Iang reminds me that it was on his blog, Financial Cryptography, that I saw the rough estimate of how much an identity theft costs, that is, about $1,000.
He follows up on my post of yesterday about LifeLock, discussing a company called Integrity which insures identities in Second Life. Or, actually, insures any lawsuits resulting from "inappropriate content", whatever that is.
Then he gets to the real quesion:
How viable is this model? The first thing would be to ask: can't we fix the underlying problem? For identity theft, apparently not, Americans want their identity system because it gives them their credit system, and there aren't too many Americans out there that would give up the right to drive their latest SUV out of the forecourt.
On the other hand, a potential liability issue within a game would seem to be something that could be solved. After all, the game operator has all the control, and all the players are within their reach. Tonight's pop-quiz: Any suggestions on how to solve the potential for large/class-action suits circling around dodgy characters and identity?
— If Insurance is the Answer to Identity, what's the Question?, Iang, Financial Cryptography, September 11, 2007
This wraps right around to the original reaction of the person from whom I heard it (hi, Anne Marie) on a list that is silent.
I have several thoughts about this:
- The game operator does not have all the control in the "real" world, and probably not even in Second Life, since "inappropriate content" has a nasty habit of getting defined in real-world courts. Meanwhile, remember the world's largest supercomputer is a botnet used for phishing among other purposes.
- If the identity theft problem were so easy to solve, the financial companies, law enforcement agencies, network security companies, etc., involved in, for instance, the Anti-Phishing Working Group would have done so already. In fact, it's getting worse, and it could get a lot worse, if the black hats keep being better at leveraging the Internet than the white hats.
- Nonetheless, there are some obvious measures that could be taken. It's all very well that the CEO of LifeLock posts his social security number. If everybody did that, SSNs would be useless as authenticators, and credit card companies, telcos, powercos, and your maiden aunt Sally would have to stop using them as such, thus greatly reducing one of the most obvious problems. That, however, would require either some real vision on the part of someone in the financial community (good luck) or some really huge SSN theft on a scale we haven't seen (yet).
On the fourth hand, maybe insurance is the answer. It's a traditional method of pooling resources to manage risk and liability. And while it may seem strange to fight the very agile black hats with one of the most stodgy instruments in the financial repertoire, well, if it works, so be it.
I can understand how people find upsetting the idea of having to buy insurance to protect something they thought was their birthright and entitlement. Yet we buy life insurance, health insurance, automobile insurance, errors and omissions insurance, and so on.
I remember when we never locked the doors to our house. Ever. Eventually the population grew and there were too many people roaming around in cars for that to be tenable. So we locked our doors.
Maybe the price of population growth on the Internet is identity insurance.
Yet, speaking of health insurance, why do we have to buy that as individuals in the U.S., rather than having the governmment do it as in every other big rich country in the world? Is identity any less essential than health? And it would be a lot cheaper to insure on a national or international plan. And what does the insurance actually pay for, anyway? Lawyers and bureaucracy. Hm, sounds like a government specialty.
So maybe the answer is that we need identity insurance in the form of governments taking the problem more seriously and dealing with identity thefts more proactively when they occur. Sure, we'd still need passwords. But if had one stolen we wouldn't have such a hard time getting the identity problem fixed.
"They kept hooking hardware into him—decision-action boxes to let him boss other computers, bank on bank of additional memories, more banks of associational neural nets, another tubful of twelve-digit random numbers, a greatly augmented temporary memory. Human brain has around ten-to-the-tenth neurons. By third year Mike had better than one and a half times that number of neuristors. And woke up."
—Robert A. Heinlein, The Moon Is A Harsh Mistress, 1966