Several recent high-profile incidents have thrust identity theft into the media spotlight. The first to gain notoriety involved the credit-verification company ChoicePoint, which in 2004 inadvertently delivered electronic files containing the names, addresses, social security numbers, and credit reports for almost 140,000 people to identity thieves in the Los Angeles area. In 2007 the British government lost computer disks that contained the personal details of every family in the country. In both cases, the media and authorities articulated a series of anxieties about how this data could be exploited. A plethora of security experts quickly emerged to offer citizens concrete advice on how to mitigate the risk of identity theft, including tips on both prevention and on what to do if victimized. These tips, the rationale behind them, and their implications have provided considerable fodder for this article. Every year there are similar stories of corporations losing customers' personal information, and while citizens are repeatedly told to protect themselves, the parties responsibleboth the companies that lost the data and the thieves themselvesare often unscathed.
Although there are different definitions of identity theft, the crime typically involves illegally using someone else's personal information to secure some benefit. Thieves acquire such information through various sources and means, including customer service representatives, hacking and data-mining programs, "dumpster diving" for personal documents, and stealing computers. Victimization ranges from single-instance fraud to more elaborate, extended uses of a person's identity. And while estimates of the extent and cost of identity theft differ, it is commonly recognized as the most rapidly escalating form of crime in both North America and the United Kingdom.
The rise in identity theft parallels the rise of bureaucratic identity markers such as driver's licenses, credit cards, and passports. The shift to an information economy means that people interact with each other at a distance. Over the phone, on the Internet, through the mail, people use these markers to verify their identity and their trustworthiness. As they go about their daily lives, they actively invoke or unknowingly draw upon a host of markers, in the process producing yet more information about their behaviors that institutions store, analyze, and sell. Making a purchase with a debit card, opening a door with a swipe card, telephoning a friend, requesting a travel visa, driving on electronic toll roadsan expanding range of activities leaves informational traces that cumulatively compose a dispersed and loosely coordinated network of information that can be drawn together in particular configurations to produce detailed profiles of a person's behavior, health, travels, consumption patterns, and so on. These profiles are commonly referred to as "data doubles ." They are the lifeblood of new forms of informational capitalism and e-governance, and are used to ascertain a person's trustworthiness and value as a customer, as well as to streamline services and improve corporations' daily operations. Data doubles are also a prime target for identity thieves. Institutions anxious about the risks inherent in data doubles falling into the wrong hands are now championing assorted projects of personal information management designed to reduce the prospect of identity theft.
Several initiatives have been established to counter identity theft, the most prominent of which involve efforts to encourage citizens to alter their regular routines to reduce their risk of victimization. These measures can be understood as encouraging a care of the virtual selfa wider social project that encourages people to reduce the risks and maximize the potentialities related to their data double. In the context of identity theft, however, institutionally promoted methods for virtual self-care transcend what is reasonably practicable for most citizens and mask the role played by major institutions in fostering the preconditions for identity theft.
Institutional advice on identity theft offers a dizzying array of tips on how citizens can avoid victimization. These tips range from limiting the information one carries and using secure passwords, to closely analyzing bank and credit card statements and ordering credit reports every six months, to keeping all personal information in a safe (ideally locked) location and locking one's mailbox. Tips telling citizens to avoid shopping online and to avoid giving out personal information on insecure phone or Internet lines often stray on the side of paranoia. The most common tip is to shred everything from receipts to bank statements, to magazine address labels. In order to manage the risk of identity theft, citizens are encouraged to buy an abundance of anticrime products that have been rebranded to capitalize on the identity theft buzz. Alongside the shredder, other devices sold to thwart identity theft include computer locks, safes, firewalls, and encryption software, as well as new services such as identity theft insurance. Marketed by credit card companies as a benefit to potential victims, such services also offer businesses some hope of reducing costs related to identity theft and generate a new revenue stream.
Many of the recommended risk avoidance measures involve forms of "responsibilization," a process of encouraging individuals to become more involved in managing the risks they face. Under pressure to streamline their services, governments increasingly encourage individuals and the private sector to shoulder more responsibility in managing risk and preventing crime. But this responsibilization is far from perfect. Rather than identity theft being the fault of consumers' poor information-management practices, research suggests that the greatest proportion of this risk can be attributed to the careless or negligent data-management practices of major institutions. More than 50 percent of stolen identities, for example, are taken by employees or people impersonating employees . Other research has noted that up to 70 percent of identity theft can be traced to leaks within organizations . Yet statistics such as these aren't common knowledge. When concerned citizens ask their local police, government, and corporate authorities about identity theft, they receive lists of tips on theft prevention, and on what to do once one has (seemingly inevitably) become a victim.
The process of reestablishing one's identity is the greatest source of frustration. The material costs of the initial fraud or theft of data can pale in comparison with the frustrating and time-consuming work required to rectify the problem. These frustrations are compounded by the fact that victims encounter a reverse onus; they are expected to provide appropriate documentary details in prescribed forms and within a specified timeline to prove their victimization (in duplicate, and by registered mail). The investigation and resolution of their case often depends on the speed and the accuracy of the information they provide.
There is a standardized four-step process for recovering from identity theft. First, victims should contact the police and file a reporta requirement that has almost nothing to do with the prospect of effective police assistance, but is instead understood as a key component in the documentation process. Police reports are vital when trying to prove victimization to credit bureaus, account providers, and government authorities. Second, victims should contact the three major credit bureaus to acquire copies of their credit report to examine for discrepancies. A client can also register a fraud alerta form of notification stored on their file to caution agents that someone has been manipulating their data. Third, victims should close any accounts where they suspect involve identity theft activity has occurred. Finally, they should contact government authorities to log their complaint and provide statistical information to the relevant authorities. Reclaiming identities involves intense scrutiny of the bare essences of a person's life that can resemble a Kafka-esque toil with inscrutable organizational routines and seemingly unending paperwork that on average can take up to 40 hours to complete. Victims of extreme instances of identity theft are best situated to deal with their case if they are familiar with bureaucratic protocols and have a heightened sensitivity to the importance of documentation. They also need perseverance, and, above all, a plan.
Whereas most crime victims are expected to do little more than contact the police, great weight is placed on identity theft victims to rectify their situation, through an expansive program of self-documentation and mediated communication with social institutions. Indeed, one of the paradoxes of identity theft is that while the crime itself raises questions about institutional trust in documentary identities, this trust can be reestablished only through an elaborate frenzy of further documentation. Ultimately, the victim's task is to return their data double to the status of one among millions of unremarkable transactions in a global system of informational relays.
Curiously, the discourse on identity theft is almost entirely lacking in specific references to criminals, beyond vague references to hackers (even though most identity theft methods require very little computer skills). It appears to be an almost criminal-less crime. Instead of employing breathlessly moralized accounts of evil criminals, institutions treat the crime dispassionately, as a simple risk to be managed. One consequence of this lack of a conspicuous criminal is that the gaze of surveillance focuses on the victim herself. In the absence of identifiable perpetrators, victims become the predominant object of statistical knowledge, trend predictions, risk profiling, and bureaucratic " dataveillance."
Victims are often treated with suspicion and must do considerable work to prove their innocence. An extreme example of this involves cases in which a criminal provides someone else's personal details when they are arrested for a crime. In this case, the victim must report to their nearest police station (if they haven't been arrested already) and file an impersonation report. To complete this report, the victim must ask to have mug shots taken and to be fingerprinted. These prints and photos are then compared with those of the imposter. Their mug shot and personal details are entered on a police computer accessible to officers 24 hours a day. Police record and store their fingerprints and offer no assurances that these records will ever be removed. If exonerated, victims should then request an official clearance letter or certificate of release and are expected to carry this with them at all times in case they are wrongly arrested again. This process represents a complete inversion of the usual processing of victims and criminals. Unlike criminals, however, victims are expected to willingly subject themselves to this documentary regime or risk being judged as having failed to live up to the new responsibilities associated with their "victim identity."
Victims and potential victims alike are expected to transform the minutia of their daily routines in light of informational risks. It is a project that involves attending to the flows, accuracy, and security of the composite bits of documentary identities. For individual citizens, this process aims to foster a particular form of life characterized by an ongoing hyper vigilance about routines for managing their data double. The often mind-numbing minutia of the proliferating identity theft risk-reduction strategies often exceed the bounds of what might be reasonably expected from most citizens in managing a single risk. When all such expectations fall on individual citizens, it becomes highly unlikely that all of these can be effectively incorporated into a person's daily regimen.
This, in turn, accentuates a larger political point about how individuals are positioned as the source of identity theft risks. Such a characterization effectively ignores the role of institutions in creating the risk of identity theft by systematically placing profit and organizational self-interests ahead of any concerns about the public. When information security has been breached, policies often preclude companies' informing customers of this fact out of a fear of negative publicity and as a way to save money. So, even when credit card companies know that the personal details of thousands of their cardholders have been compromised, they do not routinely issue those customers new cards because of the costs involved. Instead, they subject the consumption patterns of those suspect cards to still greater electronic profiling, and cancel individual cards only when there is evidence of fraudulent use. This practice saves the company the considerable cost of having to mail out thousands of new cards, but in the process they effectively consign a subset of cardholders to victimization.
The policies and practices of credit agencies are most responsible for the comparative ease of identity theft. Take pre-approved credit cards. While it is common knowledge that identity thieves regularly steal and use them, these costsand the attendant victimization of innocent citizensare written off as a cost of doing business. But beyond the obvious risk of this junk mail is something more insidious. The credit industry is fixated on being able to quickly grant credit, and individual agencies pride themselves on being able to approve transactions in a few seconds. This emphasis on speed consciously sets aside questions about the accuracy of information and the security of transactions. Businesses fear that if credit purchases take too long to process, or if security measures are too stringent, then legitimate purchases will be rejected and they will lose revenue. From a business perspective, one of the major dangers of credit is the expense associated with security measures that might mistakenly reject legitimate purchases. Hence, while championing a host of individualized responsibilization measures against identity theft, the credit industry has opposed proposals to conduct basic fact checking for credit transactionsa policy that would reduce the number of frauds, but that would also slightly slow down the credit-granting process.
The fact that institutions have knowingly created many of the necessary conditions for identity theft, refused to rectify glaring problems, and established the bureaucratic structures that give identity theft victimization its characteristic form all suggests that the recommended individual responsibilization measures are themselves part of a political strategy whereby institutions are divesting themselves of responsibility for the full social and economic costs of the risks they have produced. These costs are effectively externalized through policies that champion an individualized project of care of the virtual self, as individual victims are expected to pay the price for institutional policy decisions. And although such responsibilization measures are unlikely to prove immediately effective in reducing the prospect or pains of victimization, they do signal a step change in an ongoing historical attempt to foster bureau-cratically rational capacities in citizens and help reveal emergent heightened expectations about the role that individual citizens are to play in caring for their virtual selves.
The lessons here for HCI practitioners are apparent. Given the increasing media accounts of large-scale information breaches, ensuring the security of data flows from individuals to institutions should be a priority. But an even larger priority is improving the data-handling practices within corporations. While technological security solutions may help decrease data leaks, increased attention must be paid to the humans that handle this information. Along with examining how these physicalrather than digitalpractices can be better secured.
The case of the credit card industry highlights how corporations as well as consumers commonly prioritize ease-of-use and convenience over security. The challenge for HCI professionals is to avoid thinking of these traits as mutually exclusive. New technologies can be convenient, but also more secure. For example, consumers are warned never to leave their debit and credit cards out of their sight when paying for purchases, but this is often impossible to avoid, especially in restaurants where the terminals are kept in the back. New technology has helped address this risk while simultaneously increasing convenience. Wireless credit and debit machines in restaurants allow payments to be securely processed at clients' tables where the cards can remain in their owners' sight at all times. This example demonstrates that although security practices are often weighed against other interests, innovative design and conscious attention to how users interact with technology can help shore up gaps through which users' information is leaked.
Beyond helping to design products expressly geared at protecting clients' information, there lies a much larger challenge. Data mining and profiling practices undergird the information economy and employ many HCI practitioners. But they also create numerous risks, including large-scale identity theft. While practitioners have a role to play in improving the security of these large databases and tightening up information handling practices, they should not only ask themselves, "Should we collect this data, just because we can?", but measure the benefits of collecting and storing data against the risk of it falling into the wrong hands.
For more information on how to protect yourself from identity theft, read the Federal Trade Commission's 2005 report "Take Charge: Fighting Back Against Identity Theft;" http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm.
2. Jewkes, Yvonne. "Policing the Net: Crime, regulation and surveillance in cyberspace." In Dot.cons: Crime, Deviance and Identity on the Internet, edited by Y. Jewkes, 1535. Cullompton, England: Willan Publishing, 2002.
Jennifer R. Whitson is a sociology Ph.D. student at Carleton University in Ottawa, Canada. Her current research interests include digital identity management, governance in online domains (especially MMOs), and social influences on software development processes. Her recent work includes a chapter, coauthored with Aaron Doyle, on virtual world governance in Stéphane Leman-Langlois' edited collection, Technocrime, and an article on identity theft, coauthored with Kevin Haggerty, in the November 2008 issue of Economy & Society.
Deposit your outgoing mail in post office collection boxes or at your local post office, rather than in an unsecured mailbox.
Don't carry your SSN card; leave it in a secure place.
Give your SSN only when absolutely necessary, and ask to use other types of identifiers. If your state uses your SSN as your driver's license number, ask to substitute another number. Do the same if your health insurance company uses your SSN as your policy number.
Carry only the identification information and the credit and debit cards that you'll actually need when you go out.
Keep your purse or wallet in a safe place at work; do the same with copies of administrative forms that have your sensitive personal information.
When ordering new checks, pick them up from the bank instead of having them mailed to your home mailbox.
©2009 ACM 1072-5220/09/0300 $5.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.