Schneier on Security
A blog covering security and security technology.
« Forge Your Own Boarding Pass |
| How to Steal an Election »
November 2, 2006
Insider Identity Theft
CEO arrested for stealing the identities of his employees:
Terrence D. Chalk, 44, of White Plains was arraigned in federal court in White Plains, along with his nephew, Damon T. Chalk, 35, after an FBI investigation turned up the curious lending and spending habits. The pair are charged with submitting some $1 million worth of credit applications using the names and personal information -- names, addresses and social security numbers -- of some of Compulinx's 50 employees. According to federal prosecutors, the employees' information was used without their knowledge; the Chalks falsely represented to the lending institutions, in writing and in face-to-face meetings, that the employees were actually officers of the company.
Posted on November 2, 2006 at 12:15 PM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Spell check Bruce - "indiser"
This is way beyond insider identity theft. This is a company embezzling from its employees.
This is a new twist on the maxim that the greatest security threats come the inside. How can you possibly defend yourself against a creep like this?
This is a horrifying breach of trust and without question, Chalk should be punished but did anybody notice the sentence that the Feds are threatening him with?
"165 years in prison and $5.5 million in fines"
Does it really make sense to put a white collar criminal in jail for the rest of his life? I say not, especially when you consider the cost to the taxpayer. My understanding of Federal prosecutions is that 99% of defendants plead guilty to bargain down the sentence to something manageable. You may say to yourself "good" but in borderline or tricky legal cases the defendant cannot fight because they are risking their life if they do. That does not seem like justice to me.
> Does it really make sense to put a white collar criminal in jail for the rest of his life?
I would hazard a guess that a great many of these sorts of white collar crimes have a much greater net negative impact on society than a single murder or robbery.
Think of all of the consequences of this sort of massive theft -> all of the stress, heartbreak, and *work* created for all of the victims, and all of the related consequences... Some of the larger "white collar crimes" have led to suicides, divorce, health consequences, you name it.
I would argue that people in these positions of authority and trust deserve far *worse* consequences for these sorts of actions than someone who beats up a passerby and steals a wallet.
Kill someone while stealing their purse, and you take an innocent life and ruin several others. Steal the financial security of dozens or hundreds or thousands of people, you're at least partially responsible for the consequences, which can cascade into a massive amount of misery.
I agree that some of those sentences are crazy. I understand that if you cause irreparable damage to somebody's retirement benefits and credit history (Enron?), you should get a tougher sentence, though. But then again, in some parts of the world the usual sentence for murder is 15 years.
If they can collect the $5.5 million, that should pay for his stay in prison. It seems excessive, but ...
I live in a state where people are serving 25 to life for petty crime like stealing a bicycle, thanks to the "three strikes" law. If this guy robbed more than three people, he's in a similar category. Perhaps the only way to get support for more humane treatment of petty criminals is to subject corporate execs to similar measures if caught.
>You may say to yourself "good" but in borderline or tricky legal cases the defendant cannot fight because they are risking their life if they do. That does not seem like justice to me.
The same can be said about penalties for murder, rape, and other violent crime. You can argue that 25 to life is excessive, and it only encourages a defendant to take a plea of manslaughter with 15 years because otherwise it's "risking their life."
I think this guys should be afforded a fair trial, and the punishment should follow the decision of the jury.
I actually wrote about this awhile ago. See the link for the article.
Don't you just love the modern legal system?
Instead of paying restitution to the victims, the new way (~1930+) is to fine in the name of 'society', which in reality goes to bureaucratic coffers. And as for jail, the victims then have to pay taxes to support that.
The way to seek justice is to have the crooks pay back their victims, or the credit agency plus damages and administrative costs, as opposed to springing the costs on the victims and pocketing the money to build new statues outside the courthouse.
If the crooks can not pay back their victims then they will have to work and repay in time. Yes, that's right, I support indentured servitude to pay restitution to the victims of your crime.
That is real justice. What we have today is nothing but judicial racketeering.
"Yes, that's right, I support indentured servitude to pay restitution to the victims of your crime."
"Indentured servitude," huh? "De facto slavery" is more like it. Unless you've got mentally disordered people who are stealing for kicks, the perps are unlikely to have the money to make a viable restitution up front. Which, presumably is why they were stealing in the first place. You're not going to find prison work that affords the kinds of wages that would allow someone to pay off, say $100,000.00 in anything approaching a reasonable amount of time. And if you could, there would be an immediate outcry that those jobs should go to the law-abiding. Most of American society would gladly sell out the theives' targets in order to keep the theives themselves locked up longer.
So while I understand the sentiment, and see the attractiveness, I doubt that you could make it really workable in practice - in that in the end, the people who you're intending to benefit would still see only a small fraction of their money returned to them.
I also think that you would have a movement to, in effect, bring back weirgeld (I'm positive that I mispelled that), as targets of other crimes would start demanding civil actions be taken against criminals in the name of judgements that would then force the convict to work for repayment. There's already one case in which a man was exonerated after having his assets liquidated to pay a judgement in a rape case. I don't have the article in front of me, so I have no idea how the question of the money is being handled.
This illustrates a major problem in many employee/employer interactions - while employers are free to implement a number of measures to defend themselves against criminally-minded workers, it's hard to get a job without forking over enough personal information to allow someone to steal your identity. In effect, employers are in a position to DEMAND trust from potential employees. While a number of current laws expose employers to liability for such actions, the very nature of corporations tends to insulate the people in charge from the justice system.
Given that it's next to impossible for ANY organization to protect sensitive information from all insiders - (After all, if the guy who maintains the database isn't allowed to know what's in it, how can he be sure the data stays intact?) - you're going to have instances of this sort of thing. Given that most corporations aren't about to give rank-and-file employees the ability to monitor the actions of corporate officers, about the only defense that most will have are draconian punishments that would give the more casual crook reason to think twice.
"How can you possibly defend yourself against a creep like this?"
By being able to put a freeze on your credit report before you actually get taken to the cleaners.
This solution is so simple and obvious, it's no surprise that it's got fierce opposition.
'"Indentured servitude," huh? "De facto slavery"'
'You're not going to find prison work that affords the kinds of wages that would allow someone to pay off, say $100,000.00 in anything approaching a reasonable amount of time.'
I think you misunderstand my meaning of 'indentured servitude'. You are indentured only in the sense that you can not quit from repayment. You are not put in a prison and asked to do makeshift work. You choose what you can do. House arrest or some sort of monitoring would accomplish the same goal without all the disgusting elements of being confined to a cell.
'And if you could, there would be an immediate outcry that those jobs should go to the law-abiding. Most of American society would gladly sell out the theives' targets in order to keep the theives themselves locked up longer.'
Right! Because keeping people from being employed is a great means to achieve real growth.
Next, I suppose you will be telling me that the welfare system fosters real growth, and that we should keep people from being employed otherwise we'll have nothing to do. The reductio ad absurdum of this doctrine is to go back to the cave days of self-sufficiency, a complete disintegration of the division of labor, and mass starvation.
'So while I understand the sentiment, and see the attractiveness, I doubt that you could make it really workable in practice - in that in the end, the people who you're intending to benefit would still see only a small fraction of their money returned to them.'
How so? If the criminal has to pay back what he stole, the administrative costs of trial, jury (if needed), lawyers (for both sides) and the costs of monitoring repayment (not that much different than debt collection services), then were is the problem.
The only one I see is that it goes against the grain of today's methodology of jurisprudence.
'I also think that you would have a movement to, in effect, bring back weirgeld (I'm positive that I mispelled that), as targets of other crimes would start demanding civil actions be taken against criminals in the name of judgements that would then force the convict to work for repayment.'
Falsely claiming victimhood and trying to get a piece of the pie is a crime in itself. It is fraud, and the one who brings it up should be subject to pay restitution to the victim, which in our case can be a criminal too.
Identity Theft has clear victims, as the name suggests.
'While a number of current laws expose employers to liability for such actions, the very nature of corporations tends to insulate the people in charge from the justice system.'
Bingo! That is because the laws governing corporations have taken a nose since the 1870s and especially the 1930s. Most liability has been transferred to customers, employees, bond-holders, and non-board share- holders. The incumbent managers have almost entirely insulated themselves from liability issues (except in the case of arbitrary political pressures - like Enron, Worldcom, etc.).
The reasons are exactly the same - rather than make restitution to the victims of random crimes, a whole framework of regulations was constructed on utilitarian grounds so as to 'scientifically' minimize such occurrences. What it failed to do was to minimize the crimes, what it did do was shift the beneficiaries of crime, raise market barriers to entry, halted innovation by restricting different organizational structures, and most importantly (in our case) increased the occurrence of crime drastically.
'Given that most corporations aren't about to give rank-and-file employees the ability to monitor the actions of corporate officers, about the only defense that most will have are draconian punishments that would give the more casual crook reason to think twice.'
Why the need for draconian punishments? Isn't returning the spoils of your crime a good enough reason not to engage in crime?
I honestly have no idea how this idiot and his nephew expected to get away with it.
If these jokers are convicted, an "appropriate punishment" would be to monitor the credit reporting requests of their intended victims. For at least 15 years.
The purpose, of course, is to prevent the identity theft they were trying to do in the first place.
Thanks for the feedback. I suspected my last post would provoke a strong response.
I am not trying to deny the real damage white collar crime can do, but I do suggest that attempts to deter by punishment are mostly futile. Please read further; there will always be people in positions of reponsibility with desperately difficult problems.
The "three strikes" idea is lame - especially when the cost to the taxpayer is concerned.
I have no easy answer to dealing with compulsive petty criminals and I do not think that a CEO committing mass ID fraud is comparable. The CEO should be punished severely in comparison to petty thieves.
I suggest that being prosecuted by the Feds and prosecuted by local law are different things. The stakes may be high but losing the gamble for a 25 year sentence is not the same as losing the gamble for a 165 year sentence, especially, if your are below (say) 25 years age.
Here goes; now we get to the meat.
How many CEOs decide, in cold blood, to committ mass fraud, pension fund raiding, share price manipulation ... I suspect that the answer is few or none.
The real question is what capability for fraud does a *desparate* CEO have when faced with personal bankcruptcy, humiliation and failure.
For me, this is the crux of the matter. Most people who think they are at least getting by in life will not committ crime for money. Bear in mind that the percieved difference between 'getting by' will vary enormously between different levels of society. A poor person faced with the prospect of failure and starvation may committ serious crime to stay alive. A CEO faced with bankruptcy has much, much greater opportunity for crime due to their relatively privileged position. My heart goes out to the truly poor and desperate but please think about the next line:
Rarely has a CEO taken on a job with the intention of fraud.
It is only when (ostensibly) successful people feel cornered and desperate that they do stupid and destructive things. Punishing the law breakers afterwards may make you feel better but it will not stop the next company failure and associated risks.
What use will "freezing your credit report" be after being defrauded?
Sorry, I just don't get it.
Until we have a clear recognition of the need for privacy, even within company records, then there will always be a risk that identifying information can be misused.
The question was what can be done as a defense. I read that as "ahead of time". The answer is to freeze your report. That way, if someone subsequently steals your personal information and tries to obtain additional credit in your name (for example), you are contacted and can say "Nuh-uh. I didn't apply for that mortgage, loan, yacht insurance policy, etc".
You are 100% correct that if you can only do the freezing after being defrauded, then the protection is not only worthless but insulting. That, though, is precisely what is favored by various opponents of the approach I was advocating.
IMO, a better solution would be to give those to whom the personal information pertains a property right in that information, or at least (as you favor, I think) a set of EU-style rights over it. I do not think that is realistically obtainable, near-term, in the USA. The credit report freeze defense, while second best, is attainable, I think.
"Punishing the law breakers afterwards may make you feel better but it will not stop the next..."
So, not punish them? Then on top of not solving the problem, we don't even get to "feel better." We are humans; revenge is in our blood.
Anyway, you seem highly sympathetic toward CEOs.
Ah. I see. You are, in effect, referring simply to mandatory seizure of assets and then garnishment of any wages until the debt is paid. That's not really comes to mind when I think of "indentured servitude," which, for me, implies that the convict is not free to chose what work they will perform, and would preclude any attempt to leave current employment without permission.
You know, some kind of strong authentication framework that replaces the weak identification we currently use would solve this use of "identifying information" by replacing it with something stronger, possibly cryptographically strong. However, there are many privacy problems that are inherent in that as well. Anyone got an idea that could allow privacy as well as strong authentication/authorization? Perhaps a pseudonymous system, akin to Ebay?
"I honestly have no idea how this idiot and his nephew expected to get away with it."
Yes, how indeed. Any calm, rational person would forsee the consequences of their actions. IMO, Chalk was almost certainly in a distressed, confused state of mind when he started defrauding his own employees.
I cannot help but think about the Nick Leeson story (trader who single-handedly ruined Barings Bank http://en.wikipedia.org/wiki/Nick_Leeson). It is important to understand that Leeson did not start out with the intention of being a crook but once he made some mistakes, he become more and more desperate to get out of the financial hole he had dug for himself.
It seems that some people lose all sense of judgement when faced with financial problems.
"... you seem highly sympathetic toward CEOs."
No, I'm not. As I said, Chalk deserves punishment. I do question the trend towards ever longer sentences because I doubt it will prevent further financial stupidity by people in positions of trust. Personally, I think it makes more sense to understand the psychological pressures that might make a CEO do something so stupid and build checks and balances into a system that mitigate the risks.
It's understandable that after scandals like Enron that the authorities have tried to frighten off fraudsters wiht stiff prison sentences. Unfortunately, I doubt this will do much good in the long run for the reasons given above.
It's a good thing Founders and CTOs are compensated so well, or else we could see some huge problems!
Yes, credit bureaus take our personal information and then sell them, charge us to review the information (more than once a year, only thanks to a new law), and often have errors that are simply too hard to fix. Heck, one of my reports doesn't even have my correct birthdate, something that's pretty odd since people pay them money for information about me, yet they can't even get this most basic date correct.
I understand where you're coming from, but you sort "bait-n-switch"ed the thread.
Fundamentally, the concept of judicial punishment can be about revenge, restitution, correction, or quarantine, or all four, or some combination thereof. The implementation of judicial punishment in this country is based upon how a particular electorate evaluated those four factors with regards to a particular definition of a criminal activity at a particular moment in time, instead of any consistent evaluation of what's the proper response in general to criminal activity or the economic impact of the response.
If you want to talk about what judicial punishment *ought* to be (that's really a subject for an entire blog in and of itself), that's fine, but your original post didn't seem to be about the fundamental nature of judicial punishment, but the specific nature of this incident.
You asked a specific question, "Does it really make sense to put a white collar criminal in jail for the rest of his life?", and provided a specific opinion, "I say not". Arguing that point one way or another is actually going to depend entirely upon the question of the nature of judicial punishment.
So clear the table and start at the beginning :)
Actually, I've often thought that white collar crime might be one of the few cases where punitive sentencing as a deterrent might be a good idea.
For violent crime, I think it pretty clearly doesn't work - people don't kill one another after a careful analysis of (likelihood of being caught) x (likelyhood of conviction) x (negative utility of likely sentence) vs. (likelyhood of escaping) x (positive utility of so-and-so being dead). They act on impulse, and then do stupid self-defeating things that lead to their being caught. Reading about other murderers sentenced to life or executed has no deterrent effect.
People who hold up convenience stores don't think these things through either - they need some money right now, so they can buy drugs or groceries or pokemon.
White collar crime is a special case - these folks do take their time, consider the risks, possible outcomes, etc. It's usually not a crime of desperation either; Ken Lay wasn't doing so badly for himself that he desperately needed an extra few hundred million to make the rent and buy groceries...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..