Business your connection to The Boston Globe

Let's focus on the theft, not the identity

Identity theft is a nasty crime with a catchy name -- too catchy for our own good. Identity theft, though important, isn't the root problem, and focusing on it may distract us from real solutions.

And we need solutions badly. For a month or so, we've fretted over the news that careless database companies had sold crooks a couple hundred thousand Social Security numbers. Meanwhile, Boston College warns about 120,000 graduates that a computer hacker may have gained access to their personal information by raiding a computer that contained the alumni database.

It's bad enough that crooks can steal our personal data, or even purchase it. But it gets worse: They can often find the same stuff with Google. At least they can if they're as smart as Latanya Sweeney, an associate professor of computer science at Carnegie Mellon University.

In a paper she will present this week in California, Sweeney describes a program of hers that scans Google search results for files containing names and Social Security numbers. In her test of the software, Sweeney tracked down 140 job hunters who had posted resumes on the Web. For some odd reason, they included their Social Security numbers -- easy pickings.

Sweeney's motives are pure; she wrote another program to e-mail the 140 people and warn them of the threat. Nearly all cleaned up their resumes. Sweeney has proposed a service called Internet Angel that would automatically scour the Net and alert people if their Social Security numbers are online.
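The same kind of check can be run on your own documents before they go online. The sketch below is an added example, not Sweeney's program or the proposed Internet Angel service: it flags strings shaped like Social Security numbers in a piece of text and masks them in its report. The function names and the sample resume are constructed for illustration.

```python
import re

# Candidate: 3-2-4 digits with a consistent "-" or space separator, or nine
# bare digits, not embedded in a longer run of digits or hyphens.
_CANDIDATE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges that are never issued as SSNs, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text: str):
    """Return (line_number, masked_value) for each plausible SSN in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            area, _sep, group, serial = m.groups()
            if plausible_ssn(area, group, serial):
                # Report only the last four digits so the scan output
                # does not become a second copy of the secret.
                hits.append((lineno, f"***-**-{serial}"))
    return hits

# Constructed sample: an obvious dummy number, a phone number, a
# never-issued number and a ZIP+4, which should not all be flagged.
SAMPLE_RESUME = """\
Jane Example
Phone: 617-555-0100
SSN: 123-45-6789
Ref no. 000-12-3456, ZIP 02115-1234
"""

if __name__ == "__main__":
    for lineno, masked in find_ssns(SAMPLE_RESUME):
        print(f"line {lineno}: possible SSN {masked}")
```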

That number is the supreme prize for identity crooks, because so many public and private institutions use it as a primary means of identification. Combine a Social Security number with other data freely available online, and you can work up a fake identity with ease. Say you had my Social Security number. Next, you could go to, an Internet telephone book, and get my street address and telephone number. Then go to, and you've got my date of birth. In 30 seconds, you've got the makings of a first-class fake identity.

Lucky for me that a Google search won't turn up my Social Security number. But as we've learned, there are companies that will cheerfully sell it to the highest bidder. Shame on them. Thanks to the ChoicePoint fiasco, state and federal legislators are designing a host of new laws. One idea is a federal law modeled after the California statute that forced ChoicePoint to inform California residents their data had been stolen. Massachusetts Democratic US Representative Edward J. Markey wants to give the Federal Trade Commission the authority to impose data-security standards on database companies.

Worthwhile ideas, no doubt. And yet, because they're focused on the unjust appropriation of someone else's personal data, such ideas aren't good enough. They address the supply of unguarded personal data, but we can also undercut the demand.

After all, why should you care if someone goes around claiming to be you? It's no skin off your nose -- unless this poseur logs onto a credit card company site, sets up a new account in your name, and saddles you with the cost of a new spring wardrobe.

That's not identity theft, according to computer security expert Bruce Schneier, author of "Secrets and Lies." It's just plain theft -- "impersonation leading to fraud," he said. "I think when we call it identity theft, we lose the battle."

In Schneier's view, it's impossible to eliminate impersonation, especially when somebody is stealing money online. On the Net, nobody knows you're a thug. Any conceivable authentication method can be faked -- even biometric data like fingerprint scans.

"I think this whole problem is being solved wrong," Schneier said. "People are focusing on authenticating the individual," and that's hopeless. Instead, he thinks our only hope is to focus on transactions, not people.

Indeed, that's how credit cards work. At a store, the clerk scarcely bothers to glance at the signature on the card. Order something over the phone or online, and the merchant scarcely bothers with personal authentication. But behind the scenes, the credit card companies use sophisticated computer programs to analyze each transaction, flagging any that seem odd. Try making an unusual purchase -- say, a $1,500 Persian rug on eBay -- and there's a good chance you'll get a phone call from the bank to confirm the order. Or consider ATM cards, which usually place tight limits on the amount of cash you can withdraw per day. That protects the cardholder and the bank; your identity has nothing to do with it.
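A small sketch of what such transaction-level controls look like, added here as an illustration and not taken from any bank's system: a per-day cash cap and a check that holds unusually large purchases for a confirmation call. The limit, the outlier factor and all names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from statistics import median

DAILY_CASH_LIMIT = 500.00   # assumed per-day ATM cap
OUTLIER_FACTOR = 8          # assumed: hold purchases above 8x the typical one
MIN_HISTORY = 5             # assumed: need this many purchases for a baseline

@dataclass
class Account:
    history: list = field(default_factory=list)      # confirmed purchases
    cash_by_day: dict = field(default_factory=dict)  # day -> cash withdrawn

def check_withdrawal(acct: Account, day: str, amount: float) -> str:
    """Enforce the daily cap; who is holding the card is never asked."""
    taken = acct.cash_by_day.get(day, 0.0)
    if taken + amount > DAILY_CASH_LIMIT:
        return "deny"
    acct.cash_by_day[day] = taken + amount
    return "allow"

def check_purchase(acct: Account, amount: float) -> str:
    """Approve ordinary purchases; hold odd ones for a confirmation call."""
    if len(acct.history) >= MIN_HISTORY:
        typical = median(acct.history)
        if amount > OUTLIER_FACTOR * typical:
            # Held purchases stay out of the baseline, so a fraudster
            # cannot raise the threshold by repeating large attempts.
            return "confirm"
    acct.history.append(amount)
    return "allow"

def confirm_purchase(acct: Account, amount: float) -> None:
    """Called after the cardholder confirms by phone: now it is normal."""
    acct.history.append(amount)

if __name__ == "__main__":
    # Constructed purchase history for one account.
    acct = Account(history=[42.10, 18.75, 63.00, 25.40, 90.00, 31.20])
    print(check_purchase(acct, 120.00))    # ordinary purchase
    print(check_purchase(acct, 1500.00))   # the Persian rug
    print(check_withdrawal(acct, "2005-03-21", 300.00))
    print(check_withdrawal(acct, "2005-03-21", 300.00))
```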

These systems are far from perfect; credit card companies still lose millions to fraud. But confirming transactions is far easier than confirming identities. So Congress should take a look at a promising proposal called "do-not-issue." Modeled after the "do-not-call" list that has helped stamp out the curse of telemarketing, do-not-issue would let people block credit-reporting agencies from issuing credit reports without permission.

Identity thieves like to open new charge accounts, using the victim's identity and good credit rating. Banks or merchants order credit reports before opening these accounts. But if there's a do-not-issue flag next to the victim's name, the agency must drop a dime before sharing his data. The would-be victim blows the whistle, and the crook gets nothing.

Do-not-issue isn't a cure-all, either, but it tackles an aspect of identity fraud that's usually neglected. In an age of ubiquitous computer networks, we'll never cut off the supply of sensitive personal data. But by limiting what crooks can do with our secrets, we may be able to dry up the demand for them.

Hiawatha Bray can be reached at
