This page addresses identity theft policy issues. If you are a victim of identity theft, this page may be useful to you, but you should first focus on the resources authored by the Privacy Rights Clearinghouse. Victims should make themselves familiar with Privacy Rights Clearinghouse Fact Sheet 17, and other resources on the organization's page. EPIC is not affiliated with the Privacy Rights Clearinghouse.
- Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey: A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. “In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online,” NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election. (May. 16, 2016)
- California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable: A new report from California Attorney General Kamala Harris examines data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris stated. The Attorney General received a 2015 EPIC Champion of Freedom Award. EPIC recently launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election. (Feb. 18, 2016)
- EPIC Testifies Before Senate on Risks of SSN on Medicare Cards: EPIC will testify before the Senate Committee on Aging about "Protecting Seniors from Identity Theft: Is the Federal Government Doing Enough?" A law enacted earlier this year prohibits the inclusion of SSNs on Medicare cards, but the federal agency tasked with implementing the change has said it will take years. In a prepared statement, EPIC President Marc Rotenberg warns about the growing risk of SSN-related identity theft. Mr. Rotenberg said, "Given the growing risk of identity theft coupled to the SSN and the fact that other federal agencies have already removed the SSN from identity cards, there is simply no excuse for further delay." EPIC has long urged Congress and state legislators not to use the SSN on identity documents. (Oct. 6, 2015)
- Federal Appeals Court Revives Driver Privacy Claims: In McDonough v. Anoka County, a federal appeals court has revived several cases under the Driver's Privacy Protection Act. A lower court previously ruled that the plaintiffs, including female journalists, failed to bring the claims in time. EPIC argued as amicus that "discovery" not "occurrence" is the correct standard for time limitations in privacy cases. Although the appellate court affirmed that some claims were time barred, it permitted many of the claims to proceed. The defendants' justifications for accessing the plaintiffs' driving records, wrote the court, "are not sufficiently convincing to undermine the reasonable inference of impermissible purpose." The appellate court also acknowledged that "[EPIC] raises legitimate concerns about the ability of identity thieves to utilize sensitive personal information found in motor vehicle records and the difficulty in detecting such a crime within the applicable limitations period." (Aug. 20, 2015)
- Data Breach Bill Would Preempt State Law, Weaken FCC Authority: Representatives Burgess, Blackburn, and Welch have proposed a bill for data breach notification. The Data Security and Breach Notification Act would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumers privacy. In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. In 2009 and again in 2011, EPIC favored baseline federal law that would allow states to innovate and develop new legislative responses to privacy risks. (Mar. 13, 2015)
- Obama Issues Executive Order to Strengthen Consumer Privacy: President Obama signed an Executive Order today to Improve the Security of Consumer Financial Transactions. The Order will require enhanced security features for government financial transactions, including chip-and-PIN technology which has greatly reduced financial fraud and identity crimes in Europe. The Executive Order states that "the Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality..." The White House also announced a series of measures to safeguard consumer financial security, including more secure payment systems, efforts to reduce identity theft and support "algorithmic transparency." EPIC has endorsed many of these proposals. The White House also announced a summit on cybersecurity and consumer protection. For more information, see EPIC: "Cybersecurity and Data Protection in the Financial Sector" (House 2011), EPIC: "Cybersecurity and Data Protection in the Financial Sector" (Senate 2011), and EPIC: Identity Theft. (Oct. 17, 2014)
- Home Depot Data Breach Exposes Millions of Credit Card Records: A data breach at Home Depot might have exposed millions of consumers' credit card records, according to an announcement from Home Depot's corporate center. "We're looking into some unusual activity that might indicate a possible payment data breach," the announcement read, "If we confirm a breach has occurred, we will make sure our customers are notified immediately." In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. In May of this year, the President's science advisors surprisingly found little risk in the massive collection of personal data by companies. However, a recent FTC report on data brokers warned that "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." EPIC has urged the White House to enact the Consumer Privacy Bill of Rights and to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: Identity Theft. (Sep. 4, 2014)
- Report - Half of American Adults Data Hacked So far This Year: A new report finds that 432 million online accounts in the US have been hacked this year, concerning about 110 million Americans. In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. Earlier this month, the President's science advisors found little risk in the continued collection of personal data. However, the FTC's recent report on data brokers warned that, "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." Earlier, EPIC urged the White House to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, EPIC: Identity Theft and EPIC: Choicepoint. (May. 29, 2014)
- FTC Chair Ramirez Urges Senate to Act on Data Security Legislation: The Senate Judiciary Committee hearing on "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime" followed a series of major data breaches at Target, Neiman Marcus, and Michaels, which compromised the personal data of tens of millions of consumers. Senator Leahy, who has introduced important data privacy legislation, said "In the digital age, Americans face threats to their privacy and security unlike any time before in our Nation's history." FTC Chair Edith Ramirez expressed strong support for federal data security legislation. (2h18m). In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights, which is supported by consumer privacy organizations. For more information, see EPIC: Privacy Legislation, EPIC: Identity Theft, and EPIC: Federal Trade Commission. (Feb. 5, 2014)
- Senator Leahy Proposes Consumer Privacy Legislation: Senator Leahy has introduced the Personal Data Privacy and Security Act of 2014. The Act would strengthen privacy and data security by establishing a national standard for data breach notification, and requiring companies to create a data privacy and security program to protect and secure sensitive data. The bill follows a massive data breach at Target that compromised the personal data of more than 40 million consumers. Senator Leahy stated that the bill "aims to better protect Americans from the growing threats of data breaches and identity theft" and said there would be a hearing in the Judiciary Committee later this year. In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights. For more information, see EPIC: Privacy Legislation and EPIC: Identity Theft. (Jan. 9, 2014)
- Trade Commission Approves Data Breach Settlements, But Fails to Impose Monetary Penalties. The Federal Trade Commission has finalized settlements with TJX, Reed Elsevier, and Seisint. The settlements arose from data breaches, which exposed the sensitive personal information of over 500,000 consumers and resulted in millions of dollars in financial fraud. Earlier this year, EPIC filed comments with the FTC urging the Commission to include civil penalties in the settlements. EPIC wrote that civil penalties are necessary to provide incentives for companies to safeguard personal data. EPIC also noted that the FTC imposed $10 million in civil penalties in the Choicepoint case. The final agreements impose security and audit responsibilities, but no financial penalties. (Aug. 4)
- EPIC Urges Commission to Impose Civil Penalties in Data Breach Settlements. Today, EPIC filed comments with the Federal Trade Commission urging the FTC to include civil penalties in settlements with TJX, Reed Elsevier, and Seisint. The FTC recently concluded investigations of the companies' weak security policies, and reached preliminary settlements that would impose security and audit responsibilities, but no financial penalties. The FTC's investigations arose from the companies' unrelated 2004-2005 data breaches, which exposed the sensitive personal information of over 500,000 consumers and resulted in millions of dollars in alleged financial fraud. EPIC noted that civil penalties were necessary to provide incentives for companies to better safeguard personal consumer data in the future, and observed that the FTC imposed $10 million in civil penalties in the Choicepoint case. (Apr. 28)
- GAO Releases Report on Data Breaches and ID Theft. The report found that althought the incident of data breaches is widely reported there are no reliable figures on how often it leads to identity theft. The report focuses on breaches of sensitive information that might be used to commit identity theft. (June 4, 2007)
- EPIC Creates an Online ID Theft Resource for Katrina and Rita Evacuees. The thousands of families displaced as a direct result of the catastrophic 2005 hurricane season may face a great threat of identity theft. The resource page is intended to provide step-by-step guidance on getting free credit reports, and instructions on how to protect the information contained in the reports from abuse or misuse by others. (Feb. 14, 2006)
- Montana Forms Committee to Address Identity Theft. The Montana State Legislature's Economic Affairs Interim Committee has been tasked to investigate identity theft issues. (Nov. 30, 2005).
- EPIC Comments on Credit Freeze. Both the Maryland Attorney General and New York State Legislature are holding forums on Monday, November 21 concerning "credit freeze." Credit freeze allows individuals to restrict the dissemination of their credit report in order to prevent identity theft. EPIC's comments (also available in PDF) explain why individuals cannot rely upon existing protections against identity theft, and need credit freeze to regain control of their personal information. (Nov. 18, 2005)
- EPIC Advises Canadian Committee on Identity Theft. In comments (also available in PDF), EPIC advised the Canadian government to assume an aggressive posture against identity theft by requiring consumer reporting agencies to allow individuals to freeze their credit files, and to require heightened authentication to prevent impostors from obtaining credit. EPIC also argued that retailers should notify individuals before they submit derogatory information to a consumer reporting agency, as this is often a signal that identity theft has occurred. (Sept. 15, 2005)
- Senators Specter and Leahy Introduce Comprehensive Privacy Legislation. The leading Republican and Democrat on the Senate Judiciary Committee have introduced the Personal Data and Security Act of 2005. The bill would strengthen penalties for identity theft, create new rights of data access, establish security standards, limit the sale and display of the social security number, and require the government to establish safeguards for personal information held by data brokers. See EPIC's Choicepoint page and Model Privacy Regime for more information. (Jun. 30, 2005)
Often referred to as the fastest growing crime, identity theft is the appropriation of another's personal information in order to commit fraud, or to masquerade as another person.
Almost all identity theft involves at least three persons:
- The victim.
- The impostor who had stolen the victim's personal information.
- A credit issuer who grants a new account to the impostor or a governmental entity that issues credentials to the impostor in the victim's name. New accounts are often labeled "tradelines" and can include a new credit card, utilities service, a wireless phone, or even a mortgage. Credentials can include a drivers license or passport.
There are many different types of identity theft that have been labeled by advocates. They include, in order of severity to the consumer:
- Credit card fraud: where an account number is stolen in order to make charges without authorization. Credit card fraud causes major inconvenience for consumers who have to convince their bank that they did not make the fraudulent charges. Also, the cost of fraud is passed on to merchants, and to consumers through higher fees and interest rates.
- New account fraud: where an impostor initiates an account or "tradeline" in the victim's name. New account fraud is difficult for consumers to solve because the crime may not be discovered for months or years after it has been committed. Victims often learn of the crime when they are applying for credit. In some cases, impostors will create a "synthetic" identity, one that does not even exist or borrows from the personal information of several different people in order to open new accounts.
- Identity cloning: where the impostor masquerades as the victim.
- Criminal identity theft: where the impostor, masquerading as the victim, is arrested for some crime, or is fined for some violation of the law. In these very serious cases, the victim will acquire a criminal record.
One must remember that there will always be financial fraud, and that no payment system is perfect. However, when it comes to identity theft, the financial services industry must bear some of the blame for the crime. The credit granting system and electronic payment mechanisms are designed in such a way that committing fraud is easy. A key thesis of EPIC's thinking on identity theft is that the credit industry causes the crime by adopting practices that favor convenience over security. Steps could be taken to reduce the incidence of identity theft dramatically, such as requiring credit issuers to more carefully check applications for new accounts.
It's not that credit card companies and banks want to cause harm, it's that tolerating some identity theft results in more profits for the companies. Turning away a legitimate customer in the interest of caution may result in lost sales. And, sometimes victims pay debts that impostors charge on their accounts. Also, in many cases, merchants swallow the costs of identity theft. Some have alleged that in these cases, credit card companies and banks profit from the crime.
In a 2003 survey of more than 4,000 Americans, the Federal Trade Commission found that in the previous year, identity theft cost victims $5 billion in out-of-pocket expenses, as well as 300 million hours of their time trying to fix damage caused by the crime. The FTC survey showed that in all, 27.3 million Americans were affected by identity theft in the previous five years.
The FTC found that 49 percent of all the 4057 respondents did not have any idea whatsoever how their identity came to be purloined, while 22 percent cited theft and another 12 percent claimed the information was stolen in the course of a transaction. Businesses incurred $48 billion in loss as a result of identity theft.
- Federal Trade Commission Report on Identity Theft (PDF), 2003.
Identity theft is so easy to commit that even unsophisticated criminals can steal your identity.
First personal information is acquired.
- Personal information can be stolen from a company, for instance, from a corrupt employee.
- Personal information is often thrown away by careless businesses. Impostors then dig through the trash and find the information.
- Information could be sold by a data broker to criminals.
- Many identifiers used in credit granting can be found in public records.
- Information can be accessed by friends, roommates, and family members.
- And on and on and on
Then the personal information is used to apply for credit. The impostor will use the Social Security Number, mother's maiden name, date of birth, and current address on an application at a retail store. The clerk checks this information against a file at a consumer reporting agency, like Equifax, Trans Union, or Experian. This information is known as a "credit header," it is personal information at the top of a credit report. The credit header consists of the name, date of birth, Social Security number, current and previous address, phone number, employment information, and spouse's name. If the information from the application matches the credit header (or even if it doesn't-read below), the clerk typically will issue an account to the impostor in the victim's name.
Understanding the Causes of Identity Theft
Creditors Use a Flawed, Circular System to Identify and Authenticate Individuals
The core problem in identity theft is that a business cannot discern the difference between the impostor and the victim. This problem has its roots in the credit granting process--the same information that is used to identify the credit applicant is used to "authenticate" her.
Identification is the process of placing a label on an individual ("I am John Doe"). Authentication is the process of verifying the label. That is, proving that one is who she claims to be ("This document proves that I am John Doe"). Many different things can be used for authentication. For instance, a password can be used to verify that one is authorized to use a computer account. Tokens are also used for identification. For instance, a bus token can prove that one has authority to ride the bus.
But creditors don't use sound authentication methods. They use your personal information as a password-the same personal information you use to identify yourself. It is the equivalent of this exchange:Creditor: Who are you? John Doe's Impostor: I am John Doe. My SSN is 111-11-1111. Creditor: Thank you, Mr. Doe. I need to check whether you have adequate credit with the consumer reporting agency. Consumer reporting agency: There exists a John Doe with the SSN 111-11-1111. Here is his credit report. Creditor: Thanks, Mr. Doe. Here's a new credit card. John Doe's Impostor: Thanks! I'll take that Rolex while I'm here. See ya.
If you are reading this and are thinking to yourself that this doesn't make any sense, you get it. It doesn't. But it is the system that creditors use.
The Social Security Number
Reliance on the Social Security number (SSN) causes identity theft. As explained above, the SSN is used both to identify and to authenticate individuals.
But many other problems exist with the SSN. Unlike credit card numbers, the SSN contains no "checksum," a mathematical formula to verify integrity. Credit card numbers are generated using a mathematical formula that allows an individual to tell whether the number is authentic. SSNs are issued in numerical order, and have no internal structure that allows easy verification. Practically, this means that it is very easy to simply make up a fake SSN, and there is a high probability that a manufactured SSN belongs to a real person. This means that if someone applies for credit and simply guesses a SSN, the account may be attributed to a total stranger.
The SSN is also widely available in public records, mostly at the county level, where property deeds are filed. Because they are in public records, SSNs are available to almost anyone.
Lax Credit Granting Practices
Credit granting practices are so lax that new accounts are regularly issued to pets and toddlers. Take the case of "Clifford J. Dawg." Clifford J. Dawg was issued a Chase Manhattan Platinum Visa Card with a $1,500 credit limit. The problem is that Mr. Dawg is a dog, a four-legged domestic animal that lacks the ability to pay credit card bills or even enter into a credit contract.
In this instance, the owner of the dog had signed up for a free e-mail account in his pet's name and later received a pre-approved offer of credit for "Clifford J. Dawg." The owner found this humorous and responded to the pre-approved offer, listing nine zeros for the dog's Social Security number, the "Pupperoni Factory" as employer, and "Pugsy Malone" as the mother's maiden name. The owner also wrote on the approval: "You are sending an application to a dog! Ha ha ha." The card arrived three weeks later.
Mr. Dawg's owner contacted the issuing bank to cancel the card. According to the owner, the issuing bank explained that Mr. Dawg's name had been acquired from a marketing list. The issuing bank's representative joked that the incident could be used as a commercial with the slogan "Dogs don't chase us, we chase them."
How does this happen? How can dogs (Clifford J. Dawg isn't the only one-Monty, a Shih-Tzu was extended a $24,600 credit line), other pets, and toddlers get credit cards? The problem lies in lax credit granting practices. Creditors want to establish new accounts in order to make a sale. In the rush to issue a new account, errors can be made, and fraudsters can scam the system.
Insufficient Regulation of Access to Credit Reports
Under the Fair Credit Reporting Act (FCRA), credit reporting agencies only are required to "maintain reasonable procedures designed" to prevent unauthorized release of consumer information. In practice, this means that credit reporting agencies must take some action to ensure that individuals with access to credit information use it only for permissible purposes enumerated in the Act. The Federal Trade Commission Commentary on the FCRA specifies that this standard can be met in some circumstances with a blanket certification from credit issuers that they will use reports legally.
This certification standard is too weak. It allows a vast network of companies (and their employees) to gain access to credit reports with little oversight. It treats credit issuers and other users of credit reports as trusted insiders, and their use of credit reports and ultimate extension of credit as legitimate. The problem is that insiders can pose a serious risk to security of personal information. For instance, in a high-profile case, criminals relied upon the relationship between Ford Motor Credit Company and credit reporting agency Experian to steal credit reports for identity theft purposes. The criminals used passwords for terminals that gave Ford access to the Experian database. To create this relationshipas a trusted user of the credit system, Ford Motor Credit Company would have had to certify that it only obtained and used credit reports for permissible purposes. Despite this certification standard, the criminals were still able to order 30,000 reports using Ford's account before they were caught. Since this fraud occurred over a three-year period, it suggests that a mere certification does not include monitoring or auditing of access to the credit database.
Competition in the Credit Markets
Competition to gain customers also exacerbates identity theft. In order to gain new customers, credit grantors have flooded the market with "pre-screened" credit offers, pre-approved solicitations of credit made to individuals who meet certain criteria. These offers are sent in the mail, giving thieves the opportunity to intercept them and accept credit in the victim's name. Once credit is granted, the thief changes the address on the account in order to obtain the physical card and to prevent the victim from learning of the fraud. The industry sends out billions of these pre-screened offers a year. It 1998, it was reported that 3.4 billion were sent. By 2003, the number increased to an estimated 5 billion.
Competition also drives grantors to quickly extend credit. Once a consumer (or impostor) expresses acceptance of a credit offer, issuers approve the transaction with great speed. Experian, one of the "big three" credit reporting agencies, performs in this task in a "magic two seconds." In a scenario published in an Experian white paper on "Customer Data Integration," an individual receives a line of credit in two seconds after only supplying his name and address. Such a quick response heightens the damage to business and victims alike, because thieves will generally make many applications for new credit in hopes that a fraction of them will be granted.
The Architecture of Vulnerability
Professor Dan Solove argues in Identity Theft, Privacy, and the Architecture of Vulnerability, that "many modern privacy problems are systemic in nature. They are the product of information flows…" Identity theft is such a problem, as the availability of personal data under current information architectures makes it simple for impostors to obtain the identifiers needed to apply for credit. Solove explains that information policy makes people vulnerable to fraud. The current policy is similar to being rented a home that lacks door locks.
Solove argues that to address these "problems that are architectural, the solutions should also be architectural." By creating an architecture that secures personal information and by establishing rights for individuals and responsibilities on data collectors, we can reduce the risk of misuse of personal information.
- Daniel J. Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, Hastings Law Journal, Vol. 54, p. 1227, 2003.
Credit Cards are Designed for Convenience, Not Security
From a technical standpoint, credit cards are not a secure form of payment. In the credit card system, the same number is used time and time again to charge an account. The number is disclosed to hundreds of people, some of whom cannot be observed by the consumer or card issuer.
Credit cards are a good form of payment because under the law, consumers' liability is limited to $50, and all of the major issuers have waived that charge. Card issuers manage risk by monitoring charges carefully, looking for patterns of fraud. A lot of fraud could be reduced on the front end if issuers built better security into the cards, which could be done by adding a password or PIN to the account, by creating smarter cards that do not "swipe" until a password is keyed onto the card, or by creating cards that generate random numbers rather than employing the same number over and over again.
But the prospects for greater credit card security are bleak, because card companies are trying to make payments even faster, despite security risks. In 2006, major issuers plan to implement charge mechanisms that operate on RFID--technology that transmits identifiers via radio frequencies. These RFID devices can be embedded in money clips or jewelry, allowing the customer to waive the device near a reader to initiate a charge. These devices will be susceptible to new attacks by fraudsters who can cause the payment method to transmit without the customer's knowledge.
Several approaches have been discussed and considered by both the federal and state governments in an attempt to curb the growing problem of identity theft. Addressing fraud is difficult, and no single approach can offer a perfect solution to the problem.
The US government has taken a reactive approach to identity theft. US law addresses identity theft largely by creating remedial measures and heightened penalties. These remedial measures (such as the "fraud alert") help consumers but do not prevent the crime. Similarly, heightened criminal penalties have been ineffective as well, because impostors are so rarely caught. We need to implement policies that will prevent identity theft.
It is critical to understand that before each identity theft incident, a business is tricked by an impostor into pulling a credit report on the victim. Therefore, if one can stop dissemination of the credit report, identity thieves will be thwarted. Knowing this, state legislators have started to pass laws that place a "freeze" on credit reports so that they cannot be released unless certain conditions are met.
- Chris Jay Hoofnagle, Putting Identity Theft on Ice: Freezing Credit Reports to Prevent Lending to Impostors, SECURING PRIVACY IN THE INTERNET AGE, Stanford University Press, 2005.
Notice of Credit Report Pull
In a typical identity theft situation, an impostor may make many attempts to apply for credit. Each one of these attempts will result in a credit report being requested from a consumer reporting agency. Although not as good as a credit freeze, if individuals had a system that alerted them to this activity, they could reduce the severity and the cost of identity theft.
There is tremendous opportunity to limit identity theft through technology. For instance, a significant percentage of credit card fraud would be thwarted if credit cards were designed so that they wouldn't work without a password. Credit card fraud would also be less likely if websites did not store credit card numbers (thus creating a honey pot for computer crackers).
Biometrics is Not the Solution
Many in the financial services industry try to address the privacy problems of identity theft by requiring more and more personal information. Many are now deploying biometric systems, tools that authorize charges based on some characteristic of the body. These systems offer little added convenience, and raise serious privacy and security risks. For instance, the fingerprint or other biometric that you give to a retailer can be handed over to police without a warrant or subpoena.
Many of the promises that advocates of biometrics make regarding their privacy and reliability are demonstrably falsifiable. For instance, a group of Japanese scientists have conducted a study whereby they were able to deceive fingerprint scanners with an astonishing success rate by using a mold made from a material similar to that which makes up "gummy bears." The experiment, which tested 11 different types of fingerprint systems, found that all of the fingerprint systems accepted the gummy finder in their verification procedure more than 67% of the time. In a November 2002 article in Heise Magazine, an entire array of biometric authentication systems were fooled using simple methods. In addition to claims of reliability, biometrics vendors claim that privacy is protected because fingerprints are stored in a "template," and thus the retailer does not have the customer's actual print. But researchers have demonstrated that prints can be reverse-generated through analysis of templates.
One should carefully consider risks of biometric payment systems. After all, if you lose your PIN or credit card, you can always be issued a new one. What do you do when someone is able to steal your fingerprint?
- Adam Shostak, Fingerprint Privacy, June 28, 2005.
- EPIC Comments to the Department of Commerce on the Use of Biometrics to Address Identity Theft, April 2004.
- Lisa Thalheim, Jan Krissler & Peter-Michael Ziegler, Body Check, Nov. 2002.
- Tsutomu Matsumoto, et. al., Impact of Artificial "Gummy" Fingers on Fingerprint Systems, Prepared for Proceedings of SPIE vol. #4677, Optical Security and Counterfeit Deterrence Techniques IV (January 2002). The paper concludes that "gummy fingers, namely artificial fingers that are easily made of cheap and readily available gelatin, were accepted by extremely high rates by particular fingerprint devices with optical or capacitive sensors."
Previous Top News
- State DMVs Targeted by Identity Thieves. In recent months three state DMVs have been penetrated by identity thieves. In March, burglars rammed a vehicle through a back wall at a DMV near Las Vegas and drove off with files, including Social Security numbers, on about 9,000 people. Last week Florida police arrested 52 people, including 3 DMV examiners, in a scheme that sold more than 2,000 fake driver's licenses. Two weeks ago Maryland police arrested three people, including a DMW worker, in a plot to sell about 150 fake licenses. These criminal schemes come in the wake of a rash of data broker scandals that have compromised the personal information of millions of Americans. For more information, see EPIC's National ID Cards and Choicepoint pages. (May 4, 2005)
- EPIC Highlights Role of SSN in Identity Theft. In a follow up letter to previous testimony on enhancing SSN privacy, EPIC and U.S. PIRG detailed the role that the SSN plays in identity theft. For more information, see the EPIC SSN Privacy Page. (July 2, 2004)
- EPIC Recommends Protections for the SSN. In testimony to the House Ways and Means Subcommittee on Social Security, EPIC argued that Congress should create legislative protections for the Social Security Number (SSN). EPIC praised Subcommittee Chairman Shaw for introducing legislation that limited SSN use in the public and private sector, and made recommendations to strengthen protections. For more information, see the EPIC SSN Page. (June 15, 2004)
- EPIC Urges Agency to Reject Biometrics. In comments to the Department of the Treasury, EPIC urged the agency not to deploy biometric systems in order to attempt to curb identity theft. EPIC wrote that biometrics will not effectively curb identity theft and suggested less invasive alternatives, including placing a higher standard of care on credit issuers who cause identity theft by opening new accounts to impostors. For more information, see the EPIC Biometrics and Fair Credit Reporting Act Pages. (Apr. 1, 2004)
- EPIC Urges Support for ID Theft Victims. EPIC and over a dozen consumer protection groups sent a letter (pdf) to the State Attorneys General urging them to accept identity theft affidavits. Acceptance of the affidavits allows identity theft victims to exercise important rights under the Fair Credit Reporting Act. For more information, see the EPIC FCRA Page. (Jan. 16, 2004)
- FTC Releases Strong ID Theft Findings, Weak Recommendations. The Federal Trade Commission released a report finding that identity theft imposes billions of dollars of costs, and millions of hours of wasted time upon society. However, the agency's recommendations to address identity theft were entirely reactive, and likely to exacerbate the crime. The recommendations primarily addressed how victims can recover from the crime, including the use of uniform identity theft affidavits. Additionally, the agency recommended that Congress preempt state credit laws, which will worsen the problem by preventing states from passing strong identity theft legislation. For more information, see the EPIC Privacy and Preemption Page. (Sept 5, 2003)
- EPIC Submits Statement for Congress on Identity Theft. In response to a request from the Senate Select Committee on Aging, EPIC has submitted a report on identity theft and biometrics. The report summarizes the problem of identity theft for the elderly community and then surveys various biometric techniques, concluding that such techniques would be impractical on a national level and are likely to create new risks to privacy. The report also endorses the recent conclusion of a Consumer Reports article that "[t]he nation urgently needs to tackle the complex task of regulating biometrics before vast stores of data are built." For more information, see EPIC's Biometrics page. (July 17, 2002)
- EPIC Testifies at House Hearing on Identity Theft. EPIC Executive Director Marc Rotenberg testified at a joint hearing of the Subcommittee on Social Security and the Subcommittee on Oversight and Investigations on identity theft, particularly post-September 11. EPIC's testimony focused on the urgent need to limit the collection and use of Social Security numbers and to establish regulatory and oversight mechanisms to protect consumer's sensitive private information. (Nov. 8, 2001)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
Communications Law and Policy
Jerry Kang and Alan Butler