When fighting ID theft, beware of Procustes

Procustes may wait. Let me first thank Damon Darlin for recommending a soul mate to me in his article on Social Security Number theft (*). As reported, Mrs. Betty Ostergren (1) tries her best to alert people and authorities to the danger of abusing Social Security Numbers (SSN's for short). Faithful readers of these fillips will recognize a most familiar gripe (see 5/30/06 fillip). The more SSN's are used to identify users, the easier it is to steal their identities. It is therefore quite comforting to hear Betty Ostergren has lately had some positive influence on local government agencies. As a result her site has experienced a huge increase in traffic. This is the power of the Internet at its best.

We should not be carried away. Storming an outlying bastion is not the same as storming the Bastille and Betty Ostergren can expect to continue her fight for many years still.

One reason is fairly obvious. As mentioned by Damon Darlin, "she wins no fans among legitimate companies who sell databases". First among them are the credit reporting bureaus. I have told them how to change their business model so as to fulfill their essential economic role: set up a mechanism allowing individuals to sell access to their report and get recommended when in need of credit (see 5/23/06 fillip). I would be naive to hope they listen. As the biggest data pirates in the world, they must have bought the US Congress outright (see 10/3/06 and 12/19/06 fillips). Why else are they called "legitimate" despite being the receivers of our very own personal data, taken with neither due process nor just compensation?

More devious however is another reason which would make Procustes proud.

A famous Greek bandit, Procustes (2) must have had a remarkable personality, in equal parts government agent, lawyer and marketer. Not for him to kill the unfortunate passerby on the spot. No sir, he would kindly but firmly bid his victim to nap in his bed. One size fits all though, and obsessively so. The tall would have their dangling legs cut off. The short would be stretched as on a rack. Somehow this bed was bad for all bodies.

As long as SSN's are abused, some solutions to tackle the ID theft issue remind me of Procustes' bed.

Take TrustedID for instance. As Damon Darlin further tells us, it has compiled a list of compromised information and set up a free online service at which to check whether one's personal data has been stolen (3). Imagine your SSN has already been compromised. Go ahead and use TrustedID's alert service. As your legs have already been chopped off, you have little to lose as you lie down in its bed. But if not, you are in for some serious stretch. For guess what!! In order to use the service, the first thing you must give it online is your very sensitive SSN.

Let me make this very clear. I believe TrustedID is fighting ID theft with its own resources as hard as Betty Ostergren with hers. TrustedID for example provides you with a standard privacy policy, promising to safeguard your confidential information. But what prevents some clever crook from forcing it into bankruptcy and acquiring its invaluable database of uncompromised SSN's? Didn't the Church of Scientology obtain a list of opponents in this way (4)? TrustedID also uses a very secure mode of communication to protect SSN's from being stolen while being sent. But what prevents other clever crooks from cloning the site and engaging in a bit of phishing? How many Internet users will think of checking the certificate which validates the site identity? For all its simplicity and usefulness, TrustedID's solution is fraught with danger.

Procustes met his match in Hercules, who forced him to lie down in his own bed and meet a predictably painful end. ePrio is no Hercules. At best Damon Darlin will call it another gadfly while deploring a lack of visual gloss on its site. Yet ePrio's revolution (see priority to privacy) is elegant.

Using ePrio's matching platform, do not ask users to send their good SSN's online. Send them instead the encrypted file of compromised SSN's and let them be matched locally against each user's SSN, out of reach from the service provider and any other third party. Granted, the bad SSN's file is bulkier, but who's afraid of a 20 Mbytes download in the days of high bandwidth? Granted again, clever crooks may crack the bad SSN's list. But aren't those numbers already available online for much less effort?
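The local matching described above can be sketched as follows. This is an added example, not ePrio's code or file format: it assumes the "encrypted file" is a sorted list of salted PBKDF2 digests, and the salt, work factor, record length and sample SSN's (taken from never-issued ranges) are all constructed for illustration.

```python
import bisect
import hashlib

RECORD_LEN = 16                   # bytes kept per digest (assumption)
ITERATIONS = 20_000               # PBKDF2 work factor (assumption)
SALT = b"constructed-demo-salt"   # public, shipped with the list (constructed)
# Constructed sample data: areas 000, 666 and 9xx were never issued as SSN's.
SAMPLE_COMPROMISED = ["000-00-0001", "666-12-3456", "900-55-1234"]


def normalize(ssn: str) -> bytes:
    """Accept '123-45-6789' or '123456789'; reject anything else."""
    digits = ssn.replace("-", "").replace(" ", "")
    if len(digits) != 9 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("SSN must contain exactly 9 digits")
    return digits.encode("ascii")


def digest(ssn: str, salt: bytes) -> bytes:
    """Slow salted hash, so the published list is costlier to reverse."""
    return hashlib.pbkdf2_hmac("sha256", normalize(ssn), salt,
                               ITERATIONS, dklen=RECORD_LEN)


def build_list(compromised, salt: bytes) -> bytes:
    """Provider side: one fixed-width record per bad SSN, sorted, deduplicated."""
    return b"".join(sorted({digest(s, salt) for s in compromised}))


def local_match(ssn: str, salt: bytes, blob: bytes) -> bool:
    """User side: runs on the user's own machine; the SSN is never sent."""
    if len(blob) % RECORD_LEN:
        raise ValueError("truncated or corrupt list")
    records = [blob[i:i + RECORD_LEN] for i in range(0, len(blob), RECORD_LEN)]
    target = digest(ssn, salt)
    pos = bisect.bisect_left(records, target)   # binary search in sorted records
    return pos < len(records) and records[pos] == target


if __name__ == "__main__":
    blob = build_list(SAMPLE_COMPROMISED, SALT)   # what the provider publishes
    for candidate in ("666123456", "000-00-0002"):
        print(candidate, "compromised" if local_match(candidate, SALT, blob) else "not listed")
```

With only a billion possible SSN's, the slow hash raises the cost of reversing the list without making it impossible, which is the same concession the paragraph above makes about crooks cracking the bad SSN's file.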

Let us have a dream then about storming the Bastille, hard as it is to dream in Procustes' bed.

Philippe Coueignoux

  • (*) Your Social Security Number Is Just a Few Mouse Clicks Away, by Damon Darlin (New York Times) - February 24, 2007
  • (1) see The Virginia Watchdog
  • (2) see Procustes in the Wikipedia
  • (3) see here for TrustedID's alert service
  • (4) see the Jason Scott case (1999) in the Wikipedia
February 2007
Copyright © 2007 ePrio Inc. All rights reserved.