RootsTech 2014

Some people eat, sleep and chew gum, I do genealogy and write...

Sunday, February 23, 2014

Online Family Trees and Identity Theft -- Fiction or Fact?

I have written several blog posts over the years about the blatant misuse of the term "identity theft." Yet again I find published blog posts circulating in the genealogical community declaring that sharing information on a public online family tree involves an increased risk of identity theft. Unfortunately, I have yet to read even one such article that has cited one solid piece of evidence that putting anything in a family tree program increases any definition of identity theft. Why is this the case? Because of the following:

  • There is no consistently applied definition of identity theft in the United States.
  • There are no documented instances tying identity theft in whatever form directly to genealogical data in an online family tree
  • No matter what definition is used, the incidence of any type of identity theft is dramatically overstated in most references to the issue

If you read any article expressing the opinion that adding information to an online family tree will increase your risk of identity theft, you should make comments demanding that the writer justify his or her opinion with some verifiable documentation.

Do I really need to go through all the facts again? I guess so, as long as I continue to see comments in print on genealogy blogs handwringing over the threat of identity theft.

First, the definition. Let's start with 18 U.S. Code Section 1028. These are the sections added to the act by the ‘‘Identity Theft and Assumption Deterrence Act of 1998’’:
(7) knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law; or 
(8) knowingly traffics in false or actual authentication features for use in false identification documents, document-making implements, or means of identification;
There is a lot more, but this is essentially the Federal law on the subject. I guess my question is how this statute applies to online family trees? Is an online family tree an "identification document?" Well, like most federal statutes there is a copious definition section. Here is the definition of an "identification document":
(3) the term “identification document” means a document made or issued by or under the authority of the United States Government, a State, political subdivision of a State, a sponsoring entity of an event designated as a special event of national significance, a foreign government, political subdivision of a foreign government, an international governmental or an international quasi-governmental organization which, when completed with information concerning a particular individual, is of a type intended or commonly accepted for the purpose of identification of individuals;
In short, the Federal law deals with use of identification documents. Let's jump to the Federal Trade Commission (FTC) and see how they define identity theft. Their definition is a little simpler:
Identity theft happens when someone steals your personal information and uses it without your permission.
Hmm. I don't think that definition gives me much to go on but it certainly excludes genealogical data in an online family tree. First of all, the information about dead people is not your personal information. Secondly, you can't steal information from a public family tree. This brings up the first rule putting information online:

If you want information to be private, don't put it online.

Oh by the way, the FTC is charged with reporting incidents of identity theft. All of the FTC's statistics are based on complaints. This is their assessment:
According to the ID Theft Data Clearinghouse, the most common types of identity theft are:
  • using or opening a credit card account fraudulently
  • opening telecommunications or utility accounts fraudulently
  • passing bad checks or opening a new bank account
  • getting loans in another person’s name
  • working in another person’s name
I guess what I would say is where are the prosecuted cases and the statistics concerning prosecution for "identity theft?" Now what about each of the states? Here is the Identity Theft Resource Center, a compilation of the laws of the several states. Here is a sample. This is Arizona Revised Statutes 13-2008:
A. A person commits taking the identity of another person or entity if the person knowingly takes, purchases, manufactures, records, possesses or uses any personal identifying information or entity identifying information of another person or entity, including a real or fictitious person or entity, without the consent of that other person or entity, with the intent to obtain or use the other person's or entity's identity for any unlawful purpose or to cause loss to a person or entity whether or not the person or entity actually suffers any economic loss as a result of the offense, or with the intent to obtain or continue employment.
B. A person commits knowingly accepting the identity of another person if the person, in hiring an employee, knowingly does both of the following:
1. Accepts any personal identifying information of another person from an individual and knows that the individual is not the actual person identified by that information.
2. Uses that identity information for the purpose of determining whether the individual who presented that identity information has the legal right or authorization under federal law to work in the United States as described and determined under the processes and procedures under 8 United States Code section 1324a.
C. On the request of a person or entity, a peace officer in any jurisdiction in which an element of an offense under this section is committed, a result of an offense under this section occurs or the person or entity whose identity is taken or accepted resides or is located shall take a report. The peace officer may provide a copy of the report to any other law enforcement agency that is located in a jurisdiction in which a violation of this section occurred.
D. If a defendant is alleged to have committed multiple violations of this section within the same county, the prosecutor may file a complaint charging all of the violations and any related charges under other sections that have not been previously filed in any precinct in which a violation is alleged to have occurred. If a defendant is alleged to have committed multiple violations of this section within the state, the prosecutor may file a complaint charging all of the violations and any related charges under other sections that have not been previously filed in any county in which a violation is alleged to have occurred.
E. This section does not apply to a violation of section 4-241 by a person who is under twenty-one years of age.
F. Taking the identity of another person or entity or knowingly accepting the identity of another person is a class 4 felony.
As you can see if you wade through this statute, Arizona is not concerned about you and your identity they are more concerned about illegal foreign nationals.

Identity theft is very flexible. As a tag word, it can be used for a whole variety of political purposes.

Now, it is time to return to the question of criminal statistics. Here is the Federal Bureau of Investigation (FBI) assessment of the number of identity thefts:
The number of identity theft victims and total losses are probably much higher than what’s been reported. Because different law enforcement agencies may classify identity theft crimes differently, and because identity theft can also involve credit card fraud, Internet fraud, or mail theft—among other crimes—it’s difficult to provide a precise assessment. The FBI, however, has dedicated significant analytical resources to combating the identity theft problem and is working with other agencies to develop a system that will analyze large streams of identity theft data.
We don't know what it is exactly, but we are allocation "significant analytical resources" to find out. This article goes on to state:
Since fiscal year 2008 through the middle of fiscal year 2013, the number of identity theft-related crimes investigated by the Bureau across all programs have resulted in more than 1,600 convictions, $78.6 billion in restitutions, $4.6 billion in recoveries, and $6.8 billion in fines.
Here is an interesting statement from the Bureau of Justice Statistics:
  • About 7% of persons age 16 or older were victims of identity theft in 2012.
  • The majority of identity theft incidents (85%) involved the fraudulent use of existing account information, such as credit card or bank account information.
  • Victims who had personal information used to open a new account or for other fraudulent purposes were more likely than victims of existing account fraud to experience financial, credit, and relationship problems and severe emotional distress.
  • About 14% of identity theft victims experienced out-of-pocket losses of $1 or more. Of these victims, about half suffered losses of less than $100.„„
  • Over half of identity theft victims who were able to resolve any associated problems did so in a day or less; among victims who had personal information used for fraudulent purposes, 29% spent a month or more resolving problems.
Like many such statistical citations, the numbers sort-of jump around. So only 14% of the identity theft victims suffered a financial loss of over $1.00 and of this 14%, half were less than $100. But notice that there are no actual numbers attached to these statistics. 

If you keep digging, as I have time after time, you will find that there are no real statistics. Except for the FBI statement that there were 1,600 convictions over a six year period, or about 266 convictions a year, there are very few other statistics that help us to understand the real threat of identity theft. Oh, another interesting fact, in the United State's Attorneys' Annual Statistical Report on crimes in the Federal Courts for 2010, there were 81,934 defendants convicted in the Federal Courts. If we can depend on the round number of 1,600 convictions over six years from the FBI, it would appear that only approximately .3 of 1 percent of the convictions were from identity theft. 

I am certain that those who wish to use "identity theft" as the modern bogey man, will continue to do so. I just had a young friend of mine who had his wallet stolen. The thief then used his debit card to buy some gas before the card was cancelled. This is identity theft today. 

10 comments:

  1. Thank you for the excellent article. I'm going to refer people to it every time I hear them incorrectly use that phrase with genealogy! Learning who my ancestors are is a far cry from stealing my identity. I often think of people who put things online and then want to maintain privacy too. We had little privacy when the phone books listed our name, address, and phone number.

    ReplyDelete
  2. It's good to look at what "identify theft" really is, James, but I wonder if you're missing a very common instance for which genealogical data could be useful.

    Most cases that I'm aware of involve someone's online account being hacked by someone who has worked out their passwords, "special information" phrase, place-of-birth, mother's maiden name, etc. Banks used to ask the daftest - and easiest - questions once, but they seem to be tightening things up now. However, most people's passwords are still based on given names (esp. children's), maiden names, dates of birth, and pet's names.

    ReplyDelete
    Replies
    1. There are quite a few descriptive words I could use to describe bank and password practices that use genealogical relationships. I am still being asked my grandfather;s first name for example as a "security" question. This is no reason however to avoid family trees, the information is readily available elsewhere.

      Delete
  3. I have heard people say they won't put a picture of a tombstone on Find A Grave (without cropping it first) if it has a name of the spouse that is not deceased yet. There is a Boogie man behind every stone.

    ReplyDelete
  4. James -

    First time reader, first time commenting.

    I would share this as someone who completely disagrees with you and also works in cyber security.

    I can tell you:

    any person who has their birth date and other informaiton (mother's maiden name, etc.) posted online has greatly increased risk

    the problem of cyber secutiry is real, rapidly evolving, and far worse than even concerned people suspect

    the public infrastructure and coordination required to fight the problem (police, governments, FBI, etc.) barely exists

    the government has warned corporations that their entire network has already been hacked by the Chinese (http://www.zdnet.com/blog/security/richard-clarke-china-has-hacked-every-major-us-company/11125)

    every major bank in the country has sent out multiple fraudulent wires for multiple thousands of dollars each this week alone, as they do every week

    you will never find birth date or mother's maiden name for anyone in cyber. in fact, most will not have any online identity (no facebook, no yahoo mail, no gmail, no blogs)

    I would challenge you to find someone in cyber security at a major bank, fortune 100, or in the defense sector that disagrees with me.

    In summary, I'm not sure that a Russian hacker hoping to encourage people to leave valuable morsels online could have written a better blog post than what you pulled off.

    Pozdravlyayu?

    ReplyDelete
    Replies
    1. Interesting, but not on point. Cyber-security may be an issue, but it is not what is being reported as "Identity Theft." I am looking a FBI, Department of Justice and other statistics concerning identity theft. Interesting also that you post as Anonymous.

      Delete
  5. You haven't changed my opinion. I think you're biased anyway. The security expert summed it up very well. You're just being obtuse.

    ReplyDelete
    Replies
    1. I didn't intend to change your opinion. Do you have any statistics involving the number of criminal convictions for violations of cyber-security? I guess my question is, if my bank gets hacked how does not putting my genealogy online help to prevent that? I am certain that cyber-security is a big issue, but it is not something that I personally have control over. If Amazon or whomever is hacked, what can I do personally to stop that?

      Delete
  6. Identity thefts have now appeared in our sights very often. Since technology has been advanced by time, different ways of identity stealing have appeared. One of the ways that’s used commonly is that they will become your friend. Those thefts could first pretend to be your friend. Then they will chat with you and become good friends with you. At last they will take away your personal information and then at last you realize that he/she’s just imaginary. At the same time you don’t know that if your friend stole your identity or someone else stole your friend’s account and did that. You need to know that not everyone and everything on the internet is reliable. People usually get tricked by people that they trust the most because no one knows that what he/she is actually thinking about. For example in one short clip in YouTube, there’s a girl that found a friend randomly. In his profile picture that boy is really handsome so she decided to add him. They became very good friends. And one day they decided to meet each other. At the day that they meet, the girl arrived very early but no sign of the boy have come. She waited for hours and at last went back home. When she went back home, she noticed that her identity is stolen while she went outside. She told the police about this. At last the police figured out that that boy was actually a 32 year old man. He is an identity theft. His profile picture was actually a picture that was found in google images. The same thing also appears in movie Identity Thief.

    ReplyDelete
    Replies
    1. Nice story. But it doesn't have anything to do with posting your information online as a genealogist. I also notice that you do not cite any specifics about the incident that would allow someone to verify if it happened or not. How did the girl "notice that her identity is stolen?" This story sounds like a confusion of two different types of fraud, not an actual incident.

      Delete