Shostack + Friends Blog Archive


What Congress Can Do To Prevent Identity Theft

Larry The Lender
Seventy Percent of Americans think we need more laws to protect them from identity theft and all that.

I can think of a situation we need protection from. Here is a scenario. Let us take the case of a lender, Larry. We need a law to make it so that if Larry lends money to Alice, he cannot try to collect it from Bob. That’s all we need. If we have that, we’ll have all the legal protection we need to solve identity theft.

The threat of identity theft comes from Larry’s business practices. Larry wanders around hawking credit. “Yo, Alice, Bob, either of you want to borrow some money for lunch? A car?” There are a lot of advantages to easy credit, but disadvantages as well. In addition to the usual ones of people amassing too much debt (whatever that means), identity theft is actually the result of easy credit.

Perhaps Larry is nearsighted, perhaps Larry is stupid. Perhaps Larry is dumb like a fox. However, what happens is that Alice borrows money from Larry and says, “I’m Bob.” Larry marks that down, and then goes and hits up Bob for payment. Bob is understandably confused.

That’s it, that’s the security scenario of identity theft. We’re going about solving it the wrong way, because the real cause of identity theft is Larry’s business practices. I can (and probably will, in a future post) tell you how to reduce the chances of identity theft. These are actionable suggestions; they are things you can actually do. None of us can presently deal with the real problem, so we have to make do.

There is nothing in law, morality, or ethics that requires Bob to pay up when Larry lends to Alice. Unfortunately, we’ve all let Larry get away with it. We’ve made it be Bob’s problem, when it isn’t. Let’s make no mistake here, Alice is committing fraud. But Larry is the enabler, and really not only owes Bob setting the record straight, but reimbursement for the trouble Bob had to go to because Larry is stupid (even if it’s stupid like a fox).

If Congress wants to do something for consumers, it would be to require lenders to be responsible. Yes, this would crimp their style. For example, one bank sends my household mail for pre-approved credit cards at a rate of more than one per day. We used to shred them, but now we package everything up in the business reply envelope and send it back to them. Perhaps it would be part of the slow slide into tyranny for the nanny-state to effectively prevent banks from sending 400 credit-card offers to a single household per year, but the right to swing your arm stops at my nose, and the right to beg, plead, whine, and wheedle me to borrow more stops when you can’t tell Alice from Bob.

An alternative solution would be for some ambulance-chaser to file a class action lawsuit. I think that it could be extremely successful, properly done. Contract law covers these cases, or at least it’s mystifying to me why it doesn’t.

Apparently, however, it seems that our current legal system does not support this intuitively obvious notion that bad business decisions do not create liability on some third party. If Congress wants to help people, it will do something simple and sane. It’s not Bob’s fault that Larry is stupid.
Photo of Larry The Lender courtesy of jonmc.

4 comments on "What Congress Can Do To Prevent Identity Theft"

  • nowen says:

    I had too many, too incoherent comments to politely post here, so I put them in my blog instead. That way, when I actually read it and see how dumb it is, I can delete it.
    To sum though, have you tried

  • mordaxus says:

    I read your blog post. Let me say this again simply:
    The liability for bad lending decisions should rest totally on the lender.
    Yes, this will dry up some forms of cheap and credit. Identity theft is merely a byproduct of this.
    An opt-out sys sugar-coats the passthrough of liability. It makes it so that it’s still Bob’s fault that Larry is stupid and Alics is a crook. This is past bad security. it is immoral.

  • nowen says:

    Let me try at least a bit to clarify what I mean. Sorry, I’ve got too much going on right now to really focus. I think that bad lending decisions are currently the liability of the lender. Yes, Bob must prove to Larry that Larry made a mistake by, for example, showing that his foot has not been amputated. If he does that, he’s off the hook for the money (but his credit is perhaps screwed up). So my question is: what do you mean by “totally”?

  • Gunnar says:

    “The liability for bad lending decisions should rest totally on the lender.”
    Sounds great. How to actually implement? However, I don’t want take a urine test every time I buy stock. The vetting process (or proofing if you work for Burton Group) for credit card merchants is pretty extensive and time consuming. It extensive because Visa is ultimately liable, but this vetting process does not scale to the consumer level.
    Some aditional proposals that could help
    1. Publish SSNs (debunked on EC, but still worthwhile considering, SSNs should not be used as authenticators, but they are)
    2. Invest in buzzers (see comments)
    3. How about congress writes a big, fat check to the credit bureaus. Say $5/month per family for credit monitoring services? They should be able to get a bulk price, right? I heard that outsourcing is going to be big some day.

Comments are closed.