The problem of identity theft, a topic newly current after revelations about ChoicePoint and a “breach of security”, was the subject of dueling opinion pieces today in USA Today.
First, a few excerpts from the editorial piece that sets the context and says something that I think is a little more complicated than the editors seem to think:
The company is a data broker that boasts a collection of 17 billion public records. The records span everything from birth dates and addresses to driver’s license and Social Security numbers — just enough information to cause trouble if it gets into the wrong hands.
And it did.
The company, duped by criminals masquerading as business owners, gave up personal information on 145,000 people last year. For months, as police investigated, the consumer-victims weren’t told.
Thus, we have a company in the business of collecting “personal information” and then selling it; other companies are convinced that they must have this information to be competitive.
The editors say it in so many words, but don’t recognize this basic problem: how can one distinguish the “criminals” from the [legitimate] “business owners”? What happens when they are the same?
My point would be that, to the company selling the data, there is no real difference. What does it mean to “masquerade” as a legitimate business, and how is it operationally any different from “real” businesses?
The root of the problem, and the source of the solution, is not with enhancing safeguards on the data, since potential clients and potential thieves are indistinguishable. Either the data must not be collected in the first place — that battle was probably lost in the past decade or more — or it must be made somehow less useful to “masquerading bussinesses”.
In a response Fred H. Cate says:
A California law requiring businesses to notify consumers when the security of their personal data is breached is a poor substitute for real action to address the scourge of identity theft.
The problem at the heart of most identity theft isn’t access to information or consumer inattention, it is the lack of will and effective tools to verify the identity of consumers, especially when granting credit.
Mr. Cate certainly recognizes that the problem is not going to lie with enhancing “safeguards” on the data, nor with giving consumers notice of “security breaches”. (Talk about refusing to take responsibility by doing nothing that superficially appears to be doing something.)
When I was young and first got my own Social Security number, we were taught things about the number’s proper use that were thought to be so important and so inviolable that it might have been written in the consititution: your Social Security number is not a universal identity number, and you should NEVER allow it to be used as one.
Whatever happened to that admonition? Look how steadily it has eroded in the past 30 years until the Social Security number has become, de facto, a universal (US) ID number. For no good reason either: in most cases I can think of, it was used merely as a convenience for whomever was requesting it so that they could assign a unique number to someone for some temporary purpose. There are other ways to accomplish that, even easy ones, that don’t compromise the Social Security number.
Now, one almost never thinks about such a request, and one’s Social Security number can be found lying around everywhere. It would be simplistic to suggest that this is the sole cause of the problem and that restricting its use would halt the problem, but it is nearer the source of the problem, and looking there could lead to — if not solutions — at least mitigating strategies.
[Update, 1 March 2005:] The Detroit News offers its opinion in the editorial “U.S. Should Limit Use of Social Security Numbers”, identifying at least one of the problems that I mentioned. Whether their solution is more than just a start will require quite a bit more reflection.