Some people eat, sleep and chew gum, I do genealogy and write...

Sunday, December 27, 2009

Privacy, Identity Theft and Genealogy -- More on Identity Theft


In the past few posts I have been commenting on the fact that privacy and identity theft are both real concerns, albeit not nearly so important as the media would have you believe. Given the reality of the criminal activities included in the umbrella term "identity theft," it turns out that the danger of having your identity stolen, posed by sharing genealogical information, even online, is vanishingly small despite the reportedly large number of instances. Also, in the modern electronic world, privacy is mostly an illusion. It is possible to keep some very personal things private, but the vast majority of our interactions with the public are more or less easily discoverable.

Could I steal your identity if I had a copy of your genealogy file?

First of all, I am not going to steal anything, much less anyone's identity. That said, what if someone wanted to "steal your identity." Could they do that by using your genealogy? (This discussion assumes that your genealogy is done well enough to provide some accurate information) OK, here is a hypothetical. You open a bank account at a local bank and they ask you to answer a security question. It has long been the practice to use your mother's maiden name as an identifying question. Given that is the case, could someone find your pedigree online and thereby learn your mother's maiden name and then use that information to impersonate you at the bank and wipe out your bank account? Well, it could be a problem if you were dumb enough to use your mother's maiden name (easily obtainable in many cases) as a security question, rather than another more difficult question, like the name of your first pet dog or something like that. However, if all the crook had was your mother's maiden name, it would be nearly impossible to defraud a bank with that information alone.

But think about the type of information usually available on a family group record or even less of that information on a pedigree sheet or computer form. First of all, my files contain very little, if any, current address information. There is a place in most programs to store current addresses, but I never use that feature. I have other ways to store addresses, like my E-mail program or other database. My files (and almost all those I have ever seen) focus on a very narrow type of information, that is births, deaths, marriages etc. Good for identifying historical figures but not much use in applying for credit or making large purchases by credit card.

The rule in looking at information issues, like identity theft, is always be aware of the source. Who is telling you that identity theft is a problem? The answer is largely the companies that want to sell you identity theft protection. Here is a quote from one of those companies:

10 Million Americans Have Stolen Identities Each Year
Identity theft is a skyrocketing crime.
Without protection, Americans are at high risk of identity theft in the near future. These crooks aren't just opening up credit card accounts under your name. They're also abusing your utility services, using counterfeit checks, making ATM electronic withdrawals, taking out a loan, getting your driver's license with their own picture, obtain government benefits, and the list goes on.

Now, think about it, how many of these supposed activities would be facilitated by having a copy of your genealogy file? More importantly, how many of these alleged activities are really going on? If there are really 10 million or more cases of identity theft each year, then the other statistics about crime have to be inaccurate. But you can get a better idea of the risk by examining the overall criminal statistics from the Bureau of Justice Statistics. Looking at these statistics it is apparent that only 5.5% of all households in the U.S. experienced one or more types of identity theft and almost half of those cases were unauthorized use of an existing credit card. The total number of cases may approach 10 million, but not of the type of activities outlined by the sales material cited above.

Here is one report that discusses the issue: Identity Theft: Trends and Issues. It was prepared by the Congressional Research Service for members and committees of the Congress of the U.S. The definition of identity theft used by the report comes from 18 U.S.C. Section 1028(a)(7) which states: "identity theft is a federal crime when someone...knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law."

The article goes on to point out, "According to the CFR definitional section for the Fair Credit Reporting Act (16 C.F.R. § 603.2), “[t]he term ‘‘identifying information’’ means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any — (1) Name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (3) Unique electronic identification number, address, or routing code; or (4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).”

In addition to the above, in Flores- Figueroa v. United States, 129 S. Ct. 1186 (2009) the Court decided that in order to be found guilty of aggravated identity theft, a defendant must have knowledge that the means of identification he used belonged to another individual. Identity theft is aggravated when done intentionally and knowingly.

In May of 2006, The President's Identity Theft Task Force authored a Strategic Plan to combat identity theft. The recommendations included:
• preventing identity theft by keeping consumer data out of criminals’ hands,
• preventing identity theft by making it more difficult for criminals to misuse
consumer data,
• assisting victims in detecting and recovering from identity theft, and
• deterring identity theft by increasing the prosecution and punishment of identity thieves.
Now to the substance of the report, here is the list of "Identity Theft Complaints" made in 2008 and their percentage of frequency:
  • Credit Card Fraud 20%
  • Government Documents or Benefits Fraud 15%
  • Employment Related Fraud 15%
  • Phone or Utilities Fraud 13%
  • Bank Fraud 11%
  • Loan Fraud 4%
  • Other 24%
  • Attempted Identity Theft 6%
Now, back to the causes of identity theft. It is reported in the above article, that as of 2007, 42 million Medicare cards displayed Social Security numbers. In my own experience, not only was my student number while at a university my Social Security number, my Army ID number for eight years was also my Social Security number. Also, for most of my life, my Driver's license number was also identical to my Social Security number. The biggest percentage of cases reported deal with some aspect of the use of a Social Security number, but in my case, my number is (or was) very publicly known.

No where in this report, or anywhere else I was able to find, was anyone worried about genealogical information. Notwithstanding, I think there are some rules that should be followed:

1. Do not store financial or Social Security number information about living people in genealogy files. (I don't know anyone who does, but this is a rule anyway).
2. Do not use or publicly disclose personal, private information about any living person or for some time after their death, probably more than ten years.
3. If you give someone a GEDCOM file or other type of data file, do not disclose any financial or related information about living people.

Notwithstanding my own recommendations, I am not changing my methods of sharing genealogical data. I simply cannot see any direct or indirect relationship between my genealogy files and the list of the types of complaints attributed to identity theft.

No comments:

Post a Comment