From: <ama2022@columbia.edu>
  To  : <cpc@emoglen.law.columbia.edu>
  Date: Sun, 17 Apr 2005 11:59:40 -0400

Paper 2: Preventing Identity Theft by Empowering Individuals

The paper is also attached as a word file.

Preventing Identity Theft by Empowering Individuals

Andrew Ahern

Identity theft is a significant and growing problem.  According to
studies conducted in July of 2003, 7 million people (13.3 per
minute) had their identities stolen in the previous 12 months[1].  
Victimization rose 80% between 2002 and 2003[2].   The cost to each
individual is approximately 600 hours of their time, and the total
loss to the business community is $40,000 - $92,000 per crime[3].
	Many parties with divergent interests combine to create this
problem.  Identity thieves are often highly organized criminals,[4]
 and they use numerous tactics, including “phishing,” to obtain
sensitive information.[5]   Businesses are involved (1) as data
collection agencies, such as ChoicePoint, that gather and sell
sensitive information about consumers, and (2) as lenders,
creditors, and other businesses that are exploited by identity
thieves.  The role of individuals is also important, as their
actions may increase or decrease the chance they will fall prey to
identity thieves.
        Any solution, to be effective, must address all of these
aforementioned actors.  Greater enforcement mechanisms for
apprehending criminals are needed; greater responsibility (and
liability for breaches) must be imposed on companies that gather
and sell consumer information; and companies that are ultimately
exploited by identity thieves should also be held accountable. 
Addressing such other facets of the issue are topics for another
paper.  The scope of this paper is limited to examining the problem
from the perspective of individuals.
	As with other rights and liberties, the increasing infringement of
individuals’ identities stems from the failure of legal protections
to keep pace with technology.  No direct language in the
Constitution protects identities, or even privacy, because such
concerns were non-existent in the 18th century.  Identity in the
18th century was based upon face-to-face transactions with familiar
parties; no “right” was recognized because one could not fathom
“identity” being stolen.  The digital economy has generated the
reality of rapid and far-reaching transactions between faceless
parties.  The very meaning of identity has changed, and individuals
have lost control of their own identities.  It is time for the law
to recognize a right in one’s identity, and for individuals to be
empowered to protect it.
	Where in our legal landscape should the right to one’s identity be
located?  Identity could be considered a liberty "so rooted in the
traditions and conscience of our people as to be ranked as
fundamental."[6]   It certainly can’t be less fundamental than
marital privacy, which belongs in the “protected penumbra” of the
due process clause.[7]   Perhaps its embodiment could be found in
state constitutions, many of which grant more explicit recognition
of privacy.[8]   However, the most appropriate and effective legal
protection would recognize a property interest in one’s identity. 
A property interest in one’s identity would reach both state and
private actors and prevent its misappropriation without its owner’s
consent.
	To provide real protection for this new property interest, it must
be well-defined.  Individuals must be able to actively monitor and
protect their identities.  A secure central website (Virtual
Identity Management, VIM), maintained by an independent government
agency, could serve as the focal point for empowering individuals. 
VIM would organize each individual’s identifying characteristics,
including social security number, credit card numbers, address,
email address, etc.   One’s VIM account would become, in essence,
one’s identity – it would be the virtual representation of each
individual’s protected property interest.
       Every individual would have secured access to VIM, and could
monitor and update their data while ensuring no unwanted changes
have been made.   No companies could gather, transmit, or sell
protected information without individual approval.  Requests for
information, such as credit reports, would be channeled to the
individual through VIM.  Individual would be told who was asking
for what information, and could decide whether to disclose.  These
protections are similar to those sought by Diane Feinstein in a
recent legislative proposal.[9]    If a loan was created using your
identity, VIM would notify you instantly; if a credit account using
your identity at a different address than the one registered with
VIM was opened, flags would be raised.  If your data was breached,
companies would be required to notify you through VIM, as is
already required in some contexts.[10]    VIM would enable
individuals to reign in the “virtual identity;” through VIM, you
could monitor and control everything that your virtual identity was
up to in cyberspace.  Your virtual identity would become your
property, just as your actual identity always has been.
	Of course, there remain a number of practical questions that must
be answered before VIM could be functional and efficient.  Younger,
more tech-savvy individuals would likely be more interested in
participating than those who are less technologically inclined. 
Perhaps the government could act as a trustee of VIM accounts for
people not actively involved.  Second, how much personal
information should an individual be permitted to restrict?  For
instance, must companies obtain consent before distributing e-mail
addresses?  (This could provide anti-SPAM protection). 
Additionally, breaches to VIM itself must be dealt with.  VIM
should be extremely secure, but in the event a VIM account (and
with it, your identity) was hijacked, an individual must be able to
regain control quickly and efficiently (otherwise, another layer of
complication had been added without any real protection). 
Permitting individuals to change their identifiers, including
social security numbers, would be extremely beneficial in this
regard.  Finally, those fearful of government control over data
might be horrified at the prospect of the government amassing all
individuals’ data in one place.  VIM should be insulated from
subversive government use.  Considering private companies are
already amassing all of society’s data, it is better to have a
system that puts control of this information back in individuals’
hands.
        Technology has eclipsed current law’s ability to protect
identity.  Society needs the recognition of a property right in
identity, and the creation of a vehicle to empower individuals to
actively protect this property right.  The scariest aspect of
identity theft is how little control a person has over their
identity; VIM would enable individuals to regain this control.

FOOTNOTES

[1]  Identity Theft Resource Center,
http://www.idtheftcenter.org/facts.shtml.
[2]  Id.
[3]  Id.
[4]  Shadowcrew:  Web Mobs, http://www.baselinemag.com.
[5]  Josephn Menn, L.A. Times, Identity Thieves have Many Sources 
besides Data Brokers, March 22, 2005
[6]  Griswold v. Connecticut, 381 U.S. 479 (quoting Snyder v.
Massachusetts, 291 U.S. 7, 105).
[7]  Griswold v. Connecticut, 381 U.S. 479
[8]  See, e.g., California Constitution “All people are by nature
free and independent and have inalienable rights. Among these are
enjoying and defending life and liberty, acquiring, possessing, and
protecting property, and pursuing and obtaining safety, happiness,
and privacy.”
[9]  http://www.feinstein.senate.gov/legislation/idtheft.html
[10] Robert Lemos, CNET.com, Banks ordered to tell customers about
breaches, March 24, 2005.


Preventing Identity Theft By Empowering Individuals.doc

-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list