Impersonal Identity and the Need for Personal Responsibility
Cryptographer and cybersecurity expert Bruce Schneier recently opined on the media-hot topic of identity theft. In his commentary Mr. Schneier insightfully points out that the "very term 'identity theft' is an oxymoron. Identity is not a possession that can be acquired or lost; it's not a thing at all. Someone's identity is the one thing about a person that cannot be stolen."

The real issue is the "ancient crime" of impersonation being used to commit fraud. Mr. Schneier breaks identity theft down into two components, the security of personal information and the "ease with which a criminal can use personal data to commit fraud." According to the article, government is spending too much time concerned with making it harder to steal personal data while instead "we must concentrate on preventing and detecting fraudulent transactions."

Bruce Schneier goes on to say that the only "reasonable answer" is for financial institutions "to be liable for fraudulent transactions." However, even while admitting that "I don't know what the final solutions will look like..." he goes on to state, without any discernible evidence, that "I do know that once financial institutions are liable for losses due to these types of fraud, they will find solutions."

While Mr. Schneier is justifiably renowned as a cryptographer, he applies his economic analysis to the policy issue in a rather single-sided manner. Mr. Schneier starts with the reasonable proposition that "Security can do all sorts of things, once the economic incentives to apply them are there."

Specifically, Mr. Schneier claims that "Right now, the economic incentives..." are such that financial institutions are "not paying enough attention to fraudulent transactions." The author claims that once financial institutions are "liable for losses and damages to legitimate users... they'll mitigate the risks."

However, Mr. Schneier's analysis apparently assumes that economic incentives apply only to financial institutions, not to merchants or consumers. Of particular concern is that the article portrays as unreasonable the notion that consumers take even modest steps to protect their personal information. Mr. Schneier states that financial institutions "can't claim that the user must keep his password secure or his machine virus free. They can't require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren't reasonable requirements for most users. The bank must be made responsible, regardless of what the user does."

How on earth can any institution be responsible for third-party actions "regardless of what the user does"? Why do economic incentives apply to financial institutions but not to merchants and individuals? Doesn't automatically absolving consumers of all responsibility to take reasonable, prudent steps to protect their private information promote irresponsible behavior? Wouldn't such automatic absolution encourage some consumers to commit fraud and blame it on the merchant or financial institution?

Ultimately, any effective new steps to reduce identity fraud would need to encourage responsible actions by all stakeholders. Blame-shifting will not work.

  • Copyright © 2005 The Center for Regulatory Effectiveness.
    All rights reserved.