The White House made a big statement about (digital) identity theft on Friday, with U.S. Secretary of Commerce Gary Locke announcing a public-private sector effort, National Strategy for Trusted Identities in Cyberspace (NSTIC). “The administration hopes to see a robust trusted ID market in the U.S. in three to five years,” according to PC World.
The trusted ID technologies described in NSTIC would allow online users to dump passwords in favor of credentials that can be used on multiple websites. The Obama administration hopes that multiple trusted ID technologies will emerge, officials said.
In order to justify this initiative, the Commerce Department presented faulty “logic” which was regurgitated by PC World:
- There’s a lot of identity theft: (an estimated 11.7 million Americans over an unnamed 2-year period or 8.1 million in 2010)
- The cost is “high”: (about $110,000 a year to manage 500 employee IDs and an unknown/unlinked FBI report asserting it is a “dominant and pervasive financial crime“)
- The problem is our online login: (Locke: “The fact is that the old password and username combination we often use to verify people is no longer good enough.”)
- Online identify theft is hurting online commerce: (Locke: “[The Internet] will not reach its full potential — commercial or otherwise — until users and consumers feel more secure than they do today when they go online.”)
Because the only example of identity theft is online logins, Locke implies (guilty by association) that digital identity is the primary (if not sole) source of identity theft. Also, he implies that identity theft happens because someone figures out our login and password. Thus we need a government-shepharded system of digital identity management.
First, the evidence presented does not support this claim. Logical fallacy.
Second, is there evidence that can support the implied claim? I don’t think so.
According to Javelin Strategy Research, identity theft and its financial impact both fell dramatically in 2010. It dropped from 11.1 million to 8.1 million adults (there’s the unnamed source for the Commerce web site statement) and “[t]otal annual fraud decreased from $56 billion to $37 billion, the smallest amount in the eight years of the study.”
Moreover, Javelin writes that the reason for the decline had nothing to do with “the Internet” per se but instead lies with the folks who manage our data:
One likely contributing factor was the significant drop in reported data breaches according to industry reports: 404 in 2010 with 26 million records exposed, compared to 604 in 2009 with 221 million records exposed.
What constitutes data breaches? Loss of laptops, loss of private records on USB drives, data stored in copy machines, unauthorized data access on internal networks (intranets), data loss due to negligence of third-party providers. Examples range from AT&T’s iPad-related data breach last year (relatively narrow) to the recent Epslion data breach (extremely wide).
The breach of Epsilon, the world’s largest email service provider, has put the customers of at least 50 major companies at risk from targeted phishing attacks, aka spear phishing, which use fake yet personalized emails to trick people into disclosing personal information, including passwords and financial details.
In an ironic twist for a company entrusted with sending an estimated 40 billion emails per year, the Epsilon breach apparently stemmed from the company having itself been spear phished.
Those data breaches — loss of personal information through business negligence — are costly. From Javelin’s consumer-friendly version of its fraud report:
[C]onsumers who received breach notifications in 2010 had more than four times higher risk of identity fraud than did those who didn’t receive these types of notifications.
This Department of Commerce measure will do nothing to counteract data breaches.
According to Javelin, the greatest fraud was “new account fraud.” What we don’t know — it’s not stated — is how personally identifying information was collected to open those new accounts. However, much like murder, it’s the people we already know who seem to be our worst enemies:
Friendly fraud – fraud perpetrated by people known to the victim, such as a relative or roommate – grew seven percent last year, with consumers between the ages of 25-34 most likely to be victims of this type of fraud. People in this age group are most likely to have their Social Security number (SSN) stolen—with 41 percent of fraud victims in this group reporting theft of their SSN.
In addition, there’s nothing in the official statement (or PC World story) about credit card theft … something that has been a “problem” for financial institutions for decades.
Where do you hand over your credit (or debit Visa) card to someone and have it “disappear” for 5-10-15 minutes (or longer)? Bars and restaurants. I’ve not seen publicly-released data that show either the degree or type of credit card theft. Some, of course, is related to data breaches; for example, in 2009:
A payment processor responsible for handling about 100 million credit card transactions every month disclosed today that thieves had used malicious software in its network in 2008 to steal an unknown number of credit card numbers.
Again, this is not the consumer’s fault and no “online identity system” would have helped.
Finally, there’s the big question: what do we mean by “identity theft”? Is it someone using your credit card number? Or is it someone who has created an entirely new identity based on your SSN, credit history and the like?
I’d argue that these are very different degrees or types of “identity theft” and that they should not be lumped into the same category. My guess is that most lay people, when they hear the phrase, think of the latter … but that the greater economic loss is the former. Javelin concurs; from its consumer-friendly version of its fraud report:
Most individuals are familiar with the term “identity theft,” which is widely used by media, government and consumer groups and by nonprofit organizations. However, it is important to distinguish between identity theft and identity fraud because the terms have different meaning…
True identity theft occurs after the exposure of personal information; typically someone’s personal information is taken by another individual without explicit permission. Identity fraud is the actual misuse of information for financial gain and occurs when criminals use illegally obtained personal information to make purchases or withdrawals, create false accounts or modify existing ones and/or attempt to obtain services such as employment or health care.
Don’t get me wrong: I think there’s an important place for alternatives to website-specific logins. It’s why I use OpenID (anyone who has a WordPress.com account has an OpenID) and it’s why I pay for things online with PayPal when given the chance. [Note: I do not use Facebook as a login, ever, but I will use Twitter OAuth.]
This is a call for arguments about behavioral change or new government initiatives (earth to people in DC -> we’re spending money we don’t have, diligence is required) based on sound evidence rather than a logical fallacy that rests on emotional hijacking.
Oh, and about those online IDs? Why won’t my bank let me create a password with special characters like PayPal does? The unanswerable question.