Task Force Shapes ID Theft Policy
A viral epidemic of consumer identity fraud and data theft prompted President Bush last year to create a task force charged with crafting proposals to marshal Uncle Sam's resources to prevent identity fraud, assist victims and more aggressively prosecute those responsible.
The president's task force is co-chaired by U.S. Attorney General Alberto Gonzales and Deborah Platt Majoras, the head of the Federal Trade Commission. It also includes top leaders from a number of other government departments.
At the end of December 2006, the group requested comments on its interim recommendations. It received hundreds of opinions from businesses and consumers, and it is now readying a final set of recommendations to be presented to the White House in the coming weeks.
More than 100 million personal or financial records on Americans have been compromised as a result of data breaches or losses at corporations, government agencies, educational institutions and other entities over the past three years, according to the Privacy Rights Clearinghouse. In addition, more than 10 million Americans were victims of identity fraud in 2006, according to the FTC.
A number of bills are being crafted on Capitol Hill to address the problem, and many of the task force's interim recommendations mirror them closely. For example, the group is debating whether to recommend that national data security requirements be imposed on all commercial entities maintaining sensitive consumer information, and whether a national data breach notification requirement should be adopted.
But other proposed recommendations would go further. The task force is considering whether to call for the creation of a National Identity Theft Law Enforcement Center to serve as a clearinghouse for identity theft complaint data. It would be a central "hub for analysis of that information" that could be used "to provide support for law enforcement at state and federal levels in the investigation, prosecution and prevention of identity theft crimes" and to "enable law enforcement officers from around the country to share, access and search appropriate law enforcement information through remote access."
The task force also suggested tweaking criminal laws to allow prosecutors to better pursue cyber criminals who operate huge networks of remote-controlled, virus infected personal computers, so-called "robot networks" more commonly known as "botnets."
The majority of the malicious code enabling bot masters to control their herds also allows them to steal passwords and record what the victim types on a computer keyboard.
The task force recommended eliminating certain criteria that currently must be met to trigger an investigation. It advocated dismissing the requirement that bot masters' malicious spyware infections cause "damage" to computers and that the loss caused by the attack must exceed $5,000. The group also suggested amending the law to clarify that a victim need not have sustained any monetary loss for prosecutors to pursue a case on their behalf.
Eliminating the monetary threshold that would trigger an investigation could be a meaningful step. Most prosecutors aren't likely to take a case unless it involves at least $50,000 worth of damage.
Security Fix had an opportunity at the RSA Security conference in San Francisco last month to sit down with Chris Painter, deputy chief of the Justice Department's Computer Crime and Intellectual Property Section. Painter said the "existing monetary thresholds we need to meet in order to launch an investigation makes it difficult to always effectively deal with the botnet problem."
A number of state and local law enforcement professionals have called on the government to clarify that identity fraud victims have the right to let law enforcement officials receive ID theft-related documents on their behalf. The task force said it is seriously considering that recommendation.
Jason Jenkins, a detective with the financial and high-tech crimes unit of the Palo Alto, Calif., police department, said victims often "hit a brick wall" when dealing with a financial institution in attempts to gather the relevant information to report to the police. Banks, he said, usually decline to provide victims with any information when they realize fraud exists on the account.
"More often than not we are met with resistance by the institutions who demand a subpoena or search warrant due to privacy issues," Jenkins wrote. "In many instances, law enforcement is unable to gather the necessary details of the crime. If we are lucky and get the information that we are seeking, it is often too late to recover any digital or physical evidence necessary to identity and locate the suspect(s) responsible. Considering that many criminals have traded in their handgun and ski-mask for the tools necessary to commit identity crimes, I believe this epidemic will only get worse. Law enforcement officers should not have to draft a four-page search warrant in order to identify the location where a crime occurred or the account details of a victim who has reported identity theft."
Jenkins' comments were echoed in those submitted by a detective at the Honolulu Police Department and an unidentified U.S. Secret Service agent.
I support an idea offered by Business Software Alliance President Robert Holleyman that was not in the task force recommendations. He said federal racketeering laws should be updated to give U.S. law enforcement greater leeway for investigating and prosecuting organized cyber criminal syndicates. The BSA suggested that the government update the Racketeer Influenced and Corrupt Organizations Act to support racketeering criminal charges against organized cyber crime syndicates from Eastern Europe, Africa, Asia and other regions. The law currently is used mainly to investigate and prosecute domestic mafia and other crime syndicates.
What do you think, dear Security Fix readers? Would these ideas help improve the current situation with identity fraud? Share your thoughts in the comments section below.
Posted by: Bartolo | March 15, 2007 10:04 AM | Report abuse
Posted by: Alan | March 15, 2007 10:10 AM | Report abuse
Posted by: Qian Wang | March 15, 2007 10:30 AM | Report abuse
Posted by: wiredog | March 15, 2007 11:28 AM | Report abuse
Posted by: JD | March 15, 2007 11:36 AM | Report abuse
Posted by: WB | March 15, 2007 12:43 PM | Report abuse
Posted by: CITRMS | March 15, 2007 1:13 PM | Report abuse
Posted by: The real Danny Lents - IdTheftAwareness.com | March 15, 2007 1:25 PM | Report abuse
Posted by: egalitaire | March 15, 2007 1:42 PM | Report abuse
Posted by: Moike | March 15, 2007 1:59 PM | Report abuse
Posted by: K | March 15, 2007 4:35 PM | Report abuse
Posted by: Beckwith Miller | March 15, 2007 6:13 PM | Report abuse
Posted by: dan martin | March 16, 2007 10:52 AM | Report abuse
Posted by: Andy Tarc | March 16, 2007 12:07 PM | Report abuse
Posted by: Michael | March 16, 2007 1:14 PM | Report abuse
Posted by: Yogesh Raja | March 18, 2007 3:47 PM | Report abuse
The comments to this entry are closed.