On the Record

By Jim McKay, Justice and Public Safety Editor
Government Technology
July 27, 2005

You call "identity theft" a misnomer, saying that the fight against fraud might be more effective if we thought of it as impersonation rather than ID theft. Could you elaborate on why?

"Identity theft" doesn't make sense as a term. Your identity is the only thing about you that cannot be stolen. The real crime is fraud due to impersonation. Even worse, by calling it "identity theft," we naturally focus on the wrong solution: making personal information harder to steal.

We need to make personal information less valuable, harder to use. By calling the crime what it really is, it's more obvious where the solutions lie.

How should we go about doing that?

It's simply too easy to use identity information to commit fraud. Someone shouldn't be able to complete a form in a magazine and open a credit card in my name. Someone shouldn't be able to guess my password and make large monetary transfers in my name. Financial services needs to slow down and take security more seriously. Europe is a good model here -- identity theft is less of a problem because it's harder to use personal information to commit fraud.

Of course, banks and credit card companies are going to oppose any limits on their business. They like the fact that it's trivially easy to get a credit card. But they're not bearing the full costs of identity theft.

Why is personally identifying information easy to sell? Who should be protecting it, and who isn't protecting it properly?

Personally identifying information is easy to sell because there are no laws against selling it. If we're serious about making it harder to sell, we need to make it illegal to sell. It really is that simple.

The Europeans have comprehensive data protection laws. Information collected for one purpose can only be used for that purpose. It cannot be used for other purposes without going back to the individual and asking permission. That kind of personal privacy regime will make it very hard to sell personally identifying information. Businesses won't like it, though, so it's unlikely to happen in the United States.

Of course, personal information is also easy to steal. So making the information illegal to sell is only part of the solution -- we need to also make organizations responsible for the security of the data they're entrusted with.

What's the role of the federal government in this? What about the role of state governments? Is it a matter of passing different or better laws?
The one thing I would like to see government do is make financial institutions liable for fraud. Until banks bear the costs of losses, they're not going to fix the problems. It's basic economics.

Why are European countries doing better at fighting fraud than the United States?

I've already given some examples. In general, Europeans are much better at balancing personal security with the needs of business. In the United States, at least under the current administration, we largely ignore individual interests in favor of corporate interests.

Europe doesn't have the same notion of "credit rating" that we have in the United States. European banks have different procedures to open bank accounts and credit cards. There are different rules about account holders accessing their resources. The U.S. financial industry views these as inefficiencies and impediments to business, but they make European citizens safer.

Government is a seller of personally identifying information. Should that practice be stopped? If not, what should be done to assure that government doesn't abuse or misuse personal information?

Government should both stop selling personal information, and pass laws regulating the security and privacy of the personal information it is entrusted with.

Since total security is not feasible or even possible when it comes to governments, do you think we also should replace the term "security" with something like "managed risk"?

Total security isn't feasible or possible for anything, but it's still a useful word. I think we're better off replacing people's unrealistic expectations of security with more realistic ones ... ones based on risk. The key is to remember that security is a continuum, and not all or nothing. Security is a trade-off.

As for the term, I like the word "security." And in general, I think we're all better off by limiting business-speak and not creating more of it.

Is security too often viewed as a technical problem and not a people problem? What's the solution?

The first solution is to stop looking for "the solution." Security is primarily a people problem, but technology plays a huge role in it. You're certainly right that there is a widespread belief that technology can "solve" security problems. My latest book, Beyond Fear, directly addresses this issue.

Should software companies be liable for producing software replete with security holes? What will it take to get them to do a better job of fixing these security holes?

The only thing that will get software companies to sell more secure software is for it to be more expensive for them not to. Capitalism works, and it's simply wrong to expect private corporations to act as charities. The trick is to make it in a corporation's financial interest to sell secure software. Competition is only partially effective for several reasons, and more incentive is required. Either liabilities or regulations will directly affect a software vendor's bottom line.

earlier story: Recommended Reading: Getting Smart About Information Security
later story: Does Trusted Computing provide security for users or from them?
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..