Law Six of The Laws of Disruption deals with the myths and realities of Internet crime.  It’s a subject that’s bothered me for a long time.  Back in the Stone Age (1995), John Perry Barlow and I wrote a Position Paper for Computer Sciences Corporation titled, “Five Privacy and Security Imperatives for Electronic Trade.”   (It’s so old I can’t even provide a link!)

This was before there was any electronic trade, or what came to be known (when it arrived) as e-commerce.  This was in the era where people were saying things like, “No one will ever give their credit card number out over the Internet.”  (Never start a sentence with “no one will ever,” especially when it relates to technology.)

The problem was that most of the people saying “no one will ever” worked for banks and credit card companies.  Many of them were clients of our research program.  They were overwhelmed by the idea of e-commerce.  Technically, they didn’t know how they would integrate their private networks with the public Internet.  From a business standpoint, they didn’t know how they could make it cost-effective to process what were expected to be smaller-dollar transactions in high volume from a new kind of merchant population.  Not to be unkind, but much of the fear surrounding e-commerce was generated to hold back the flood while these companies looked for ways to build dams.

Eventually these problems were resolved, but the fear-mongering has had a lasting effect.  In 2001, according to the Pew Internet & American Life Project, 87% of Americans said they were concerned about credit card theft online; by 2008 it was down only marginally.  Yet by 2009 over 50% of all American adults had paid online with a credit card anyway.

In the interim, of course, an entire industry has emerged with a strong incentive to keep the fear numbers high.  Companies that make money selling anti-virus software, credit reports, identity theft insurance and alternative payment methods (e.g., PayPal) stoke the fears of users that only a fool would ever type his or her credit card number into a web browser.

Identity theft is real, but for those who have been victims of it, generally the loss of money is the least of its damage (banks and credit card companies are legally obliged to return money fraudulently obtained from a customer’s account).  Restoring credit history and credit scores is where the real crimes take place, and the perpetrators are often the consumer’s own financial services providers.

The recent indictment of three men in the theft of 130 million credit card numbers is a good example of the continued obfuscation employed by the industry and their counterparts at the Federal Trade Commission, confusion often left unchallenged by journalists.  The thieves, an American named Albert Gonzalez and his offshore co-conspirators, broke into corporate networks of payment processors as well as major retailers including 7-11 and TJ Maxx.  When Gonzalez pleaded guilty, the Associated Press described him as “masterminding one of the largest cases of identity theft in U.S. history.”  Reuters called it “one of the largest identity-theft crimes on record.”

Stealing credit card numbers from corporate computers is a serious crime, but it is not “identity theft.”

The problem is that “identity theft” has come to mean many different things, including what we may now think of as the quaint form where consumers give their credit card number online to a scam artist, often in response to a fake email message purporting to be from their bank or other payment processors.  The scammer uses or sells the number to open new accounts, make fraudulent withdrawals or charges, and otherwise pass himself off as if he was the victim.  (See my 2005 article, “If Feds Fail, What Can Stop Identity Theft?”)

But that’s small potatoes compared to the kind of crime Gonzalez and his colleagues commit, where millions of credit card numbers are stolen and then sold.  Most of these, however, don’t actually result in identity theft—the credit card numbers are used to get cash and merchandise and are quickly disabled by software that recognizes dubious transactions.  Again the financial losses here are borne by the banks and credit card processors, not the consumers or the merchants.  That’s why the software is good and getting better.  It’s their money at stake.

No one’s “identity” is being stolen, but the use of the term to describe every financial fraud involving a computer amps up the terror level of consumers who largely have nothing to fear.  The vast majority of “real” identity theft has nothing to do with computers at all, but rather begins with a stolen or lost wallet, stolen or simply discarded mail, or inside jobs pulled by clerks and others with legitimate access to the data.

The real problems are on the back-end, where credit card systems are left insufficiently secured, or where laptops with sensitive data are left in the back seats of cars where they are stolen not for the data but for the hardware.  We keep hearing horror stories of government employees, university officials, and private sector employees who can’t even be bothered to put password protection on their logins, let alone encrypt their data.  And the continued use of social security numbers by private enterprises both as a customer ID and an authentication field is probably the most dangerous practice of all.

Oddly enough, these were exactly the problems Barlow and I pointed out in 1995.  The solutions were obvious then, and they’re still obvious now.  But as long as consumers are being misdirected to think it’s their behavior that needs to be controlled, the financial services industry can avoid solving their largely self-made problems.

Meanwhile, electronic commerce doesn’t grow as quickly as it could.

If anyone wants a hardcopy of my 1995 position paper, I’m happy to send it along!

I wrote extensively in Chapter 8 of The Laws of Disruption about the madness of prosecuting Lori Drew, a Missouri woman, for her participation in a cruel MySpace hoax that contributed to the suicide of a 13 year-old girl named Megan Meier. Drew's behavior aside, the decision by federal prosecutors to charge her under the Computer Fraud and Abuse Act was a cynical effort to appease an angry mob of bloggers and news media who wanted to see blood spilled. The judge, who for dubious reasons of his own allowed the case to go to the jury, signalled a few months ago that he was going to grant a defense motion to overturn the verdict, which he has now done.

As the old legal adage goes, hard cases make bad law. Had the jury's verdict stood, federal prosecutors would have found themselves with the awesome power to treat any violation of the Terms of Service of any private website as a federal crime, limited only by the wise application of prosecutorial discretion, which the Drew case itself amply demonstrated to be a virtue best honored in the breach.

(Not to get into the details of messy facts, but most of the nasty behavior was perpetrated not by Drew but by an 18 year-old part-time employee of her home-based business, who received immunity for cooperating with the prosecution. Drew hadn't even been the one who clicked on the "I Agree" for the MySpace Terms of Service, as if anyone believes that doing so signals understanding let alone ability to comply. The jury foreperson, after the case, made clear that their chief objection to Drew was her failure to adequately parent her own 13 year-old daughter, the other mastermind behind the hoax. If only that were a crime...)

Drew's ultimate acquittal was never in serious doubt. But in the meantime, recognizing the lack of any real law she or her teenage co-conspirators had broken, the Missouri legislature weighed in with an idiotic anti-"cyberbullying" statute known, of course, as "Megan's Law," which is now being tested, as reported last week by CNET's Lance Whitney. The law criminalizes the use of the phone or Internet by someone 21 years old or over to cause emotional distress to someone 17 or under. Garden-variety bullying by one's peers and, one presumes, emotional distress inflicted by parents are still perfectly legal. In the test case, a 40 year-old woman is being charged for posting a fake personal ad on behalf of a teenage girl. The defendant faces up to four years in prison.

It doesn't take a genius or a crystal ball to see that Megan's Law will soon be declared unconstitutional on First Amendment grounds. Which the Missouri legislature undoubtedly knew. But passing stupid laws that appease angry mobs is easy, especially when hypocritical legislators can all rely on "activist" judges to overturn them.