Archive for June, 2006

$1M tax bill in social security ID theft

Sunday, June 11th, 2006

The IRS issues a woman a $1M bill in back taxes, because over 200 illegal aliens are using her social security number.

See the CNN video here

Yet another example of how a simple, static, 9-digit number (your social security number) is totally inadequate for representing your identity. The US government bureaucracies (IRS, Social Security, etc.) still use this outdated, trivially cloneable number. It boggles the mind that the IRS could actually track 200 separate jobs using the same SSN, issue a $1M bill, and not figure out that something is wrong.

Identity tags need to go electronic and non-cloneable. The SSN is dead. Too bad the zombies keep walking.

Meth Tweakers and ID Theft

Thursday, June 8th, 2006

Martha Baer has written an engaging article describing a recent bust of an ID theft ring. Of interest are the emerging patterns that link drug abuse with identity theft.

We keep seeing increased evidence that those who live a life outside of normal society are drawn to identity theft as a “job”. In the UK, we’ve seen busts of Russian ATM skimmer gangs who are also involved in the sale and distribution of illegal drugs. This latest arrest highlights the growing links between methamphetamine users and ID thieves.

Perhaps it's because meth users (“tweakers”) are so amped up that they are sometimes awake for days, and are perfectly happy to perform routine repetitive tasks such as photocopying stolen identity documents, transcribing credit card lists, and the other minutiae that come with a large-scale ID theft operation.

We’re all pretty aware of the lore of the Mafia, Yakuza and other mobs who expand their criminal enterprises beyond drugs and vice. Here we are seeing the blossoming of Internet mobsterism. It was bound to happen some time.

Are Universities a Hotbed for Identity Theft and eCrime?

Thursday, June 1st, 2006

Avivah Litan at Gartner group estimates that 30% of all identity data leaks occur at universities. She attributes this to a lack of IT security discipline at our universities.

This May 21, 2006 article describes a data breach at Ohio University where over 137,000 social security numbers, and many tens of thousands of healthcare records, were stolen by Internet eCriminals.

What is shocking about this is that the servers were apparently compromised for over 1 year before this breach was discovered.

I suggest we simply face facts: social security numbers are pretty much obsolete as “secret information” that can be used to obtain any identity-related data about you.

Now, as for those medical records... certainly universities, and everyone else, have a social responsibility to protect that kind of personal information. Perhaps the inevitable truth that “information wants to be free” will mean that we can never trust that our personal data won't be leaked, sold or stolen.

Pundits in the Identity 2.0 world talk about YOYOI – “You Own Your Own Information”. This is a vision whereby we all control and manage the data about us, and we release it selectively to parties (like a hospital) who need it. Technically, such a model can be built, and can probably even be made easy to use. A combination of strong authentication, data encryption, rights management and secure online storage could make YOYOI a reality.

But, at the end of the day, there is tremendous inertia to keep things the way they are…. TOYI “They Own Your Information”… and TAFTSOLI “They Are Free To Sell Or Lose It”.