a blog about things that I've been thinking hard about

A New and Better Name for Identity Theft

21 October, 2005
identify "theft": actually, "negligent identification"

An "identity thief" opens a credit card account in your name.

Now, supposedly, you owe money to the credit card company.

Who is responsible for preventing this identity "theft"? Is it your job to "get your identity back"?

Actually, the credit card company is falsely accusing you of not paying the bill.

Because you did not sign up for the credit card.


The "Theft" of Identity

One morning a letter arrives in the post: a credit card bill from a credit card company that you have never had a credit card with. What can it mean? Do you really owe them money?

This is the modern crime of "identity theft". Some person has signed up for a credit card using your details – using your "identity" to borrow money, and arranging for the real "you" to be responsible for the repayments.

But does it make sense to talk about "stealing" someone's identity? Is it a thing that can be stolen?

On the one hand, an identity is not a concrete object like a car, or an item of jewelry. On the other hand, we live in a society where we believe in the existence of stealable abstractions. Music downloaders "steal" music by downloading it without the permission of the copyright holder. Hackers "steal" passwords using keyloggers and trojan horses.

These examples of stealable abstractions are stealable because there is an explicit or implicit agreement that they are something "ownable". Control over the distribution of music gives the copyright owner control over the income they expect to receive by selling copies of said music. Knowledge of a password represents ownership of the right to access some resource on a computer system.

Ownership of a stealable item implies the necessity of doing something to "protect" it. The copyright owner is expected to prevent the indiscriminate copying of their copyrighted content. And if you are given an account on some system with a password, there is a clear expectation that you will not reveal that password to other people unless you are happy for those other people to have free access to whatever it is that the password protects.

If we talk about "identity theft", then we are talking ourselves into believing that there is this thing called our "identity", which is capable of being taken from us. This identity seems to consist of certain personal details, including our name, address, mother's maiden name, national identity number. These details are treated as some kind of "super password", and if someone demonstrates to, for instance, a credit card company, that they know the full "password", then apparently they have the right to borrow (and spend) money on your behalf.

But there is another point of view.

Negligent Identification

If a credit card company issues a credit card to a fraudster, then that is a contract that the credit card company has entered into with the fraudster. It is not a contract with you. It is not a contract with your "identity", because, under the law of any country I am aware of, your "identity" is not something that can enter into a contract independently of your own real "self".

If the credit card company then starts asking you to repay money on the fraudster's credit card, it is the credit card company's error, and it is an error which is wasting your time, causing you stress, and possibly costing you money. It is not just the fraudster who is committing a crime against you, it is the credit card company. The credit card company's actions are not as deliberate as those of the fraudster, but they are engaging in a profitable business activity at your expense. Their crime is one of negligence, because they have failed to properly identify the person (the fraudster) that they entered into a contract with, and they have failed to take reasonable steps to make sure that they are not sending bills for payment to the wrong person.

Thus my proposal for a new term: negligent identification. "Negligent identification" is a better term than "identity theft" because it more accurately allocates responsibility for the victim's losses. If you are a victim of "identity theft", then this presents you as a victim of the actions of the fraudster, and the credit card company is just an innocent go-between. But if you are the victim of "negligent identification", then this more clearly highlights the cause of your problem, which is that some company has listed you as owing them money, even though you never entered into a contract with them.

The Solution

So next time your democratically elected representative proposes new legislation in your country against "Identify Theft", just say "No!". Tell your representative that your country needs legislation against "Negligent Identification". Tell them that the organisations which bill people wrongfully and persistently should be held responsible for their actions.

Tell them that the perpetrators of Negligent Identification should be made to pay for the losses and the stresses that their wrongfully billed victims suffer. (They don't need to be punished as severely as the real fraudsters, but the level of compensation for victims needs to be sufficient to make those organisations think about creating better processes for entering into contracts and making sure that they send their bills to the right people.)

When that happens, then a lot of the "identify theft" problem will just go away. The companies that currently send bills to the victims of negligent identification will suddenly think of simple schemes for double-checking who it is that they have contracted with. If the signed-up account details includes a billing address, they might actually send a letter to that address asking for confirmation of your signup. They might use a credit check company that actually bothers to check the identification procedures of their customers as hard as they check the creditworthiness of the creditors listed in their creditor database.

Bruce Schneier's View

What I have written here is somewhat similar to what security expert Bruce Schneier has said about mitigating identity theft (and see this more recent interview).

Just in case you think my article is nothing more than a rehash of Schneier's ideas, I would like to point out a few subtle differences between my own view and what Schneier says:

Vote for or comment on this article on Reddit or Hacker News ...