Dee Harvey
Embedding Privacy
Fall 2005
Identity theft is a serious crime. How does it happen?
Identity theft occurs when someone uses your personal
information without your permission to commit fraud or other crimes. While you
can't entirely control whether you will become a victim, there are steps you
can take to minimize your risk.
http://www.consumer.gov/idtheft/
What is Identity theft?
Your identity and personal information are valuable.
Criminals can find out your personal details and use them to open bank accounts
and get credit cards, loans, state benefits and documents such as passports and
driving licenses in your name.
http://www.identity-theft.org.uk/
Your identity is a valuable commodity - you need it to
function in everyday life. You need evidence of who you are to open bank
accounts, obtain credit cards, finance, loans and mortgages, to obtain goods or
services, or to claim benefits.
http://www.cifas.org.uk/identity_fraud.asp
Identity
Fraud or Identity Theft is something we are all supposed to be worrying about
these days. Someone could steal your identity and use it to commit crimes such
as credit card fraud or other forms of theft. The idea of an identity as a
piece of property that can be stolen by another person is absurd. It reduces a
personÕs identity to the sum of data stored about about them. ÒIdentity theftÓ
is not theft, itÕs a form of record system breach. By casting it as a theft of
our identity the people who keep these records and fail to prevent their being
breached put the responsbility for it back on us. The emphasis in discussion of
identity theft is usually on what people can do to minimise their risk, even
while it is admitted that there is little that can be done. This places the
onus on us to protect data that we donÕt own, have no access to and in many
cases didnÕt consent to being stored. The idea of identity fraud is a fraud
being perpetrated on ordinary people who are being asked to bear the costs of a
crime they are victims of by the organisations that made that crime possible.
The
world we live in has become increasingly dependent on the exchange of personal
information. Computer databases are used by almost all businesses and
bureaucracies to perform their functions. These databases store information
about users of services from healthcare to online bookstores. We rely on
systems of identification to establish trust in a world where people donÕt know
each other by sight, and may in fact do business without ever meeting. David
Lyon at QueenÕs University in Canada points out
As the more anonymous
arrangements of the modern Ôsociety of strangersÕ emerged, and privacy was more
valued, so the reciprocal need for tokens of trust grew as a means of
maintaining the integrity of relations between those strangers. As the
locally-known, embodied person slid from view in the web of social relations,
so the importance of credentials, identification and other documenetary
evidence was amplified.
Social
and business interactions require knowledge of the other party or parties
involved and where people donÕt know one another personally, that means
personal information must be stored somehow.
Companies
we do business with routinely gather data about us and store it. If we buy car
insurance we have a policy with information about us and our car and our record
of accidents that is stored in the insurance companyÕs database. Credit card
companies have records of all our transactions, banks of all our financial
information, telephone companies of the phone calls we make. These companies
store this data because it comes to them as a matter of course through the
relationship that we have with them. The company owns this information and can
do with it what it will. What need is there for a phone company to hold records
of all the phone calls I make? Just because they have access to my list of
dialled numbers doesnÕt mean they have to store it. However, I have no say over
whether this information is stored or for how long it is kept. Even though the
information is about me, it is generated through my relationship with the phone
company, by the phone company, and thus belongs to them.
Having
stored this information the companies I do business with can use it to learn
more about me and give me what I want from them. Gathering and interpreting
information about your customers is a means of figuring out how to sell more of
your produect and even gain new customers. The SAS Customer Intelligence
website claims:
To create customer and prospect profiles, identify your most profitable customers, optimize multichannel communications and anticipate customer needs, marketers need the ability to:
¥ Create customer intelligence from the mountains of disconnected customer data the company collects on a daily basis.
¥ Apply that intelligence to create the ideal marketing
mix or channel distribution and execute more targeted, effective inbound and
outbound campaigns.
¥ Measure the value of those campaigns and feed that information back into the planning process.
The
information stored by companies I do business with is not just held idly in
databases, it is being used to create a profile of my behaviour, my
preferences, my habits. Then it is used to predict how I will behave in the
future, specifically what kinds of products I will buy or be persuaded to buy.
Companies
who store my data donÕt only use it to help themselves make more money off me
in the future they also often realise its value in a more direct way by selling
it on to other companies. The trade in personal data is a lucrative one Ð large
database companies like Acxiom and ChoicePoint buy customer data from other
companies. They aggregate this information to create profiles about people that
they then sell on to businesses and government agencies. The businesses that
buy this information use it to try to sell us stuff. Companies I have never
done business or willingly entered into any relationship with are trading in my
personal information without my knowledge or permission.
The
technology that makes it easy for these profiles to be created is an old and
familiar one Ð the social security number. The SSN has become a de facto
identification number, despite numerous assurances down the years that its use
would be restricted. SSNs are used to cross-reference data about us from various
sources. They become the primary key that is used to identify us across
multiple records and databases. The Wall Street JournalÕs Glenn Simpson points
out that
By mixing and matching its databases, Choicepoint can accumulate all kinds of information Ð a speeding fine, a bankrupty filing, a spouseÕs name Ð under a single Social Security number, tailoring the data and related software to a particular client. However, the company has warned investors that its ability to do business would suffer if Congress were to enact laws restricting the private use of Social Securit numbers, as has been propsed in recent years. (2001)
Our
personal information is being stored under our SSNs for the convenience and
profit of large database companies, which sell information to government
agencies as well as businesses.
So
it can be seen that far from being a result of carelessness on our part,
Identity Theft is an effect of the bureaucracy of the information society. The
system works in a way that makes us vulnerable. In his book The Digital
Person, Daniel Solove argues
The underlying cause of identity theft is an architecture that makes us vulnerable to such crimes and unable to adequately repair the damage. This architecture is not created by identity thieves; rather, it is exploited by them. It is an architecture of vulerability, one where personal information is not protected with adequate security, where identity thives have easy asccess to data and the ability to use it in detrimental ways. (2004)
Participation
in society requires that we regularly divulge information about ourselves to
third parties. Buying goods with credit cards, having electricity or gas in
your home, insuring your car, having access to the Internet Ð all these every
day activities involve a file being stored about you in a database somewhere.
The information in these files is traded as a commodity. It belongs to the
companies that gather and buy it, and as such their concern is for its
usefulness, not its security. It is convenient and profitable for businesses to
store our information in ways that make it easy to aggregate. This makes it
easy for anyone who can gain access to one key piece of data about us to find
out enough to be able to impersonate us for the purposes of fraud.
Not
only are we vulnerable to Òidentity theftÓ, if we are unlucky enough to have
our records breached by criminals we are entirely on our own. Despite the fact
that we have no control over the data stored about us, if it is stolen it is
still our responsibility to correct any mistakes at our own expense. Daniel
Solove gives the following example of identity theft
The identity of a retired 74-year-old man is stolen. Debts continue to amass on his credit reports. Although the victim lives in Maryland, a Texas bank issues a car loan to the identity thief in Texas. The victim continually fights to have the debts removed from this credit reports, but he is told to take up the issues with the creditors who claim that the debts are legitimate. Even after debts are removed, they reappear on his credit reports because a different collection agency replaces them. (2004)
Companies
make little effort to prevent people with stolen credit card numbers from
buying expensive goods and then insist on reclaiming the debt from the victim
of the original theft. It takes over two years and more than 200 hours to clear
your name after your identity is stolen (Solove, 2004). It can cost thousands
of dollars and will cause problems getting credit cards, mortgages and even
jobs. If warrants are issued on the basis of fraud committed by the person who
stole your information there is the possibility that you could be arrested. The
victim of identity fraud is extremely vulnerable Ð she must correct mistakes in
a large system of files that is administered by corporations with nothing at
all to gain by helping her.
To
add insult to injury, we are now being offered identity insurance to help
defray the costs of having the records held on us by businesses breached by
criminals.
Identity theft insurance provides reimbursement to crime
victims for the cost of restoring their identity and repairing credit reports.
Some companies now include it as part of their homeowners insurance policy.
Others sell it as either a stand alone policy or as an endorsement to a
homeowners or renters insurance policy.
On average,
these policies cost between $25 and $50 for $15,000 to $25,000 worth of
coverage. Identity theft insurance provides reimbursement for expenses such as
phone bills, lost wages, notary and certified mailing costs and sometimes
attorney fees with the prior consent of the insurer. (http://www.iii.org/individuals/other/insurance/identitytheft/)
Insurance
companies are making money off our vulnerability to people gaining access to
our data. This access takes place because companies, insurance companies among
them, are not taking adequate care of our data and are failing to secure it
from criminals.
A
major injustice is being allowed to take place whereby the victims of a crime
are being asked to pay for it, clean up after it, and prevent its happening.
All of us are at risk of having the records held on us by private companies
breached, and if that happens we will have to fix the problem ourselves and
cover any costs (unless we are insured). We have no access to the records held
about us, we have no way of checking that they are accurate, we have no
ownership of the information that is stored there. It is not up to us to
protect that data or decide how it should be stored, when or by whom it should
be accessed. And yet we are responsible if someone should access it
fraudulently and use it to commit crimes. The whole idea of identity theft is a
fraud Ð our identities canÕt be stolen. But our personal information can be,
and the companies that keep those records should play a part in restoring our
good name and in covering the costs caused by a breach of their record system.
Sources:
Lyon,
David; ÒEveryday Surveillance: Personal data and social classificationsÓ
Simpson,
Glenn; ÒBig Brother-in-Law: If the FBI hopes to get the goods on you, it may
ask ChoicepointÓ in Wall Street Journal, 4/13/2001.
Solove,
Daniel; The Digital Person: Technology and privacy in the information age (2004), New York University Press, New York.