Day 2: Experts talk about ID theft

Members of News.com's ID theft roundtable panel open up a discussion with News.com editors and our readers.

CNET staff
11 min read


Other discussions: Monday | Wednesday | Thursday | Friday

The members of this Roundtable panel have agreed to have a discussion with News.com editors and our readers. Although we cannot guarantee a response for every e-mail, you can submit your questions for panelists here.

Click here to return to the main discussion page.

Tuesday: State vs. federal regulation

From: Chris Hoofnagle
Subject: Security *and* Privacy
Mon, 24 Oct 2005 17:06:15 PT

The data industry tried to win our trust back in the 1990s, by adopting a weak self-regulatory scheme known as the IRSG guidelines. Under the IRSG system, data brokers got to choose who were "qualified" to buy data and allowed individuals to opt-out of data sale to the "general public."

"Qualified" buyers, when it comes to Choicepoint, includes 100,000 businesses, and 7,000 federal, state, and local law enforcement entities. Also qualified were fraudsters who couldn't even spell the reasons why they wanted to use Choicepoint's services on the company's subscriber application! One of the fraudsters said he was going to use the database for: "Reducing bussiness [sic] loses [sic] by preliminary verification and increasing profitability by locating delinquent debtors. Basically fraud preventions." That's "qualified" under self regulation. Mention "fraud preventions" and you're in.

And that opt out right? It didn't even apply to Choicepoint, because the company didn't consider its customers to be the "general public."

The IRSG doesn't even exist anymore.

IRSG failed so badly that the data industry is in damage control mode. And the new "trust us" mantra is to focus on security without discussing the legitimacy of data sale itself.

I think that if we were to look into how our data are being used today, it would be reminiscent of the problems Senator Proxmire discovered in the 1960s with consumer reporting agencies before passage of the FCRA--poor accuracy, reporting based on rumor, release of records to law enforcement, etc. The fact that the industry doesn't want to have that debate--the secrecy surrounding their practices--should arouse some more suspicion.

In other matters...

Denigrating legislators and bureaucrats doesn't really get us anywhere (wasn't Cato the Younger a legislator?). It's a poison-the-well argument that doesn't contribute to the debate meaningfully. As a son and grandson of public servants, I resent it a bit.

Legislators have expert staff to help them understand proposals. No legislator has a full understanding of the myriad issues covered by their committees. Similarly, agencies have staff with deep expertise in many of the areas they regulate to guide decision makers. The system isn't perfect. But the effect of the "don't trust the bureaucrats" argument is to vest power in the private sector, which as we have seen, is less than committed to the consumer interest.

For those interested in weaknesses in the common law's approach to information privacy, see Daniel Solove's work: http://ssrn.com/abstract=248300.

I'd invite Jim to expound upon 1) exactly which torts would solve the information privacy problems we're experiencing and 2) what new theories of harm and duty are necessary to enable those torts to be effective.

From: CNET News.com
Subject: Question for Day #2: Federal vs. state regulation?
Tue, 25 Oct 2005 08:16:11 PT

Chris Hoofnagle asked Jim Harper to elaborate on which torts would "solve" the problem of information privacy and how those would work in practice.

May I broaden that point and open it up to the entire list? The question I'd like to pose is whether regulation of information security and privacy should be primarily done by state governments or the federal government.

There's a long list of data-security bills in the U.S. Congress and many of them would preempt state rules. Businesses tend to prefer that kind of approach, saying it creates a level playing field. But it means state legislators can't experiment with more or less regulatory solutions that might be better--and Congress may, after all, get it wrong.

Which approach is better?

From: Jim Harper
Subject: Common Law: Distributed Lawmaking
Tue, 25 Oct 2005 08:32:55 PT

"Cato" was the pseudonym of John Trenchard and Thomas Gordon, Englishmen writing anonymously in the early 18th Century, whose works had a profound influence on the Framers of the U.S. Constitution. Thanks for asking!

(Ahem. Back to work:)

The story of how the Individual Reference Services Group gamed the federal regulatory system bolsters my point that regulation is the playground of business, not the savior of consumers.

To the substantive question at the end of Chris' post: I have already talked about many of the causes of action that could, in varying degrees and applications, resolve many of the problems with data aggregation were they not largely preempted by the Fair Credit Reporting Act (and ignored by many who could use them to good effect).

As to our specific topic--data breaches--two courts have already found a duty on the part of holders of sensitive data to protect the subject of that data. One each deals with breach and sale of data. No new theory of harm is needed: One set of plaintiffs was victimized by identity fraud, suffering the expense and lost time of restoring their credit histories. In the other case, the victim was killed.

It is early yet and the doctrine I advocate for is not yet mature. I am humble enough not to try predicting what cases will bring the rule to other states or what its final shape will be.

Speaking of humility, I have served as a legislative staffer, so I know well their incompetence to solve these problems, much less see legislation through that does this. This is not because they're not smart and hard-working; it's because they can't know all the interests at stake and all the consequences of a rule for the indefinite future.

As this discussion makes clear, the problems with data aggregation and use are huge and difficult. They require a distributed system like common law development to resolve them. Common law is not only distributed laterally, across courts and judges, but over time, as well. Courts learn from each others' experience. The fairness of given rules to all parties in past cases helps build the best system of rules for the next case. It's not quite a Wiki, but the theory is the same.

I suppose I took the bait laid by CNET News.com's editors: "Why should people trust the industry?" Senator Simitian set the hook by suggesting that someone had wrongly argued for trusting business.

I didn't, but where businesses (and, by natural implication, businesspeople) are being impugned as untrustworthy, I do not think it is unfair to point out the parallel (and I think greater) flaws in regulators.

I especially think that an elected official who claims the authority and power to shape every Californian's life - indeed, all Americans' lives--should explain what principles, if any, guide him. I invite Senator Simitian to explain what regulation or tax proposal would fall outside the "public interest" test that gives him his "duty to regulate the private sector."

Now, Senator Proxmire's legacy, the Fair Credit Reporting Act, has been invoked twice. Does anyone realize that many of these issues exist despite, and possibly because of, his work? Does anyone see the irony in singing the praises of Senator Proxmire while we look over the train wreck he set in motion thirty years ago?

It reminds me of a luncheon I spoke at in Dallas, Texas a few years back. After the panel discussion about federal privacy regulation, an audience member got up and waxed poetic about how federal privacy regulation could be like a new Civil Rights Act of 1964. That impressed a lot of people, I'm sure. None of them probably noticed that the small number of African Americans in attendance had left the room after clearing the dishes.

From: James Van Dyke
Subject: RE: Common Law: Distributed Lawmaking
Tue, 25 Oct 2005 11:13:00 PT

To follow Jim Harper's previous post, I'll make this somewhat tangential observation: African-Americans, Latinos and all people of lower-income groups are about twice as likely to suffer from identity fraud as the average U.S. citizen. And when such individuals do become victims, their crimes have higher average amounts as well as an increased likelihood that the victim will be faced with personally covering a higher proportion of the crime.

New Javelin data indicates that, in contradiction to widely held opinion, emerging technologies actually provide crucial safety advantages over such methods as mailed paper statements and paper checks. Continued technology growth trends could further exacerbate the relative fraud-prone condition of those who already suffer the most from this crime today (the so-called "digital divide"). While the hands-off view assumes that individual responsibility will lead to the greater good, I've also seen where pervasive problems with unequal opportunities for education and safety can lead to some of the data I cite above. Furthermore, some poorer individuals may be more likely to simply walk away from substantial losses committed by a criminal acting in their name, which in turn causes the losses to be borne by all members of society.

From: Senator Simitian
Subject: Question for Day 2
Tue, 25 Oct 2005 11:20:00 PT

The argument for federal legislation rather than a "patchwork quilt" of state regulations makes sense in theory.

It would be more persuasive, however, if the people making the argument weren't the same people lobbying in Washington, D.C., against effective protections.

It would also be more persuasive if Congress had shown any interest in providing meaningful protections during the past decade, which has not been the case.

Under the circumstances, "lead, follow, or get out of the way" is an understandable reaction. I acknowledge that multi-state regulation can pose challenges, but as a practical matter it may be the only means we have of prodding industry and the feds to take significant action.

Moreover, while some state statutes may pose consistency/conflict problems, it is possible to craft state statutes that avoid these challenges, protect the public and prod industry and the feds.

From: Chris Hoofnagle
Subject: Pre-emption
Tue, 25 Oct 2005 13:06:00 PT

The industry wants pre-emption because it gives them more uniformity in compliance but also because they can get a better deal in Congress than in the states. Cynicism aside, there are very good arguments against--and for--pre-emption. Let me present some of the against arguments:

Many of the good ideas in federal privacy law come from states. Much of federal level identity theft protection came from California, for instance. And of course, the debate we're having was sparked by an innovative state legislator who passed a law that wouldn't have even had a hearing in Congress a year ago.

Consumer protection law, historically, has been a state endeavor. Most federal privacy laws aren't pre-emptive. And most privacy law itself was generated by the states. There are state privacy laws on medical privacy, arrest records, video surveillance, SSNs etc. Much of this law fills in gaps left by federal government inaction.

Especially in the financial services and credit reporting areas, there has been an argument that a national ceiling of laws is needed in order to prevent "balkanization" or a "patchwork" of state laws. However, there is nothing that differentiates these business from other industries that operate at the national level with varying state laws. (Insurance companies, for instance, are under different regs in 50 states.)

Isn't there some inconsistency between the argument that businesses can't comply with different state laws in light of personalization technology that's been developed. Data marketing company Claritas, for instance, advertises that it can track yuppies across three different state jurisdictions at the zip code level:


If data marketing companies can divide people into 95 categories at the zip+4 level, can't they use the same technology to address differences in state laws?

Finally, there won't be as much privacy law if there is broad pre-emption. Congress has increasing demands placed upon its attention. There's real meaning behind the cliche: "That will take an act of Congress." Problems have to rise to a high level of severity before Congress will act.

As to Jim's earlier point about the FCRA, EPIC's point is that commercial data brokers should fall under the law. The problems we're experiencing (access to the complete file, inaccuracy, indiscriminate sale of dossiers, lack of correction rights, sale to law enforcement) are all addressed by the FCRA. Commercial data brokers built their business to skirt the law. Now the law needs some revision to sweep in these new business models.

As for John Trenchard and Thomas Gordon, they used the name Cato in recognition of legislator Cato the Younger.

From: CNET News.com
Subject: Common Law and Privacy Protection
Tue, 25 Oct 2005 14:03:00 PT

One of our readers sent in a question that I wanted to run by you. He wrote:

"Why should I be responsible to prove I'm not the imposter who used my ID, fraudulently used my credit card, etc.? Why shouldn't they be responsible to prove it wasn't an imposter, if I deny the account, the charge, or the complaint.


From: Chris Hoofnagle
Subject: Common Law and Privacy Protection
Tue, 25 Oct 2005 14:42:00 PT

I've asked Jim to clearly articulate what new/existing torts could address information privacy issues. He responded by saying that in at least two cases, courts have adopted a principle that companies that breach sensitive data should compensate the consumers harmed.

I'm pretty sure that one of the two cases that Jim refers to was one where I wrote a brief (the "Amy Boyer" case). Let me tell you, that was not an easy case. And just a passing glance at it makes it clear why the tort system doesn't serve as a model for addressing information security or privacy.

In that case, a stalker hired data broker Docusearch.com to locate Amy Boyer. Because Amy Boyer lived with her parents, Docusearch couldn't locate her definitively. So, Docusearch hired a New York private investigator who located Boyer by "pretexting," that is, by pretending to have a valid reason to elicit Boyer's work address. The stalker showed up at the address, shot Boyer to death, and then killed himself.

EPIC's page on this case is online at:


Now, was Docusearch or the private investigator "closely responsible for the harm" in the Boyer case? All they did was sell personal information, they argued. In fact, the information that led to her death--her work address--isn't considered sensitive under statutory or common law.

I think we won that case because 1) the Docusearch defendants were not the most attractive defendants. They had shoddy client screening techniques, and one of them had a criminal history. 2) The activity resulted in someone dying. 3) The killer posted a Web site describing his activities and stalking of Boyer.

Jim's approach ignores the practical reality of privacy invasions: 1) that one usually does not know how their personal information has been obtained or misused. It is still the case that in almost 50 percent of identity theft cases, the victim doesn't know how their information was stolen. 2) That most privacy invasions aren't as severe as the Boyer case.

Put aside the transactional costs of litigation, tort reform, the delay of litigation, the privacy invasions that plaintiffs have to undergo to so, etc., and one still has to be able to demonstrate:

1) Duty
2) Breach of the duty
3) Causation
4) Damages

Again, in the Boyer case, without the killer's Web site, we would have only had damages. There would have been no obvious way to discover Docusearch's involvement.

From: James Van Dyke
Subject: Common Law and Privacy Protection
Tue, 25 Oct 2005 14:56:00 PT

For market-based societies to have any degree of efficiency, consumers and businesses must each shoulder some responsibility for proving the authenticity of transactors and transactions. As is said, power tends to corrupt, and absolute power corrupts absolutely. If the power to accuse or refute were to solely fall on just one party, abuse would become rampant, causing certain and substantial decline in our ability to buy and sell goods at reasonable prices.