By suggesting last week that the US Constitution gives every individual clear title to his or her personal data, I did not anticipate wide applause from the business leaders who stand to loose free access to a gold mine. Many fair minded readers however may doubt the practicality of such an interpretation and to them I owe explanations.
Yet my good will has been overtaken by the news. How could I ignore the debacle which broke this week as the Department of Veterans Affairs acknowledged the theft of 26.5 million ID's ?
In fact I almost did. ID theft has become such a common occurrence that reports by David Stout and Tom Zeller Jr (*)(**) went at first in the bulging folder I use to prepare for my lectures. And if I released the 2005 edition of Identity Theft to the public on the same day, it was by a serendipity marketing money cannot buy.
What struck me at second thoughts was the number of veterans who bank at CitiFinancial and use a Visa Card. It should run in the six digits if these three factors are not correlated.
Assume you are one of them and find out tomorrow your ID has been stolen. Indulge me and assume you have the resources to sue any organization which neglects what should be considered its fiduciary duty towards the data you entrusted to it. Then what?
How can you find out the origin of your personal grievance? Is it the Veterans Administration (30 million ID's stolen)? CitiFinancial (4 million ID's "lost")? Their lawyers will tell you the real culprit is likely to be the Visa card processor CardSystems (40 million ID's exposed to hackers), whose legal obligations have conveniently vanished with its swift demise (see slide 9 of the Slideshow on ePrivacy).
In a recent editorial (1) the Financial Times raises the issue of "breach fatigue". There are indeed just too many of them for the information available to the victim, potential or proven, to be of any use. For confirmation, look up the list maintained by The Privacy Rights Clearinghouse.
May I dare to suggest that if the wizards in control behind the curtain did not insist on collecting our ID's in giant central data bases no amount of measures can totally secure, there would be no more ID thefts?
The issue is that there are ID's and id's.
Certainly any organization, public or private, ought to be able to identify anyone with whom it has a relationship. So I deal with my bank using my ATM number, my phone company with my phone number and the Social Security administration with my SS number. Each contact can further be secured with organization-dependent private facts such details about last transactions or, for Social Security, filiation. In fact I have as many id's as I have relationships. It is quite an annoyance to loose one's ATM card or any other id's but this is minor compared to loosing one's ID.
The difference between an ID and an id is simple: an ID is a common id which can be recognized by all my relationships with a two fold effect:
- advertisers, lawyers and governments, the three unprincipled plagues of privacy can easily aggregate all those records about myself. If you think they could do that as well with my last name, you have not seen the spelling variations it inspires. At times I hardly know myself.
- submission of my ID backed by a favorable report from credit report agencies who sell my data to anyone who ask is often all it takes to tie my credit to a new account.
Notice that both of these "benefits" accrue to third parties without my knowledge and authorization. No wonder nobody wants to adopt the real solution to ID theft. Use of my ID without my explicit consent, aka ID embezzlement, has been practiced all along by most established organizations, the same ones who send me privacy (invasion) policies, these glowing samples of TrueSpeak.
Am I then advocating our society returns to some Golden Age, without advertisers, lawyers, goverments and credit report agencies? Not in the least. They all carry on roles indispensable to modern society. What I ask is a simple question:
why beyond the fulfillment of the specific relationship for which I gave it, should they be allowed to reuse my personal data, and that includes my ID, without my explicit consent?
My banker does not wire my money without my express order. "No taxation without representation" was a leading demand of American patriots. Why would my ID be different?
If organizations were to ask each time for my permission, no thief could take a loan on my credit without my consent. I might still be swindled by some clever confidence man, but thiefs are lazy. Conning 26.5 million people one at a time is a lot harder than stealing 26.5 million ID's at once.
Of course I am back trying to storm the Bastille. Advertisers, lawyers, governments and credit report agencies will squeal they cannot function without the right to embezzle ID's. George III was not amused either. And yes I promise to give the explanations I owe fair minded readers.
Philippe Coueignoux
PS: I have full confidence in Brant Parker and Johnny Hart's sense of humor to avoid slapping me with a trademark infrigement lawsuit.
A matter for a further fillip perhaps.
- (*). Vast Data Cache About Veterans Has Been Stolen, by David Stout and Tom Zeller Jr. (New York Times) - May 23, 2006
- (**) Veterans Chief Voices Anger on Data Theft, by David Stout (New York Times) - May 25, 2006
- (1) Disarray on Data, editorial column (Financial Times) - May 2006
|