Schneier on Security
A blog covering security and security technology.
June 17, 2008
LifeLock and Identity Theft
LifeLock, one of the companies that offers identity-theft protection in the United States, has been taking quite a beating recently. They're being sued by credit bureaus, competitors and lawyers in several states that are launching class action lawsuits. And the stories in the media ... it's like a piranha feeding frenzy.
There are also a lot of errors and misconceptions. With its aggressive advertising campaign and a CEO who publishes his Social Security number and dares people to steal his identity -- Todd Davis, 457-55-5462 -- LifeLock is a company that's easy to hate. But the company's story has some interesting security lessons, and it's worth understanding in some detail.
In December 2003, as part of the Fair and Accurate Credit Transactions Act, or Facta, credit bureaus were forced to allow you to put a fraud alert on their credit reports, requiring lenders to verify your identity before issuing a credit card in your name. This alert is temporary, and expires after 90 days. Several companies have sprung up -- LifeLock, Debix, LoudSiren, TrustedID -- that automatically renew these alerts and effectively make them permanent.
This service pisses off the credit bureaus and their financial customers. The reason lenders don't routinely verify your identity before issuing you credit is that it takes time, costs money and is one more hurdle between you and another credit card. (Buy, buy, buy -- it's the American way.) So in the eyes of credit bureaus, LifeLock's customers are inferior goods; selling their data isn't as valuable. LifeLock also opts its customers out of pre-approved credit card offers, further making them less valuable in the eyes of credit bureaus.
And so began a smear campaign on the part of the credit bureaus. You can read their points of view in this New York Times article, written by a reporter who didn't do much more than regurgitate their talking points. And the class action lawsuits have piled on, accusing LifeLock of deceptive business practices, fraudulent advertising and so on. The biggest smear is that LifeLock didn't even protect Todd Davis, and that his identity was allegedly stolen.
It wasn't. Someone in Texas used Davis's SSN to get a $500 advance against his paycheck. It worked because the loan operation didn't check with any of the credit bureaus before approving the loan -- perfectly reasonable for an amount this small. The payday-loan operation called Davis to collect, and LifeLock cleared up the problem. His credit report remains spotless.
The Experian credit bureau's lawsuit basically claims that fraud alerts are only for people who have been victims of identity theft. This seems spurious; the text of the law states that anyone "who asserts a good faith suspicion that the consumer has been or is about to become a victim of fraud or related crime" can request a fraud alert. It seems to me that includes anybody who has ever received one of those notices about their financial details being lost or stolen, which is everybody.
As to deceptive business practices and fraudulent advertising -- those just seem like class action lawyers piling on. LifeLock's aggressive fear-based marketing doesn't seem any worse than a lot of other similar advertising campaigns. My guess is that the class action lawsuits won't go anywhere.
In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn't work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry's lobbyists would never allow that.
LifeLock does a bunch of other clever things. They monitor the national address database, and alert you if your address changes. They look for your credit and debit card numbers on hacker and criminal websites and such, and assist you in getting a new number if they see it. They have a million-dollar service guarantee -- for complicated legal reasons, they can't call it insurance -- to help you recover if your identity is ever stolen.
But even with all of this, I am not a LifeLock customer. At $120 a year, it's just not worth it. You wouldn't know it from the press attention, but dealing with identity theft has become easier and more routine. Sure, it's a pervasive problem. The Federal Trade Commission reported that 8.3 million Americans were identity-theft victims in 2005. But that includes things like someone stealing your credit card and using it, something that rarely costs you any money and that LifeLock doesn't protect against. New account fraud is much less common, affecting 1.8 million Americans per year, or 0.8 percent of the adult population. The FTC hasn't published detailed numbers for 2006 or 2007, but the rate seems to be declining.
New card fraud is also not very damaging. The median amount of fraud the thief commits is $1,350, but you're not liable for that. Some spectacularly horrible identity-theft stories notwithstanding, the financial industry is pretty good at quickly cleaning up the mess. The victim's median out-of-pocket cost for new account fraud is only $40, plus ten hours of grief to clean up the problem. Even assuming your time is worth $100 an hour, LifeLock isn't worth more than $8 a year.
And it's hard to get any data on how effective LifeLock really is. They've been in business three years and have about a million customers, but most of them have joined up in the last year. They've paid out on their service guarantee 113 times, but a lot of those were for things that happened before their customers became customers. (It was easier to pay than argue, I assume.) But they don't know how often the fraud alerts actually catch an identity thief in the act. My guess is that it's less than the 0.8 percent fraud rate above.
LifeLock's business model is based more on the fear of identity theft than the actual risk.
It's pretty ironic of the credit bureaus to attack LifeLock on its marketing practices, since they know all about profiting from the fear of identity theft. Facta also forced the credit bureaus to give Americans a free credit report once a year upon request. Through deceptive marketing techniques, they've turned this requirement into a multimillion-dollar business.
Get LifeLock if you want, or one of its competitors if you prefer. But remember that you can do most of what these companies do yourself. You can put a fraud alert on your own account, but you have to remember to renew it every three months. You can also put a credit freeze on your account, which is more work for the average consumer but more effective if you're a privacy wonk -- and the rules differ by state. And maybe someday Congress will do the right thing and put LifeLock out of business by forcing lenders to verify identity every time they issue credit in someone's name.
This essay originally appeared in Wired.com.
Posted on June 17, 2008 at 6:51 AM
• 73 Comments
I don't get it. Who needs congress for that? If someone tries to collect a debt from me, they have to prove that I opened that account, applied for that credit card or signed for that loan. If they don't check the identity of their customers, how can they ever collect anything?
@ Marc B.,
"If they don't check the identity of their customers, how can they ever collect anything?"
Unfortunately most people are very very easy to find.
Also it is not easy to prove you did not do something. Unless they keep a detailed daily diary most people cannot tell you what they did a week ago let alone three months ago.
As for forcing you to pay they don't have to unless you are one of those extraordinarily lucky people who will never have to borrow money or use a financial service.
They simply blacklist your name, in most parts of the world that effectively cripples you as regards living effectively in the modern world (/hell) we have built around ourselves. You then have the job of trying to sort it all out that at the very least can occupy the better part of a month of your life and even then you have to keep chasing it up for years as bad credit records have a habit of re-appearing faster than weeds in your back yard.
"As for forcing you to pay they don't have to unless you are one of those extraordinarily lucky people who will never have to borrow money or use a financial service."
Or, try to open a bank account, get a job, rent an apartment, or ANYTHING ELSE that credit reports are ab^H^Hused for.
Sorry, I'm not American, I am from a country with a sophisticated financial system.
Are you guys telling me, that banks and other lenders can file disputed claims with credit report agencies in the USA? Here in Germany they would be shut down immediately, if they tried to report disputed claims. Only claims, that are undisputed or confirmed by court can be put onto a credits record here.
I have never understood why these "Credit Bureaus" are allowed to sell for a profit my personal information but I can not even make them correct the information they have.
I cancelled a credit card (it was joint, I got divorced, I was instructed BY THE COMPANY ITSELF to close it) 7 times with CapitalOne and they still show it open. I complained to the credit bureaus and they all said "nope, nothing wrong here".
And class-action lawsuits are the legal equivalent of those little "As Seen On TV" stickers - you can see from across the room that this litigation is CRAP.
@Marc B: I agree with your opinion, they should have to prove I am the debtor, but the laws are all geared to protect companies at the expense of individuals. They can file liens against you, keep you tied up in legal knots and you can't sell your house, buy a car, get a job (which seems contradictory if they want you to give them money) until you get them to admit you are not the perp; or you pay up just to get your life back.
Right. Any creditor can report a delinquent account to a credit bureau.
I'll assume that the claims must be made in good faith pursuant to FACTA.
Our system basically requires the consumer to use his time and or money to dispute discrepancies in his report. It's a lot easier to get something attached to one's report than having something removed.
> Also it is not easy to prove you did not do something.
You completely miss the point. You don't have to prove *anything*, the *lender* has to prove that you *did* something.
(Except that you have this bizarre system in USA where financial institutions can freely share personal information about you and so it only takes one unsubstantiated claim of debt to ruin you. That doesn't make it right, though, and I'm guessing Marc doesn't live in US and doesn't know about this crap.)
> They simply blacklist your name, in most parts of the world
That would be USA, not "world".
You guys are telling me, that creditors in the US don't really know and don't even care who they give their money to, but simply try to collect it from the guy with the SSN, their debtor told them? And if he does not pay, they blackmail him with a bad credit history?
That's simply disgusting.
If I were in your shoes, I would scream for the introduction of a decent ID and its mandatory use in the financial system. Not try to block it for some strange reasons from the frontier days.
With a decent ID, it could really be the duty of the creditor to prove that you are the debtor. Because as I understand, it's quite difficult to prove the identity of a business partner in the US right now.
It's better than Pet Rocks that people purchased for $10's in mid seventies; adjusted for inflation it's not a bad buy.
However Bruce you should have commented on yet another company having "all" your credit/debit #'s .. 4 digit Pins are easy to break.
So you might have protected your identity but reduced your security!
@Stine: I found the Fair Credit Reporting Act and I think the relevant clauses are:
"knows or has reasonable cause to believe that the information is inaccurate''
"Definition.--For purposes of subparagraph (A), the term 'reasonable cause to believe that the information is inaccurate' means having specific knowledge, other than solely allegations by the consumer, that would cause a reasonable person to have substantial doubts about the accuracy of the information.''
Well, that's different here. A mere dispute in writing is enough, so the claim is not undisputed and can't be reported to anyone unless confirmed by a court.
I remember receiving several mailings from Bank of America suggesting that I sign up for one of their programs, complete with apocalyptic stories about identity theft and how paying $100 a year would save me from it. I decided that their service was absolutely worthless.
So maybe banks just don't want any competition from LifeLock or others.
"LifeLock's business model is based more on the fear of identity theft than the actual risk."
Of course. We're a nation of frightened little sheep now. Fear sells, just as it also gets TV ratings, and wins elections.
The last time I had to call to activate a new credit card, the salesperp was extremely aggressive about how important it was that I should enrol in their identity theft protection scheme. She even went as far as to claim she, personally, had been a victim. I mean, come on, that's one hell of a coincidence isn't it, given the relatively low odds of a serious identity theft occurring?
When she finally got it through her stubborn head that I wasn't taking the bait, she tried to leave me with the impression that I was sure to have my details stolen and life ruined. Disgusting conduct if you ask me.
Europeans have this nauseating sense of righteousness about everything.
I as a lender shouldn't have to spend $50,000 in a court to get a bad credit history entry on someone who refuses to pay $1000.
So Herr Marc, your system stifles "real" credit rather than help it.
Next time you call Europeans "advanced" just remember less than 100 years ago your ancestors carried the money in a wheel barrow to get a loaf of bread.
Bruce - this was an interesting piece, but I found it surprising that you were defending the practices of a company whose founder, Robert Maynard, resigned from the company due to allegations that he, himself had stolen identities http://www.phoenixnewtimes.com/2007-05-31/news/...
I agree that the company has some beneficial attributes to its business practices, but the company itself has been steeped in branding problems making it difficult, at this point to take seriously as a "Trusted Partner"
Don't scream about ID's too loudly .. last time you guys had "decent" ID's the whole world had to come around and redo them for you .. without the stars and all.
We as Americans don't like ID's that much .. we like names better :-)
I have a credit freeze -- wonderful little mechanism. But I realize that they are not for everybody.
"And it's hard to get any data on how effective LifeLock really is."
A LifeLock competitor, Debix, recently published data on the effectiveness of their product.
We have of course a simplified procedure to establish a claim by court. You don't need a full lawsuit for that.
Please scroll down to the table at this link:
The first column is the claimed debt (plus costs), the second is the fee for the simplified court order and the third is the fee for the attorney, if you use one (all amounts in Euro). This can be spared if you do it yourself - it's only a one page form.
If the claim gets disputed, you can go into a full lawsuit just by sending in one part of the form - or you can tick off a check box from the beginning, then the court will open a lawsuit automatically if the dispute is received.
PS: And yes, German lawyers work for those paltry sums, because it is so easy to file for a court order.
Even more frightening than financial identity theft is criminal identity theft. I realize they are both crimes. The distinction is that, in the latter, a criminal ID thefts someone to get a license or other identifying paperwork, and then commits a crime. It could be as simple as getting a driver's license in someone else's name and then committing a crime, getting caught in the act, and showing the license to the police. The thief gets out of jail, misses his court date, and the cops go after the guy's name on the license, i.e., you.
Next: the cops show up at your house w/ a warrant for your arrest.
Don't worry, within 48 hours, it's very likely that the whole mess is cleared up and you're discharged from jail. But it's an inconvenience at best.
Oh yeah, and that can happen anywhere, even in the "advanced" European countries.
For financial ID theft, I think freezing one's credit is a very good idea, esp if you're at above-average risk.
"I have never understood why these "Credit Bureaus" are allowed to sell for a profit *_my personal information_* but I can not even make them correct the information they have." (emphasis added by me)
It's simple. In the eyes of the law it isn't YOUR information.
The topic was the focus of some discussion in this thread:
In essence the idea is that a company that puts your data into the "Giant Database (TM)" now owns the data, and can do with it what they like because it is now theirs and not yours.
I don't think that is how it should be, but unfortunately that is currently how things are being run. As has been pointed out in this thread, it is often because the entity being protected is not the consumer, but rather the corporations who lobbied for the laws before these problems were apparent and interesting to the general public.
Why don't the credit agencies just offer the fraud alert service beyond 90 days for a fee? This would cut LifeLock and similar companies off at the knees AND make the credit bureaus more money. Seems like a pretty simple solution to me.
>> "We have of course a simplified procedure to establish a claim by court. You don't need a full lawsuit for that."
I have heard of half-pants, half-shirt, half-ass .. but never a half-lawsuit.
Have you guys figured out how to make a girl not full-pregnant too?
This is mumbo jumbo of arguments/legalities and justifications; there either is a deterrent or there isn't.
Your system appears not sophisticated but sophistic.
Call it what ever you like. I call it balanced and well established. It simply works. 1.3 million times a year in Germany.
If your claim is well founded you can get it confirmed fast, cheap and reliable and start to collect. If it is not, the addressee of the claim will tell you by disputing it. Then it is on you if you want to sue or not.
Last I checked, Equivax had my work history starting two years before my date of birth. The credit bureaus clearly don't do even basic sanity checks on the data -- it's just an ass-covering service for lenders to be able to say that they checked out a prospective borrower, kind of like, "we're secure, we have a firewall!"
"Next time you call Europeans "advanced" just remember less than 100 years ago your ancestors carried the money in a wheel barrow to get a loaf of bread."
Don't worry, you septics have that to look forward to.
..I come from a country with a disastrous financial system.
We do have something like a SSN, but nobody uses it, most of the people never even got their number/card.
You can't do a single thing with just an id, or just a SSN. You have to have somewhere around 8 more pieces of "official" papers.
If your phone receipt matches your name, and the address matches your voter's id, all the easier.
It seems nearly impossible to get your first credit card. But once you get one, you'll receive too many phone calls offering yet another credit card.
(We don't have a Do-not-call list, BTW)
Why do banks so easily deny to give a cc to someone that doesn't already have one?
Because they won't be able to charge anyone at all if he wasn't who he said he was.
The trafficking of personal data without our knowledge or consent is, in a sense, a form of theft. After all, I would never reveal to casual friends, let alone strangers, my salary, bank and mortgage balances, medical details, or anything else I consider private. Neither have I authorized the broadcast of that private data.
To marketing people, our personal data is a goldmine. To merchants, who collect and sell the information, details about our lives have intrinsic value. To info-traffickers, our most intimate detail is their bread-and-butter.
Once our private particulars leak out, they’re free as flies and reproduce just as quickly. There’s no retrieving them, no protecting them, no regulating their use or abuse. Like anyone else, organized identity theft rings can obtain the juicy data for efficient, high-volume rip-offs.
@Marc B ..
Your argument is shallow. If I am a deadbeat of course I will dispute the claim.
What have you done except made it even MORE difficult to collect.
You will only pass step 1 if the deadbeat is either brain-dead or just dead, for all others you have to sue to collect and report.
As has been reported here most banks in the otherworld maintain private blacklists. You can't go to another bank and open new account without a reference either -- at least that's the way it was 25 years ago in West Germany.
Peter Lynch once lamented that New-Jersey State had more banks than England, I bet Germany has fewer banks than England; so my dear Mr. Sophisticated pants .. you have an archaic system run by clubs. US system is much bigger, more open and is far more advanced than anything your government will allow .. or your people be able to understand.
You know the German banking system so well. There were 2.079 fully licensed banking institutes in January 2008. How many are there in the US with four times the population?
OT ramblings in response to OT ramblings...
Regarding the "Germany/Europe/whatever is better than the US system," my experience is that western Europe and the US have financial systems that are *approximately* equal, if one can get over the "narcissism of small differences" that crowds out rational discourse. There are some aspects of the (for eg) British financial system that we in the States could incorporate to our benefit, of course, and the same is true the other way around.
My point is that the name-calling really isn't necessary, nor is it desired.
Regarding the sub-prime mess, it is indeed a serious concern, and a consequence, ironically, of economic advancement and the perturbations that follow (i.e., high securitization of mortgages before risk-assessment has a chance to catch up). It's a temporary blip in the big picture, and we'll all get past it relatively unscathed (yes, even those people who bought houses that they couldn't afford).
Lastly, the anti-Americanism really isn't helpful either. It reinforces the "snobbish European" image that some Americans have and doesn't contribute a thing of relevance to the discussion.
When I put a fraud alert on my credit, I only had to do it once for all three agencies.
It seems that if you do it at one agency, it will, as a courtesy, alert the others for you.
The 90 days is a freebie and it can be extended seven years if there is evidence that someone actually tried to steal your identity.
It was actually far easier than I thought it would be. Granted, TransUnion and Experian make it difficult to find the process on their website.
They provide lots of information *about* fraud, but don't tell you how to request your fraud alert short of phoning them up.
Equifax' on-line form to request a fraud alert is here and they will alert the other two agencies for you: https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp
@Marc B. and @sooth_sayer
According to the FDIC (US Federal Deposit and Insurance Corporation), the US has 647 financial holding companies and 27,511 financial institutions (some of which are owned by the holding companies).
I fail to see what relevance the number of financial institutions has to do with anything.
A smaller number of quality institutions trumps a larger number of poor ones.
Any number of financial institutions being properly run and governed is better than any number with lax regulation.
@ Garrett G.:
There is nothing anti-American about me. I'm over there quite often, really love the country, like almost every individual American I ever meet - this or that side of the ocean, been in NYC a number of times and traveled the West extensively from San Diego to Yellowstone National Park and Seattle to New Mexico. I have to admit, that I can't stand the current president and administration, but a large majority of Americans agrees in that.
And then there are number of things that really amaze me, and your banking system is among them. Personal checks were essentially abandoned here in the 1970s - since then we use direct transfer of funds from checking account to checking account, for business and private purposes. Only here and today I learned, that you have no way to defend yourself against unfounded financial claims.
Bruce mentions time and again how security is about psychology and the people. Of course that factor has been overlooked far too long. But some parts of a system are relevant to security too.
In Germany we simply have no identity theft. None. Just not existing. And our ID card and a financial system where everyone always knows, who one is dealing with, probably is the reason.
"And maybe someday Congress will do the right thing and put LifeLock out of business by forcing lenders to verify identity every time they issue credit in someone's name."
Yeah. That's a great idea. Solve problems that were created by poorly thought-out regulations with, wait for it....more poorly thought-out regulations.
The economic understanding in that prescription is astounding. Go get 'em!
@ Marc B.
It's not the ID card, it's just the financial system. We'll hand out $5,000 loans if just a little bit of data matches up, as long as that's not done in Germany, you won't find yourself with the fraud.
"your system stifles "real" credit rather than help it."
Considering how much the credit industry has been hurting the American economy lately, I'll say that anything that stifles credit is a good thing.
@Marc B: No, it is not true that "... a large majority of Americans agrees in that..." any more than a large majority of Germans agree that Angela Merkel is a bad leader.
And I have plenty of ID, adding another one won't help if the financial institutia are not motivated to actually check ID before issuing finances. If you decide to loan someone money without even finding out who they are first and they default, you should lose your badly thought out investment.
Finally why does the whole country have to suffer when a bank issues credit to people who were not creditworthy at that level? Have the banks take a loss or fail as appropriate, the government bail out the people who lose money that was covered by the FDIC and the people who defaulted go bankrupt. It's the system we have and it works fine. They signed the form, they knew the risks; I have yet to see any verifiable claims that someone put a gun to these people's heads and made them borrow money they couldn't pay back.
> They simply blacklist your name, in most parts of the world that effectively
> cripples you as regards living effectively in the modern world
Bullshit. America is not the world. In most parts of the world such identity theft doesn't even exist, it's mainly an American problem.
> In Germany we simply have no identity theft.
> None. Just not existing. And our ID card and a
> financial system where everyone always knows,
> who one is dealing with, probably is the reason.
What nonsense! Why is there a German word for it then, and why are there informational web sites about it in Germany? Take a look here:
The last one has a good quote (translated):
"Contrary to the US, identity theft in Germany is not always a punishable act. Only the use of the stolen data is..."
Lawyer costs in Germany are much lower than in the US. Yes. When and if a lawsuit is necessary then the costs are much more manageable - I know that from personal experience - usually providing a fair playing field. That is true.
And it may be that there is LESS identity theft in Germany than in the US, but of course it happens there as well. Claiming that it doesn't is uninformed and silly. Do some research the next time, please.
Look, I'm German myself. I feel similar to you about the US, having lived there for many years. But what annoys me the most about Europeans and fellow Germans especially is their patronizing attitude towards America. "We are SOOOO much more sophisticated." Sigh. Just give me a break.
To the Americans here: Not all Germans/Europeans are smug like that. Don't let the look of some taint your picture of the whole.
I think a big problem here in the U.S. is the "legal person" status given to corporations. Corporations aren't real people, but they have lots of money that can influence lawmakers. Is this just a U.S. thing?
The Credit Bureaus are also responsible for the issuance of so called "instant checks" by major credit card providers or their ilk in the branding business. These are instant fraud magnets but with a credit lock, they can't. I just started receiving these again after a two year hiatus.
"Yeah. That's a great idea. Solve problems that were created by poorly thought-out regulations with, wait for it....more poorly thought-out regulations."
The assumption that all regulations are necessarily poorly thought out is the assumption of an idiot. It makes no more sense than saying that because laws against recreational laws are poor public policy all laws, including those against murder and theft, must also be poor public policy.
"The economic understanding in that prescription is astounding. Go get 'em!"
The economic understanding you exhibit is the reason that the United States has lost the lead in the world economically, technologically and politically.
All companies like LifeLock are doing is engaging in a form of extortion - "pay us or bad things might happen to you". And so you advocate legalizing all extortion as the solution. Yeah, that's the smart move.
"laws against recreational laws" should be "laws against recreational drugs"
"The assumption that all regulations are necessarily poorly thought out is the assumption of an idiot."
The regulations in question, banking regulations, are poorly thought out. Just look at the problems they've caused.
"including those against murder and theft, must also be poor public policy."
You're confusing 'laws' with 'regulations.'
"The economic understanding you exhibit is the reason that the United States has lost the lead in the world economically, technologically and politically."
"All companies like LifeLock are doing is engaging in a form of extortion - "pay us or bad things might happen to you".
Well, by that logic, insurance companies, safety products companies, or your local university are all engaged in extortion. They can all make their case that if you don't pay them money now, bad things might happen to you in the future.
Your confusion lies in your mistaken belief that LifeLock is threatening to bring about these bad things itself. It isn't, and that's a necessary element to meet the definition of extortion.
(Such as dictionary.com's : "To wrest or wring (money, information, etc.) from a person by violence, intimidation, or abuse of authority; obtain by force, torture, threat, or the like.")
Again, the fact that some regulations are poorly thought out does not mean that all regulations are necessarily poorly thought out. Am I talking to a 13 year old?
Regulations are a form of law. It's not a matter of confusing things. It's a matter of comparing related things.
Insurance doesn't offer to protect me from theft. Insurance compensates me for losses I may incur, generally from a variety of sources, criminal or accidental. Law protects me from theft. Insurance companies, on the other hand, don't offer to protect me from theft.
Companies like Lifelock aren't offering to compensate me for damage to my credit rating. If they were they'd compensate me for things like my own failure to pay my bills on time, the same way health insurance compensates me when I fall off a ladder through my own carelessness. (There are companies that do offer such credit insurance, by the way.) They are offering protection. That's what makes it extortion. That's also why it is the business of Congress. It's about protecting people from the actions of others, from the actions of criminals and the negligence of the credit reporting companies, just as laws against theft and assault do.
Or do you believe that all law enforcement, all police forces and courts should be in private hands and available only to those who pay them?
There's nothing in the definition of extortion that requires the extorter to also be the one who threatens. Gangs and other criminal organizations often extort by offering protection from the threats of others, not by making the threat themselves. That's usually considered a failure of public law enforcement, often requiring new legislation (as in, say, action by Congress) and expanded law enforcement to do away with both the extortion and the separate threat.
The solution to problems that are caused by poor regulation or a lack of regulation is not to pretend that it's not a problem. The solution to these kind of problems is good regulation.
The web site you posted the URL to wants me to send them a letter with copies of my identification papers. They want me to print out their form, fill it out by hand, and send it in, but they had me fill out the information on the web site first.
Is this some site that exists to phish for your email address?
Wow, some people got up on the wrong side of the bed today or something...what's with all the snide remarks?
I agree with you (and Bruce) in general. In fact, if you remove the word regulation from your post you end up with a nice and simple philosophy: the solution to problems is good.
But seriously, I have one word to describe the process in question: bugfix. Bugfix seems like the most common model when it comes to the economics of progress. It might be less idealistic than scrap-and-replace, but it also has a more certain reward.
"Or do you believe that all law enforcement, all police forces and courts should be in private hands and available only to those who pay them?"
President Lincoln had some pretty good arguments for why private militias should end (and did subside) in America.
An excellent example of this was the competition between private militias in Wisconsin around the mid 1850s. As the story goes, the Irish militia refused to declare war on the federal government (to force abolition of slavery) and was subsequently stripped of weapons by German and Polish militias. The Irish then sent a ship on a fund-raising boat to Chicago to re-arm. The boat sank in a horrible storm on Lake Michigan on the return trip and all perished, completely and permanently devastating the Irish security presence. So, one of the problems with private militias...
LifeLock is an identity theft protection company. They monitor your credit so if someone tries to change your address or if creditors start to report delinquent payments, then the member is alerted by mail, e-mail or by text message.
LifeLock also blocks a person's credit from being tampered with. The credit monitoring service is well worth the fee LifeLock charges if a person has credit they wish to remain in good standing.
So I give LifeLock a thumbs up because for me I have better things to do than to remember to contact creditors every three months to block my credit.
@Garrett G et al.
A German comes on here, expresses legitimate (if somewhat ignorant.. but I assume he's asking questions hoping to get to understand more and you should too) shock at the way the American legal/financial system works and then we get all sorts of Nazi references. Next the German gets accused of anti-americanism. Hmmm..
Looking at sites like Groklaw (http://www.groklaw.net), I am mostly astounded that the American legal system provides anyone at all with any justice whatsoever (which I have to admit it quite often does). The German fundamental assumption is that, if someone behaves wrongly, you can quickly go to a court and get it efficiently sorted out. For example, the SCO case has already been settled in Germany. In the US, even after all these years before the court, no effective action has been taken and many people claim that SCO will simply escape with no consequences through bankruptcy.
The trick is, that at the point where the person disputes the claim they make it much more serious. Up until that point, they can claim to simply be unable to pay / not understand etc. After that point they are clearly trying to commit fraud. Where there is a swift, effective and cheap system of justice, this is a serious risk.
Even more clever, in the US system the default assumption is that both sides pay their own costs. If you have a 500 dollar claim, you won't recover it due to costs, even if you use small claims courts. In many other legal systems, the default assumption is that the loser will pay if clearly to blame. This has a great influence both on debt reclamation (you tend to get your debt repaid if you have the correct proof of it) and on "identity theft" (the debt reclamation agencies don't dare to go forward without a decent case).
Overall, this system means that people tend to do things a bit more conservatively and a bit more solidly since they have reason to expect to be checked by a court and belief that that court will benefit them if they have taken care. There have been quite famous cases where, for example, companies have failed to reclaim debts because the security of their systems and encryption they were using was deemed inadequate for the task.
Now, Mark seems to think that the difference is the ID. The truth is that ID does provide some quick fix, but it is a very brittle fix. In the end, with forged ID cards, the courts end up relying on other evidence anyway. E.g. was the person at the location where the transaction took place. The same lower rate of identity theft (or let's better say "fraud" based on assumed identities) can be achieved in other countries without ID cards but with legal systems more similar to the German one. Even England, which is quite close to the US in other aspects, serves as an example in this case.
P.S. interesting German vs. US article http://math-www.uni-paderborn.de/~axel/us-d.html
the cultural gap is quite large.
I was disappointed that Bruce didn't mention credit freezes in your article. I think that if you have a freeze, most of these services become unnecessary.
That's why I've been chasing lifelock around the web, every time there's a post or article about them, I'm there to make a comment about how much I think they mislead people.
I was really happy to see that Bruce weighed in as well (since my 1000 stings of the bee don't compare to his howitzer).
Schneier's article actually does make mention of credit freezes, toward the bottom.
"the fact that some regulations are poorly thought out does not mean that all regulations are necessarily poorly thought out."
I never wrote that all regulations are poorly thought out. I wrote: "...Solve problems that were created by poorly thought-out regulations with, wait for it....more poorly thought-out regulations."
The regulations in question were and continue to be poorly thought out. And Bruce's proposed regulation is poorly thought out.
"Am I talking to a 13 year old?"
Ah, taste the ad hominem. The last bastion of a weak argument.
"Law protects me from theft."
Well, no. There already exist laws against theft, yet theft still occurs. Obviously laws do not protect you from any and all thefts occurring. Laws offer remedies and provide deterrence, but they don't offer protection in the sense in which you're using the word.
"[LifeLock] are offering protection. That's what makes it extortion."
No, it's not extortion unless the entity in question at least makes threats of the use of force by his own means, or by means which he controls.
There's nothing immoral nor illegal about the protection that LifeLock is offering.
"There's nothing in the definition of extortion that requires the extorter to also be the one who threatens."
Sure there is. If someone makes no threat, but simply takes your money by means of unlawful force, then that's robbery (or theft), not extortion.
"Gangs and other criminal organizations often extort by offering protection from the threats of others, not by making the threat themselves."
No. That's not extortion. Again, the extorting entity must control or have reasonable contributory control over the source of the threatened use of unlawful force. If the gangs were in collusion, that would satisfy the 'contributory control' clause. Your example ("threats of others") implies they are not in collusion.
"The solution to these kind of problems is good regulation."
Well, if you include in your definition of "good" an absence of a violation of individual rights, then you'll be hard-pressed to formulate a regulation that won't take second place in quality of results to the best solution that hundreds of millions of people voluntarily choose through a free market. To think that a bureaucrat or group of bureaucrats can formulate better decisions for what people want, need, and most importantly, what is good for them, is to engage in a degree of hubris that all central planners suffer from.
It's also to be wrong.
Bruce says "But that includes things like someone stealing your credit card and using it, something that rarely costs you any money ". He can't possibly be that naive, can he? Fraud consistently costs the consumers in the long run. No one is magically absorbing those costs without passing them along to the consumers. No one.
LifeLock is based on a faulty business model. NO ONE can protect you from ID theft unless you are willing to commit yourself and your identity to secrecy.
You need to become "Classified" and only YOU should have your sensitive data, not storing it on any company server where it is vulnerable to hacker attacks and data breaches.
This is why LifeLock is faulty, and cannot do what it claims to do EVER.
There is a new service out there that has taken notice and created a way for individuals just like yourself to become "classified." Even the government doesn't have a right to your identity. Only you own it. It's you.
Here's the service slated to launch on June 23rd. 60 Day Money Back Guarantee ( A Real Guarantee) plus a 1 Million Service Guarantee as well.
I am the Vice President of LockDown My ID http://www.lockdownmyid.com
We back up our claims with 2 trusted guarantees you can feel secure about.
Plus... we DO NOT store your personal sensitive information. We put YOU in Control because giving power of attorney over to another company such as LifeLock defeats the purpose of identity theft prevention.
We give you TOTAL PRIVACY CONTROL.
We believe it's an American tradition, wouldn't you agree?
Anthony Tomei/ Vice President
LockDown My ID LLC
"This is why LifeLock is faulty, and cannot do what it claims to do EVER."
My gosh. Correct me if I'm wrong, but if that claim is true, then it sounds as if they're engaged in fraud.
What say you, Leo? Will a fraud conviction satisfy your thirst for corporate blood? Or will you be satisfied with nothing less than extortion charges?
Most importantly, are you ponying up your fees to lockdownmyid.com ?
Huh, you're right. I missed it the first time, but even then he talks them down. Credit freezes are the best possible defense against ID theft and I'm surprised that Bruce isn't more proactive about them.
What I don't understand here: Isn't it in the own interest of banks and credit bureaus to verify the ID of a person before giving him money? Checking an ID costs a few minutes at maximum (that is, if the person has an ID - but I understand that even in the US, most people do), but the bank will lose the money if giving a credit. Sure, they will only lose money once for each social security number. But on the other hand, if they refuse doing business with the victims of identity thefts, they lose even more money. So sure, in Germany, banks ask for an ID because they have to. But I think they should even do so out of their own interest, at least if they do not have a pre-established relationship with their customer.
The reason all of this is stacked against the individual is because we have a poor lobbyist (no lobbyist, actually) up in D.C. making sure that our interests are being taken care of. The banks and credit bureaus are out there making sure that the government firmly understands how important it is for big business that individuals not be able to get in their way.
The credit report of Todd Davis "remains spotless??"
Yeah, I guess it has been about 7 years since his last bankruptcy.
Bruce, you said the text of the law reads that:
"who asserts a good faith suspicion that the consumer has been or is about to become a victim of fraud or related crime."
That sentence in the law actually starts with: "Upon the direct request of a consumer, or an individual acting on behalf of or as a personal representative of a consumer..."
Doesn't that mean LifeLock, not being the consumer or an "individual" should not be placing fraud alerts for people?
If it said "a company or firm acting on behalf..." it would give LifeLock more wiggle room.
@ John Q. Public:
I believe the law says that an organization can place the credit alert on a person's behalf.
What's the procedure for verifying the identity in US? What makes it troublesome? Apparently it involves something else than just asking to see an ID which works perfectly in some countries.
J. Q., in the US, corporations are legally a person, so it's okay.
"What's the procedure for verifying the identity in US? What makes it troublesome?"
Part of it is the lack of a national ID, so every clerk who might have to verify an ID needs to be familiar with 100+ different types: state driver's licenses, state ID, passports, military ID, green cards ... and on and on.
The other part is that the people who would be verifying IDs have incentives to look the other way, and none to verify. They get paid on commission (bank tellers included), and aren't penalized for failure, so if you can provide something that doesn't have "Kodak" stamped across it, you'll generally pass.
Schneier wrote, "And maybe someday Congress will do the right thing and put LifeLock out of business by forcing lenders to verify identity every time they issue credit in someone's name."
If a bum on the street says "Hey buddy, can you spare a dollar," and I give him one, then that's ok, but if an FBI agent sits on the street dressed as a bum and says "Hey buddy, can I borrow a dollar, I promise I'll be here tomorrow and pay it back," and I give him one without verifying his identity, then Schneier thinks I should be thrown in prison? Or is it ok if I understand that the "lent" dollar is really a gift, and Schneier would just want an actual crime to be my sincere belief that the bum will pay me back?
Does Schneier think it makes any difference if the bum/agent says his name is "Bruce Schneier" and he wants to borrow ten thousand dollars from me? Why isn't it just entirely my own problem if I'm stupid enough to lend him ten thousand dollars? Schneier can call the cops if I have the audacity to harass him later about "paying me back" for money I lent to some bum who said his name was "Bruce Schneier." If I announce that he owes me money, he can sue me for libel. If somebody else repeats the accusation, he can sue him, too. Some others have pointed this out, but it's frustrating that so many more refuse to accept the concept of equality under the law, and want the law to treat particular libelers (credit bureaus) specially just because they're big. Schneier himself also seems to be rejecting equality under the law, and wants to treat particular lenders specially if they're big, since he probably doesn't really think I should go to prison if I lend a dollar to an unverified bum on the street.
How does Schneier expect me to verify the bum's "identity" in compliance with such a law, anyway? This requires a government-endorsed database of humans' "identities." But isn't Schneier opposed to this? Or has he changed his mind, and now supports ID card programs and other government endeavors, current and planned, to inventory humans?
Un-inventoried humans are already second class citizens; in practice, prohibited from driving, flying, providing or using important banking services, or traveling across many national borders. It's all but impossible for them to be employed without breaking the law, and the situation is getting even worse. Schneier wants to add borrowing money to this list of prohibited activities? (Technically, he wants to outlaw lending, not borrowing, but the effect is the same.)
Besides this, does Schneier want the database to be published, or not? If not, then it has to be checked online, thus enabling government omniscience of all lending relationships. If the database is published, then identity checking can be done offline, but there's now an official public list of authorized borrowers, i.e. all people who have chosen to submit to this kind of inventorying. Everybody who declines to place himself on the list thus becomes subject to public scrutiny as "not one of us," a potential enemy of society, a nonconformist danger to the collective.
I can't understand how somebody who's otherwise as reasonable as Schneier can have such totalitarian fantasies. He could at least clarify what exactly he's advocating, by writing and publishing a draft of the law which he wants Congress to pass. (A constitutional citation of the authority under which Congress could pass the law would also be in order, and no "general welfare" or "interstate commerce" nonsense either.) Let's see it.
Another frustrating muddleheadedness is the claim by some people that they "own" information about themselves, and credit bureaus should be restricted in their propagation of that information. The sentence "Bruce Schneier, the famous Big Cheese of Counterpane, lives at 123 Main St, his phone number is 456, and he owes The Government $1000 in delinquent taxes" is not under copyright. The claims expressed therein can't be copyrighted. Why do so many people wring their hands so much over the possibility that I might say that sentence, if it's true? The "privacy" argument is absurd, as is made clear if "his phone number is 456" is replaced by "his master encryption key is 789;" surely Schneier would concede that it's his job to keep his private information private, not whine to The Government if somebody else discovers and publishes it. But if I say the original sentence, and it's false, then Schneier can sue me. Even more frustrating is the claim that people should have the right to force the bureaus to correct information in their records if it's wrong. So we have thought police now; if I believe that Schneier lives at 123 Main St, and it's not true, then Schneier should have the right to forcibly reeducate me, in order to prevent the possibility that I might say something false about him in the future? Or maybe it doesn't matter what I believe, but only what I type into my computer. Being able to force correction of records requires seeing the records in the first place, and the people who advocate the former naturally advocate the latter also. Mr. Schneier, I hereby demand that you search all of your digital information for any information associated with my name, and send me a copy. In fact, I hereby demand that everybody do this.
The IRS does not even check your credit or current address. If you send in a bogus tax claim they will just pay it. We have LifeLock and it won't help you with the IRS. We called the IRS to find out why we had not received our tax refund. We were told a check was sent out a month before we mailed our taxes, for several thousand dollars more than we were even supposed to get. They said they rec'd our amended (which was not on an amended form, just reg. tax forms). So now we have a long investigation (by mail) to prove we are who we are. We did have our ID stolen about 1 1/2 yrs ago, which is when we signed up for LifeLock. So now that we need protection and help in an area we never thought of, LifeLock does not cover it. How could LifeLock help when it's the IRS's fault for not doing any background checking? It is the way of the system. It is out of control.... Now that we have been checking, there are other companies that are a lot less per year to do the same thing as LifeLock, so unless LifeLock gets busy and does something to help us we will not stay with them.
Thanks for the venting session.
My credit card number was stolen locally, by a waiter or someone in a restaurant.
The perp bought a computer and had it shipped (UPS) to a vacant lot in Ohio - I have lived in SC for 40+ years and intend to die here.
My bank caught the change of address and contacted me. The resulting issue has taken about 12 months to finish, but I have my money back.
A few years ago I hired a company out of Georgia, who for a reasonable expense, spent the better part of a year getting the credit companies to listen to the truth of their errors on my accounts and make the changes.
I don't know of a more arrogant lot than the credit agencies that will accept falsehoods as truth quicker than I can blink. At the same time it takes me months and months to get them to consider making correct the lies that are in their systems with little or no success. At the end of all that I have to hire a company to do that work for me.
I joined Lifelock for a number of reasons other than the one mentioned here, and will try it for a year or so, with the caveat that they are not perfect, but I get a lot less junk mail and stuff on the internet or phone.
Since I am 70+ years old I don't have the time or energy to deal with the ongoing hassles that the credit companies put me through.
I have had my credit cards stolen twice as a result of hackers breaking into banks and getting my credit card numbers. In addition I have had my personal information, SSN, DOB etc stolen from Bank of America. In every case these were banks that I had never done business with and I have no idea how these banks got my info. Basically it is impossible to keep your personal info private. The best protection we have in NJ is that state law allows you to put an indefinite freeze on the credit services so they cannot give any information out on you. Although somewhat inconvenient if you want to get a credit card or loan, it certainly seems to be effective since I have not suffered any adverse impacts as a result of my information being stolen.
Services like this are classic examples of fear mongering - the selling of myths that widens the boundaries of panic and grows the markets for those who sell and deliver solutions.
There are evil people in the world and bad things do happen "occasionally". However, the television and media manufactured theme park we call America isn't real - controlling human beings through fear is as old as antiquity.
"You ever watch CNN for longer than, say, 20 hours in one day? I gotta cut that out. Watch CNN. It's the most depressing thing you'll ever see, man. "WAR, FAMINE, DEATH, AIDS, HOMELESS, RECESSION, DEPRESSION, WAR, FAMINE, DEATH, AIDS." Over and over again. Then you look out your window - (crickets chirping) - where's all this sh*@ going on, man? Ted Turner is making this sh*@ up. Jane Fonda won't sleep with him, he runs to a typewriter: "By 1992 we will all die of AIDS. Read that on the air. I don't get laid, nobody gets laid." ~ Bill Hicks
It is time to wake up America - for we really are living in 1984 (George Orwell book).
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.