Identity Theft Over-Reported

I’m glad to see that someone wrote this article. For a long time now, I’ve been saying that the rate of identity theft has been grossly overestimated: too many things are counted as identity theft that are just traditional fraud. Here’s some interesting data to back that claim up:

Multiple surveys have found that around 20 percent of Americans say they have been beset by identity theft. But what exactly is identity theft?

The Identity Theft and Assumption Deterrence Act of 1998 defines it as the illegal use of someone’s “means of identification”—including a credit card. So if you lose your card and someone else uses it to buy a candy bar, technically you have been the victim of identity theft.

Of course misuse of lost, stolen or surreptitiously copied credit cards is a serious matter. But it shouldn’t force anyone to hide in a cave.

Federal law caps our personal liability at $50, and even that amount is often waived. That’s why surveys have found that about two-thirds of people classified as identity theft victims end up paying nothing out of their own pockets.

The more pernicious versions of identity theft, in which fraudsters use someone else’s name to open lines of credit or obtain government documents, are much rarer.

Consider a February survey for insurer Chubb Corp. of 1,866 people nationwide. Nearly 21 percent said they had been an identity theft victim in the previous year.

But when the questioners asked about specific circumstances—and broadened the time frame beyond just the previous year—the percentages diminished. About 12 percent said a collection agency had demanded payment for purchases they hadn’t made. Some 8 percent said fraudulent checks had been drawn against their accounts.

In both cases, the survey didn’t ask whether a faulty memory or a family member—rather than a shadowy criminal—turned out to be to be the culprit.

It wouldn’t be uncommon. In a 2005 study by Synovate, a research firm, half of self-described victims blamed relatives, friends, neighbors or in-home employees.

When Chubb’s report asked whether people had suffered the huge headache of finding that someone else had taken out loans in their name, 2.4 percent—one in 41 people—said yes.

So what about the claim that 10 million Americans are hit every year, a number often used to pitch credit monitoring services? That statistic, which would amount to about one in 22 adults, also might not be what it seems.

The figure arose in a 2003 report by Synovate commissioned by the Federal Trade Commission. A 2005 update by Synovate put the figure closer to 9 million.

Both totals include misuse of existing credit cards.

Subtracting that, the identity theft numbers were still high but not as frightful: The FTC report determined that fraudsters had opened new accounts or committed similar misdeeds in the names of 3.2 million Americans in the previous year.

The average victim lost $1,180 and wasted 60 hours trying to resolve the problem. Clearly, it’s no picnic.

But there was one intriguing nugget deep in the report.

Some 38 percent of identity theft victims said they hadn’t bothered to notify anyone—not the police, not their credit card company, not a credit bureau. Even when fraud losses purportedly exceeded $5,000, the kept-it-to-myself rate was 19 percent.

Perhaps some people decide that raising a stink over a wrongful charge isn’t worth the trouble. Even so, the finding made the overall validity of the data seem questionable to Fred Cate, an Indiana University law professor who specializes in privacy and security issues.

“That’s not identity theft,” he said. “I’m just confident if you saw a charge that wasn’t yours, you’d contact somebody.”

Identity theft is a serious crime, and it’s a major growth industry in the criminal world. But we do everyone a disservice when we count things as identity theft that really aren’t.

Posted on November 16, 2005 at 1:21 PM36 Comments


Davi Ottenheimer November 16, 2005 2:48 PM

Interesting news from Bergstein. I remember another story he wrote recently ( that said “Consumer advocates say credit card companies make it too easy to open accounts, offering “instant credit??? and mailing out reams of preapproved applications. The critics also blame credit bureaus for not catching discrepancies in information submitted by fraudsters.”

So if we agree that identity theft is over-reported (let’s just say the FTC number in 2003 of 27 million Americans was off by 30% — we still face some staggering numbers and the fact that actually stealing and using identities still has not been addressed…

Rob Mayfield November 16, 2005 2:55 PM

“Some 38 percent of identity theft victims said they hadn’t bothered to notify anyone — not the police, not their credit card company, not a credit bureau. Even when fraud losses purportedly exceeded $5,000, the kept-it-to-myself rate was 19 percent.”

Which makes you wonder, do they have something to hide or just have too much money ? I know I’d be chasing $50 …

Adam Gates November 16, 2005 3:16 PM

My CheckCard # was stolen recently $2,600 ran up in a few days.

All at TYPED in registers (so they did not have to swipe a card).

With todays technology why couldn’t someone goto the Walmart, Petsmart, etc get the Video and see who it was?!?

I’m 99% sure Petsmart and Walmart would be all for it.

Mary November 16, 2005 4:00 PM

Happened to me last week. I lost my wallet (or it was nicked from my purse). Called and cancelled the cards, no one had tried to use them. About a week later, found out that someone did open three store credit cards in my name. It got flagged for a fraud call to me because they bought gift certificates with them right away.

Two thoughts:
1) Why isn’t there a “no instant credit” registry to match the “no telemarketers” registry? Getting credit cards wrongfully opened in your name is far more damaging than getting interrupted at dinner by phone calls. An opt-in list for customers would end the “but people like instant credit” excuse the companies use. I know that making the companies liable is best, but this seems like a decent interm solution.
2) Why would you let people buy gift certificates with a newly opened charge card?

Stiennon November 16, 2005 4:58 PM

I ran a gift certificate business for a while. Gift Certificates seem to be the first choice for credit card thieves. We had somebody on 8 Mile in Detroit that would order $800 worth of gift certificates every day or so with different stolen credit cards. We just filtered on the delivery address to avoid that one!

(And no, we could not get a single law enforcement agency to get interested.)

Chris Hoofnagle November 16, 2005 6:04 PM

Credit card fraud and “synthetic” identity theft do harm consumers. The costs from fraud are passed by banks onto consumers and to merchants.

It’s important to note that there is a difference between credit card fraud and new account identity theft. But the industry is going to try to use this distinction to fend off privacy protections. You see, they’re arguing that consumers aren’t harmed, so there’s no need for consumer protection.

Also, this argument about privacy legislation harming their ability to detect fraud is a load of BS. All privacy laws have exceptions for anti-fraud measures. That’s just a red herring that Cate and company like to use to protect the financial services industry.

Chris Hoofnagle November 16, 2005 6:44 PM

One more comment:

“It wouldn’t be uncommon. In a 2005 study by Synovate, a research firm, half of self-described victims blamed relatives, friends, neighbors or in-home employees.”

That’s a complete distortion that’s been promoted by the industry and by the industry’s academic lackeys. It borders on academic fraud. Half of all victims don’t even know how their identity was stolen! Here’s the data from the 2003 study, I don’t have the most recent data on hand:

“35% of the 26% of victims who knew the identity (or, in other words, 9% of all victims) said a family member or relative was the person responsible for misusing their personal information…23% of the 26% of all victims who knew the identity of the thief (or 6% of all victims) said the person responsible was someone who worked at a company or financial institution that had access to the victim’s personal information… Of the 26% who knew the identity of the person who took their information, 18% said the thief was a friend, neighbor, or in-home employee, while 16% said the thief was a complete stranger, but the victim later became aware of the thief’s identity. (These figures represent 5% and 4% of all victims respectively.)


Federal Trade Commission, Identity Theft Survey Report 28, Sept. 2003, available at

stallion November 16, 2005 8:42 PM

Three years ago roughly 30 employees of the company I worked for (including myself) were victims of identity theft (here defined as a third party obtaining SSN# and other personal information necessary to open credit cards or purchase gift certificates for someone other than themselves).

The CEO, who was also a victim, held an all-employee meeting and stated for the record that although 30 people had been victimized, it was actually a small percentage of the entire organization (30 people out of 500 employees), and that none of us should really be concerned if the theft may have been “an inside job” executed by a permanent employee or short-term contractor. Some scoffed at his declaration, saying he was an idiot to think a bolt of lighting strikes 30 people at once in a company of our size, others were too embattled trying to save their credit report standings to say much at all.

After a few weeks the background noise from the victims became great enough that the HR department hired an outside investigator to look into the matter. The investigator interviewed all the injured parties and after reviewing all the information he concluded that he had no clue who, if anyone, was responsible (at this point the investigation had turned inward to a current or previous employee, permanent or contract).

My point? Only that I must confess that my opinion regarding identity theft has changed since becoming a victim. I did not know anyone who had been a victim, and frankly the whole issue was pretty far outside my ken. The details of my view are largely unimportant, but I do think it would be interesting (solely from a theoretical perspective; I would not wish identity theft on anyone), to see if Bruce Schneier’s view of identity theft changed if he experienced it first-hand. (My apologies Bruce if you speak from experience).

Davi Ottenheimer November 16, 2005 10:10 PM

@ stallion

Interesting points.

The whole Ford Motor Credit fiasco makes for a good example as well. The FBI say they are still uncovering identity theft victims in that case, many years after it started becuase so much data was stolen and sold…

“How the credit bureaus helped the biggest identity theft in history”

Davi Ottenheimer November 16, 2005 10:17 PM

Well, I hate to be the one who asks, but are we supposed to think the following “nugget”, as quoted in the log entry, is supposed to help make the case that ID theft is “over-reported”?

“Some 38 percent of identity theft victims said they hadn’t bothered to notify anyone — not the police, not their credit card company, not a credit bureau. Even when fraud losses purportedly exceeded $5,000, the kept-it-to-myself rate was 19 percent.”

That’s under-reporting, no? And why does Fred Cate immediately discount the numbers as non-identity fraud? He doesn’t seem to give any reason(s)…

My experience with investigations is that you can expect a fair percentage of people to report something fishy on their statements within 30 days, but at the same time a good portion of people just pay their statement out of “good faith” and do not review the statements in 60 days, not to mention those who actually have to be informed that there might be a problem.

Glenn Willen November 16, 2005 10:31 PM

“Why isn’t there a ‘no instant credit’ registry to match the ‘no telemarketers’ registry?”

There is. You have the right, under the Fair Credit Reporting Act, to opt-out from distribution of your credit information for pre-screened credit offers. This website claims to allow you to opt-out online:

While I’m not sure I’d trust the site, you can definitely do so in writing to the major credit bureuas.

Chris Allison November 17, 2005 2:00 AM


I’m surprised to see you using the term “identity theft” so loosely, given that you (At least I’m pretty certain it was you. Maybe I’m wrong.) have previously stated that no such crime exists, that identity is integral to a person and cannot be stolen, and that so called “identity theft” is nothing more than thorough fraud.

Have you changed your stance on the matter, or are you simply using the term for convenience’s sake?

Aze November 17, 2005 2:09 AM


Great idea. I also think we should have a no-instant-execution registry, a no-instant-voluntary-car-repossesion-for-barbie-dolls registary, a no-car-windscreen-leaflet-registry a no-smoking-next-to-me registry, a no-surprise-birthday-party registry a no-surprise-bdsm-registry.

In fact, what for every possible action which could possibly be consensually legal, but which someone might not like done to them by surprise, we should have a separate registry that you have to sign up to. It’s the only way to ensure that no commercial opportunity is ever lost, which must be the highest priority. Each of these registries must, of course be run by a separate independent commercial organisation with a different sign up system so that nobody can accidentally sign themselves off all of the registries at once. After all, you wouldn’t want people to miss out on surprise birthday parties just because they don’t like the idea of being tied up by strangers.

Richard Braakman November 17, 2005 5:47 AM

“I’m just confident if you saw a charge that wasn’t yours, you’d contact somebody.”

Is this confidence based on any kind of research, or is he just making it up?

I have personal experience to the contrary. My anecdote trumps his speculation.

Anonymous November 17, 2005 9:24 AM

@ Chris

There is a difference between distortion of the statistics and a non-representative sample. For example, since Synovate’s study looked at “self-desribed” victims, the fact that “Half of all victims don’t even know how their identity was stolen” was irrelevant, as people ignorant of the crime cannot self-report – pretty much by definition. While I see your point about the two studies coming to wildly different conclusions, there is a simple explanation – that being that the samples sets of the two studies have less than 100% overlap. Considering they were conducted 2 years apart, I’d say that’s a safe bet.

Not a Credit Counselor November 17, 2005 10:07 AM

@Mary, @Glenn

“Why isn’t there a ‘no instant credit’ registry to match the ‘no telemarketers’ registry?”

the best you can do is a kludge: put a fraud alert
on your credit record:

as for the optoutprescreen link, that’s legitimated
by it being linked from the FTC’s web page, f/w/t/w

Pat Cahalan November 17, 2005 11:17 AM

There have been more than a few threads on “Identity Theft” and/or “Identity Fraud” on this blog, and reading through all of them I think I have a pretty good idea of what Bruce was trying to say with this last posting.

Admittedly, however, the lack of a solid acceptable defintion of “identity theft” has been part of the problem.

Usually Bruce is pretty good at sticking to his terminology, but on this topic at least there have been plenty of blog postings where he’s using the “referred-to” definition of identity theft instead of his own.

To put words in Bruce’s mouth, what I think he’s been trying to say in the last N threads on identity theft is the following:

(a) “identity theft” is inaccurate, it should be “identity fraud”.

(b) “identity fraud” should be defined as, “using acquired data of an individual to fraudulently create a new fiscal entity (in the form of loans, credit cards, etc.) which is in turn used to acquire goods and/or services, passing the debt back on to the victim”.

This “identity fraud” is a relatively new version of classic “fraud”, and currently has severe consequences for the victims because there are little protections built into the law for victims of this crime.

The way to solve this problem is to build protections into the law, passing the burden of proof from the victim to the financial institution responsible for creating the fiscal entity without properly establishing the identity of the requestor.

This changes the responsibility for the problem from, “Prove you didn’t open this account or pay the balance, and we’ll trash your credit rating in the meantime,” to “This is not my account, and I am not liable for this debt unless you can prove that I opened this account.”

(c) “identity theft”, as referred to by the popular media in most articles, is ill-defined, and includes simple theft as well as what he calls “identity fraud”. As such, the actual state of the problem of “identity fraud” is clouded as it includes bad data, such as, “somebody used my stolen credit card to buy a tank of gas”, which is just classic “theft”, and has very little impact on the victim, due to an established limited liability.

(d) until the issue of “identity theft” vs. “identity fraud” is clarified, misreporting of the problem is going to be an issue.

Mary November 17, 2005 11:55 AM


The problem with your examples is that they are all in-person transactions, where the person throwing the surprise-bsdm and/or birthday party must directly bear the consequences of their ill-chosen action (should it turn out not to be appreciated).

Where registries may effective and needed is when someone has a business model which requires the harassment of many unwilling people in order to reach a small number of customers.

Some people enjoy being able to open new credit cards to make purchases they cannot currently afford, therefore stores make it easy for their customers to do so. However, retailers set the barriers to fraud so low that, in order to please the instant credit wanters, the general public is forced to leave themselves open to the risk of identity fraud. And these companies are shielded from their victims, who have no recourse. (As was mentioned above, the fraud watch lists are all voluntary.)

If you could just walk into your local Gap, and force the staff there to deal with the reality of the Gap credit card they allowed someone to open in your name, it would be a different matter. If you tell all your friends that you hate suprise parties, and they throw one anyway, you can opt out of ever seeing them again. Right now, there is no way to opt out of the instant credit world.

Daedala November 17, 2005 12:24 PM

I don’t have time for a thorough trashing of the ID theft article you linked to, but it is at best a really incompetent misrepresentation of the data and at worst a willfully malicious one. Especially the bit about half of victims blaming friends/relatives/etc. — about half of victims don’t know who stole their identities. Many studies have shown this. That “half of victims” is really “half of victims who know who did it,” which is a much smaller number. I don’t know exactly; I haven’t run the numbers. The Synovate survey was deeply flawed anyway; I’m pretty sure it’s the Javelin study I’ve bitched about in the past, because they say that Synovate collected the data (see my comment above).

Not only did that study obfuscate the fact that people who know how their identities were lost were likely to have had it personally stolen from them, the study’s conclusions were confused by the idea that constantly monitoring accounts online meant that online stuff was safer. Catching id theft/account fraud/whatever faster is better. Catching most crimes faster is better That doesn’t mean that online banking is safer, but the study concluded just that.

A critical view of that study (Bob Sullivan is usually pretty good about this stuff):

A mainlining-the-koolaid view:

Another good article by Bob, about the semantics war:

Further… Um, piglet is right. You haven’t been calling for distinguishing new account creation vs. existing account fraud in “identity theft” in my hearing. I’m pretty sure, because I would have argued with you. 1. The banking industry really wants this distinction to become important so they can avoid being responsible. 2. While knowing what’s really going on is important, there is really very little difference (IMO) to consumers. Both crimes take advantage of insufficient authentication & authorization mechanisms in the industry. Both cost money, time, etc. to fix. One of the major hurdles in both of them is clearing the credit record.

Finally, “identity theft” is one of those terms where the definition is being batted around… The FTC definition is, “Identity theft occurs when someone uses your personal information without your permission to commit fraud or other crimes.” Note that those “bad” studies that include account fraud in identity theft figures are done for the FTC…. The law defines identity theft as including account fraud.

What, frankly, is wrong with this? Again, I think it’s an attempt to obfuscate the issues. “All you people who had $x stolen by someone using your credit card…legally, you might have been a victim of identity theft, but you weren’t REALLY a victim. Whiners. ONLINE SHOPPING AND BANKING ARE SAFE. Not to mention, cheap for us.” And it complete ignores the problems of business accounts, which are hardly protected at all.

“Identity theft??? is a bad term, of course. It’s all a failure of authentication, not identity. It’s fraud; I don’t lose my identity if someone buys a house in my name. But that’s the term in use, and those working hardest to change the meaning of the phrase have an agenda we need to be really wary of.

What I say does not represent the views of my employers, my friends, my cats, or myself.

Daedala November 17, 2005 12:58 PM


“For example, since Synovate’s study looked at “self-desribed” victims, the fact that “Half of all victims don’t even know how their identity was stolen” was irrelevant, as people ignorant of the crime cannot self-report – pretty much by definition.”

This misses the point. You can know that you were a victim of a crime — money was stolen — without knowing who committed it. And, in fact, one of the most serious problems with ID theft or whatever you want to call it is that it’s extremely difficult to trace who committed the crime, or find out where or how your information went walkabout.

I think the wildly different conclusions have more to do with the funding source, myself. Studies later than the 2003 FTC/Synovate study validate its claims regarding this.

What I say does not represent the views of my employers, my friends, my cats, or myself.

erasmus November 18, 2005 4:53 AM

Only a small proportion of fraud is directly identity related. Yet the British government is rushing to classify every crime it can as “identity theft” to part-justify the imposition of an ID card.

British Prime Minister Tony Blair claimed on 25 May 2005 that: “abuse of identity actually costs this country billions of pounds a year” . I have here a letter from the UK minister who is pushing for National ID cards, clarifying how his department had derived an annual figure of £1.3bn for the cost to the UK of ‘identity fraud.’ (~$2.2bn US)
Compare – he ‘estimates’ an operating cost of £~0.5bn ($.9bn) for an ID card & database – before capital costs and interfaces. The economic choice is obvious, isn’t it?

Well, no. He confesses to have no clear definition of identity theft or identity fraud. In his break-down of that £1.3bn he rehashed a cabinet office report that used double counted figures, wild guesses, and classified all card fraud figures as ‘identity theft’.
For example, they multiplied up by 5 the total officially reported costs of fraudulent insurance claims and made an assumption that 1/4 of them are identity fraud, arriving at £.25bn. Meanwhile that same govt department has said that private sector insurance fraud was so unclear it was difficult to quantify the scale of the problem, and that the issue has not been a political priority for some time! (Insurers believe most fraud is due to false or inflated claims by valid policy holders.)

All of these fraud figures are in the public domain here. My own reckoning of impersonation-related crime, using the same base figures, indicates its value is probably an order of magnitude less than the government figure.

When a government choses to conflate ID cards with fighting ID theft, a simple matter of definition can have sweeping repurcussions.

Davi Ottenheimer November 18, 2005 11:25 AM

@ Daedala

I agree 100%.

“And, in fact, one of the most serious problems with ID theft or whatever you want to call it is that it’s extremely difficult to trace who committed the crime, or find out where or how your information went walkabout.”

I would just add that if you are trying to build security around consumer data, you are also faced with the virtually insurmountable task of trying to rule out false negatives due to the pervasively weak controls used by the Payment Card Companies and the Users themselves.

Thus, the merchants and retailers become sandwiched into a rather sticky situation that they are expected to control, but actually have little or no influence over.

For example, a huge percentage of CC customers will contact a merchants and say “fraud” for legitimate reasons. The merchants will contact the retailers and say, did you leak? The retailers will spend countless hours/days searching and testing to find any sign of a leak, when in fact the problem is that just about anyone, anywhere, might have stolen the victim’s “identity” and committed “fraud”.

Personally, I think arguing about whether to use the term identity fraud or identity theft is silly since it doesn’t help anyone who is actually trying to fix the system and protect consumers from crime (that’s the goal, right?). It’s like listening to people who think they can win the “crackers not hackers” argument.

piglet November 18, 2005 1:53 PM

Daedala and Davi, I do think that we should get the terminology right. It isn’t the same whether somebody steals your legitimate CC number, or whether they open a new CC account in your name. In both cases, the victim loses money, but there’s no reason to classify both cases as “identity fraud” instead of “credit card fraud”. It doesn’t help understand and solve the issue. The same is true for online banking fraud, in which case I’m criticizing Bruce for the very loose terminology he has been using.

“Identity theft can be as simple as a single disputed credit card charge, or as complex as an imposter committing crimes in the victim’s name, or obtaining government benefits and big loans using the victim’s Social Security number.” (Bob Sullivan) A useful classification should distinguish between those very different cases.
“Industry groups argue that simple credit card fraud, when a fraudulent charge is spotted and disputed on a credit account, isn’t ID theft. Exclude those victims, and the total number of victims is quite a bit smaller, they argue.” But those cases are still fraud and should appear in the appropriate statistic. And neither are those victims legally worse off than ID theft victims, on the contrary. I simply don’t see why a strict terminology should hurt the victims.

piglet November 18, 2005 2:02 PM

And I might add: confounding utterly different (with respect to the means and the potential damage) kinds of fraud will only serve to trivialize the worst cases. Aren’t we all in some way “ID theft victims”?

TR November 22, 2005 4:26 PM

I have been reading some very interesting stories and points of view, and would recommend that all of us to take a quick look at a website that deals directly with Identity Theft Restoration. It puts the power back into the hands of the people. You will find it extremely interesting. The Url is
I have come to find from being a victim of ID Theft, that it’s not a matter of “IF” you become a victim of it, but “WHEN”. I never thought it would happen to me!

Beck December 16, 2005 2:09 PM

In reply to the earlier question, “How come we never hear about corporate identity theft? or do these surveys include corporations?”, please visit where we measure exposure of corporate brands to fraudulent online use within trademarks and domain names.

Adriana D'Acha December 16, 2005 9:40 PM

There is a company called DolEx Dollar Express a money transmitter co.that knowingly hiring illegal aliens with stolen identity (Identity Theft) DolEx even tell these people if you want to work in DolEx they have to bring “Good Papers” meaning Identity Theft names.DolEX has more than a thousand illegal aliens employees working under assume names of stolen identity.If you want to know more about this story call me at 480-510-3951

dave macaly September 27, 2006 11:47 AM

YESTERDAY I WAS WLAKING DOWN THE STREET, and this dog bit my butt and got away wut my wallet, i said dog get back here, and chased him. He jumped over the brooklyn bridge onto this boat and this fishing dude took my wallet and said, i ****** you over and i jumped towards the boat and fell in the water and lost my other wallet that this turtle stole from me. now i owe so much money to the state in isnt even funny. Who should i call?

Geoff September 27, 2007 9:30 PM

Identity theft is a somewhat misleading term as a victim does not actually lose their identity. However, they run the very real risk of someone impersonating them, stealing their financial and other assets and ruining their reputation

Identity crime consists of two major components: identity fraud and identity theft. As these terms are often interchanged in the literature the Australian Centre for Policing Research (ACPR) recommended the following definitions be adopted for use under Australian jurisdictions:
Identity crime is a generic term that describes identity-related offences where a false identity is used to commit or facilitate a crime.
Identity fraud is where a false identity is used to gain a financial or other illegal advantage
Identity theft is where a pre-existing identity is stolen or assumed. (ACPR 2006: 9-10).

Australasian Centre for Policing Research (ACPR) 2006 Standardisation of definitions of identity crime terms: A step towards consistency

eddz1949 May 14, 2010 1:58 AM

It is really bad to realize that you’re identity was stolen and used by the fraudulent people in committing crimes and using your credit before you knowing it.

You really have to pay attention to any suspicious activity or signs that may prove to be an indication that you are targeted for identity theft. Always be careful. Good thing there were people who can stop this crime.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.