The current debate over personal information in public records ignores the real causes of identity theft, experts say.
From the Summer 2007 issue of The News Media & The Law, page 7.
By Nicholas Coates
In April, a federal task force studying identity theft released a plan aimed at slowing the problems caused by identity theft. As part of its plan, the task force suggested federal agencies and industry limit or eliminate the use of Social Security numbers on documents and for identification, and to restrict access to publicly available information.
Those views are shared across the country, as state and local governments have pulled millions of documents from public view to prevent identity fraud and identity theft, denying reporters access to critical information.
But legal and financial experts say solving identity theft is not as simple as it appears. Although many support pulling personal information from public records, especially on the Internet, others say the fears of identity theft are overblown.
They say the focus on information in public records ignores the real culprits: sophisticated organized criminals and hackers engaged in identity theft in developing countries, weak cybercrime laws in those countries, questionable banking practices, toothless federal laws guiding the industry, and an overreliance on Social Security numbers.
“Identity theft is a perfect crime because you have a convergence of issues,” said Jody Westby, chair of the American Bar Association’s privacy and computer crime committee. “Cybercrime laws are weak, thieves are difficult to track and trace, the information they steal is too easy to take and use, and there are international jurisdictional issues that are hard to prosecute.”
What is identity theft?
The nonprofit Identity Theft Resource Center divides identity theft into four categories: financial identity theft (using another’s name and Social Security number, mother’s maiden name, passwords and personal identification numbers to access credit and bank accounts); criminal identity theft (posing as another when apprehended for a crime); identity cloning (using another’s information to assume his or her identity); and business/commercial identity theft (using another’s business name to obtain credit).
Once a thief gets into a victim’s accounts, the thief may use the victim’s credit for online purchases or to make counterfeit cards, said Larry Lopez, head of a Cambridge, Mass.-based private investigation firm, Strategic Research. More likely, though, the thief has aggregated information from multiple thefts and sells the data on an Internet auction site.
High-profile breaches in the last three years have raised the public’s awareness of identity crimes.
The Privacy Act of 1974 limits the ability of security and intelligence agencies to maintain dossiers on people. So agencies and departments like the FBI, CIA and Justice Department contract with private corporations that aggregate public and private information on people to gain access to vast stores of information.
One of the world’s largest aggregators, ChoicePoint, has dossiers on at least 200 million people that contain information from records such as credit reports, criminal records and real estate records. In February 2005, ChoicePoint revealed that records of 163,000 people it held were compromised months earlier when hackers breached its systems pretending to be legitimate business customers looking for details listed in the databases.
A month after ChoicePoint’s announcement, another major database corporation, LexisNexis Group, experienced a breach where the personal information of at least 310,000 people was exposed.
Seisint, a Florida-based subsidiary of LexisNexis, first notified U.S. Secret Service officials when it believed its Accurint systems were compromised. Government and law agencies and commercial organizations use the systems to conduct investigations into people and businesses.
Federal prosecutors said six American men in their teens and 20s accessed the Accurint databases by hacking into computer systems, using Trojan horses and social engineering (pretending they were someone authorized to use the systems). Once they gained access, they took user IDs and passwords and then made illegal entries in the Accurint database.
Meanwhile, hackers pulled off a massive breach of TJX Companies’ computer network in December through its wireless network. Investigators have estimated at least 45.7 million people had information from credit cards, debit cards and bank accounts stolen, including Social Security numbers and driver’s license numbers.
As these highly publicized breaches have made identity theft a major concern for many lawmakers, much of the scrutiny has turned to the availability of public and court records online.
The fight over online access
Self-proclaimed public advocate Betty “B.J.” Ostergren devotes her days to mining the Internet for state court documents, marriage and divorce records, tax liens and military discharge papers. The retired insurance claims agent then posts the Social Security numbers and signatures of well-known people on her Web site, The Virginia Watchdog (www.thevirginiawatchdog.com), to demonstrate the ease with which the information can be found over the Internet.
“A lot of these records that have been protected in the four walls in the courthouse are now being put online recklessly,” Ostergren said. “I’m an advocate of records being open and available, but records should be taken off the Internet. I wouldn’t drive across the state to a courthouse and I don’t think someone sitting in an Internet café in Nigeria is going to drive to a courthouse in Virginia.”
Government officials have also advocated restrictions.
In May, Betsy Broder, assistant director of the Federal Trade Commission’s privacy and identity protection division, suggested government agencies should, among other things, restrict access to publicly available information online and physically when she testified in front of an Ohio commission studying identity theft.
But the FTC’s Web site does not mention data stolen from public records as a major method of how identities are stolen.
Instead, it says personal information is predominantly stolen through:
· dumpster diving: rummaging through trash for paper with personal information on it;
· skimming: stealing credit or debit card numbers by using a special storage device when processing cards;
· phishing: pretending to be financial institutions or companies that send spam or pop-up messages to get victims to reveal personal information;
· address changing: rerouting billing statements to another location by completing a change of address form;
· old-fashioned stealing: stealing wallets and purses, stealing mail (including bank and credit card statements, pre-approved credit offers, and new checks or tax information), stealing personnel records, or bribing employees who have access; and
· pretexting: using false pretenses to obtain personal information from financial institutions, telephone companies and other sources.
There have been some cases of identity theft occurring from public records. For instance, an Ohio prisoner pilfered the personal information of 10 people after obtaining traffic tickets from a court using blank subpoenas from a lawsuit he filed.
Court officials told reporters that the victims’ Social Security numbers were redacted, but police investigators said they could still see the numbers.
Last year, eight people were indicted after federal investigators uncovered a five-state identity theft ring that culled Social Security numbers and other personal data of hundreds of state residents from public records posted on the Hamilton County, Ohio, clerk of courts Web site.
Records spanning tax documents to medical records were located on the Web site if they were part of files related to criminal cases, land disputes, tax liens, civil lawsuits and traffic tickets. Bank account balances and account numbers would also be posted online if they were related to domestic-relations cases.
According to federal grand jury indictments, members of the ring made phony identification documents, opened credit accounts and fashioned counterfeit checks.
After the concerns surfaced, the Hamilton County clerk decided last year to block Internet access to 25 million pages of documents until officials developed a new method of keeping personal information private. The documents were still available for viewing at the courthouse and the Web site still provided case summaries.
‘We have to learn to adapt’
However, three studies accepted by identity theft experts point to the majority of information being stolen from those closest to it.
The Federal Deposit Insurance Corp. released a report in 2004 saying that “industry analysts and security professionals estimate that 65 to 70 percent of identity theft is committed with confidential information stolen by employees or participants in transactions or services.”
Two researchers from Michigan State University confirmed 1,037 instances of identity theft and found nearly half of thieves stole information from mail and trash and by stealing purses and from friends and relatives, while another half stole information from businesses.
A survey last year from CSO magazine, a trade publication for security professionals, revealed that one-third of those polled said thieves stole confidential information, including customer records. When the business was able to identify the attack’s source, it determined insiders committed more than half of the crimes.
Still, the high-profile breaches have led to the popular belief that most identity crime occurs on the Internet, said Adam Dawson, head of the Los Angeles-based private investigation firm Dawson Ryan Associates and a former reporter for The Orange County (Calif.) Register and the Los Angeles Daily News.
As the debate on how to stifle identity crime continues, Dawson said he has seen the strangling of public records and publicly available information growing in the last two decades. Dawson said the crackdown has choked the ability of reporters and investigators to keep tabs on government and private industry.
Washington state Archivist Jerry Handfield said he has not seen an uptick in identity crime as his office has overseen the posting of 26 million pages of public documents online in the last two years.
“It’s a constant effort to educate people that stealing information from public records online is not an epidemic,” Handfield said. “The push for restricting access is not a new issue and it is not a terrorism issue.
“As technology has evolved throughout history, the new technology is often used to perpetrate fraud. We have to learn to adapt to technology, not make all records secret.”
‘Rules with loopholes’
When the debate about identity theft focuses on the accessibility of records, it may downplay the effect of legislation making it difficult for consumers to sue creditors and reporting companies for bad information. That minimizes their incentive to fight identity theft in other ways that would make availability of information in public records a nonissue, experts say.
The powerful credit and banking lobbies have long fought against strong federal laws and subsequent agency rules regulating their businesses, said Westby, the bar association committee chairwoman who is also chief executive of Global Cyber Risk, a privacy and cybercrime security consulting firm in Washington.
“They want weak laws and rules with loopholes so they don’t have to do anything,” Westby added. “They consider any law that requires them to do something a burden to business.”
The primary federal law steering consumer credit rights is the Fair Credit Reporting Act (FCRA). Its main consumer protections allow people the right to access and correct mistakes on credit bureau reports and the right to have their personal information protected.
FCRA requires a business or person who denies credit or a lease based on information in a person’s credit report to provide a notice to the applicant. If a creditor or landlord does not provide a notice, the person can sue for damages in federal court. For deliberate violations of FCRA, the person can request punitive damages.
FCRA also allows people to bring civil suits against credit bureaus that do not fix mistakes on credit reports that came from general mistakes or identity theft problems. The FTC and other federal and state agencies can also bring suit for noncompliance with FCRA.
However, standards for proving liability are extremely high and allow creditors and credit bureaus to remain virtually unchecked, Westby said.
And if companies do follow the provisions of FCRA, the law prohibits consumers from suing them for libel or invasion of privacy.
A 2003 law, the Fair and Accurate Credit Transactions Act, amended FCRA and allowed people to place alerts on their credit histories and obtain a free yearly report to check for errors. But the law also said federal standards pre-empt state laws, which calls into question whether states with tougher identity theft laws can enforce them.
Twenty-eight states and the District of Columbia will have security freeze laws in place for all residents by September allowing consumers to freeze access to their credit reports. Ed Mierzwinski, consumer program director of U.S. Public Interest Research Groups, believes those laws are the best way to make creditors and credit bureaus more accountable for identity theft.
Thirty-five states and the District of Columbia have enacted security breach laws notification laws, some stronger than others, that require companies to notify customers when their information has been infiltrated.
Last year, the credit bureaus supported a credit-freeze bill that tried to establish a federal law that would have pre-empted every state credit freeze law, but it died in the House Financial Services Committee, Mierzwinski said.
In April, another credit-freeze bill was introduced that is similar to current California law. Mierzwinski believes that the bill would again pre-empt stronger state laws.
Norm Magnuson, vice president of public affairs for the Consumer Data Industry Association, said it is not clear the credit-freeze bills now under discussion would pre-empt state laws because they could change as legislators discuss them.
However he said his association, which represents the three major credit bureaus Experian, Equifax and TransUnion is concerned about states passing their own credit-freeze laws because they are confusing and expensive for companies and consumers.
“Consumers should have the same benefits and protections wherever they live,” Magnuson said. “If we have to follow one set of rules, it’s easier for business to operate and consumers to know what laws apply to them.”
Magnuson said his main concern with the state credit-freeze laws, which allow consumers to put holds on their credit, is that they would overburden credit bureaus and slow down the economy.
“I believe in the market economy,” said Magnuson. “Putting certain restrictions on credit bureaus can disrupt the economy.”
But Mierzwinski said the industries really want toothless federal laws and rules so they can continue to make vast profits and escape liability for inaccurate credit ratings and scrutiny when hackers breach consumer data.
The government has strengthened some privacy protections, as in an FTC rule that went into effect in 2002 that requires financial institutions to have a security breach notice plan protecting personal consumer information, Mierzwinski added.
Nevertheless, Westby believes the credit, banking and reporting lobbies have successfully convinced Congress to limit the states’ ability to create stronger privacy and consumer protection laws. The lobbies have also swayed agencies like the FTC to maintain rules in their favor.
“They have misconstrued many of the issues,” Westby said. “They’ve been putting false information out there and the result is that there is a lot of confusion on Capitol Hill.”
Creditor practices have also inflated the importance of the data that legislators and other government officials are now seeking to strip from public records, according to banking and loan industry experts.
When it comes to granting credit and loans, the credit and bank industries have overused Social Security numbers as the primary, if not only, authentication for lending, said Richard DeMong, a professor at the University of Virginia. That has been driven by the computer software creditors use to access to credit scores and histories in order to furnish credit instantaneously.
“A lender once told me, ‘All you have to do is give me your Social Security number and I can decide whether to grant the loan and at what interest rate in 15 seconds,’” DeMong said.
Broder, the FTC official, agreed that government and businesses place too heavy an emphasis on Social Security numbers.
“We’re trying to get away from the gratuitous use of Social Security numbers and trying to tell private industry that’s a good idea as well,” she said.
Tough to investigate
The difficulty in prosecuting identity theft is the single biggest reason why the crime continues to be a problem plaguing governments, industry and consumers, Westby said.
An arrest is made in less than five percent of all reported cases nationally, according to 2005 data from the Identity Theft Resource Center.
When identity crime occurs off U.S. soil, as Westby believes it often does, the key to finding thieves and matching evidence to their crimes relies heavily on cooperation and communication between international law enforcement agencies.
But that help rarely comes for a number of reasons, Westby said.
In identity theft cases, few foreign investigators are interested in looking into identity crimes because laws in the U.S. and abroad are not structured the same that is, what may be a crime is the U.S. may not be or be a lesser crime abroad, Westby said.
And when foreign investigators do become interested in identity crimes, they seldom have adequately trained staff to probe and prosecute crimes, Westby said.
If a joint investigation is opened, however, the next hurdle is collecting evidence because hackers can move in and out of computer systems in minutes, while investigators need days and weeks to find footprints in the vast computer systems. On top of that, there are competing rules of how evidence can be collected in each jurisdiction, meaning that what may be admissible in one country may not be in the United States.
A Seattle Post-Intelligencer investigation revealed in April another potential cause: the mass restructuring of local FBI offices following the Sept. 11 attacks. The FBI is the government’s second-most prolific investigator of identity theft crimes, but the newspaper wrote that at least 2,400 agents were transferred to counterterrorism units, and fraud units have not been restocked.
Dawson believes that there are legitimate concerns about identity crime and said he believes some information, such as medical records, should remain private.
But Dawson said the realities of the crime do not justify the steady decrease of once-public information such as department of motor vehicle records, voter registration records and changes in mailing addresses.
“If someone wants to find information about someone, then they are going to find ways to do it,” Dawson said. “People who say the solution to identity theft is to restrict or eliminate access, that’s sort of like burning down the house to get rid of the ants.”