ID Theft and the 18-24 Set

Matt Rose has an interesting post, “What is Higher Education’s Role in Regards to ID Theft?:”

A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft. The report does not investigate why this age group is more susceptible, so I’ve started a list…

It’s worth looking at. I’ve suggested the random slinging of SSNs about as part of the applications process, but would like to add applications to rent property. The stock forms demand absolutely everything you need to steal an identity, with the possible exception of mother’s maiden name. The maiden name is more useful for account-takeover fraud, which is less damaging to young people, since they’re unlikely to have rich accounts to drain.

EU Courts Rule Against PNR Sharing with USA

The European Court has ruled the US/EU treaty on data sharing around air travelers is not legal. (I’m not saying “about air travelers” because I read Ed Hasbrouck, and thus know that PNRs contain data on more than just the travelers.) That’s not why I’m posting. I’m posting because of this choice quote from the New York Times, “European Court Bars Passing Passenger Data to U.S.:”

“The planes will continue to fly and the security data will continue to be exchanged,” [DHS Spokesman Jarrod Agen] said. “There wont’ be any lowering of the data protection standards or effect on passengers or disruption to air traffic in the near term.”

Of course not. The data protection standards can’t get any lower, unless maybe we posted it all on the internet.

Words of Wisdom

We live in a society of laws. Why do you think I took you to all those
"Police Academy" movies? For fun? Well, I didn't hear anybody laughin',
did you?

-- Homer Simpson

Marge Be Not Proud

(Adam In Seattle)

I’m in Seattle this week for some work-related stuff, and have some free evenings. If you’re in Seattle and would like to get together, drop me a note.

The SSN Is Also A Poor Identifier

oswald-social-security.jpgThere’s an idea floating around that a major problem with SSNs is their dual use as identifiers and authenticators. (For example, Jeremy Epstein, “Misunderstanding the risks of SSNs,” in RISKS-24.29) This is correct, but the phraseology leads to people trying to solve the problem by saying “if we just used SSNs as ID numbers, and made them all public, we’d be fine.”

This is dangerously seductive and wrong.

  • They’re too short: 30% of all possible SSNs have been issued.
  • They lack a check digit. Between these two, you should never design an identifier like this, because any keying error is acceptable, and likely to affect a two people.
  • They’re externally issued. This one is a little subtler, and I will argue by analogy. Mastercard and Visa, who understand risk management, make up their own numbers. They do this so that they can control when the numbers change, rather than being controlled. Seems like good database design to me.
  • As a design principle, compartmentalization adds to resilience. (Kim Cameron had a good post on this, “IBM Researcher Rejects UK Identity Card Scheme.”)

Not only is the SSN a poor identifier, but the use of the SSN as an authenticator will end up living on, even if we published them all, as Pete Lindstrom has suggested. What Lindstrom hopes is to stop the use of SSNs as authenticators, but that’s not done by publicizing them. If we want to stop the use of SSNs as authenticators, we could pass a law to do that. So why not work for that law, rather than one we hope will cause the courts to impose negligence penalties in accordance with our hopes?

Related to the resilience of a system, national ID numbers are inimicable to liberty. The English understood that what a government wants to control, it must first enumerate, and called the enumeration “The Doomsday Book.”

So, using the SSN as “just an identifier” is a bad idea. Publishing a list of them is a baroque and convoluted way to reach a useful goal, although it has great value as a publicity stunt.

(Lee Harvey Oswald’s SSN card via “Examination of Handwriting and Fingerprint Evidence” report to the Select Committee on Assassinations. Note the useful identifier.)

Maybe they can borrow a few million from the IRS

[T]he VA’s inspector general, George Opfer, said that the agency had been unable to formally notify the affected veterans because “we don’t have 26 million envelopes.”

via the Bradenton Herald
Now that the funny part is out of the way…

Asked the cost for preventing and covering potential losses from identity theft, [VA Secretary] Nicholson estimated “way north of $100 million” and did not rule out a total as high as $500 million.

I’m curious what is meant by “covering potential losses” here. It sounds like an effort fraught with peril, or at least imprecision, unless you just want to give an insurance policy to 26.5 million people, not caring whether their losses are due to this theft or some unrelated one.

Compartmentalization of Identity

ss-global-identity-deployed.jpgKim Cameron has a post, “IBM Researcher Slams UK Identity Card Scheme” in which he writes:

He couldn’t be more right. My central “aha” in studying the British government’s proposal was that the natural contextual specialization of everyday life is healthy and protective of the structure of our social systems, and this should be reflected in our technical systems. A technology proposal that aims to eliminate compartmentalization rejects one of the fundamental protective mechanisms society has evolved. The resulting central database, where everything is connected and visible to everything else, is as vulnerable as a steel ship with no compartments – one perforation, and the whole thing goes down.

It’s a tremendously important point. Our lives are naturally, usefully, and importantly segmented. In 1959, Erving Goffman discussed this in the (still important) “Presentation of Self In Everyday Life.” (Wikipedia article, or some excerpts…I know. Books. Get over it, there’s some useful stuff stored that way.)

His basic thesis is that we play roles: “school principal” or “mother” or “doctor” or “bribe-accepting Congressman,” and that each of these roles has its own quirks and presentations, and it is useful and important to separate them. An identity system that doesn’t support that in powerful ways is far less likely to be adopted.

Jangl, Private Phone Numbers

jangl-logo.jpgSiliconBeat has a story, “Jangl’s new angle on phone calling:”

Jangl is a new phone service that, initially anyway, will allow people to anonymize their phone numbers the same way they can their email addresses when posting on places such as craigslist. When you sign up with Jangl, you get access to disposable phone numbers that you can share with friends or strangers with whom you transact business. The phone numbers forward to your real number and anonymize in both directions.

Seems like a very cool idea. There’s lots of devils in the details, but I generated a one-shot email address to sign up for some one-shot phone numbers.

Sign Design


I came across this sign while I was attending a software design methodology course at an IBM building in London.

After wondering several times why each time I tried to go to the toilets I ended up in the restaurant, I looked carefully at the sign.

Which way would you go at a glance? Which way do you go, knowing that problem exists? The answer may be grokked from the picture, or, read “To Restaurant/Toilets Sign” at This is Broken. (Via Sivacracy.)

A small, but hopeful sign in state breach legislation

A bill sits on Illinois governor Rod Blagojevich’s desk. If he signs it, Illinois will take a step toward meaningful central reporting of breach notifications:

5 		    (815 ILCS 530/25 new)
6 		    Sec. 25. Annual reporting. Any State agency that collects
7 		personal data and has had a breach of security of the system
8 		data or written material shall submit a report within 5
9 		business days of the discovery or notification of the breach to
10 		the General Assembly listing the breaches and outlining any
11 		corrective measures that have been taken to prevent future
12 		breaches of the security of the system data or written
13 		material. Any State agency that has submitted a report under
14 		this Section shall submit an annual report listing all breaches
15 		of security of the system data or written materials and the
16 		corrective measures that have been taken to prevent future
17 		breaches.

(emphasis added)
Unfortunately, this requirement only affects state agencies. After the VA fiasco, it would seem imprudent for the Governor not to sign this.
I am not a lawyer, but I’m optimistically thinking that such reports are not exempt from disclosure under Illinois’ Freedom of Information Act.

Marketing Privacy as a Feature

nsatt.jpgPaxx Telecom has issued a press release that they’ll hand over records only when given a court order:

The recent revelation first made by USA Today that the National Security Agency (NSA) has been commandeering phone records of tens of millions of ordinary Americans has shocked those who cherish their privacy and do not agree with unnecessary snooping by their government.

At Paxx Telecom, our records are secured offsite and we guarantee never to turn over any records to the government or anyone else without a court order. All our customers need do is dial a short access number in front of the number they want to reach. As a result, the local phone company will show only the connection to Paxx Telecom. It will have no record of the actual number the customer talked to”, he said. “In addition, we keep call records on our servers only temporarily to give customers access to verify proper invoicing, after which the calling information will be extinguished.

Via the excellent Canadian Privacy Law blog. New AT&T logo from Lucky225.

Never say die?

I’m not sure what to expect out of this story of a guy who, left behind in a crazed state and presumed to have died, overnighted above 8000 meters on Everest and was found alive the next day, prompting a rescue effort expected to take three days.
(Note that this is a different climber from the one who really did die after being left behind as beyond hope a few days earlier.)
Update 5/27/2006: He made it. Said to be suffering severe frostbite and cerebral edema (HACE).

Make that 12% of Adults

Rob Lemos convinces me that the better number is “One in 8 (or 9) Americans.” I buy his statement as long as we discuss adults, rather than Americans. Kids are at risk from ID theft, too, even if this incident doesn’t touch them. (Assuming none of the vets has an overlapping SSN, a stolen SSN, or an SSN with digits transposed.)