Shostack + Friends Blog Archive


Puerto Rico: Biggest Identity Theft ever?

puerto-rico-birth-certificate.jpgApparently, the government of Puerto Rico has stolen the identities of something between 1.7 and 4.1 million people

Native Puerto Ricans living outside the island territory are reacting with surprise and confusion after learning their birth certificates will become no good this summer.

A law enacted by Puerto Rico in December mainly to combat identity theft invalidates as of July 1 all previously issued Puerto Rican birth certificates. That means more than a third of the 4.1 million people of Puerto Rican descent living in the 50 states must arrange to get new certificates. (“Shock over voided Puerto Rican birth certificates,” Suzanne Gamboa, AP)

If I’m parsing that right, all 4.1 million identities were stolen from their legitimate holders, and 1/3 of those are outside Puerto Rico, leading to an unclear level of actual effort to get the documents replaced.

Now, some people may take umbrage at my claim that this is identity theft. You might reasonably think that fraud by impersonation requires impersonation. But the reason that it’s called identity theft is that the victim loses control of their identity. False claims are tired to their name, ssn, birth certificate, etc. Those claims show up at random. Their sense that they have “a good name” is diminished and assaulted.

You might also claim that I’m exaggerating, but I’m not the one who titled the article “shock.” People are feeling shocked, confused and assaulted by this action.

So despite the not for profit nature of the crime, this is identity theft on the largest scale I’ve heard about in years.

Image from the Oritz family showcase.

4 comments on "Puerto Rico: Biggest Identity Theft ever?"

  • Dissent says:

    Hmmmm…. I wouldn’t call it “identity theft” as much as “identity revocation” or “identity do-over.”

    Suppose our government, in its infinite wisdom, decided to do away with all current SSN and go to a different identifier that they would presumably secure better than SSN – and that everyone who currently has a number has to re-apply to get a new number. Would you say that there were over 300 million cases of ID theft?

    The “victim” hasn’t really lost control of their identity, as our identity is not our birth certificate. The “victim” has temporarily lost the ability to authenticate their identity, right?

    But yeah, the legislation seems another case of good intentions, poor execution.

    • Adam says:

      I would argue it to be identity theft, which is surprising in light of your framing.

      The theft is the imposition of friction into transactions that are based on identity databases. You are no longer who you were, and you have to go deal with that.

      The statement “our identity is not our birth certificate” is true, but that doesn’t mean that “your birth certificate is not part of your identity” is untrue.

  • Sniper says:

    why bother with identity theft when US servers like that of are so vulnerable to the most ordinary exploits? details are all (full disclosure) listed in pinoysecurity

Comments are closed.