Does Secrecy Help Protect Personal Information?

Personal information protection is an economic problem, not a security problem. And the problem can be easily explained: The organizations we trust to protect our personal information do not suffer when information gets exposed. On the other hand, individuals who suffer when personal information is exposed don't have the capability to protect that information.

There are actually two problems here: Personal information is easy to steal, and it's valuable once stolen. We can't solve one problem without solving the other. The solutions aren't easy, and you're not going to like them.

First, fix the economic problem. Credit card companies make more money extending easy credit and making it trivial for customers to use their cards than they lose from fraud. They won't improve their security as long as you (and not they) are the one who suffers from identity theft. It's the same for banks and brokerages: As long as you're the one who suffers when your account is hacked, they don't have any incentive to fix the problem. And data brokers like ChoicePoint are worse; they don't suffer if they reveal your information. You don't have a business relationship with them; you can't even switch to a competitor in disgust.

Credit card security works as well as it does because the 1968 Truth in Lending Law limits consumer liability for fraud to $50. If the credit card companies could pass fraud losses on to the consumers, they would be spending far less money to stop those losses. But once Congress forced them to suffer the costs of fraud, they invented all sorts of security measures--real-time transaction verification, expert systems patrolling the transaction database and so on--to prevent fraud. The lesson is clear: Make the party in the best position to mitigate the risk responsible for the risk. What this will do is enable the capitalist innovation engine. Once it's in the financial interest of financial institutions to protect us from identity theft, they will.

Second, stop using personal information to authenticate people. Watch how credit cards work. Notice that the store clerk barely looks at your signature, or how you can use credit cards remotely where no one can check your signature. The credit card industry learned decades ago that authenticating people has only limited value. Instead, they put most of their effort into authenticating the transaction, and they're much more secure because of it.

This won't solve the problem of securing our personal information, but it will greatly reduce the threat. Once the information is no longer of value, you only have to worry about securing the information from voyeurs rather than the more common--and more financially motivated--fraudsters.

And third, fix the other economic problem: Organizations that expose our personal information aren't hurt by that exposure. We need a comprehensive privacy law that gives individuals ownership of their personal information and allows them to take action against organizations that don't care for it properly.

"Passwords" like credit card numbers and mother's maiden name used to work, but we've forever left the world where our privacy comes from the obscurity of our personal information and the difficulty others have in accessing it. We need to abandon security systems that are based on obscurity and difficulty, and build legal protections to take over where technological advances have left us exposed.

This essay appeared in the January issue of Information Security, as the second half of a point/counterpoint with Marcus Ranum. Here's his half.

Posted on May 14, 2007 at 12:24 PM • 31 Comments

Comments

Joe BuckMay 14, 2007 1:14 PM

There's a problem with the very term "identify theft". Just to use the term is to shift responsibility onto someone who is really an innocent third party.

Consider the case where Charlie buys something from Alice, but pretends he is Bob. Alice bills Bob's account. Bob tells Alice that he never bought anything and never received the goods.

If we call this "identity theft", then we are saying that Charlie stole from Bob, and Bob still owes money to Alice and has a damaged reputation until the matter is cleaned up. But it is Alice who was not careful enough to make sure that Charlie's purchase was legitimate. Charlie stole from Alice, not Bob, and it shouldn't be Bob's problem.

BobMay 14, 2007 1:19 PM

In particular, the government could solve the SSN issues by just posting them all on a public web site. They would still be useful as identifiers, but no longer for authentication.

Carlo GrazianiMay 14, 2007 1:21 PM

"We need a comprehensive privacy law that gives individuals ownership of their personal information and allows them to take action against organizations that don't care for it properly."

Ownership of personal information is tough. Information ownership is basically IP law, and the only branch of IP law that could conceivably be pressed into service is copyright law. However, a few years ago there was a supreme court decision that could queer the pitch.

In a 1991 case, the Supreme Court held that the white pages of a telephone directory (containing an alphabetical listing of all residents with telephone service in a defined geographic area) was insufficiently creative to merit copyright protection. The Court held that the requirement of creativity was not merely statutory, but rooted in the Copyright Clause itself.

What I think this means is that there is no hope of individuals meeting the creativity test to copyright their personal information. So copyright law is probably not going to work. Some other category of intellectual property would effectively have to be created to encompass "personal information", and a new body of law established around it.

But of course, I'm not a lawyer, so I could be way off base.

Andre LePlumeMay 14, 2007 1:23 PM

" We need a comprehensive privacy law that gives individuals ownership of their personal information and allows them to take action against organizations that don't care for it properly."

Sure, that'd work alright.

But consider what you would need to do to get it to happen. You'd need to harness the energy of millions of ordinary folk each of whom has a rather small interest in seeing this change occur, and deploy it against the organized interest of the credit bureaus and information resellers each of whom would have their very existence threatened by such a change.

So, if you want to talk economics, consider the collective action problem this represents. I would say that unless easy access to credit reports is somehow definitively tied to "the events of 9/11", the probability of this assignment of property rights has just about zero likelihood of occurring in the U.S.

skateMay 14, 2007 1:34 PM

"The credit card industry learned decades ago that authenticating people has only limited value. Instead, they put most of their effort into authenticating the transaction, and they're much more secure because of it."

I question holding up the credit card industry as a positive example of security. The credit card industry has fought hard to keep "identity theft" easy by resisting efforts to make it harder to get credit or to require notification to individuals at their current address and phone number of attempts to change their address for a new credit card. In addition, the banking industry been promoting low security "signature based" transactions over on-line PIN based transaction because the signature based transactions cost less to process.

Brandioch ConnerMay 14, 2007 1:58 PM

It's not the "secrecy" as such.

Again, the easiest way to secure online transactions would be for the bank to CALL the number it has on your bank record and ask you to authorize the transaction.

Knowing your phone number would be useless. They'd have to have your phone (or the ability to re-route calls).

This will NOT stop fraud, but it will INCREASE the EFFORT that the criminals have to expend for each and every theft.

The primary problem today is that there is almost no effort required to commit fraud.

RoyMay 14, 2007 2:06 PM

Fifty years ago, if somebody falsely claimed in writing that you were a deadbeat, that would be libel, punishable by fines and imprisonment. Fines can be cost-shifted away, but jail time cannot.

Nowadays, credit references can libel freely without remorse, or fear, not even fear of fines. The worst that could happen is an injunction asking them not to do it again, but that's not really enforceable because their computers can offshift the work to someone else's computers, and -- problem unsolved.

If we brought libel back as a consumer protection issue, the threat of jail time would scare businesses into solving their problems themselves.

BTW, I only once signed a credit card. When I got my first card somebody told me nobody compares signatures, and all I'd be doing is giving some thief a sample of my signature. The one exception was when a clerk checked the back of my card and saw no signature, then told me it was their policy to reject unsigned cards. So I signed the card with my full name, cramming it into a space about a half inch wide and an eighth of an inch high. I handed the card back with a grin, and the guy had no choice but to accept it.

@Joe Buck

You are dead right. Your identity is the answer to the question, of all the people who ever existed, which one are you? That answer cannot be stolen. 'Identity theft' was cooked up by some lawyer to frame the crimes of impersonation, fraud, and so on as not being crimes anymore, so the police and the DA would exclude them in crime reports. The authorities are not only failing badly to deal with these crimes, they themselves are the biggest part of the coverup. The big media toe the party line.

NMay 14, 2007 3:45 PM

Bruce, you seem to believe that the government has made the credit card companies liable for fraud losses, and that they have therefore invested in all sorts of technology to keep fraud low. But in fact, the credit card companies pass their losses off to merchants, in the form of chargebacks. Rather than eating their own losses, the credit card companies recover the lost money from the merchants. So merchants not only lose merchandise to fraudsters, but they also lose the money they were paid. If the credit card companies are so good at preventing fraud, why is there such a brisk trade in stolen credit card numbers in online chat rooms devoted to that purpose? When personal information is used to open new accounts, there simply needs to be a better way to make sure that the person using the information is authorized to do so. That involves authentication of the person, not the transaction. Without better authentication, stolen SSNs and other personal information will continue to enable identity theft.

X the UnknownMay 14, 2007 4:16 PM

@Carlo Graziani: "Ownership of personal information is tough. Information ownership is basically IP law, and the only branch of IP law that could conceivably be pressed into service is copyright law."

Actually, there is another very well-researched branch of IP law that might be somewhat applicable, even though it is not generally considered IP: Electronic Funds handling. For *REAL* money, nobody uses physical currency any more. It's all just interpretations of signals and electronic records. And THAT very demonstrably non-Copyrightable information is nevertheless extremely well protected and monitored.

I don't really have any good ideas how to extend this to Personal Information, but it is very clear that we have plenty of good systems for safeguarding, monitoring, and auditing electronic information, when we want to. Maybe something as simple as legally declaring that:

a) Personal Information is the property of the person in question.

b) Personal Information has a value (either a set value, indexed to inflation, or some formula based on earning potential or taxes paid, or something).

c) Any entity using said data has a fiduciary responsibility in handling that data - and is liable for the specified value upon mishandling it. Just like a bank is liable if it somehow misplaces your "money" (which is really just a number in their accounting database).

sooth_sayerMay 14, 2007 4:25 PM

Mothers Maiden Name .. the card companies and banks have gone further.

This unfortunately is due to Fed's asking banks to soup up security by providing secondary and tertiary checks.

One bank asked me "name of your first girl-friend".
Another asked "Your grandfathers profession"

I am waiting for the next shoe .. like
" name of the your mothers first boyfriend"
or
"Bust size of your kindergarden teacher were infatuated with "

I can go on .. I have complained to the customer service by writing .. but it goes to no mans/womans land.

Recently Citibank started emailing me pdf e-statements password protected by my DOB !!! My mails complaining about it, told me how to open a pdf file ..


I don't think there is a review of exposing more and more personal information inside these organizations.... that's where it's likely to be stolen from.


sooth_sayerMay 14, 2007 4:26 PM

sorry I ate a few words in the last mail .. I hope you understand it was for security reasons.

Jay74May 14, 2007 4:30 PM

I was dealing with a credit card company on the phone the other day, and they asked me some questions, but one just wreaked of a DAS error. They asked me the month of my mother's birth, and then proceeded to list 4 months I had to choose from. Why on earth they would increase my odds from 1 in 12 to 1 in 4 is beyond me.

White CollarMay 14, 2007 4:46 PM

@Bruce,

"Make the party in the best position to mitigate the risk responsible for the risk. What this will do is enable the capitalist innovation engine. Once it's in the financial interest of financial institutions to protect us from identity theft, they will."

I have some doubts about this. Let's suppose that tough Federal laws were introduced that punished companies for losing personal information. These new laws would certainly give American companies the incentive to start treating personal data more safely but isn't there a risk that some data processing will be outsourced to countries beyond the reach of the law?

Business is already very happy to outsource lots of data processing tasks so why not outsource storing personal data as well? It seems plausible that some companies might find it cheaper to avoid the risks of data storage by outsourcing that role overseas. Your idea could even increase the risk of data theft by driving the data storage role into parts of the world where business ethics standards are lower.

I suggest that legislation intended to assign responsibility for personal data storage needs to be thought out very carefully.

craigMay 14, 2007 6:10 PM

The credit card companies have managed to pass on quite a bit of the costs of fraud to merchants. While they do spend some money fighting fraud they would be a whole lot more interested in it if they bore the entire cost of the fraud. Large merchants are trying to do what they can to cut down on fraud (my grocery store offers biometric payments) but they only control a small part of the system.

AnonymousMay 14, 2007 7:26 PM

@Bruce

"Make the party in the best position to mitigate the risk responsible for the risk. What this will do is enable the capitalist innovation engine. Once it's in the financial interest of financial institutions to protect us from identity theft, they will."

FYI:
DHS Employees Sue TSA over Lost Hard Drive.
http://www.eweek.com/article2/...

AnonymousMay 14, 2007 8:04 PM

@skate: Banks push signature transactions not because they cost less to process (they cost about the same amount -- computer time and bandwidth are cheap), but because they earn the traditionally high fees that go with credit cards. In contrast, PIN debit came out of the ATM network, so they earn a much lower fee.

It again goes back to what Bruce is saying. Credit cards don't care about security as a principle; they care because it hits their pocketbook. Signature vs. PIN hits their pocketbook in such a way that the more secure transaction hurts them financially, so they prefer the insecure and more profitable solution. (Actually, debit cards are bad for consumers as far as reporting fraudulent transactions. Credit cards have stronger protections.)

Some stores are actually fighting back by suggesting PIN debit. See, e.g. http://startup.wsj.com/runbusiness/billcollect/... -- "Some of the nation's biggest retailers, such as Wal-Mart Stores Inc. and CVS Corp., have been steering customers to PIN-debit machines for years. Now, say industry consultants, analysts and some retailers, the practice is gaining steam, especially among mom-and-pop retailers that aren't easily counted."

credit card aidMay 15, 2007 1:35 AM

you're quite right on the point of credit card companies which are not so very concerned about improving security measures. The thing's that even if fraud does happen, they also have ways to draw funds as you must pay for the investigation..

HermanMay 15, 2007 2:09 AM

How typical American.
First they try to change something that works perfectly fine in the name of "progress" or "convenience" or "freedom", not realising they are creating shitloads of problems. Once the ugly truth hits home all kinds of measures are taken to circumvent and fix the problems. But actually the opposite happens, shitloads of new and worse problems are being created, and the perpetual cycle starts.

Funny how all that credit and identity theft bullshit is an almost exclusively American problem and almost unheard of outside the US. I wonder why?!?

Someone wants to steal my identity? Fine, fucking go ahead. Try to get a credit card in my name. It won't work since my bank knows me, and since I and most other people around me don't own and use credit cards in the first place. I'm not worried about "bad credit" either, because those bullshit credit reporting companies simply do not exist in most civilized nations.
Why use plastic when cash and account to account money transfers exist?

Dimitris AndrakakisMay 15, 2007 5:55 AM

@Bruce:

FYI:

"It would be impractical for the US to monitor how its border guards use the massive databases it is building on European citizens, US Homeland Security Security secretary Michael Chertoff told the European Parliament yesterday."

[...]

"He suggested the Anglo-Saxon legal principle that "it is better that a thousand guilty go unpunished lest one innocent man be wrongly punished" might be outmoded."

http://www.theregister.com/2007/05/15/...

Are these people serious ???

DougMay 15, 2007 7:02 AM

I'm perplexed by an apparent contradiction. On the one hand, you say that the party that can best mitigate risk should be responsible for the risk. Then you say that credit card security works so well because of Reg. E.

What about the scourge of infected consumer computers? An infected consumer computer leaks banking and personal data that can be used to impersonate an individual in a financial deal (e.g., take out a fake mortgage). The individual controlling the computer is not held responsible even through they are in the best position to secure the computer; the mortgage holder suffers the loss -- even though the mortgage holder bought the paper after the mortgage closed.

Are you saying that the individual whose computer was 0wned should suffer the loss? Or the mortgage holder?

Clive RobinsonMay 15, 2007 8:09 AM

@ js

"The UK Data Protection Act 1998"

Is a bit of an old toothless tabby cat.

If you go and check the DBs that some organisations have registered and what they have registered them for you would be horrified (London Transport / Transport For London being a case in point).

Also the Data Protection Registrar is not known for wealding a battle axe when dealing with transgresers so organisations get away with it...

oopsMay 15, 2007 9:20 AM

I thought Marcus had some good points, until I got to the line about the "last time [his] credit card was stolen". That doesn't sound like the guy I want to take security advice from.

C GomezMay 15, 2007 4:00 PM

Well, I don't know if his card was stolen or if his information was misused. But so what? People get bags stolen everyday and that doesn't make them idiots.

I've had my credit card accounf fraudulently charged against and my debit card charged against. In each case it was trivial to notify the creditor or bank, and they refunded or credited all the fraudulent transactions.

It was no big deal at all.

Maybe I am extremely lucky, but I find the idea that its hours upon hours of work to turn back fraud like to be largely unsupported.

Everything Bruce says is correct. Verifying identity by using secret questions like the year your grandfather was born or the house you lived on growing up are not good sources of security. I should not verify who you are by something that identifies you. Instead I need to use other factors that by definition are 100% known to only you or in your control.

"Something you have and something you know."

jxcMay 16, 2007 7:49 AM

Bruce,

From your May Crypto-Gram

>First, fix the economic problem. Credit card companies make more money
>extending easy credit and making it trivial for customers to use their
>cards than they lose from fraud. They won't improve their security as
>long as you (and not they) are the one who suffers from identity theft.
>It's the same for banks and brokerages: As long as you're the one who
>suffers when your account is hacked, they don't have any incentive to
>fix the problem.

The credit card companies and credit bureaus, in my opinion, have built a protection racket into their business model. No need to have the goons walk up to your house/business and say, this window here could be broken if I you don't pay $15 a month to keep it safe (or $10 to lock unlock "your" credit report). These business are aiding and abetting criminals, with no reasonable possibility of being "part of the crime". I'll bet pawn brokers would love that deal, "Officer, I didn't know or even think that stuff was hot. I promise never to do it again. Have a nice day!"

oopsMay 16, 2007 2:48 PM

"Well, I don't know if his card was stolen or if his information was misused. But so what? People get bags stolen everyday and that doesn't make them idiots."

No, but I didn't quote the "online" part, and the fact that this was the "last time" suggests it's happened before. It's not difficult to *not* have your credit card info stolen online.

Keith ThompsonMay 16, 2007 7:12 PM

As far as my bank knows, my first pet's name was LBoOVPYl19i9VtPi, my elementary school was called YqAizsCwT1uRF3Y3, and my favorite hobby is jVXSGuUaPW3HcQhj.

Not literally, of course, (I wouldn't post the actual information) but you get the idea.

TessrTornJuly 15, 2008 9:03 AM

Apple Inc.'s new data synching service got off to a rocky start Thursday, as some users were denied access to their accounts just hours before the next-generation iPhone is slated to go on sale.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..