The "I'm Not the Criminal You're Looking For" Card

This is a great idea:

Lawmakers in Iowa are proposing a special "passport" meant to protect victims of identity theft against false criminal action and credit charges.

The "Identity Theft Passport" will be a card or certificate that victims of identity fraud can show to police or creditors to help demonstrate their innocence, Tom Sands, a state representative of the Iowa House and supporter of the proposal, said in an e-mail interview Tuesday.

I wrote about something similar in Beyond Fear:

In Singapore, some names are so common that the police issue He's-not-the-guy-we're-looking-for documents exonerating innocent people with the same names as wanted criminals.

EDITED TO ADD (4/7): Of course it will be forged; all documents are forged. And yes, I've recently written that documents are hard to verify. This is a still good idea, even though it's not perfect.

Posted on April 6, 2006 at 1:13 PM • 50 Comments

Comments

ZwackApril 6, 2006 1:28 PM

So, how long before identity thieves start faking these too...

No, really, I'm NOT the one that you want... see.

Z.

Pat CahalanApril 6, 2006 1:47 PM

Well, the problem they're trying to solve isn't actually "making it harder on the bad guys", it's "the costs to the victim are too high, so this may lower the victimization aspect".

It's not a solution to the underlying issue by any means, but it certainly would be nice for those victims who may otherwise be hauled off in cuffs in front of their kids...

jmrApril 6, 2006 2:16 PM

Zwack, would that be the "I'm REALLY Not the Criminal You're Looking For" card?

Paul JohnsonApril 6, 2006 2:18 PM

> So, how long before identity thieves start faking these too...

Why bother faking them? Just claim you have been the victim of identity theft. Then when the police come to arrest one of your identities you just blame the other one.

jayhApril 6, 2006 2:24 PM

Despite its problems it makes sense, both to the victim, and to the police who don't have to go through a long validation process which already has been done before.

Really would be a good idea for the innocent victims of TSA lists as well.

J.D. AbolinsApril 6, 2006 2:27 PM

The "identity victim certificates" could be useful if their limits are understood and they are used to tell the police and creditors to check further before jumping to conclusions.

Among other things, being the victim of identity theft does not automatically mean one is innocent of everything done in one's name. A spendthrift running up high bills on his own could also be an identity fraud victim. Which charges are the real person's and which are by the crook would need to sorted out. Or an identity victim has been/will be committing crimes. (In the "work at home money transferring funds" scams, the victims are also, usually unwitting, participants in crimes.) The identity theft victim certificates cannot be taken as certificates of verified innocence in all matters.

Another challenge is the ability for the police and others to determine that a certificate is valid. The certificate alone usually might be enough, but it may prevent, as Pat Cahalan mentioned, the identity theft vicim being immediately hauled off in cuffs in from of the kids. (Maybe not prevent the person being ordered to prone out on the ground, with officer safety concerns and such.)

I need to look further at the Iowa proposal to see if it addresses these issues.

By the way, one tip for identity theft victims I have run into is to try to get their identity listed as "secondary" aliases for the theif rather than primary aliases.

DApril 6, 2006 2:49 PM

Community Chest: "You have been the victim of identity theft. Move your token back twelve spaces and find a random person off the street to take your place on the board. If rent is avoided while this stranger plays your piece, go to jail and allow him/her to leave with your money and property."

GPEApril 6, 2006 2:57 PM

> So, how long before identity thieves start faking these too...

I'm sure not long. A possible solution would be to code the card with a random (large) number and register that with a central database. The card could be scanned to verify the number. I don't see the need to store any personal information on the card. The verification would simply be to establish the card validity. Along the lines of my symphony ticket - the ticket taker scans the ticket barcode which causes the scanner to flash a big, friendly "OK" message to the ticket taker, assuming the ticket is valid for that night's concert. A forged card wouldn't have this random number or the number wouldn't be registered. This, of course, now makes the valid card (and the card holder) a target, but it might go far in minimizing a victim's suffering at the hands of hit-and-get identity thieves.

Davi OttenheimerApril 6, 2006 3:20 PM

"In Singapore, some names are so common"...

...that it's hard not to ring the *Wong* number?

I know, old joke, but it somehow seemed appropriate.

ChrisApril 6, 2006 3:32 PM

TSA already does this. I have a business acquaintance whose son has the same name as someone on the terrorist watch list. (Oddly, it's a very run-of-the-mill American name.) Anyhow, they have issued him some papers to clear him and told him to get to the airport of couple of hours early before he flies. Apparently, it routinely takes the kid an hour or more to get through this process at the airports. If the terrorists really did attack us because they "hate our way of life," they sure are doing a good job of destroying it. (wink)

Andrew2April 6, 2006 3:37 PM

Something like this already exists in Utah. It's a letter from the Bureau of Criminal Identification certifying that the named individual is, in fact, not the same person as one who has a criminal record. It wouldn't help with identity theft, and it hasn't done much for me either.

You see, there happens to be an individual with the same first name, last name, and birth date as myself who has a habit of stealing things. I know this because I've had my drivers' licence twice suspended, and have even been fired when my employer saw some scary results on my background check. Due to a perverse, unintended consequence of the Fair Credit Reporting Act, my ex-employer was not interested in the fact that I could prove I was not the Andrew in question, even after I obtained the letter. The information coming from the background checking agency was considered the only reliable source of infomration, and if I had a problem with its accuracy I would have to talk to the agency.

I was eventually able to drive across three counties and obtain the letter from the BCI (for a fee) and get the reporting agency to send an amended report. Unfortunately, my employer's payroll system couldn't seem to handle the fact that I had been unfired and deactivated my file, canceling my check, every payday. After about a month of this, I left the company.

another_bruceApril 6, 2006 3:38 PM

i don't think it's a good idea at all. it puts the onus on the victim to prove, with an internal "passport", that he's not the perpetrator. the onus should properly be on the police/creditors to determine that they have, uh, the right wong. i don't need to show you no stinkin badges!

EluredApril 6, 2006 3:40 PM

>I'm sure not long. A possible solution would be to code the card with a random (large) number and register that with a central database. The card could be scanned to verify the number. I don't see the need to store any personal information on the card.

If there's no personal info tied to the number or card, the only requirement to circumvent validation would be to obtain a valid number and duplicate the number onto a forged card. If an identity thief were to be able to do this without the original cardholder's knowledge, they could use a forged card with that valid number for who knows how long.

JakeSApril 6, 2006 3:40 PM

Why not just give every citizen one of these passports *before* their identity gets stolen?  You could call it, say, a "national identity (theft) card".

HalfApril 6, 2006 3:53 PM

For these cards to be a 'good idea' isn't it necessary that they be very few in number?

Don't they represent an extremely attractive honeypot to the bad guys?

AveryApril 6, 2006 4:13 PM

I would have to guess that these things would have an ID # linking them to some police data bank. If you get pulled over by to police you hand them this with your license and they can verify the card against their database. It's a reciept that can be used to index current police investigations, not verification of those investigations.

If their database so easily hackable that you could create the cards and modify the system records so that you look like the victim then little things like identity are meaningless as criminals can just create identities and accounts on the fly.

Nick LancasterApril 6, 2006 4:14 PM

This strikes me as a fix-it for broader problems of how we handle identification and authentication in general. It does not, as pointed out in other posts, put the burden on improving the system to reduce error, it simply allows errors to continue.

Might as well rely on the Jedi Mind Trick.

"These aren't the droids you're looking for."

JilaraApril 6, 2006 4:24 PM

>i don't think it's a good idea at all. it puts the onus on the victim to prove, with an internal "passport", that he's not the perpetrator.

Just like you would have to do now?

I wonder when we will reach a point where all of this will become meaningless, because there will be so many false hits, forged papers, etc. It seems like we're getting closer to this point, and may be hitting it sooner than we think. Solution? Um, that's a good question.

Jeremy WoodApril 6, 2006 6:16 PM

You're all overlooking the real solution here: Unique names. The historical practice of giving people "recycled" names can no longer be tolerated. There are already mechanisms in place to transition to the new, brighter future in human naming. ICANN will simply have to start registering people's names. If you're quick, you will be able to secure your current name. Then, you would be the ONLY Bruce Schneier.

If you're not so quick, you might get Bruce235 Schneier39082.

GPEApril 6, 2006 9:28 PM

>If there's no personal info tied to the number or card...

There would be a need to somehow associate personal information with the number in a database and the number on the card, but my suggestion was that there wouldn't be a need to store any personal information *on* the card, as opposed to what the credit card companies do with credit cards. The card would serve to establish the person carrying the card isn't the person for whom the authorities are looking. If the card is lost or stolen than the number can be revoked, a new card issued and the card holder doesn't have to worry about a missing card floating around with his or her personal information embedded in it somehow.

I haven't had my identity stolen, per se. But my identity has been "confused" with a deadbeat with the same name. I fought with the State of Alaska for close to two years trying to get $40,000 worth of back child support off my credit report. I have no children. And it almost took a DNA test to make my case. My social security number didn't seem to mean a thing to the Alaskan social services. Same story in a fight with a local hospital which sued me for delinquent bills related to gallbladder surgery. I had to show I still had my gall bladder before they dropped the suit and paid my attorney fees. There are other such incidents related to this deadbeat spanning the past 20 years. The "hassle" of getting one of these cards pales in comparison to the problems related to clearing your name.

Colin HartApril 7, 2006 12:58 AM

>>> So, how long before identity thieves start faking these too...

Soon, I'd say. What's more they'd fake them in advance, something like this story:
http://www.schneier.com/blog/archives/2006/03/...

If I printed an official-looking one up right now I'm sure most people would accept it as genuine, even if they didn't know whether such things existed.

It's the ID Card argument in reverse isn't it? "I'm not him and here's a card with my biometrics to prove it" (which are stored in a database somewhere). And what if a corrupt employee gets paid to add records to the database and send out "get-out-of-jail-free" cards............. sounds familiar

MKPApril 7, 2006 1:18 AM

Intentions are good. But where are we heading to? While the use of technology is aimed at simplyfing things, in reality things are getting more complex.
I see this as another patch work.
Isn't something really wrong in the way "Application of techology" has evolved?

HonestApril 7, 2006 2:40 AM

How is this a good idea? Your identification system is a bad one if it can not distinguish between two individuals.

If someone else is constantly being stopped by the police and questioned because he matches the criteria they just have to make those criteria more specific.

Seriously Bruce, I do not see how you can advocate this.

Henning MakholmApril 7, 2006 5:45 AM

"So, if I understand you correctly, you claim that the signature on the contract is not yours, that you were in Hawaii the day it was signed, and that you have never even been to the state where you asked us to deliver the goods. Well, can you show me an Identify Theft license to back that up?"

MsbApril 7, 2006 6:34 AM

"Seriously Bruce, I do not see how you can advocate this"

I advocate it as well. Biometric National Identity Cards have their own sets of issues. Even if we assume that governments do not have malicious intent, there is no natural law stating that criminals cannot infiltrate the government and subvert the system from within. And then, if you have blind faith in the system, you have the societal equivalent of a self-immune disease. Not a pretty thought to consider.


On the other hand, the card Bruce is talking about can save innocent people a great amount of harassment, intimidation and even physical abuse.

IDCardApril 7, 2006 6:55 AM

Some people will think the generalised ID card may be the solution...

Like in France, the problem is that the first thing which get stolen when someone gets homeless is his ID card.
He could go to the police to report the stealing, but without an ID card he will not be taken seriously: if he does not have an ID card, he is probably illegally in the country.
And even if the police can check who he is (they know him for the last few years - he is not dangerous) there is no point giving him another ID card: it is going to be stolen again within few days.
The problem is, in a country where ID cards are part of the history (nobody could imagine going out on the street without it), that without an ID card you are nobody (you can not draw a bank check without showing your ID card to the person behind the till - or when filling an official paper, show the ID card to confirm the signature - you cannot find an official job without "proving" your ID).
Now, why the ID card is stolen? Well, maybe some people find a use for it...

LeoApril 7, 2006 7:32 AM

For the criminal, the best part of identity theft is that the law enforcement will be pursuing someone else. Thus, the cost of breaking the law becomes an externality to him/her, and the crime becomes hugely profitable. An exonerating document reduces this advantage for the perpetrators, and thus is positive to reduce the prevalence of this offences.

Bruce SchneierApril 7, 2006 8:13 AM

"Intentions are good. But where are we heading to? While the use of technology is aimed at simplyfing things, in reality things are getting more complex.
I see this as another patch work.
Isn't something really wrong in the way 'Application of techology' has evolved?"

It definitely is another patch. But I think in this case it's a good patch.

Bruce SchneierApril 7, 2006 8:18 AM

"i don't think it's a good idea at all. it puts the onus on the victim to prove, with an internal "passport", that he's not the perpetrator. the onus should properly be on the police/creditors to determine that they have, uh, the right wong. i don't need to show you no stinkin badges!"

True, but the police/creditors might take a while doing it, and while the process is going on you'l miss your flight or be denied credit or whatever. The point of the card is that once the police determines that they have the wrong person, they can write a letter saying, basically: "We've already been through the process with this guy, and it's the wrong person."

No, it's not perfect. Yes, it's a patch in a medeocre system. But if you've got the same name as someone on the No Fly list, you really want one of these all the same. (And, if you ARE someone on the No Fly list, you also want one of these. But that's a given.)

AnonymousApril 7, 2006 8:20 AM

@jayh, @Bruce:

"Really would be a good idea for the innocent victims of TSA lists as well."

There was an article in the Miami Herald documenting that a gentleman here in Miami has a document from the US Federal Atty stating that he is not the criminal that everyone is looking for. He has to do business in South/Central America.

Every time he passes US Customs in Miami, *even with the letter* he is stopped and searched for over 30 minutes. He has been jailed at least twice. Most of the times, the letter is ignored because it has to be verified and vetted just in case this is a counterfit letter.

How does handing out thousands of these letters *help* anyone, even those with identity theft.

It's just *another* thing to verify and check, wasting everyone time....

NicApril 7, 2006 8:36 AM

It seems that the world also needs an "I am Not the Terrorist You're Looking For" card. See A"Playing The Clash made me a terror suspect" www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=382039&in_page_id=1770&in_a_source=
(The daily mail wouldn't lie would it?)

AnonymousApril 7, 2006 8:38 AM

"i don't think it's a good idea at all. it puts the onus on the victim to prove, with an internal "passport", that he's not the perpetrator. the onus should properly be on the police/creditors to determine that they have, uh, the right wong. i don't need to show you no stinkin badges!"

True, but the police/creditors might take a while doing it, and while the process is going on you'l miss your flight or be denied credit or whatever. The point of the card is that once the police determines that they have the wrong person, they can write a letter saying, basically: "We've already been through the process with this guy, and it's the wrong person."

See how we are being blackmailed into a letting/encouraging Police State USA to grow.

shoobe01April 7, 2006 9:02 AM

"We've already been through the process with this guy, and it's the wrong person."
That points out the issue perfectly. (As some stated above) the 'process' is too onerous, slow and unreliable. Even with inconsistent state-by-state ID, how hard can it possibly be to simply provide a reasonable validation path? And forget cute computer scanners, just read numbers into the distpatcher and see if what comes back matches the ID card.

Don't forget that height, weight, eyes, hair and photo are adequate (not great) biometric identifiers. I cannot recall an identity theft case, and hardly any confused identity cases, where even these DL-level biometrics matched up in any useful manner. I've seen people of opposite sex confused by the government for months. This seems like a validation step they are forgetting about.


As far as the other fun part, pointless procedure adds a lot to everyone's burden: A business associate and I were trying to fly somewhere on business recently, and united kept cancelling flights. So, we called around and moved to Midwest. The plane leaves in like 20 minutes, so we need to rush. Somehow, TSA thinks any last minute booking is inherently bad, so we get Secondaried. I have to all but strip down to get thru security. Okay, but the other guy had to go thru security three times (luggage, etc.) and EVERY TIME he had to have a secondary screening. Its an empty security checkpoint. The same people do the same screening, 30 seconds apart, and there is no other reason to suspect him.

GPEApril 7, 2006 9:30 AM

"i don't think it's a good idea at all. it puts the onus on the victim to prove, with an internal "passport", that he's not the perpetrator. the onus should properly be on the police/creditors to determine that they have, uh, the right wong. i don't need to show you no stinkin badges!"

Should be, but the reality is quite the opposite - especially in regards to creditors. In my case, I was a responsible person and easy to track. Heck, my name is in the phone book. It was much easier for the creditors to push the verification task onto my back and let me do the leg work to prove they had the wrong guy. They made the validation an externality. The fact they might loose in court and be forced to pay court costs is just a cost of doing business to them. In the case of debt collectors, it is even worse. They are the metaphoric pit bull locked on to your leg and care even less that they may have the wrong person. They're just after the money any way they can get it.

In my opinion, the "I'm Not the Criminal You're Looking For" card shouldn't be an ID card. It shouldn't have and ID information imbedded in it. It would only have to be used in limited, specific circumstances and probably wouldn't need to be carried around in most cases.

Another improvement to this idea would be to have the associated number expire after a number of months/years to cover cases where the owner had slipped over to the dark side, so to speak.

MSBApril 7, 2006 9:46 AM

@Msb

"On the other hand, the card Bruce is talking about can save innocent people a great amount of harassment, intimidation and even physical abuse."

We have a collision of handles here -- I've been identifying myself as "MSB" (all uppercase). I agree with what you said about the value of the card.

Grey BirdApril 7, 2006 11:16 AM

@ GPE et al: Dealing with someone else's bad credit _is_ a real headache. Just after my wife and I moved into our house we started getting harassing phone calls from creditors. They were leaving nasty messages on our answering machine, and when my wife answered the phone and told her (the creditor) that she had the wrong number and "No, no one by that name lives here" didn't help. She accused us of covering for the person they were after and lying about her not even being some one we knew. We told them to look in the directory and see that it was our number but that didn't work either. This woman my wife spoke to called so often we recognized her voice before she finished the first word. We finally contacted the phone company. They told us that the number hadn't been used for several years before we got it, but they did allow us to change to another number for no charge. After going through all of that for someone who isn't even using my name makes me understand how _any_ relief from this kind of harassment would be welcome to victims of identity theft. Personally I think if the card has no personal information on it, but is tied to a database that does it could be useful. Especially if the database isn't available on the internet but by phone or a closed network.

Alun JonesApril 7, 2006 11:16 AM

So, let's see, you have an established identity system that's been broken by the theft and reproduction of documents that establish your identity, and the fix is ... to stick another identity system on top of it, with new documents to steal and/or reproduce.
How many levels of abstraction do we go to on this one?

AnonymousApril 7, 2006 1:23 PM

This is just a clever way of forcing people to carry id cards. Eventually everyone will have a card stating who they really are because of identity theft, and then the national id card scheme will be implemented without anyone being the wiser.

Wim LApril 8, 2006 4:06 PM

To be honest, I don't see how this proposal helps at all. Even if we simplistically assume the population is divided into "good guys" and "bad guys", what's to stop a "bad guy" from getting one of these cards? Deliberately leak your SSN, then get an "identity theft license". It'd probably be only marginally harder to get a "not a terrorist license". Even the "good guys" will be likely to want to do this ahead of time if at all possible, to save trouble down the road. "Bad guys" will just be another face in he crowd, until they decide to blow something up.

(And I'm not touching on what I think is the greater issue, which is that such a card erodes even farther the presumption of innocence on which our justice system used to be based. The obvious implication of such a card is that we are all presumed guilty from the start, and need to have special evidence if we want to be able to argue our innocence.)

JMApril 9, 2006 12:15 AM

My identity was stolen, I tracked down the people that did it, because they kept buying pizza's with my personal checks and had them delivered to their house. I told the detective where they were. His response was "do you want me to break down the door?" Well DUH??? Of course I do, you moron (I didn't say this). If we just enforced the present state and local laws, you would not have to worry about this. ENFORCE THE PRESENT LAWS! Well DUH....

meApril 9, 2006 2:05 PM

Most of these comments sound eerily familar . . . reminds me of how easily everyone bent over after 9/11. Only a few commentors are asking serious questions about the potential negative repurcussions.

If everyone gets this card before they have their identity stolen, then it merely becomes another name for a national id system. If only victims of id theft have this card, then don't you realize the id thief will be able to apply for one as well?

Once I have stolen your id, then all I have to do is go to the court house in the county in which you were born, and obtain a copy of your birth certificate, and in the same manner obtain anything else which I want so that, in fact, I will be able to prove that it is you who are pretending to be me.

The clerk at the community college took my word that I was Jo Blow when she took my picture and issued a id card. My local driver's licence bureau let me use THAT as a means of documention to obtain a state driver's licence.

A smart thief with chutzpah never gets caught. Thankfully, there really aren't too many of those types.

Jeez JVD, you really still trust Big Corp in this day and age?

The basic problem is how easy it is to steal id in the first place, not band-aids after the fact. You heard the one about shutting the barn door after the horses have already escaped?

meApril 9, 2006 2:23 PM

Your proposal is a "Feels Good To Do Something" Answer.

Your brain is not a hat-rack.

Richard BraakmanApril 10, 2006 5:34 AM

@JM
Once you had their address, you could have simply reported that you walked past there and thought you smelled marijuana. That door wouldn't have lasted an hour!

jmrApril 10, 2006 12:50 PM

@GPE

If the identity the person was given in the first place was secure, why do we need this security on a new piece of identity?

If we assume for a minute that the government has the right to require the ability to uniquely identify the people within its borders, then the "I am not a criminal" flag would be best implemented as simply an attribute of the persons ordinary, secure, identity.

That would probably need to be implemented using the following tables:

IDCardTable:
CardID
PersonID
Status (Valid, Invalid, Stolen)

People table:
PersonID
Name (Not Nullable)
Address

Criminal history table:
PersonID
CriminalActivityID
Status (Cleared, Suspect, Convicted)

Criminal activity table:
CriminalActivityID
Name (Nullable)
Description (Nullable)

Now, you can check the status of a Card, verify that the card belongs to the Person, verify that the Person has already been Cleared of a specific Criminal Activity.

If your card gets stolen, you would have to go through some lengthy check to get a new card issued, which would implicitly make the old card invalid.

pand0raApril 12, 2006 11:55 AM

I have read through about half of the posts here and I have not seen anyone address the positives and negatives of using a smart card with a digital signature for validation. Combine that with a pin number that only the user knows and I would think that should provide decent validation.

DavidTCApril 17, 2006 5:58 PM

It could work. But not as a card. But only if it's designed to solve exactly one problem. Specifically, you getting confused with someone else identity.

If at any point, you are ever confused with Person X, the government should do a lot of checking, and put you in a database. Not to verify who you are, but to verify that you are not Person X. The person who incorrectly thinks you're X would have to input, into a publically accessible page, X's address or SS number or some other personally identifably information, and a code you know, at which point it would pull up the photo of you and say 'This person is not Person X'. (And, hey, they don't even need to record any personal information about you. They'd need info about the other person for matches, but would never have to actually display it to anyone.)

It should be a LEGAL requirement to do this by law enforcement people as soon as they have you in custody, if you tell them to. (By 'custody', I mean 'in the police car', not 'after going through two hours of booking'.) Law enforcement agencies should be typing in the arrest warrant number or whatever instead of the address.

And a legal requirement for credit agencies to accept, via fax, a notorized copy of a driver's license (To compare with the photo online.), and the burden of proof is now on them to associated those two identities in any way.

This, however, could not solve 'identity theft', which is someone else delibrately getting confused with your identity. This is not an error on the part of the people who think you are you, because you, indeed, are you. It is an error on the part of the people who were delibrately confused by the other person into thinking he was you, and that error must be corrected there.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..