Can ID Theft Be Solved with More Regulation?By Brian Prince | Posted 2007-02-08 Email Print
An RSA panel discusses approaches to combating identity theft, which tops the list of consumer complaints received by the FTC in 2006.SAN FRANCISCOEarly one morning several years ago, the police knocked on Robert Maynard's door and told him he was under arrest for fraud. There was just one problem: The Robert Maynard the police were looking for did not actually exist.
Maynard was the victim of identity theft. Today, he is co-founder and chief operating officer of LifeLock, a company that works with credit bureaus to prevent the crime to which he fell victim. He was also one of four officials from the federal government and technology industry who sat on a panel at the RSA Conference here Feb. 7 at a town hall meeting on identity thefta meeting marked with calls for stronger government regulation of ISPs and increased crackdowns on cyber-criminals.
It is a subject that is not going away. According to the Federal Trade Commission, in 2006 identity theft topped the list of consumer complaints filed with the agency for the seventh year in a row. The FTC received 246,035 complaints of identity theft last year, accounting for 36 percent of the 674,354 complaints it received.
Ira Winkler, president of the Internet Security Advisors Group and a former computer systems analyst with the National Security Agency, said there are three main ways criminals get their hands on stolen identities: low-tech activities like dumpster diving, data breaches at companies and "stupid" user mistakes online.
The government should mandate that ISPs control what they are putting on their network. His opinion was seconded by a member of the audience, and another man suggested the government take the offensive and attack hackers.
But authorities can't simply "hack back," said Christopher Painter, principal deputy chief of the U.S. Department of Justice's Computer Crime and Intellectual Property Section. Painter served on the panel with Maynard, Winkler and FTC Chief Privacy Officer Marc Groman.
Such offensive actions may not be legal, Painter explained. In addition, the attacks may not hit their intended targetsinstead taking down an innocent system that has been hijacked, he said. Painter added that law enforcement officials have conducted undercover operations to take down rings of cyber-criminals.
But enforcement is just one aspect of the solution, he and others said. Education is a key element of combating identity theft, said Groman, who added that the FTC has embarked on an expansive campaign to inform the public on how it can protect itself.
But Winkler argued that education has proven to be largely ineffective. Instead, the focus should be on requiring ISPs to better manage security on their networks and giving the DOJ and FTC the resources they need to combat ID theft.
In remarks prior to the panel discussion, FTC Chair Deborah Platt Majoras lamented the prevalence of identity theft even as she outlined the work the agency is undertaking to protect consumers. If personal data is not protected, consumers will lose confidence, she said.
"Unfortunately, [the thefts are] becoming all too familiar," she said.