and that hijacked computers could be turned to an evil purpose without an owner’s knowledge or consent.

The general problem is that our old common-sense ideas of identity no longer hold, or can’t be applied in our hyper-convenient and mobile society. I’m not necessarily in control of my own networked computer. I’m not the only person who knows the last four digits of my SSN. And the person handling my application has almost certainly never seen me before, and that’s no cause for alarm. Perhaps technology will come to the rescue in the form of biometrics that can prevent identity theft while still preventing governmental abuses. Perhaps regulation will come to the rescue in terms of systems to challenge faulty information, and by ensuring that those who are responsible for security have the incentive to maintain it. Probably a combination of these will be required, but in the meantime I expect the problem to get worse before it gets better.
