
> Another concept that I don't understand is that USA's social security number has to be kept secret or otherwise your identity can be stolen. How is that even possible? Doesn't your employer need it?

I think adopting this framing is what makes it really bad. Your identity cannot be stolen. The whole concept of "identity theft" is bullshit intended to shift blame. It only so happens that some entities are incompetent at verifying people's identity. That shouldn't even be your problem, as you have no influence whatsoever on how others check the identity of people, so you should not in any way be responsible for dealing with the consequences if someone thinks that you owe them something just because they believed someone else's claim that they were you.




> The problem with the phrase "identity theft" is that it puts the onus of security onto the consumer to secure their personal details instead of onto the bank/telcos/etc to secure their systems.

And it's really even worse than that, as you are assigned blame for something that the party blaming you is itself forcing you to do. Like, they won't open an account for you unless you tell them your SSN, but then they blame you if you don't keep your SSN secret.

It's reasonable to some degree to expect that you keep your password secret. It's a different thing altogether to take information that is unavoidably known to lots of parties, or in many cases even outright essentially public info (like, stuff you can just buy as a database) as proof of identity, and then insist that you are legally responsible for a contract or whatever they made with someone who knew your DOB or something.

It's really not much different than just throwing darts at a phone book, and then pretending that the fact they hit your name proves that you now have a contract with them ... no, it doesn't, and it's your fucking problem if you think it does.


> to their employees having their privacy destroyed

I'm always shocked at how concerned Americans are about the big bad wolf that is "identity theft". Is it really as bad as everyone thinks?

In all honesty, when your info gets leaked, don't you just cancel every credit card and bank account, get a new SSN, change your driver's license number, change your phone number and a few other numbers and move on with your life?

Is it honestly much different than losing your wallet full of cards? (which must happen to tens of thousands of people in the developed world daily)

Does anyone have direct experience on what "identity theft" is actually like?

(Honest question, I'm not American and I don't understand why it's such a big deal)


> Yeah, Identity theft is one of those crimes where the authorities don't really care.

There is no such thing as "identity theft". You can't steal who someone is, that's bullshit. It's rather some party not making sure it's actually you they are talking to, and then claiming that you are responsible for it anyway because they fell for someone else's scam.


> My identity has now been stolen 3x in the last 10 years

Something I've been curious about recently that maybe you (or others) can help clarify:

What do people count as having their "identity stolen"?

I've had probably three times where I've had fraudulent purchases made after someone stole our credit card info. Does that count?

In my mind, identity theft is more people taking out loans in your name or something like that.

Which is it?


> You had to enter your last name and last 6 digits of your SSN. So there's a high likelihood that it would be you.

You mean right after the database containing the full list of SSNs and last names of virtually every person in the US has been stolen? Of course, there's nobody around that could guess this information. And of course, there's no way to enumerate most common last names and the huge amount of 6 digits... It probably would take literally a million milliseconds!


> I feel like we need to start differentiating between "public" personal information and more sensitive personal information (like social security numbers or other government ID numbers).

The flipside of this is that we need to make it such that simply knowing someone's Name, Address, DOB, and SSN is not adequate to fraudulently assume their financial identity and incur debts in their name.


> I wish we could stop propagating the idea that it's possible to "steal someone's identity"

Identity theft is a term that comes from the fact that you can use this information to open up a bank account or become someone digitally, not because they steal your personality.

It’s a great term because it exemplifies the gross negligence and liability that comes with egregious misuse of personal data.


> someone steals that identity

This is exactly the fantasy that we need to dispel, not rationalize.

Nobody steals your identity. You always have your identity, and nobody else ever does. Your identity is not the few pieces of trivia a criminal can easily discover about you.

The criminal never takes or has your identity. The bank is simply neglecting to correctly identify someone.

> steals that identity to abuse it

Criminals are not abusing your identity, they are abusing the banks' careless failure to correctly identify people.

> to abuse it and leave you with the baggage

The criminal is not leaving you with the baggage, the bank is. They use willfully inept processes, because they have tricked you into believing you should bear the responsibility for the consequences of their own hubris.


> The government solution is the one that enables identity theft. Right now that means taking out credit in someone else's name etc., and we put the cost of that on some large organization or insurance company and just eat it.

How do you get back a compromised Google or Facebook or Twitter account?

If your former spouse changes your password on google and is able to answer every security question you've set up just as well as you can... what can you do about it?

On the other hand, when the change of address form at the post office goes in you can walk into the post office and say "this is my government issued ID and I still live at this location. Change my address back to my proper residence and put a hold on future address changes for that address without verification."


> however then the burden shifts to proving that person C was not really person A

First: No. The burden is on B to prove that C is A, the default should be that if they cannot quite definitively identify the counter party then tough cookies. And they need to do this while covering all expenses and time value with interest in the event they're mistaken.

Second: if only! Most identity theft is not even remotely subtle. It's people walking in with mediocre quality forged documents or minimal info literally hundreds or thousands of miles from any location C has ever visited in their lives. Or someone randomly claiming to be C via some simple 10 digit government number and an email address C has never used. Etc etc. It's not exactly mission impossible hacking-a-passport-and-wearing-full-3D-facial-prosthetics-and-voice-changer stuff we're talking about here. Standard "ID theft" is just from a financial party with all the incentives to push through acceptance as frictionlessly as possible and then simply hound whomever they can try to pin it on and feed them into "debt collection" systems until most people cave.

What the law needs to recognize is that everything about this should be literally criminal. The original criminal is the one who committed the original fraud. But everyone who goes along with it from then on out, every single 3rd party directly trying to steal money or time or whatever from the innocent victim, is an accessory to that fraud. All of them are involved, though as always they can seek (after paying their penalty) to shift expense/liability back up the chain if they can prove it. It's their fault for insufficiently verifying the original counter party, and then they've compounded it by seeking to defraud someone unrelated.


> That's all you need to steal someone's identity

I wish we could stop propagating the idea that it's possible to "steal someone's identity". No, you cannot take my identity from me, I am who I am, you are who you are.

What you can do, however, with those details, is trick companies and commit fraud. But it should not be up to me to make sure companies are not being defrauded, the burden is on them to prevent that.

Name, contact information and date of birth are such basic-level information that if you can commit fraud with just those details, something is seriously wrong at the company you're performing the fraud against.

Some countries even have those details publicly for you to find via public websites. So again, if that's all it takes, the company is doing something seriously wrong.


> The target was a Vietnamese man named Hieu Minh Ngo. Investigators believed he was a big-time identity thief who sold packages of data known as “fullz,” each of which typically included a person’s name, date of birth, mother’s maiden name, Social Security number, and e-mail address and password. Criminals could buy fullz from Ngo for as little as eight cents and then use them to open credit cards, take out loans, or file for bogus tax refunds. [...] He had allowed nearly 1,400 criminals to access a database containing the personal information of 200 million U.S. citizens—almost two-thirds of the population.

If two thirds of Americans have had all of that information compromised from this one incident alone, why do we use it as authentication for anything? Shouldn't the SSN be replaced/assisted by a key pair?


> [T]he recourse is the legal system for identity fraud.

Is it though? Are there sets of federal or state laws [in the United States] that say you must never misrepresent your identity to a private party (X) if they ask for it? Wouldn't their recourse just be their ToS? What if a retail store clerk asked you when buying toothpaste? I suppose the law would probably be around the fake identities themselves? (e.g. creating a fake driver's license) But that would still be up to the state to prosecute, right?

I presume there are of course laws about misrepresenting your identity to the government, but now I am curious to what extent that's the case for private parties.

(I don't know much about the law in this area)


> In no way was Alice's identity stolen - that's tautologically impossible.

I see this as you being too strict with your definition of "identity".

We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.

"Stolen identity" in this sense means Alice's attributes (the ones which Big Bank uses to identify a person) have been compromised by a 3rd party. It's not that all of Alice's identity has been compromised -- only a subset of her identity. Sadly that subset almost entirely consists of "something you know" (which the internet usually also knows) rather than "something you have" (like a government-issued ID) or "something you are" (biological traits).

I totally agree about the rat race. I think the credit bureaus are complicit in keeping the burden of credit identity low and the availability of credit reports high in the US, both of which lead to perverse incentives for {credit bureaus, consumers, creditors, governments, etc}. But they aren't alone. Credit card systems {VISA, Mastercard, AMEX, Discover, etc} and credit card merchants have done the same, causing the US to fall far behind other developed countries in consumer security.

Additionally, I've heard horror stories about the effort required for consumers to "prove" to credit bureaus that their identity was stolen. It sounds a lot like the insurance company's policies in The Rainmaker.


> the term came from the banking sector themselves with the purpose of doing so

As far as I can see after a bit of research, that doesn't seem to be the case. Do you recall where you first heard that idea?

> No one has stolen any one's identity.

Nobody thinks that a victim of identity theft is left with no identity. It's figurative language just like your computer firewall isn't there to keep the flames back.


> identity theft consequences

> Until governments impose serious fines

Or maybe change the language? It's not possible to steal an identity; it's a fiction that is convenient for corporations handling personal information in ways that cost society.


> Also, how do they succeed in keeping this scheme for more than a few days after the identity theft is noticed and reported to the police?

Why would a stolen identity not being used to steal from the person whose identity was stolen, but just to process legal payments, be noticed in a few days? Or even a few years? Maybe at some point the IRS might find the account that used my identity and send me an angry letter, but that seems like it would be years down the line.


> Why do you consider this implication necessary? It sounds nonsensical.

Because it is implied by the definition that is implied by the concept of "identity theft".

Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice. Using that definition in the context of identity theft would then lead to the following sort of justification: Alice is responsible for paying back this loan because the person that we gave this loan to was a human and we identified Alice by her attribute of being a human to be the person we gave this loan to.

That doesn't make much sense, does it?

The whole justification for calling it identity theft, and thus blaming the identified person, hinges on the implication that whatever attributes are being used to "identify" Alice do imply that it is in fact uniquely Alice who has those attributes. It only logically works if you can say "those attributes are the attributes of the person that we made the contract with, and they are unique to Alice, therefore Alice is the person we made the contract with", not if your claim is "those attributes are the attributes of the person that we made the contract with, which are shared by a whole bunch of people, therefore Alice is the person we made the contract with".

> Counterexample: to verify an identity, the verifier must have replicated the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.

Erm ... no? Just two obvious examples:

In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.

In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.

Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?

> Note that we're speaking of identity in the context of a technical implementation.

Actually, we kind of don't. We are really talking about a legal implementation, where there really is no requirement to do anything as a "technical implementation"!?
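
The private-key point in the comment above, as an added Go example that is not part of the original comment: a verifier that compares stored attributes accepts anyone holding a copy of them, while a verifier that stores only a public key and issues a fresh challenge rejects a replayed response. The type names, `Demo`, and the sample attribute string are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KnowledgeVerifier (hypothetical) keeps a copy of the "identifying"
// attributes, so every party that has seen them can pass the check.
type KnowledgeVerifier struct{ stored string }

func (v KnowledgeVerifier) Check(claim string) bool { return v.stored == claim }

// PossessionVerifier (hypothetical) stores only a public key. Nothing it
// holds, and nothing it observes during a check, can be reused later.
type PossessionVerifier struct {
	pub       ed25519.PublicKey
	challenge []byte
}

// NewChallenge issues a fresh random nonce for one verification attempt.
func (v *PossessionVerifier) NewChallenge() []byte {
	v.challenge = make([]byte, 32)
	if _, err := rand.Read(v.challenge); err != nil {
		panic(err)
	}
	return v.challenge
}

// Check verifies a signature over the outstanding challenge, then discards it.
func (v *PossessionVerifier) Check(sig []byte) bool {
	c := v.challenge
	v.challenge = nil
	return c != nil && ed25519.Verify(v.pub, c, sig)
}

// Demo reports whether each kind of claim is accepted.
func Demo() (copiedAttrs, freshSig, replayedSig bool) {
	attrs := "DOE|000-00-0000|1970-01-01" // constructed sample, not real data
	copiedAttrs = KnowledgeVerifier{stored: attrs}.Check("DOE|000-00-0000|1970-01-01")
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pv := &PossessionVerifier{pub: pub}
	sig := ed25519.Sign(priv, pv.NewChallenge())
	freshSig = pv.Check(sig) // key holder answers the live challenge
	pv.NewChallenge()
	replayedSig = pv.Check(sig) // a copy of the earlier response is useless
	return
}

func main() { fmt.Println(Demo()) }
```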


> Crack me if you can

This reminds me of LifeLock CEO Todd Davis's public challenge [1], when he revealed his Social Security number prominently on his site and billboards with overconfidence that his identity cannot be stolen but, unfortunately, he's been a victim of identity theft at least 13 times.

1. https://www.wired.com/2010/05/lifelock-identity-theft/
