Some people eat, sleep and chew gum, I do genealogy and write...

Monday, March 2, 2015

What has genealogy got to do with identity theft?

Locally, there was another flurry of news articles about the need to protect individuals in the U.S. from identity theft. Whenever this happens, I start getting comments, usually anonymous, about genealogist's fears that putting their ancestral information online will compromise their identity and make them vulnerable to identity theft. Despite waves of comments about the "huge increases" in identity theft, I have yet to hear about a single survey or study linking having an online family tree to an increased risk of the so-called identity theft.

Notwithstanding this simple fact, I still get comments like the one I did yesterday expressing a reader's intent not to put his genealogy online and using words that prevented me from quoting or posting the comment. But then again today, I got another comment from my dear friend, Anonymous, that I could print:
Correct me if I'm wrong because I also worry about this but have decided to use online genealogy , if someone really wants to get your identity its not that hard all they have to do is what everyone searching for their roots do and look up cencus records, birth records, obituaries, etc old newspapers wedding and birth announcements etc. Is there really anyway to keep information from ending up on line and if you don't put your information up whats to stop a family member also working on family tree? In order to use your information to get into your bank they would have to know were you bank first and you don't put that information on genealogy trees I can see someone maybe trying to open a new account with some of information you share but they would still need a social security number for that wouldn't they and that is not something you'd post on your tree,
I made no attempt to correct either spelling or grammar. In this case, Anonymous is certainly right. There is a disconnect between the issue of identity theft, however it is defined, and the fact that I have common ancestral information online. The simple fact is I share ancestral information with hundreds, thousands, even millions of people. I have investigated this issue over and over again during the past few years and cannot find one iota of evidence that online genealogical information can be used to establish a false identity. Most genealogists are blissfully unaware of the huge amount of personal information about them and their lives that is already online and has nothing at all to do with genealogy. In fact, few genealogists would know where to go to find out this very personal information.

Let me give a very simple example, mentioned above by Anonymous: Social Security numbers. Why would you or anyone think that your social security number is not readily available to anyone who cares to know? Think about it. You have to use it to file income taxes, obtain a driver's license, obtain insurance, get medical help, enroll in school, apply for a loan and almost anything else in our society that requires identification. I had to present my social security card, the original card, to get a driver's license in Utah. What was there to keep the clerk who was processing my license from copying my number and using it to "steal my identity?" Nothing. My own number was once my student number at the University of Utah for seven years. It was also my Army ID number for eight years. 

Let me start with a simple fact. There is no consistent or generally accepted definition of the term "identity theft." When I speak of identity theft, what am I talking about? What do you think it is? Are we talking about losing a credit card or about someone taking out a loan in my name? Both of these actions are considered identity theft. For your information, the National Crime Victimization Survey of the Bureau of Justice Statistics, Department of Justice of the United States, includes three general types of incidents in its definition of identity theft:
  • unauthorized use or attempted use of an existing account
  • unauthorized use or attempted use of personal information to open a new account
  • misuse of personal information for a fraudulent purpose.
By the way, the latest statistics for identity theft date from 2012. Here is a more specific definition of identity theft from the latest Bureau of Justice Statistics
Identity theft is the attempted or successful misuse of an existing account, such as a debit or credit card account, the misuse of personal information to open a new account, or the misuse of personal information for other fraudulent purposes, such as obtaining government benefits or providing false information to police during a crime or traffic stop.
Here is a further continuation of the issue from the same report:
In 2012, the misuse or attempted misuse of an existing account was the most common type of identity theft — experienced by 15.3 million people. An estimated 7.7 million people reported the fraudulent use of a credit card and 7.5 million reported the fraudulent use of a bank account such as a debit, checking or savings account. Another 1.1 million persons had their information misused to open a new account, and about 833,600 persons had their information misused for other fraudulent purposes. 
The most common way victims discovered the identity theft in 2012 was when a financial institution contacted them about suspicious activity on an account. About 2 out of 3 victims did not know how the offender obtained their information, and 9 out of 10 did not know anything about the identity of the offender.
Can you see any connection between this and the fear that putting your genealogical data online will compromise your identity?  Now let me ask a very simple question. How many of you have insisted on using a newly issued credit card with an encrypted micro-chip in all your transactions? We have the technology to prevent nearly all of the current credit card issues, but do not use them. If you do not know what is involved in the new credit card technology, see EMV smart chips which are used throughout the world, except in the U.S.

When will we stop hearing about identity theft? Probably never. When will credit cards stop becoming so much of an issue? When the EMV standard is adopted. Here is the latest:

That will change as the first major milestone in EMV deployment occurs on October 1, 2015. While it’s not a hard cutoff, that date is being referred to as when liability shifts for the American credit card industry. Starting in October, the least technologically equipped party will pay the cost of fraudulent transactions. If a retailer has an EMV compatible terminal, but the bank doesn’t issue an EMV compatible card, then the bank is responsible for the cost of fraud. However, if the cardholder has an EMV compatible card and the retailer hasn’t upgraded its systems, then the retailer will be liable.Read more:
What has this to do with genealogy? Not much.


  1. Publishing your genealogy online is safer than handing your credit/debit card to someone to process out of your view.

  2. Maybe this is a hangover from when banks just wanted to ask your date-of-birth, place-of-birth, and mothers-maiden-name as security questions. They were always silly questions, and I sincerely hope that no bank still relies on them.

    A much more serious issue concerns a lax password on your main email account. The problem being that this account is probably used when registering access to several other sites (including genealogy and well as financial). If some hacker has got the password to your main email account then they can go to most of those other sites and select the option for 'forgot my password'. That will cause the host to send either a reset-link (if it's a good one) or a copy of your password (if it's a bad one) to your main email. The hacker can then not only change your password for those other sites, but also remove those reset messages so you may not even be aware of what has happened. If they wanted to, they could also lock you out of your main email account which could be devastating -- that's how central it has become in online life.

    1. That is all true, but has nothing at all to do with genealogy or having a family tree online. Thanks for the insight.

    2. I only posted it as a real example of 'identity theft' James. I don't believe genealogical data creates any significant risk in this area. I wish that some data custodians would lighten up on the controls that they impose on access; citing everything from privacy to identify theft.