Re: Identity theft protection?

[David Farber <dave () farber net>]

Begin forwarded message:

From: "Ed Gerck, Ph.D." <egerck () nma com>
Date: May 16, 2009 6:50:39 PM EDT
To: dave () farber net
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] Identity theft protection?

[Dave, for P if you wish]

IP'ers,

I feel that it is time to see real solutions to this problem,
rather than let the discussion continue to be dominated by a special
choice of language.

The terminology itself deserves some attention first, before anyone
considering to "buy protection".  In fact, as discussed below, we
should refuse to buy such  "protection" and, instead demand that those
holding or using our identifiers be held responsible for their misuse
(as Calif. now does with medical records) -- not the victims.

There is indeed a long-established and legal term, "impersonation
fraud", which is wholly adequate to describe what is often called
"identity theft".  Was this just a change of fashion?  Following an
opinion by  N. Bohm, who used to provide legal work for banks in
London,  I suggest that we need to take a good hard look before
"buying protection" against "identity theft".

"Impersonation fraud" as a term focuses attention on the fact that the
criminal is deceiving someone in order to gain advantage by claiming
to have some valuable characteristics or authorizations in fact
belonging not to the criminal but to some other person.  The person
deceived is the primary victim in contemplation when this terminology
is used.

"Identity theft", by contrast, suggests that the victim is the person
impersonated, because his or her "identity" has been "stolen".

This way of looking at things implies that the losses which arise out
of the impersonation fall on the person impersonated, rather than on
the person deceived by the impersonation.

"Identity theft" as a label is attractive to, for example, banks who
may wish to suggest that losses must be carried by their customers
because they failed to take proper care of their "identity".

The use of the term "identity theft" by an organization trying to sell
"protection" against it to the very victims should be illegal. At the
very least, it should alert us to that organization trying to pass the
blame and the loss to victim.

Furthermore, the fact that people got used to talk in dumbed down
soundbites such as "identity theft", instead of using well-established
words like "impersonation fraud", does not mean that any legally
relevant conclusions can be drawn from the misuse of technical terms
like "theft" in the soundbite (as might be wrongly asked: If identity
theft is a crime, mustn't identity be property?).

Finally, "identity theft" is not a theft, and the victim may not even
have been remotely at fault as in terms of negligence.

BTW, Bohm and I are not alone in this opinion. Bruce Schneier [private
comm.] also prefers to use "impersonation fraud".

Cheers,
Ed Gerck











-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com