Shostack + Friends Blog Archive


More on Data Reservoirs

Nick Szabo takes issue with an article I pointed to in “Reservoirs of Data” in his post, “Citron’s ‘data reservoirs:’ putting liability at the wrong end of the problem:”

Bottom line: liability should be put on the low-cost avoider. This is not merely a rule of negligence but a guideline for determining where any kind of liability should fall in any new area of commerce. The idea that the data brokers are the low cost avoiders in this system is highly implausible. Rather, here as with most other harms, it is those parties most proximate to the harm who can most easily prevent it. Furthermore, the evidence needed to hold parties liable will be far more reliably available for the proximate harmer than the remote data leaker.

Organizations that use widely distributed and easily leaked data like SSNs as authenticators, and who currently depend on such weak authentications for credit reporting and debt collection, can switch to more secure passwords at lower costs than would be imposed by Citron’s regime. Organizations that fail to use secure authenticators, especially organizations that report information to credit bureaus or attempt to collect debts based on insecure authenticators, should bear the liability for identity theft due to the known insecurity of those authenticators, rather than organizations who inevitably leak already widely distributed data.

Is the low cost avoider really the debt collector? What about the cost to the consumer of a decreased credit score? Isn’t the low cost avoider here the credit agency? Aren’t they well positioned to take note of discrepancies in the reports they aggregate together?

3 comments on "More on Data Reservoirs"

  • nick says:

    I’m lumping together the original creditor Alice (who originally falsely imputed the debt to Bob instead of to Mallet), and any subsequent owners of the debt, and any agent of same (e.g. collection agency) who publicly and falsely imputes a debt, as in making a false entry to a credit report.
    All creditors, but especially the original one, should have a legal duty to not falsely impute debts, even in good faith and even if they’ve been duped into doing so. They should pay for damages incurred by the putative debtor including (and especially) reputational damages.
    Of course the primary liability should be on the identity thief, the real low cost avoider, but they are usually judgment proof.
    My idea is not that properly authenticating their debtors is easy, just that the cost of avoidance is much higher for all of us who use data that might be misused as an authenticator — not just SSNs but birthdays, legal names, addresses, and so on.
    Citron does not address this issue but avoids it by claiming that the low-cost-avoider methodology is applicable only to negligence, which is simply wrong.
    Citron complains about lobbying by data aggregators, but the real public choice issue is that large creditors have been able to lobby for the right to falsely impute debts to people without being held liable for the resulting reputational damage.
    Credit reporting operations, as I understand them, are very automated and do not generally do manual fact or consistency checking, which would be quite costly and probably not very effective. They don’t publish libels, they merely distribute the libels of others. They don’t have the knowledge on which their entries are based; the people making the entries have that knowledge. Nor do they have commercial relationships with the people on whom they report. Holding them liable would be like holding an ISP liable for kiddie porn they didn’t know about.

  • Adam says:

    I think that there are some obvious comparisons that could be done; different addresses, for example, without corresponding change of address forms. The credit agencies use this to flag requests for new credit, but (as I understand things) will still pass debt reporting to the name/SSN pair unimpeded.

  • nick says:

    What is the credit agency supposed to do with this information? It’s quite common for people to fail to fill out change-of-address forms when they move. Indeed they sometimes purposefully don’t fill them out for quite good reasons. If you used this information by itself to deny credit the false positives would be astronomical. It is certainly not strong evidence that the creditor who made a loan anyway made it to the wrong person. Its best use is probably just a hint to the creditor that they need to take extra effort to verify the debtor’s address or to otherwise make a stronger authentication of this particular debtor. The credit agency doesn’t know and doesn’t report whether such extra effort was made.
    The credit agency actually knows very little. It’s ridiculous to treat it, as the popular press often does, like some kind of omniscient god that accumulates all the knowledge needed to authenticate every “sparrow in the field.” It is not the credit agency’s responsibility to authenticate borrowers. Nor can they possibly do so by themselves with sufficient accuracy, nor do they have any financial incentive to do so (short of wrongheaded ones that might be imposed by law). Credit agencies have no control over what (mis)information, obtained from themselves or others, the creditor uses to authenticate its debtors. Nor do they have much of any control over (mis)information the wide variety of creditors put into their database. It’s the people who gather the information from the subject and report information that are in the best position to verify its accuracy. The credit agencies are basically a dumb conduit, like an ISP routing packets. You can’t expect an ISP to be legally liable for content because they could peek into the packets and make some algorithmic choices; the same goes for credit reporting agencies.
