Identity, locality, duplicity
By bnitz on Sep 01, 2005
Robin Wilton's posting on locality and identity caught my eye because botched ID management is a growing problem which is likely to affect nearly everyone. Here is just one example:
When the U.S. Social Security Administration (SSA) began, it was necessary to create a unique identifier so that benefits would not be given twice to the same person or only once to two people with the same name, etc.1 This number was not to be used for any other purpose and it is usually illegal for a business to demand that an individual divulge their social security number. But many businesses do, and now these numbers are in widespread use in many commercial tracking databases. Several private credit reporting agencies use these numbers to track whether individuals have a good history of paying their debts. When I signed up for a storage shed, the individual running the business asked for my social security number in order to run such a "credit check." He intended to enter it into a laptop which was running Microsoft Windows, an operating system with many flaws which could make these numbers and names available to even casual hackers. It's no surprise that these numbers and names are widely available to identity thieves. This widespread fraud is one reason why I sympathize with bloggers who choose to use a pseudonym, and it is why my daughter's name is not mentioned on this blog. But my grandfather was the victim of identity theft and he had never gone near the internet. One thief even had the gall to use the name of a newborn baby in order to apply for medical coverage of his back surgery.
Because such fraud is widespread and because it can become impossible to use a credit card, buy a home, car or even rent a storage shed without a good credit rating, it is important that the credit rating agency records are accurate. However, since many businesses have improperly protected their customer data, these records are not accurate. Until recently, individuals could not freely view their own credit report unless they had been denied credit. Congress passed a law which allowed individuals to obtain a free credit report every year. The credit reporting agencies were required to set up a method for individuals to access their credit report. They created http://www.annualcreditreport.com. Access to this information was rolled out by region from west to east and this week it covered residents of all U.S. states. When I learned that Wisconsin was covered, I tried to access the website and received an access error. Why was the site inaccessible? I used Netcraft to find out what the site was running. O.K., so they're using Apache on FreeBSD; it's not quite what I would have chosen for a website requiring the stability, security and scalability to serve an entire nation, but at least they weren't running something crazy like IIS on Windows 2000. But wait, I misspelled the address typed into Netcraft; I typed www.anualcreditreport.com! The typo brought me just one of at least 112 imposter annual credit report websites. For an example of how bold these imposters are, when I brought up one news article describing the imposters, the article's commercial sponsors were "free" credit report companies! The real annualcreditreport.com website can be accessed directly or through a link from a known site such as the Federal Trade Commission (FTC). But it can't be accessed from outside of the United States! That's right, even though according to American Citizens Abroad, the number of U.S. citizens living overseas now exceeds the individual populations of 25 U.S. states, this website attempts to block access from abroad.
Of course web-domain-based access restrictions don't work. It might keep honest citizens from accessing their own credit reports but real fraudsters laugh when they encounter a website attempting to use domain as an indication of locality. During the final days of the 2004 election the president's campaign website used this method to block access from abroad. U.S. congressional websites try to keep out outsiders by requiring a zipcode.2 But even those of us who live in a country with only 24 post codes can type 54321!
When I saw these misguided attempts at "fixing" the identity fraud problem, I couldn't help but think of the song "I know an old lady who swallowed a fly..." I lost track of how many "identity" issues surround the original identity fraud issue. The problem continues because few people understand both the technical aspects of the problem and the way criminals think and behave. The identity problem is technically solvable, but as long as companies can get by with sloppy customer record keeping, it won't be solved. We may need a consumer-oriented equivalent of the Sarbanes-Oxley Act.
1 SSA has problems of its own. One of my college friends shared a surname with a famous Beatle. My friend was listed as dead while he was a healthy 20-year-old. It took quite a while for him to convince SSA that he was alive. In the meantime his friends had a wake and a seance for him. He told us that "things are pretty good in heaven, there is no math here."
2 One of my pet peeves is a website which demands a zip code. Only a couple dozen neighborhoods in Dublin have a zip code. Postal locality in the remainder of Ireland is likely to be described as something like: "Sunview B&B, An Daingean, County Kerry." P.S. For the few non-Irish speakers out there, An Daingean Uí Chúis means "The Fortress of Hussey" in Irish-Gaelic. (Don't tell anyone that An Daingean was called "Dingle" for a while, one of my favorite parts of Ireland already sees quite a few tourists!)