Bill Introduced to Congress Would Allow ID Theft Restitution

← Back to Stories (view on slashdot.org)

Bill Introduced to Congress Would Allow ID Theft Restitution

Posted by Zonk on Wednesday October 17, 2007 @06:11AM from the an-increasingly-common-problem dept.

verybadradio writes with an article at News.com about a bill introduced into Congress that would allow citizens who have been victimized by identity theft to seek repayment for the money and time spent repairing their credit history. The bill was introduced by Democrat Patrick Leahy of Vermont and Republican Arlen Specter of Pennsylvania. "Last year, 8.4 million Americans were victims of identity theft, and many were left with a bad credit report, which takes months or years to repair, the lawmakers said ... The bill would also eliminate a requirement that the loss resulting from damage to a victim's computer must exceed $5,000 for prosecution; make it a felony to use spyware or keyloggers to damage 10 or more computers; and expand the definition of cybercrime to include extortion schemes that threaten to damage or access confidential information on a computer."

33 of 166 comments (clear)

Min score:

Reason:

Sort:

Wow... by DragonPup · 2007-10-17 06:14 · Score: 4, Insightful

...a cyber-crime bill that seems to be actually useful. Did we step into Bizarro America?

--
"Useless organic meatbag" -HK-47
1. Re:Wow... by Necreia · 2007-10-17 06:19 · Score: 3, Insightful
  
  These issues have been plaguing Credit companies with costs to make customers 'happy'. It's been a financial hit on those that have... shall I say: Strong pull in government. Now, those same people can just attack the assailant instead of trying to get things corrected through their credit institution. The law, I'd assume, is to actually support/help the credit companies-- meaning that it being a benefit to the consumer is a side effect. Don't worry. We didn't go and be all sensible towards the general public on purpose or anything.
2. Re:Wow... by pburdine · 2007-10-17 07:50 · Score: 5, Interesting
  
  The problem with this is that it only addresses 1 of the 5 known forms of identity theft. Financial Identity theft is estimated to be less than 26% of all ID theft crimes. For reference the other 4 are: 1) Drivers License - Someone can get using your DL # and you may have moving violations or points on your record that you don't know about it. This can happen in other states and it will take years to get back to you since the DMV's don't communicate all that well. Try fighting that. 2) Medical - Someone has procedures performed or gets checkups in your name. How would you like it if your insurance rates shot up because someone tested positive for HIV on your medical history. How about they change what you are allergic to and next time you go in they give something and you have an allergic reaction. Or maybe change your blood type. This can kill you and no one will know. 3) Character - Do you have outstanding arrest warrants in you name for crimes someone else committed? This can keep you from getting employed or you can lose your security clearance through no fault of your own. 4) Social Security - Has your SSN number been stolen and used by other people and reported to the IRS for tax reasons? You could be liable for a very large tax bill on income you didn't receive. The IRS doesn't care since most of the time they can force people to pay even though it wasn't them. Unfortunately congress doesn't seem to pay attention to the rest of these. Until they address all of them, we are all in trouble. --Peter
Hmm by orclevegam · 2007-10-17 06:16 · Score: 4, Interesting

It all sounds good except this line makes me a bit nervous:

and expand the definition of cybercrime to include extortion schemes that threaten to damage or access confidential information on a computer.
Would threatening to expose a security flaw in a server or website unless it was patched open you up to prosecution under cybercrime laws then? I know that's already fairly shaky ground from a legal standpoint, but would this make it even worse?

--
Curiosity was framed, Ignorance killed the cat.
1. Re:Hmm by Nom+du+Keyboard · 2007-10-17 06:20 · Score: 4, Insightful
  
  It all sounds good except this line makes me a bit nervous:
  and expand the definition of cybercrime to include extortion schemes that threaten to damage or access confidential information on a computer.
  
  Would threatening to expose a security flaw in a server or website unless it was patched open you up to prosecution under cybercrime laws then? I know that's already fairly shaky ground from a legal standpoint, but would this make it even worse?
  
  Would this apply to the RIAA and MediaSentry/SafeNet breaking into private individuals computers?
  
  --
  "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
New laws really necessary? by RandoX · 2007-10-17 06:17 · Score: 2, Interesting

So are you telling me that no other laws actually forbid any of these things already? What's wrong with those laws?
Usually by evanbd · 2007-10-17 06:17 · Score: 3, Interesting

My usual reaction to identity theft laws is "Aren't existing fraud laws sufficient?"

At least at first glance, however, this bill seems to be doing more, and doing it in a useful manner -- not solely a "well, let's make it more illegal!" type of bill.
1. Re:Usually by vertinox · 2007-10-17 07:07 · Score: 3, Informative
  
  My usual reaction to identity theft laws is "Aren't existing fraud laws sufficient?"
  
  No. But its not the identity thieves the laws should target (because its hard to track them down) but the credit companies and the companies that accept fraudulent credit.
  
  Simply letting someone ruin another persons life with a birthday and a social security number is a horrid method for identification. It really needs to stop and there should be recourse for identity theft victims to go after credit companies who allowed such a transaction to happen.
  
  Of course these credit companies are the ones trying to make a buck by offering "protection" services when they are the ones who let these transactions happen with little background checking.
  
  --
  "I am the king of the Romans, and am superior to rules of grammar!"
  -Sigismund, Holy Roman Emperor (1368-1437)
2. Re:Usually by evanbd · 2007-10-17 08:19 · Score: 2, Interesting
  
  It's not just at a national level, and it's not just the current administration. Much as I dislike them, I don't think the current administration is all that much worse than previous ones in this regard, and a lot of the fault rests with Congress, not the Executive branch.
  
  I recently served on a grand jury handling general local level stuff. A typical indictment for ID theft would include fraud, atm card fraud (a special law! I'm sure making it super-extra-illegal helped), identity theft (yep, specifically illegal, even though it's hard to see what makes it ID theft instead of just, well, fraud), and usually a couple others.
why can't we get what the RIAA gets? by User+956 · 2007-10-17 06:17 · Score: 3, Insightful

a bill introduced into Congress that would allow citizens who have been victimized by identity theft to seek repayment for the money and time spent repairing their credit history.

If they set the damage levels anything near what the RIAA got in their last downloading lawsuit, that would put the brakes on ID theft right quick.

--
The theory of relativity doesn't work right in Arkansas.
1. Re:why can't we get what the RIAA gets? by neil-ngc · 2007-10-17 06:25 · Score: 3, Insightful
  
  We shouldn't. Really, the correct response to unreasonable copensation on a pro-rich people law is to fix the bad law, not right equally unreasonable payouts into a pro-average joe law. A law that makes it easier for victims to fix things up and get compensation for their losses and time is reasonable. Even some modest punitive damages are reasonable. But stupid sized compensations like those under the DMCA just give the green light to write more laws with stupid compensation levels, and you may not like the next one.
2. Re:why can't we get what the RIAA gets? by orclevegam · 2007-10-17 06:28 · Score: 2, Interesting
  
  If they set the damage levels anything near what the RIAA got in their last downloading lawsuit, that would put the brakes on ID theft right quick.
  Oh yes, because those Chinese, Russians, and others located outside the US are so mortally afraid of being sued for a hojillion dollars. The one good thing this law is doing is allowing the victim to recoup some of the loss, and maybe might act as incentive for the credit card companies to actually do something to reduce identity theft. The problem till now is it was always the victims eating the costs of identity theft, not the credit card and credit reporting agencies.
  
  --
  Curiosity was framed, Ignorance killed the cat.
Where have I heard "damage computers" before... by HTH+NE1 · 2007-10-17 06:20 · Score: 3, Insightful

make it a felony to use spyware or keyloggers to damage 10 or more computers; Expect an exception amendment to the bill on behalf of the RIAA, MPAA, BSA, etc. from Senator Orrin Hatch to try granting themselves immunity again.

--
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
The nature of the identity theft crime... by Bill+the+Cat · 2007-10-17 06:24 · Score: 2, Interesting

...cries out for an approach similar to the combating of piracy back in the 1700 and 1800's, eg) issues of letters of marque, allowing private citizens to capture or do damage to the criminals.
1. Re:The nature of the identity theft crime... by kilo_foxtrot84 · 2007-10-17 06:34 · Score: 2, Interesting
  
  ...until the system is abused. Actually, a quick check shows that the US Congress is empowered by the Constitution to issue letters of marque to private citizens. I wonder if they're issued all that often now...
2. Re:The nature of the identity theft crime... by firecowboy · 2007-10-17 07:06 · Score: 2, Insightful
  
  Blackwater USA
  
  --
  To the victor goes the spoils
Now if only... by InvisblePinkUnicorn · 2007-10-17 06:24 · Score: 4, Insightful

Now if only the penalties for stealing a person's identity, money, and ruining their credit history for years could match the penalty for having a certain flowering plant in your pocket, maybe the court system wouldn't be such a joke.
Extortion. by Erris · 2007-10-17 06:26 · Score: 3, Insightful

Would threatening to expose a security flaw in a server or website unless it was patched open you up to prosecution under cybercrime laws then?

If you ask for money in return for keeping your mouth shut, you are already an extortionist. At the same time, it's hard to see them using the bill to come after an honest disclosure, where you simply published details. Must find bill to know.

--
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Years too late by angryrobot · 2007-10-17 06:28 · Score: 5, Insightful

I was the victim of identity theft about 6 years ago. It took me literally 2 years to clear my name. That's 2 years of making long distance phone calls, tracking down the right people, emailing, photocopying birth certificates and licenses, making police reports, etc, etc. All the while I was looked at with suspicion and I basically had to prove my innocence!

Whose fault was it that my identity was stolen? That would be the credit bureaus and the credit card companies that allowed it to happen, not me. It is their system that is at fault for allowing people to steal identities so easily. So why am I responsible to clean up their mess? If I have marks on my credit report, I should be able to tell the bureaus and that should be the end of it. I think restitution is the least they can do.
1. Re:Years too late by jav1231 · 2007-10-17 06:42 · Score: 4, Insightful
  
  Agreed. I can't for the life of me understand why when ID theft is identified your credit score isn't immediately returned to the state it was in on the date the theft is pinpointed. THAT should be in this bill.
Re:Why ten? by pintpusher · 2007-10-17 06:31 · Score: 4, Funny

It should be 10 computers, as in one more than 1 computer.

--
man, I feel like mold.
This is the WRONG approach by erroneus · 2007-10-17 06:33 · Score: 5, Insightful

The real problem is that, as very well predicted, the use of social security numbers for anything other than social security will lead to all sorts of problems. The fact that a person's identity is essentially just this number and that the credit game has become an entrenched part of commerce and culture, they [the people behind the illegal use of social security numbers -- yes, it's illegal -- law was written to prevent this and everyone, including and especially the IRS has ignored it] have created a situation for which "they" should be held liable. Instead, they create the mess and we are somehow responsible for cleaning up the messes. And now with bills like this, the idea that "we" are responsible for when THEIR credit and identity systems are abused and used against us... that "we" can somehow prevent it from happening and it's our responsibility.

The abuse of SSNs and the credit system at large needs to be dismantled or severely reformed in such a way that the creators of the problem are liable for the problems it causes. As it stands, they can buy and sell "your information" because it's not your data... it's theirs... they collected it! But when it's abused and affects your life, YOU are responsible. How is that appropriate? NO. This bill is VERY wrong. The bill should assign liability to the parties responsible for creating the mess. This is just further effort to assign the liability of the SSN and credit industry to people who may not even be willing participants!
Can we sue the credit reporting agencies? by 140Mandak262Jamuna · 2007-10-17 06:57 · Score: 5, Interesting

For slander or defamation?
Basically, someone impersonates me. Some bank/merchant/credit card company extends credit without verification. The impersonator defaults. They report me as the deadbeat. That is the scenario. The creditor who mistakenly reported me should be liable for slander. The credit reporting agencies should be considered accessory after the fact. So the real culprits are the people who extend credit without verification and people who report me as a deadbeat without justification. Normally if they have to face full consequences of their action, they will clean up their act and we would not need any special laws for identity theft.
But congress in its infinite stupidity holds the impersonator the responsible for my ruined reputation. The impersonator is liable for lying, cheating, committing forgery and is responsible for all the damage caused to the credulous creditor. And if they call me a deadbeat without proper verification whoever reported me as the deadbeat is responsible for the damage caused to my good name.
As usual it is a credit reporting agency liability protection act being sold to the public as an anti-ID theft law.

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
1. Re:Can we sue the credit reporting agencies? by jfengel · 2007-10-17 07:30 · Score: 3, Insightful
  
  I believe they don't want to push it too hard because easy credit is an important driver in the economy. They give you easy credit, you buy houses and cars and stuff on credit cards, and lots of people get jobs selling you those things.
  
  There's the fact that they make it too easy for people to buy stuff without realizing that they have to pay it back, but it's kind of a separate issue. If they erred on the side of security, the economy would slow drastically. You'd need an economist (which I am not) to run all the numbers, but basically the assertion is that the amount of fraud does less damage to the economy than the good done by easy credit.
  
  What we really need is to make it easy to get credit if you qualify and not if you don't, which means forcing the credit providers to come up with a better mechanism for verifying identity than they're currently using (which is essentially none at all). There are difficulties there with civil liberties, as well as the fact that if you put more faith in a better authentication mechanism you suffer even more when it's broken (and there are no unbreakable authentication mechanisms).
  
  Plus, there's the fact that the credit providers are personally profiting from the current rules. Which means it would be up to government to mandate a better scheme, which (a) they would do badly, like those idiotic RFID passports, and (b) would certainly set records for new forms of civil liberties violations.
Bill Number (110) S.2168 by megaditto · 2007-10-17 07:06 · Score: 2, Informative

Leahy did release the PR blurb on it, but the full text is kept secret of course (Dems want to get paid too)

Track the bill here: http://www.govtrack.us/congress/bill.xpd?bill=s110-2168

--
Obama likes poor people so much, he wants to make more of them.
Oh Not This Again by mpapet · 2007-10-17 07:28 · Score: 4, Insightful

These issues have been plaguing Credit companies

1. Your premise is wrong. The banks DO NOT assume the costs of fraud. Merchants absorb all of the cost of fraud and pay the bank a penalty too. The costs are shifted to consumers through higher prices. Bottom line: The Association banks benefit greatly from fraud.

2. The bill in question is the wrong way to address the issue. The card associations have a solution to the problem except they won't implement it because it cuts into their fraud revenue and the costs are much higher per-card than dumb plastic/mag-stripe. The standard is called EMV. It solves 98% of fraud issues. Today. The other 2% I'll blame on bad coding.

--
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
1. Re:Oh Not This Again by dgatwood · 2007-10-17 07:50 · Score: 5, Insightful
  
  Credit card number theft is almost an insignificant issue. I've had unknown charges occur on my credit card, and in one of those cases, the card company contacted me. The other one only required a simple phone call. I'm not sure how they got the numbers---one of those cards had only been used once at CostCo---but it happens. Either way, it didn't cost me a dime.
  
  This is about identity theft---stealing enough information to obtain credit cards of your own in someone else's name, then racking up thousands of dollars of debt. EMV doesn't solve any fraud issues because most identity theft is either A. caused by somebody giving out information too willingly to someone who really doesn't need it, or B. caused by somebody who should have been trustworthy not taking care of the data that they retain. EMV won't help either of those situations. (For people who aren't aware, EMV is a smart card system for credit cards. AFAIK, EMV also won't really solve card number theft, since internet purchases have to be made the old-fashioned way unless you just happen to be willing to buy a reader for your computer....)
  
  The only thing that will really solve identity theft is making credit card companies and credit agencies fully responsible for every penny of losses due to identity theft. This law is exactly backwards and should not be passed. The reality is, we wouldn't have identity theft problems if those companies were held liable for losses. You would apply for a credit card, and they would make phone calls to your last known telephone number, give you some code number, and ask you to call a 1-800 number and enter that code in order to complete the request. The fact that they don't do even the most basic checks to verify the validity of a CC request is proof positive that they are content to let merchants and individuals bear the brunt of their own incompetence.
  
  I've never had my identity stolen, but if it happened to me, the first thing I'd do is hire a lawyer to sue every reporting agency that the CC company contacted for credit history information. If the reporting agency were responsible, they would have contacted me and asked for authorization before releasing that information. As far as I'm concerned, a credit reporting agency should not have the right to retain data on me nor to release that data to anyone without my explicit permission. That means checking signatures against known signatures on file, contacting me at known prior addresses/phone numbers, etc. Then, I would follow that by suing the credit card company for similarly failing to properly research the request. When it was all over, my credit history would still be screwed, but at least I'd have gotten enough money out of the dirty scumbags that I wouldn't have to care.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
2. Re:Oh Not This Again by suv4x4 · 2007-10-17 08:29 · Score: 2, Interesting
  
  2. The bill in question is the wrong way to address the issue. The card associations have a solution to the problem except they won't implement it because it cuts into their fraud revenue and the costs are much higher per-card than dumb plastic/mag-stripe. The standard is called EMV. It solves 98% of fraud issues. Today. The other 2% I'll blame on bad coding.
  
  For e-commerce it's even simpler. In our country (Bulgaria) 10 years ago we suffered from too many teen hacker wannabes for whom the greatest fun in the world was stealing credit card info and ordering books for it.
  
  Not only people abroad suffered, but also local citizens. So, for online commerce, the solution is dead simple, when a transaction is carried out, a confirmation link is sent to your email, and you need to click that link to make money move.
  
  Why is this better than the majority of credit cards nowadays? Well.
  
  With mastercard or visa, I input all the information that's required to complete the purchase in the form. No secret remains mine. If this info leaks, anyone can order from my card.
  
  With the email confirmation, I still have the password on my card account which I never input anywhere, where the email is specified. I never enter the password to my email anywhere either.
  
  Second benefit is I get real time notification in my email when someone tries to order with my card. With regular credit card, I only see this 10 days later on my bank statement.
  
  So I guess it's true: the credit card providers DO want the fraud to continue, since they don't implement basic confirmation techniques, despite it's neither complicated nor costly (fine, maybe it'll be costly NOW with so many merchants to update their business process, but common sense wasn't invented yesterday, what were they doing ALL THOSE YEARS..?).
OT: SCHIP by Kadin2048 · 2007-10-17 07:47 · Score: 2, Funny

That didn't work for SCHIP. Yes, I have to admit that outbreak of common sense on the part of the Executive Branch was unexpected, to say the least.

--
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Re:Funny, I thought we had a mechanism for that... by jhantin · 2007-10-17 08:15 · Score: 2, Interesting

#include <not_lawyer.h>
The bank was the fraud victim, you're collateral damage. Er, um, no pun intended...
After the fraud uses your personal information to take money from a third party creditor, said creditor unfairly trashes your reputation, since that's the easiest recourse they have. Actual damages inflicted by the creditor in what looks to me like a defamation case might well be difficult to demonstrate, but not impossible: that nasty little clause in your credit card agreements that makes everything go to 31.99% APR if anything derogatory appears on your credit report means the defamation is costing you actual cash.

--
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
Agree 100% by Joce640k · 2007-10-17 09:50 · Score: 2, Interesting

Re: Identity theft

People need to be notified whenever an application is made for a drivers license, bank loan, etc. Until the rightful owner of the SSN responds (eg. via telephone with a PIN), the application cannot proceed.

If people are dumb enough to carry their PIN in their wallet then they should be liable for all losses.

Re: credit cards:

I'd like to see:

a) No storage of credit card numbers by *anybody* other than the card issuer (ie. online merchants like must not store your card numbers anywhere, you need to type it in for each transaction).

b) Any credit card transaction over $100 requires secondary verification (eg. PIN, token ID).

c) More than (say) five credit card transactions in a single day triggers a verification requirement (talk to credit agency on phone, give password, say everything is Ok).

This sort of thing will never happen until the credit card companies become liable for losses. When it is done then the liability can be shifted to the people who didn't look after their PIN, etc.

PS: You can carry PINs securely - I had an account with a bank which gave you a little card with a grid of colored squares on it. The idea was to write the digits of your PIN in positions you'd remember then fill the rest of the grid with random digits. It worked beautifully - I could safely carry my PIN in my wallet and I never forgot where the PIN was. There's no reason why something like this couldn't be printed as standard on the back of all credit cards instead of the stupid signature strip which is too small to sign properly and nobody ever looks at anyway.

--
No sig today...
1. Re:Agree 100% by unitron · 2007-10-17 11:14 · Score: 2, Interesting
  
  a) No storage of credit card numbers by *anybody* other than the card issuer (ie. online merchants like must not store your card numbers anywhere, you need to type it in for each transaction).
  How about instead of telling fuzzysandals.com "Here's my credit card number. Tell MasterCard's computer to give you 40 of my dollars.", you connect to MasterCard.com and tell them "Give 40 bucks to fuzzysandals.com on my behalf. Here's their transaction serial number for my order." ?
  
  --
  I see even classic Slashdot is now pretty much unusable on dial up anymore.
FICA contributions by GPS+Pilot · 2007-10-17 10:17 · Score: 4, Interesting

If a person uses a stolen Social Security number to get a job, I would like to see all FICA contributions made by the employee and employer to remain credited to the identity theft victim, even after the fraud is discovered.

That the victim will someday receive larger Social Security checks would be some consolation.

[Yes, this measure would have a negative impact on the illegal immigrant population, because few other groups have any reason to use stolen Social Security numbers when applying for a job.]

--
That that is is that that that that is not is not.