Addressing Identity Crime in an Information Economy, 26 J
Total Page:16
File Type:pdf, Size:1020Kb
The John Marshall Journal of Information Technology & Privacy Law Volume 26 Issue 1 Journal of Computer & Information Law Article 2 - Fall 2008 Fall 2008 Beyond Whiffle-Ball Bats: Addressing Identity Crime in an Information Economy, 26 J. Marshall J. Computer & Info. L. 47 (2008) Erin Kenneally Jon Stanley Follow this and additional works at: https://repository.law.uic.edu/jitpl Part of the Computer Law Commons, Internet Law Commons, Privacy Law Commons, and the Science and Technology Law Commons Recommended Citation Erin Kenneally & Jon Stanley, Beyond Whiffle-Ball Bats: Addressing Identity Crime in an Information Economy, 26 J. Marshall J. Computer & Info. L. 47 (2008) https://repository.law.uic.edu/jitpl/vol26/iss1/2 This Article is brought to you for free and open access by UIC Law Open Access Repository. It has been accepted for inclusion in The John Marshall Journal of Information Technology & Privacy Law by an authorized administrator of UIC Law Open Access Repository. For more information, please contact [email protected]. \\server05\productn\S\SFT\26-1\SFT102.txt unknown Seq: 1 20-MAY-09 13:32 BEYOND WHIFFLE-BALL BATS: ADDRESSING IDENTITY CRIME IN AN INFORMATION ECONOMY ERIN KENNEALLY & JON STANLEY* I. INTRODUCTION Information technology has enabled Americans to live significant as- pects of their lives in a digital environment. The U.S. legal system’s re- sponse to this shift has been protracted, confused, and uninspired at times. A significant consequence of this muddled response has been a widening gap between a citizen’s expectations of a safe and secure digital environment and the stark reality of a chaotic and at times, dangerous, digital environment, mediated by various marketing and advertising perception machines.1 The situation resembles one where business and government, racing to exploit the new opportunities that technology inspires, set up a shop- ping mall to entice visitors. At the same time and unknown to the con- * Erin Kenneally is a licensed attorney and forensic scientist who consults, researches, publishes, and speaks on prevailing and forthcoming issues at the crossroads of information technology and the law. These include evidentiary, privacy, and policy implica- tions related to information forensics, information security, privacy technology and infor- mation risk. Ms. Kenneally is founder and CEO of Elchemy, Inc.and holds a Cyber Forensics Analyst position at the University of California San Diego. Ms. Kenneally holds Juris Doctorate and Master of Forensic Sciences degrees. Jon Stanley is the Director of Tech Law for Elchemy, Inc. and Principal of the Law Firm of Jon Stanley. His focus areas include regulatory concerns for business entities, information security, privacy, cybercrime, cyberspace insurance, and intellectual property, about which he has spoken at various na- tional conferences including the American Bar Association, Computer Security Institute and the Annual RSA Conference. Mr. Stanley earned his J.D. from the University of Maine Law School and his LL.M. in Information Technology and Telecommunications Law from Strathclyde Law School, UK. This project was supported by Award No. 2005-IJ-CX-K061 and 2006-DE-BX-K001 awarded by the National Institute of Justice, Office of Justice Programs, U.S. Department of Justice. The opinions, findings, and conclusions or recommendations expressed in this publication/program/exhibition are those of the author(s) and do not necessarily reflect the views of the Department of Justice. 1. See WordNet, http://wordnet.princeton.edu/perl/webwn?s=chaotic (last visited Aug. 12, 2008) (search definition of “chaotic:” “lacking a visible order or organization”). 47 \\server05\productn\S\SFT\26-1\SFT102.txt unknown Seq: 2 20-MAY-09 13:32 48 JOURNAL OF COMPUTER & INFORMATION LAW [Vol. XXVI sumer, this “mall” is a zone where each beleaguered consumer is largely left to his own devices to protect himself from fraud or theft.2 While the legal system does not allow the outright bludgeoning of harried citizen- consumers in these malls, it implicitly demands a threshold of a near- mugging before it will intervene on the citizens’ behalf. Moreover, con- sumers’ choices are increasingly limited to these “unprotected” malls as institutions raze their concrete stores and migrate to the virtual stores. This would be an untenable scenario in the physical world, yet it is suggested that this is happening in the digital world. This tension be- tween consumer expectations and reality can be viewed as a macro re- flection of the features-versus-security tradeoff in software development, where the longstanding and dominant first-to-market policy has not co- incidentally spawned demand for more secure code. Yet in this larger digital mall space the outcry for security is dispersed and muffled, thus allowing institutions to continue to drive consumers towards digital transactions without a corresponding investment in the security that would be required in the “physical” marketplace. This paper will explore the underpinnings and state of these pernicious dynamics in the context of identity crime, suggest likely consequences if nothing is done to alter the dynamics, and offer some solutions to bring a more well-founded sense of stability, safety, and order to this emerging and chaotic digital world. In the throes of an accelerated period of change, society is struggling to make rational choices that strike a balance between traditional con- sumer expectations about safety and the grim realities of fraud and theft that the consumer faces online. The fear, uncertainty and doubt sur- rounding personal information privacy are the primary manifestations of this dynamic. The most tangible instantiation of this privacy fear3 has arguably been the explosion in both alleged and actual Identity Theft Crime(“IDC”).4 IDC exposes the rift between citizens’ expectations of sta- bility and security, and the reality of society’s information age institu- tions’ management of digital data. This paper attempts to drive a proverbial zamboni across the dialogue about the identity theft problem 2. In the digital world these “devices” include, for example, improperly configured firewalls, continuous software patch updates, and anti-virus/malware/spam software. 3. See Press Release, TRUSTe, TRUSTe Report Reveals Consumer Awareness and Attitudes about Behavioral Targeting (Mar. 26, 2008), available at http://www.truste.org/ about/press_release/03_26_08.php. 4. See U.S. Dept. of Justice, http://www.usdoj.gov/criminal/fraud/websites/idtheft. html (last visited Aug. 27, 2008). For our purposes here, and throughout the paper the term Identity Theft Crime (“IDC”) means: “Identity theft and identity fraud are terms used to refer to all types of crime [or tort violations] in which someone [or some entity] wrongfully obtains and uses or intends to use another person’s personal data [or identifying informa- tion and/or symbols] in some way that involves fraud or deception, typically [but not exclu- sively] for economic gain.” \\server05\productn\S\SFT\26-1\SFT102.txt unknown Seq: 3 20-MAY-09 13:32 2008] BEYOND WHIFFLE-BALL BATS 49 rather than taking yet another swing at this complex topic with a whif- fle-ball bat. We will highlight the compartmentalized and imbalanced role that the free market and law enforcement plays in response to this emerging threat to privacy, the implications of this dynamic, and recom- mendations for improving the societal risk management of Identity Crime. A. THE QUESTIONS THAT WILL DEFINE THE ANSWERS Fundamental questions that must be addressed in any analysis of IDC include: What is identity in the analog world? What is identity in a digital environment? How is identity unlawfully acquired and used? How and when does this dynamic invoke legal protections? How are and should these legal protections be measured in terms of recoverable loss and/or damages? What is the nature and scope of IDC, and conse- quently, where are the risk allocation points during the lifecycle of IDC where responsibility and liability for prevention, detection and response should attach? This paper is motivated in part by what the authors con- tend to be a lack of satisfactory, objective answers to these questions. While this paper does not answer the totality of these questions it ex- poses the shortcomings of the predominant discourse about IDC, which is often as superficial as the perceptions it ingrains. In so doing, the goal is to direct solution-focused dialogue on these critical issues by providing a deeper and more comprehensive understanding of the role of key insti- tutional forces on the structure and functions of IDC. An examination starts with the contention that that the relation- ships between citizens and their institutions are undergoing, at mini- mum, two significant role transformations in the digital environment.5 Specifically, we dissect the IDC crisis6 as owing to the dominion of un- regulated or misguided free market forces.7 It is further suggested that these misguided, or unbounded, free market forces are forging and man- 5. By this term we mean any environment where digital information, information us- ing a series of ones and zeros, is stored. 6. See Press Release, Federal Trade Commission, FTC Testifies on Identity Theft (July 12, 2000), available at http://www.ftc.gov/opa/2000/07/identity.shtm. Jodie Bernstein, Director of the FTC’s Bureau of Consumer Protection, delivered the agency’s testimony before the Subcommittee on Technology, Terrorism and Government Information of the Senate Judiciary Committee, stating “The fear of identity theft has gripped the public as few consumer issues have,” the testimony says. “Consumers fear the potential financial loss from someone’s criminal use of their identity to obtain loans or open utility accounts. They also fear the long lasting impact on their lives that results from the denial of a mort- gage, employment, credit, or an apartment lease when credit reports are littered with the fraudulently incurred debts of an identity thief.” Id.