Wednesday, August 04, 2004

Shhh! Part 2

Privacy. How long before it's an alien concept, a quaint reminder of "simpler" times? I'm sure a lot of us recall the descriptions in 1984 of the cameras in every room, watching people all the time - or at least reminding them that they might be being watched, they never knew. Now such cameras, while not (yet) in our homes, surround us. We are recorded at the bank, tracked in the supermarket, scanned as we pass by corporate offices, scrutinized at government facilities. We are observed, measured, tabulated, indexed, and filed.

All the while being told the audacious lie that it's for our own benefit. No, it's not for our benefit at all. So following over the next few days, several items about some aspect of privacy. Who has it and who doesn't.

This time, what happens economically when you lose it. It's called identity theft and it's sloppily and selfishly aided and abetted by corporations and government agencies more interested in their own power and benefit than the public's. USA Today said in mid-July that
CNET's News.com noted just how much identity theft has grown. "Though solid numbers are hard to come by, identity fraud has been called the fastest-growing crime in the United States, affecting millions of Americans at a cost of billions of dollars a year. The Federal Trade Commission estimates that 10 million Americans become victims of identity fraud a year, while researcher Gartner places the annual number at around 7 million," the article said. "The Social Security Administration says reports of misuse of Social Security numbers have leaped from about 11,000 in 1998 to 65,000 in the 2001 fiscal year."
Jane Black, who's had a biweekly column on privacy issues in Business Week, wrote last year
[i]dentity theft skyrocketed 81% in 2002, a statistic so shocking that it seemed unreal - until it happened to my sister. Last weekend, she had her wallet pinched. Within six hours, the thieves, clearly professionals, had charged $5,000 to each of her credit cards and wiped out much of her bank account by using her debit card to "purchase" limousine services from a nonexistent company. ...

My sister immediately put a fraud alert on her account with the credit bureaus to prevent anyone from opening new lines of credit. But experts say she'll still have to check her accounts monthly for the next several years. And many credit companies don't always perform every check before issuing new cards. Despite the alert, if criminals do obtain a new line of credit, the onus is on her to prove it was identity theft.
And now, a CNN report for August 3 says that a
2003 study for the Federal Trade Commission determined that in the previous year, 3.2 million Americans' personal information had been stolen by thieves who opened new accounts or loans. On average, victims lost $1,180 and spent 60 hours resolving the problem.
In response to the growing problem and associated outcry, a new law enacted in July
toughens penalties against identity thieves. Congress passed the legislation "in response to evidence that the problem is growing rapidly as more Americans use the Internet to shop and manage their personal finances. The Identity Theft Penalty Enhancement Act adds two years to prison sentences for criminals convicted of using stolen credit card numbers and other personal data to commit crimes. Violators who use that data to commit 'terrorist offenses' would get five extra years," washingtonpost.com reported.
The law, however, is little more than a PR stunt and will be largely ineffective. Heightened penalties for identity theft will be of little use when the opportunities continue to be so great. What it really does is get government and corporations off the hook by appearing to do something while still leaving consumers twisting in the wind, subject to ever-more common and intrusive demands for personal information from those same corporations and government agencies. As Robert Vamosi, a senior editor at CNET, recognized more than a year ago,
there's a mistaken impression that identity theft is carried out merely by rogue hackers.

That's not the case. If your credit history is stolen from a database, the thief is less likely to be a hacker than to be an employee of the company that owns the database.
And Black has noted how our social security numbers, which she accurately describes as "gold mines for thieves," are plastered all over documents we routinely carry with us - and in some cases are actively urged to carry.
[T]he numbers are widely used as ID and passwords by banks, brokers, even the IRS. ...

The incident [with my sister] prompted me, as well as my friends and colleagues, to open our wallets. Each of us found at least one piece of ID, and sometimes as many as three, with our Social Security numbers printed in plain sight. Health-insurance and prescription-drug cards were the worst offenders. Mandates that we carry these cards are the equivalent of forcing us to walk around with thousands of dollars in cash and jewelry. ...

So why do health plans, among others, continue to put people at risk? "It's a lazy way for companies to assign customer ID numbers because the Social Security number is easy for people to remember," says Beth Givens, executive director of the San Diego-based Privacy Rights Clearinghouse. "But by doing so, they are shamelessly putting people at risk."
(Full disclosure: Yes, my health cards have the SS# on them. For that reason, I have stopped carrying them unless I have cause to think I'll need them. And I am prepared to do full-bore legal battle with any hospital that tries to deny or limit treatment because I can't produce proof of insurance on demand.)

In a follow-up column, Black says
BW Online readers say the U.S. government is the worst offender. ...

Although the SSN was originally created in 1936 to track workers' earnings and eligibility for Social Security benefits, federal statutes today mandate that it's used for everything from issuing birth certificates, food stamps, and Medicaid, to identifying all military personnel and veterans. (Click here for a complete list of legal uses of the SSN.) [Link in original.]
Black notes that all military personnel and anyone in their family over the age of 10 are required to carry that SS#-containing ID at all times.

The USA Today story mentioned that
[t]he San Jose Mercury News today ran an editorial on the new law. "... The epidemic won't be stopped until the credit card and credit reporting industries beef up their safeguards to thwart identity thieves before they prey on innocent victims," the newspaper said.
Vamosi would go further:
I say the Federal Trade Commission should step in and mandate strict new policies regarding the handling of credit bureau information. Such rules might resemble the Health Insurance Portability and Accountability Act, which sets forth guidelines for the handling of medical information by health care providers, and the Gramm-Leach-Bliley Act, which outlines privacy rules for customer information at financial institutions.

In addition, companies that access credit bureau reports should be held liable for any abuses and thus be encouraged to audit their employees' activities.
Of course, any such suggestion would be bitterly and vociferously opposed by the credit and financial industries who would bleat forth predictions of total economic doom should they be held liable for the security of the information with which they're entrusted. They even do their best to restrict the use of a so-called "security freeze" by the simple practice of never, ever, letting consumers know the possibility exists.

Consumers in four states - California, Texas, Louisiana, and Vermont - can "freeze" their credit reports, meaning no one can access them until they "unfreeze" them. They can be unfrozen for a particular purpose (for example, if a new landlord insists on a credit check, they - but no one else - can be given access) or for a specified time (say maybe, a week if you're shopping for a car), at the consumer's discretion. The downside is that there's a fee charged for each freeze and unfreeze but the upside is that at least theoretically, without not only your other personal information but also a PIN number, no one can obtain credit in your name.

Very few people have made use of the option largely because almost no one knows about it and the credit bureaus have fought freezes as "draconian," insisting against all evidence that current protections are sufficient.

Still, some progress is being made. In California, a law went into effect on January 1
that requires all corporations to remove Social Security numbers from ID cards. It also mandates that they be removed from correspondence and forbids companies requiring people to transmit a Social Security number over the Internet unless the connection is secure or the number is encrypted.
And another law in California
could have broad consequences when it goes into effect on July 1. Called SB 1386, the legislation requires all companies - even if they're not located in California - to notify their California-based customers of any security breach involving those customers' personal information.
And last year, IBM, declaring it shared its employees' concerns about identity theft and privacy protection, notified health insurance companies with which it had contracts that unless social security numbers were no longer printed on cards issued to their employees, the company would no longer do business with them.

But welcome as all these efforts are - and as welcome as Vamosi's proposal to actually make the companies liable for their own security failures is - they fall far short of what's needed. First because they exempt the biggest offender: the government. (Following the link above to the list of changes over time in what SS#s are used for, it was bitterly amusing to note how many times there was some declaration against a national ID card even as more and more of what we do became tied to that one number.)

What's more, they are all more or less after-the-fact approaches, addressing security of data after it's been collected. What we should be doing is focusing on the collection. Corporations and government should be required to demonstrate the need - not the desire or the convenience, the need - for any information requested. As a direct result of that, no private organization or business, no state or local government, would be allowed to demand or even ask for your social security number unless it was required by federal law to supply it to some federal agency. And we should look at those reporting requirements to see how many of those are necessary and how many of them are, again, simply convenience. Unless a convincing case for necessity can be made, out it goes.

Oh, the howling would be deafening and the sermons of impending doom of all we hold dear would darken the skies. But if we're to be serious about privacy, it's the only way to go.
