LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Focusing on the wrong problem

Focusing on the wrong problem

Posted Jul 14, 2005 14:47 UTC (Thu) by martinfick (subscriber, #4455)
Parent article: The Personal Data Privacy and Security Act

Attempting to protect personal data in an information society is futile.
Any laws aimed at doing this are focussing on the wrong problem. There
are many reasons why people want their info protected, each should be
dealt with directly instead of passing harmfull laws about protecting
information. Obviously one big reason is authentication. It is simply a
bad idea to use an unchangeable secret such as a SS# as proof of ID for
authentication. Laws like this outright justify such practices instead of
encouraging change.

(Log in to post comments)

Focusing on the wrong problem

Posted Jul 14, 2005 22:10 UTC (Thu) by kleptog (subscriber, #1183) [Link]

Not entirely futile. Laws targeting just identity theft arn't particularly useful because, as you say, there are many more reasons why you'd want to protect information.

However, you can get a long way by establishing some basic principles like restricting how and why people can collect information and for what purposes. Even things like: "If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual" can be a huge benefit. I should be able to go to any data collection company and ask if they have anything on me, what it is and let me check it for accuracy.

I'd prefer outlawing all selling of private identifing information since I can't think of any situation where it could be considered a good thing.

Focusing on the wrong problem

Posted Jul 14, 2005 23:41 UTC (Thu) by giraffedata (subscriber, #1954) [Link]

I don't think such efforts are futile, but they make me sick anyway because they are in fact focusing on the fringes of a problem rather than attacking the root.

Free flow of information is a good thing, not a bad thing. And information such as social security numbers and bank account numbers don't even have personal privacy value.

The root of the identity theft problem is people reporting false, slanderous information to credit reporting bureaus. A bank says "John Doe borrowed $5000 from me and never paid it back," when in fact the bank has never dealt with John Doe (it dealt with some stranger who said he was John Doe).

The penalties that should be enhanced are those for reporting this false information. And also for using it to deny someone credit. Those penalties would cause creditors to demand more proof of identity than just, "I know his account number."

And then we should provide a convenient way to prove identity. Digital signatures would work great, but need some kind of push, probably from government, to get to the practical level. Same with smart cards.

As long as measures like keeping social security numbers secret keep the problem beat down, there isn't going to be motivation to tear it out by the roots.

Focusing on the wrong problem

Posted Jul 18, 2005 1:18 UTC (Mon) by xoddam (subscriber, #2322) [Link]

> It is simply a bad idea to use an unchangeable secret such as a SS#
> as proof of ID for authentication.

Soooo correct. That this is standard practice in the US beggars belief.
Anywhere else I've been the idea of 'identity theft' is an abstract
curiosity, but Americans are actually afraid of it. Hmmm.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds