Is identity theft inevitable?

Exactly what is going on here?

To hear the politicians tell it, identity theft is the inevitable result of a fast-paced information society. Congress now wants to pass new laws that will centralize the investigation and enforcement of identity theft cases--and it certainly should.

To be sure, anything would mark improvement over the current mess. Yet remapping the murky domains of federal agencies alone will not be enough to actually stop or even slow identity theft. So what are we doing to make sure that our nation's databases are protected?

Nothing.

I learned this the hard way. In the process of downloading my 2004 W-2 from a Web-based payroll company, I discovered I could also download the W-2 of every person who had ever been a customer, as far back as 1999.

As it happens, IRS Form W-2 is the perfect tool for blackmail, containing one's Social Security number, annual salary, home address, employer's federal identification number and employer's state tax ID. With one keystroke, without breaking into any systems, without hacking--really, without even trying--I could have pretended to be anyone I desired to be out of a potential pool of up to 100,000 people.

Even in the wake of the ChoicePoint fiasco, the payroll company didn't want to hear about the problem. Faced with the prospect of my own personal data leaking out onto the Internet, I started making phone calls.

Once word of the flaw began making its way into the press, the company threatened to sue me for violating U.S. Code Title 18 Section 1030, otherwise known as the Computer Fraud and Abuse Act of 1986. Never mind that I was a (former) customer trying to access my own data in my own W-2 and that I had passed on information about the flaw as a courtesy. I could not ignore the fact that the charges were "very serious," as my lawyer (who had never even heard of the 1986 law) repeatedly told me.

What is a digital Good Samaritan to do? If you knew that your Social Security number and salary were being broadcast to the world, could you simply walk away? Perhaps you might choose the flipside: 10 years in prison for committing a noncrime or, in the best-case scenario, shoulder the expense and inconvenience of going to trial.

Indeed, legislation that centralizes the government's sizable burden of dealing with identity fraud is all well and good, but it misses the mark completely. Identity thieves will have nothing to steal if our computers are well-protected.

Therefore, to be truly effective, any new law designed to fight identity theft absolutely must comprise at least two key components. One would be a clause forcing financial institutions--not just those affected by the Fair Credit Reporting Act, but also payroll companies and businesses storing credit card numbers--to stay current with computer security standards as defined by the latest industry developments.

The second "must-have" is a loophole to protect white-hat hackers, who know enough about computer security to point out flaws, but who are not acting out of malicious intent. When these security professionals find problems, companies have far too many incentives to shoot the messenger.

Currently, there is no clear way out. Byzantine regulations imposed by the USA Patriot Act further compound the problem. Meanwhile, security professionals--true patriots trying to protect our digital infrastructure--find themselves forced to fight legal battles that never should have arisen in the first place.

Identity theft may be an inevitable part of our society's technological evolution, but it is not unstoppable. New laws can and will help, as long as they protect those who understand the underlying technologies involved. After all, a safer society, free of identity theft and cyberterrorism, will probably never come about if the good guys are all tied up in court--or jail.