"Jörn" Schmidt <[EMAIL PROTECTED]> writes:

> The answer to this dilemma? I'm afraid this time it really is
> legislation. Frankly, I'm not even sure if that would work but, at this
> time, it's our best shot. Congress won't do anything about this unless
> a few representatives have their identities stolen and experience
> first-hand what a PITA it is to have to deal with the fallout.

I agree that legislative changes are necessary, but I think they are
fairly small.   Consider the following:

  Alice is a model citizen with a good credit history

  Bob "steals Alice's identity" by finding out semi-public static

  Bob gets a loan from Charlie under Alice's identity, where Charlie
  transfers something of value to Bob and records a debt from Alice.

Here, Bob has committed a crime, and this being a crime isn't
controversial.  Until this point, Alice hasn't really been harmed
unless she tries to interact with Charlie herself.

  Charlie tries to collect from Alice, or
  Charlie reports that Alice owes a debt to a third party, or
  Charlie reports that Alice is in default to a third party.

In my view, _Charlie_ has comitted a tort against Alice because he has
been negligent (or at least incorrect) in issuing credit.  If Charlie
has decided to issue credit with minimal checks because the business
benefit of that is more than the fraud losses (similar to our credit
card system today), then it's only fair for Charlie to cover the full
burden to Alice, including all the effort of cleanup.  If Charlie
isn't being careful to the some degree, so that such incidents are
rare, triple damages are probably in order.  Even if Charlie is very
careful, actual damages should be paid.

A reasonable penalty for Charlie might be on the order of $1000
statutory damages plus $100/hr for any time over two hours Alice has
to spend dealing with the issue, plus any legal fees incurred if any
problems remain 30 days after the first report.  This puts the onus on
Charlie and the reporting systems will quickly adjust to enable
Charlie to withdraw the incorrect report completely and quickly.

Of course, Charlie should be able to recover all of his own costs, as
well as payments to Alice, in triplicate from Bob.
Many credit issuers willfully conduct their business with the
knowledge that this will occur.  So, as I see it the basic problem is
not one of security, but the fact that credit issuers etc. impose
costs on innocent third parties and get away with it.

        Greg Troxel <[EMAIL PROTECTED]>

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to