May 25, 2004

Identity Theft - the American Disease

Identity theft is a uniquely American problem. It reflects the massive - in comparison to other countries - use of data and credit to manage Americans' lives. Other countries would do well to follow the experiences, as "what happens there, comes here." Here are two articles on the modus operandi of the identity thief [1], and the positive side of massive data collection [2].

First up, the identity thief [1]. He's not an individual, he's a gang, or more like a farm. Your identity is simply a crop to process. Surprisingly, it appears that garbage collected from the streets (Americans call it trash) is still the seed material. Further, the database nation's targeting characteristics work for the thief as he doesn't need to "qualify" the victim any. If you receive lots of wonderful finance deals, he wants your business too.

Once sufficient information is collected (bounties paid per paper) it becomes a process of using PCs and innocent address authorities to weasel one's way into the prime spot. For example, your mail is redirected to the farm, the right mails are extracted, and your proper mail is conveniently re-delivered - the classic MITM. We all know paper identity is worthless for real security, but it is still surprising to see how easily we can be brought in to harvest.

[Addendum: Lynn Wheeler reports that a new study by Professor Judith Collins of Michigan State University reveals up to 70% of identity theft starts with employee insider theft [1.b]. This study, as reported by MSNBC, directly challenges the above article.]


Next up, a surprisingly thoughtful article on how data collection delivers real value - cost savings - to the American society [2]. The surprise is in the author, Declan McCullagh, who had previously been thought to be a bit of a Barbie for his salacious use of gossip in the paparazzi tech press. The content is good but very long.

The real use of information is to make informed choices - not offer the wrong thing. Historically, this evolved as networks of traders that shared information. To counteract fraud that arose, traders kept blacklists and excluded no-gooders. A dealer exposed as misusing his position of power stood to lose a lot, as Adam Smith argued, far more indeed than the gain on any one transaction [3].

In the large, merchants with businesses exposed to public scrutiny, or to American-style suits, can be trusted to deal fairly. Indeed, McCullagh claims, the US websites are delivering approximately the same results in privacy protection as those in Europe. Free market wins again over centralised regulations.

Yet there is one area where things are going to pot. The company known as the US government, a sprawling, complex interlinking of huge numbers of databases, is above any consumer scrutiny and thus pressure for fair dealings. Indeed, we've known for some years that the policing agencies did an end run around Congress' prohibition on databases by outsourcing to the private sector. The FBI's new purchase of your data from Checkpoint is "so secret that even the contract number may not be disclosed." This routine dishonesty and disrespect doesn't even raise an eyebrow anymore.


Where do we go from here? As suggested, the challenge is to enjoy the benefits of massive data conglomeration without losing the benefit of privacy and freedom. It'll be tough - the technological solutions to identity frauds at all levels from financial cryptographers have not succeeded in gaining traction, probably because they are so asymmetric, and deployment is so complicated as to rule out easy wins. Even the fairly mild SSL systems the net community put in place in the '90s have been rampantly bypassed by phishing-based identity attacks, not leaving us with much hope that financial cryptographers will ever succeed in privacy protection [4].

What is perhaps surprising is that we have in recent years redesigned our strong privacy systems to add optional identity tokens - for highly regulated markets such as securities trading [5]. The designs haven't been tested in the full, but it does seem as though it is possible to build systems that are both identity strong and privacy strong. In fact, the result seems to be stronger than either approach alone.

But it remains clear that deployment against an uninterested public is a hard issue. Every company selling privacy to my knowledge has failed. Don't hold your breath, or your faith, and keep an eye on how this so-far American disease spreads to other countries.

[1] Mike Lee & Brian Hitchen, "Identity Theft - The Real Cause,"
http://www.ebcvg.com/articles.php?id=217
[1.b] Bob Sullivan, "Study: ID theft usually an inside job,"
http://www.msnbc.msn.com/id/5015565
[2] Declan McCullagh, 'The upside of "zero privacy,"'
http://www.reason.com/0406/fe.dm.database.shtml
[3] Adam Smith, "Lecture on the Influence of Commerce on Manners," 1766.
[4] I write about the embarrassment known as secure browsing here:
http://iang.org/ssl/
[5] The methods for this are ... not publishable just yet, embarrassingly.

Posted by iang at May 25, 2004 08:34 AM
Comments

In my eyes, Identity Theft is much easier if the only identifier that is commonplace, namely the SSN, is used for authentication as well.

This definitely is a benefit of a national identity card. I don't want to incite a flame war about the possible abuse of such a card and the reason why most US citizens don't like the idea - but it is a single document that is somewhat hard to fake and it looks exactly the same all over the country (in contrast to US driver's licences). Over here it has a photograph on it and it states some biometric data (like height and eye color) that are hard to fake. Since there is only one issuing authority the effect is somewhat of a PKI. It's harder to get such a document than it is to dumpster dive, get pieces of a victim's life and abuse them.

As a matter of fact, identity theft plays no role over here whatsoever. I called our federal criminal authority and asked them about it.

Posted by: Axel at May 27, 2004 05:27 AM

> Identity theft is a uniquely American problem. It reflects the massive
> - in comparison to other countries - use of data and credit to manage
> Americans' lives. Other countries would do well to follow the
> experiences, as "what happens there, comes here."


Hmm... to the contrary I have assumed, the US will gravitate towards better ways.

All of the advanced cultures learn from other cultures. What they are able to absorb at any given time, varies a lot. People may embrace some things, be repelled by others. Our media and institutions sometimes block it, or sometimes, accelerate it.

The dominant population in the US are the white patriarchic, Christian population. These people have demonstrated, at least since 1918, very large organizational forms. This was not unique; the British, French, Germans did this too. As did the Japanese with their trading companies and still do, have some of the largest effectively operating organizations on earth.

What is unique in the US is that nobody has ever come in and completely destroyed the place, therefore the US has ridiculously vulnerable infrastructures both physically and in its social organization. Today only the Japanese have such vulnerable money and ID systems but they have such a homogeneous population, foreigners can't really exploit it. And they have millions in their unofficial police force (the yakuza and the rightist organizations) to maintain order.

The US has its own peculiar adaptations; its police industry thrives on crime and has no real intention of reducing it, which would put itself out of business. So it goes on. Now we will have a federal, homeland security (sic) organization. More pork, more patronage equals more crime.

Todd

Posted by: Todd at June 7, 2004 06:55 AM

Axel,

the reason Identity Theft is not prevalent outside America is that it is not worthwhile. That's the whole point - Identity is the root handle on a huge credit availability that simply doesn't exist in other countries. Getting hold of an American's identity is very valuable. How much is yours or mine worth, in credit terms?

Compared to which, the existence of SSNs or other tokens is a side issue, that's just a practical problem of costs for the identity thief. The starting point must be "how much is it worth?" which allows working the budget to cover the costs of stealing the identity.

iang

Posted by: Iang at June 7, 2004 06:59 AM

Ian, can you elaborate on that? I can't as of yet see why the credit market should be substantially bigger in the US than in other countries.

I'd still say that at least in Germany the trackability is there due to a thorough identity management system. Nothing along those lines exists in the US, the UK or Canada.

Posted by: Axel at June 8, 2004 02:43 AM

We are not talking about trackability. We are talking about Identity theft. Very different things.

In the USA, there is a very large credit culture. This culture doesn't exist elsewhere, to my knowledge (but is gradually taking off in nearer countries). The credit system works by keeping national databases with three main companies of everyone on the system.

If you can crack the identity of someone, you can gain access to the credit which allows a very fast turnaround of purchases. It's possible to go buy a car the way other people buy appliances, and drive it out that hour. This happens a lot, by people stealing the identity and then living off it for a while, then moving on to the next identity.

Now, generally that credit is extended by a new company with which the identity has no prior relationship. (Everyone fights for this business.) So it is unlike for example getting access to a bank account (although that is a big part of the online phishing scams). In the case of a new credit relationship, the credit provider is caught between the desperation of acquiring new customers and the difficulty in proving who they really are.

In general, they go for the former, and everyone pays for the costs of the thief of the latter.

I can't recall, but at the FTC it is now the leading problem. It is the only serious crime on the net - phishing. By serious, I mean serious fraud, not the vandalous nature of viruses.

I'm conscious of not being able to explain it so well - which is why I wrote the blog entry. I didn't understand it until I lived with and observed some Americans and their credit histories. It's powerful stuff, culturally and economically pervasive.

Posted by: Iang at June 8, 2004 03:59 AM

Ah, but trackability and traceability play a huge role! If you have little chance of being traced and tracked down when doing fraudulent business, you can act much more carefree. That's what I mean by trackability: it's easy to hunt you down over here. However, this is only being done if there is a need.

You are right, of course, when you say that the credit culture is different. I didn't know it was possible to buy a car and drive it out the door the same hour - over here it takes about a day to check your credit rating and do all the paperwork. And they often copy your ID card (trackability once again).

Yes, I'll have to think about this some more, you're right ;-)

Posted by: Axel at June 8, 2004 04:12 AM