Schneier on Security
A blog covering security and security technology.
March 30, 2005
ID Theft is Inescapable
The Register says what I've been saying all along:
While this is nothing new, there is an important observation here that's worth emphasizing: none of these cases involved online transactions.
Many people innocently believe that they're safe from credit card fraud and identity theft in the brick and mortar world. Nothing could be farther from the truth. The vast majority of incidents can be traced to skimming, dumpster diving, and just plain stupidity among those who "own" our personal data.
Only a small fraction of such incidents result from online transactions. Every time you pay by check, use a debit or credit card, or fill out an application for insurance, housing, credit, employment, or education, you lose control of sensitive data.
In the US, a merchant is at liberty to do anything he pleases with the information, and this includes selling it to a third party without your knowledge or permission, or entering it into a computerized database, possibly with lax access controls, and possibly connected to the Internet.
Sadly, Congress's response has been to increase the penalties for identity theft, rather than to regulate access to, and use of, personal data by merchants, marketers, and data miners. Incredibly, the only person with absolutely no control over the collection, storage, security, and use of such sensitive information is its actual owner.
For this reason, it's literally impossible for an individual to prevent identity theft and credit card fraud, and it will remain impossible until Congress sees fit to regulate the privacy invasion industry.
Posted on March 30, 2005 at 7:35 AM
There is another option. An alternative system of identity management, one based on sound privacy principles and strong encryption could very quickly replace the central repository role of the personal information brokers.
Any time you have lots of valuable private information in one place it becomes a tempting target. Only by distributing the information to a large number of privacy brokers can the benefits of having the information available come into balance with the risks of storing it.
It's been said before:
"Information wants to be free" and it'll be said again:
"Information (no matter which type) wants to be free"
It's past time for a US Data Protection Act, along the lines of the UK model.
Wow, that's quite a non-response you have there. You said exactly nothing. My private information "wants" to be in the hands of whoever wants it? Interesting.
I guess we should give up on security entirely then. I think I'll go ahead and post my name, address, SSN, and all account numbers on a public web page, so I can simply hand out the URL as needed.
Then, I'll stop writing to my representatives about the privacy and security issues. I'll just explain that we've been wrong all along; that sensitive data just "wants" to be free after all.
Humans and Information are like curious primates and a stack of thigh bones...
Unless you can figure out how to make humans naturally smarter each generation on a large scale, information will always be misused. Just an FYI: It isn't the Information that is the problem.
There is one point that does need to be made about the Internet and identity theft. It provides another avenue for using credit card information once it has been stolen.
With banks increasingly abusing recent legislation allowing them to post check images online for customer review, we have a new threat. Anyone whose online banking credentials are compromised is now victim to a massive exposure of personal information. It was bad enough when an intruder had access to your bank account--now he can see the account numbers of your credit cards, your doctors' names, your business associates' names, the check recipients' endorsement signatures, and anything else you or anyone else ever writes on a check. This is a whole new class of information which banks are now disclosing; much of it is advisory information for the people you are writing the checks to, e.g. your account number, which the bank has no need to know and certainly no business disclosing online.
Banks should be allowed to disclose only check numbers and amounts. This check images thing is going to bite a lot of people in the ass. This is such a serious matter I can't understand why it isn't being posted all over the network security media. Dr. Schneier, please share any thoughts you have on this matter. Thanks.
Well, my point in posting the Register article on your log (http://www.schneier.com/blog/archives/2005/03/more_on_choicep.html) was not to emphasize the futility of securing information, but rather to suggest that disclosure laws have a real impact that favors personal identity safety over big business (ChoicePoint) profit motives.
The Register article makes a fine point about the problems, but it skirts over the fact that March has had more disclosures than ever due to government-led regulation.
Security professionals, and even Howard Schmidt, may quibble over whether the break-ins are online or offline, but the bottom line is that if someone is a steward of your personal information and they give it to a criminal, they should notify you. Period. You need to know when that information is misplaced/stolen regardless of the method.
In fact, emphasizing the distinction between brick-and-mortar and online transactions is relevant today if only to help people see the need for defense-in-depth and bring the CSO and CISO roles together. That is good fodder for companies to chew on as they investigate their risk profile, but consumers really do not care if a criminal accesses their data from a database directly or tricks an employee into doing it.
"Sadly, Congress's response has been to increase the penalties for identity theft, rather than to regulate access to, and use of, personal data by merchants, marketers, and data miners. Incredibly, the only person with absolutely no control over the collection, storage, security, and use of such sensitive information is its actual owner."
This is technically only true with regard to the US Congress, but as I've posted before the state of California has laws that are specifically designed to give control back to the owner:
Breach disclosure (SB1386)
Reasonable security (AB1950)
Sharing or shine the light (SB27)
The latter two laws went into effect Jan 1, 2005. The "Shine the Light" law, which is very interesting but few people seem to discuss yet, requires certain businesses to disclose their information-sharing practices with their customers. If you send a request to a company, they must tell you with whom they have shared your personal information for marketing purposes within the last twelve months.
Bruce, could you make that your blog entry for tomorrow? ;)
Moreover, the Register should know better than to suggest that the standing regulation of disclosure, which was passed two years ago, is mutually exclusive with "control over the collection, storage, security, and use of information". They are virtually the same and I suspect (judging by recent FDIC bulletins) that (unless ChoicePoint and their fellow conservatives can afford to back the strong anti-citizen-rights lobby) a federal breach disclosure law may be in place by the end of 2005.
Anyone interested in the general subject of identity theft should check this guy's journal out:
Apparently the guy actually tracked down and caught his own identity thieves. He was lucky they were so local to him... One might even call it inspirational.
Information wants to be free, but so does most of the population of any given prison. Carrying the analogy a step or two further, if the warden at any given prison were as careless with the inmates in his/her charge as the fine folks at ChoicePoint has been with data, do you think they would still have a job? It is certainly difficult to secure both information and prisoners, but I think we can all agree that the effort must be made.
As for the idea of returning control over information to its original owner, would this be the same population that makes a password the same as their birthday, then gets angry at the inconvenience of being forced to change it every 6 months? If somebody engages in criminally negligent behavior with my personal information, I sure don't want them coming back to me to say I should have been more careful with it. Anything short of laws holding corporations and their officers liable for their acts or omissions is merely buck-passing masquerading as reform.
Use more cash and fewer checks and credit cards. It reduces your total exposure from a number of different angles. It does increase your risk of being robbed some. I usually carry a gun while in public too so I don't worry much about carrying several hundred dollars in cash or making large cash withdrawals from ATMs. There are always tradeoffs...
I recall the Dilbert cartoon where Dilbert was out dining with a young lady. While he was lecturing her about the dangers of sending his credit card number out over the Web, he handed his card to the waitress.
She came back at the end of his lecture wearing a mink coat.
The issue is not how to completely give up and survive in a completely lawless and hostile survivors-only world, but how to help contribute to (if not create) a more safe environment that encourages stability and positive economic growth while preserving individual liberties. In other words, the goal is to reduce vulnerability AND mitigate threat.
I mean if you measure risk as assets x vulnerability x threat, your rootin-tootin' gun-totin' style of security only handles half the issue. If you're the sharpest-shooter in Dodge, then you have the potential to reduce your vulnerability (and even that is questionable since armed resistance often begets an escalation of risk). So while you might *feel* less vulnerable with your trusty firearm in pocket, that alone does not cost-effectively reduce the threat (which I believe is the bigger concern in your case).
Incredibly, the only person with absolutely no control over the collection, storage, security, and use of such sensitive information is its actual owner.
This is a common misconception. In America, we don't actually own our personal data. It is owned by those who spent the time and effort collecting it. This is a difference from Europe, which (I think) has personal data ownership laws that give ownership to the person it pertains to. Because the data is about you doesn't mean you own it (or should own it).
Personally, I think assigning ownership rights to the person the data is about is a definite step in the right direction.
I notice that Tox listed "name, address, SSN, and all account numbers" as the most sensitive information involved. That points at the other side of the problem: even that whole set *shouldn't* be enough for identity theft. The only reason it's risky to reveal your SSN is that too many institutions incorrectly use it as a pseudo-password. Knowing someone's name and account number should not be enough for the bank to authenticate you as that person. That problem needs to be addressed too, and it seems to me to be the easier of the two.
I notice that Tox listed "name, address, SSN, and all account numbers" as the most sensitive information involved. That points at the other side of the problem: even that whole set *shouldn't* be enough for identity theft. The only reason it's risky to reveal your SSN is that too many institutions incorrectly use it as a pseudo-password. Knowing someone's name and account number should not be enough for the bank to authenticate you as that person. That side needs to be addressed too.
To the moderator: delete my post above, it's full of errors!
Control over one's personal ID information is a myth.
But that doesn't mean everybody will be sent to prison because some person stole his/her ID and used it for malicious things.
I mean, with credit card fraud the credit card owner isn't victimized, because when he/she notices the fraud he/she immediately calls the bank, who undoes the transaction. That's why most e-commerce shops go bankrupt: it's because customers (victimized ones) undo their transactions, while the e-commerce shops are left with no money.
Well, I'm no James Bond, so I don't know all the possible ID thefts that do work, but I don't exclude the fact that there are ways of stealing an ID.
Let's face it, an ID really is nothing more than a registration at some government agency in which it states that my face belongs to that ID.
Who's to know if it's true or not?
And when is a new ID created? At the birth of a new human.
In the Netherlands we have a registration duty of every newborn by law. It then gets a birth certificate (and of course they are registered in a national database).
I think ID is all based on faith. Faith in the fact that the person that faces you really is the person he/she claims to be.
I personally think no digital electronic system is going to guarantee ID security or validity for that matter.
The title of this thread is "ID Theft is Inescapable". Drop the ID and we have "Theft is Inescapable", and who would want to argue with that.
The issue is really one of reducing the crime and its effects to acceptable and manageable proportions. This is nothing new.
What is new is the level of identity-related crime and public perception of it. It's the "in" problem.
As time passes, we will get a better grip on it, through legal sanctions, law enforcement, business behaviour and personal care.
Let's just try and get there sooner!
Bruce wrote "ID Theft is Inescapable" but he really wanted to write "ID theft in the USA is inescapable because regulators, politicians and data collectors in the USA all agree that individuals don't have a right to privacy and data protection." But that title was too long, so he decided for the shorter, alas factually wrong, title.
The reason ID Theft is Inescapable is because the current identification system is based on the assumption that you can identify someone by having them provide 'secret' information about themselves as verification that they are who they claim to be. The problem is that every time I want to verify my identity, I need to display my 'secret' information in the public domain. In an age where information is being captured, stored and distributed at an ever increasing rate, requiring me to share my 'secret' information in public every time I want to identify myself is obviously going to allow violation of my identity.
The solution is not to create numerous pieces of legislation that all attempt to control the data and keep it 'secret' because this is impossible. Rather, a system needs to be developed that is not based on data having to be 'secret' to identify an individual in the first place.
"The reason ID Theft is Inescapable is because the current identification system is based on the assumption that you can identify someone by having them provide 'secret' information about themselves as verification that they are who they claim to be." This isn't generally the case. The only situation when I need "secret" information to identify myself is when I need a password for some online transaction. Otherwise, I usually identify myself with documents. Never with my "mother's maiden name" or bullshit like that.
Isreal: "Information wants to be free"
I've heard this cliche so many times, but the blatant falsehood never seems to be addressed. Information is inanimate. It couldn't care less whether it is shared or not.
However, what people really mean when they say this is "I want your information, no matter what you think". This attitude directly leads to a lack of respect for others' property, including their identity. Hacking into systems, stealing and sharing information, publishing information that is damaging to others all naturally follow.
If you don't accurately state the issue, you will never be able to address it.
What I think we need is a European style privacy law. Congress seems to have the impression that that would violate the first amendment and so can't be done here. Given the many ways in which communication, especially the commercial sort, is already regulated (copyright, classified and restricted data, obscenity, libel, advertising rules for some professions, and even the regulation of those who give financial advice) I fail to see how giving us back control of our personal data breaks any new constitutional ground.
Here is a link to the UK Data Protection Act 1998, including information on amendments since 1998:
Given recent technological and societal changes, it's difficult to view it as ideal. However, it does offer greater protection to individuals than currently available in the USA.
John David Galt: excellent point. You could add software patents (i.e. patents on ideas), gene patents and many more. Disney threatens school children who paint Mickey Mouse characters on a wall with legal action. American seed companies have patented Basmati rice (a sort of rice that has been developed and grown in India for centuries), corn varieties found in the field in Mexico, etc. A doctor patented genes that he had found in the body of one of his patients without even telling him. (To remember, patents were originally supposed to protect inventions of human ingenuity, not mere findings). The patient sued to invalidate the patent but the courts said he had no right over his own body parts. What all this tells us is that something must be wrong with the current interpretation of the US constitution. It surely wasn't the idea of the founders to protect only the "rights" of commercial enterprise and deny individual human rights.
I use a credit monitoring service, which I used to think was a waste of money, but don't think that now.
My ex-wife puts a fraud alert on her credit every two years. This requires the credit bureau to call you any and every time someone tries to get credit in your name.
A European style privacy law will never pass constitutional muster. The First Amendment provides special protection to free exchange of information--and yes, even corporations have constitutional rights. While it doesn't mean everything related to information is permitted, it does mean that prior restraint is the last resort, when irreparable harms would occur otherwise. I fail to see how that's the case here. If someone applies for a loan under your name, it can be taken off the book. If someone charges your credit card, you can be reimbursed.
"While it doesn't mean everything related to information is permitted, it does mean that prior restraint is the last resort, when irreparable harms would occur otherwise." Where is the irreparable harm done by children painting Mickey Mouse on the wall? And yet, Congress passed a law prolonging the period during which Disney's copyright is protected, and nobody mentioned the constitution. Come on, the First Amendment is only a pretext. And lest you haven't heard of that, European constitutions too protect "the freedom of speech, or of the press".
Your characterization of people who carry guns for protection is completely wrong. In most major U.S. cities (exclude NYC, Washington D.C., Chicago, and cities in California) about one out of every 50 people you pass on the sidewalk are legally carrying a firearm. The number that carry illegally is unknown but I know a number of fine upstanding, professional, people that carried in Chicago before leaving for some legal jurisdiction that didn't prohibit you from defending yourself with the best available tools. Firearms are used to successfully defend innocent life from 1 to 2 million times each year in the U.S. Please do some research before you dismiss as cowboys 40% of the U.S. population that owns firearms--most of those in part for self defense. I suggest you read one or more of the following:
http://tinyurl.com/6qwxf (More Guns Less Crime)
Physical security is an important part of any security plan. Firearms play an important role in that.
The New Hampshire Supreme Court ruled that information brokers can face civil liability over the selling of personal information to third parties. The case was about an individual who had been tracked down and murdered outside their workplace. The perpetrator had purchased the SSN and work address of the victim from an information broker Web site. See http://www.epic.org/privacy/boyer/ for more information.
Information by "nature" is available to all. This is what makes it free. Those who do not want it to be free (such as being known or available to others) must fight very hard to corral it and conceal it. But sometimes it jumps the fence and sets itself free.
Not sure what universe you live in, but in my universe information, by "nature", is subject to numerous physical constraints, the most obvious being the speed of light. Information is no more "free" than electromagnetic radiation. I mean, as long as you're dragging "nature" into the discussion...
Don't be fooled into believing that LifeLock can keep you safe. They just admitted (http://www.ftc.gov/opa/2010/03/lifelock.shtm) that they have been lying to their customers about their service.
If you've been using LifeLock; you've been played for a fool.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.