Thursday, October 21, 2010

Identity Theft vs Impersonation Fraud

If identity theft is a crime, mustn't identity be a property?

No. And, clearly, this should show that there is no such as a thing as "identity theft".

But why people, including laws in Congress, use Identity Theft instead of the long-established and legal term Impersonation Fraud? What's happening here? Was this just a change of fashion?

It's because language is being used to shift the burden to the consumer. Using the soundbite "identity theft", instead of "impersonation fraud", redirects the loss to the victim and frees those actually responsible from any legally relevant questions that could be asked about their loose security of customer's accounts.

"Impersonation fraud" as a term focuses attention on the fact that the criminal is deceiving someone in order to gain advantage by claiming to have some valuable characteristics or authorizations in fact belonging not to the criminal but to some other person. The person deceived is the primary victim in contemplation when this terminology is used.

"Identity theft", by contrast, suggests that the victim is the person impersonated, because his or her "identity" has been "stolen".

This way of looking at things implies that the losses which arise out of the impersonation fall on the person impersonated, rather than on the person deceived by the impersonation.

"Identity theft" as a label is attractive to, for example, some banks who may wish to suggest that losses must be carried by their customers because they failed to take proper care of their "identity".

Indeed, there is no such thing as an "identity theft" and there should be no responsibility to you if someone else uses your name and you do not know about it, in the same way that there's no responsibility to you if someone sends spam or mails a letter on your name.

The burden for preventing the real crime of impersonation fraud should fall on those who accept the false identity and also on those who do not protect private records of their customers. Certainly not the consumer.

If you feel that it is time to see real solutions to this problem, rather than let the discussion continue to be dominated by a special choice of language, What can you do?

Let's look at five key points that you should think of:

1. Think it through a bit more before considering to "buy protection". In fact, as discussed here, we should refuse to buy such "protection" and, instead request that those holding or using our identifiers follow the law and be held responsible for their misuse (as now enforced in the US with medical records) -- not the victims.

2. Note that the use of the term "identity theft" by an organization trying to sell "protection" against it to the very victims should be illegal. At the very least, it should alert us to that organization selling a service and then, in case of loss caused by that service, trying to pass both the blame and the loss to the victims.

3. The fact that people got used to talk in dumbed down soundbites such as "identity theft", instead of using well-established words like "impersonation fraud", does not mean that any legally relevant conclusions can be drawn from the misuse of technical terms like "theft" in the soundbite (as might be wrongly asked: If identity theft is a crime, mustn't identity be a property?).

4. Keep in mind that "identity theft" is not a theft, and the victim may not even have been remotely at fault, as in terms of negligence.

5. Do not allow loose language to redirect the focus elsewhere but where the problem really lies.

Now, how can you protect yourself against "identity theft"? What if your information falls into the wrong hands?

We increasingly communicate online instead of by telephone.   Email, SMS and IM are the psychological equivalent of a voice conversation. People often forget, however, that a text message or an email conversation is stored online in many different servers and can be replayed many years later, often without the authorization of any of the parties, and often with undesired consequences.

According to a 2010 survey commissioned by Microsoft, 90 percent of the general population and senior business leaders are concerned about the privacy and security of their personal data in the cloud.

With ZSentry, you can actually eliminate the disclosure risk of email, webmail, SMS and IM by properly setting your message to self-destruct. This includes a combination of technical and legal measures, as done by secure email Zmail provided by ZSentry, and works with all editions.


No comments: