BOX 4.1
Identity Theft

Identity theft occurs when someone usurps a portion of another person’s personal identifying information in order to pose as that person. The information usually includes some combination of name, address, Social Security number, mother’s maiden name, password, credit card number, date of birth, driver’s license number, and employer. With this information the “thief” can open new accounts, order products, rent apartments, take out a mortgage, and/or borrow money, all under the identity of the first party. Identity theft goes beyond the theft of a credit card to the misappropriation of a person’s very identity. It constitutes fraud. From the victim’s perspective, there is no easy way to develop an audit trail that proves who actually made the transaction. Was it the person who owns or is authorized to use the account, or was it the person who appropriated the account? Note that a significant part of the problem is that nonsecret data are used by many entities for authentication purposes. An additional problem is the difficulty in revoking authenticators and identifiers when they are misused. In essence, the level of confidence required, in the vocabulary introduced in Chapter 1 of this report, is not high enough. As Chapter 7 describes, the choice of identifier and authenticator is crucial for privacy protection and better security.

Reports of identity theft have increased over time. In March 2002, the General Accounting Office (GAO), acknowledging that there are no comprehensive statistics on identity theft, reviewed data from a number of sources—including consumer reporting agencies, the Federal Trade Commission (FTC), the Social Security Administration (SSA), and federal law enforcement—all of which indicated that the prevalence of identity theft was growing.¹ Victims of identity theft pay dearly; in 1997, the Secret Service estimated that victims lost an aggregate $745 million. But victims also face nonfinancial hardships, including criminal records, difficulty finding a job, and inability to get mortgages or credit. Sallie Twentyman, a victim of identity theft, testified before the Senate Committee on the Judiciary that the confusion and frustration that resulted felt like a “financial cancer.” In Ms. Twentyman’s case, her renewal credit card was stolen before it reached her, and the thief changed “her” address and opened more accounts in “her” name.²

A survey conducted by Privacy Rights Clearinghouse and the California Public Interest Research Group found that the average victim of identity theft did not find out that he or she was a victim until 14 months after the identity theft occurred and that it took the victim an average of 175 hours to resolve the problems that occurred as a result of the identity theft.³ In January 2002, the FTC announced that identity theft was the top consumer fraud complaint in 2001, accounting for 42 percent of the complaints in the Consumer Sentinel database.

Although identity theft existed before the Internet, there is concern that it will escalate even more in the digital world. The Internet has given identity thieves easier access to more sources of information. With e-signatures and digital certificates, it will be imperative to ensure that the digital representation is authentic, or associated with the correct individual, and that the transaction can be audited. There is a dual need: to determine who the consumer is and to ensure that the personal information of the consumer is protected.

In 1998, Congress passed the Identity Theft and Assumption Deterrence Act, which legally recognized that the victims of identity theft were the individuals whose identities were stolen and not the financial institution that lost money; made it illegal to steal another person’s personal information (not necessarily documents) with the intent to commit a violation; and increased potential sentencing for violators. The act also required the FTC to establish a national clearinghouse for identity theft complaint data and to educate consumers about how to protect themselves.⁴ The FTC has held workshops on the subject. Other government agencies have also taken action regarding identity theft. For example, the Treasury Department sponsored an ID Theft Summit in March 2000. Finally, most states have passed laws that criminalize identity theft.

In response to the human and financial costs of identity theft, a variety of policy responses have been proposed. Most recognize the necessity of a multipronged effort involving the public and private sectors and employing legal and technological tools. The education of consumers is essential to ensure that they take steps to minimize the possibility of identity theft and to alert them to signs of possible theft. Public and private organizations can help prevent identity theft by reducing the amount of data that is exposed, limiting the release of information that is given at the point of service, and enhancing the security of data that are collected. Additionally, aggressive criminal investigations, prosecution, and punishment are seen as critical.

In the 107th Congress much attention was focused on identity theft. A number of bills were introduced. In the House, these include the Identity Theft Protection Act of 2001 (H.R. 220), the Social Security Number Protection Act of 2002 (H.R. 4513), the ID Theft Loophole Closure Act (H.R. 2077), and the Protect Victims of Identity Theft Act of 2001 (H.R. 3368). In the Senate, bills include the Restore Your Identity Act of 2001 (S. 1742), the Social Security Number Misuse Prevention Act of 2001 (S. 848), and the Identity Theft Prevention Act of 2001 (S. 1399).

---

¹General Accounting Office. Identity Theft: Prevalence and Cost Appear to Be Growing, GAO-02-363. Washington, D.C., Government Printing Office, pp. 3-5, March 2002.

²Sallie Twentyman (witness), “Identity Theft: Restoring Your Good Name,” testimony before the Senate Committee on the Judiciary, March 20, 2002.

³CALPIRG (Sacramento, Calif.) and Privacy Rights Clearinghouse (San Diego, Calif.), Nowhere to Turn: Victims Speak Out on IdentityTheft, May 2000.

⁴See the Web site <http://www.consumer.gov/idtheft>.