Bill Introduced to Congress Would Allow ID Theft Restitution

verybadradio writes with an article at News.com about a bill introduced into Congress that would allow citizens who have been victimized by identity theft to seek repayment for the money and time spent repairing their credit history. The bill was introduced by Democrat Patrick Leahy of Vermont and Republican Arlen Specter of Pennsylvania. "Last year, 8.4 million Americans were victims of identity theft, and many were left with a bad credit report, which takes months or years to repair, the lawmakers said ... The bill would also eliminate a requirement that the loss resulting from damage to a victim's computer must exceed $5,000 for prosecution; make it a felony to use spyware or keyloggers to damage 10 or more computers; and expand the definition of cybercrime to include extortion schemes that threaten to damage or access confidential information on a computer."

Wow...

[DragonPup]

...a cyber-crime bill that seems to be actually useful. Did we step into Bizarro America?

Re:Wow...

[EMeta]

Only if it passes...

why can't we get what the RIAA gets?

[User 956]

a bill introduced into Congress that would allow citizens who have been victimized by identity theft to seek repayment for the money and time spent repairing their credit history.

If they set the damage levels anything near what the RIAA got in their last downloading lawsuit, that would put the brakes on ID theft right quick.

Re:Wow...

[Necreia]

These issues have been plaguing Credit companies with costs to make customers 'happy'. It's been a financial hit on those that have... shall I say: Strong pull in government. Now, those same people can just attack the assailant instead of trying to get things corrected through their credit institution. The law, I'd assume, is to actually support/help the credit companies-- meaning that it being a benefit to the consumer is a side effect. Don't worry. We didn't go and be all sensible towards the general public on purpose or anything.

Where have I heard "damage computers" before...

[HTH NE1]

make it a felony to use spyware or keyloggers to damage 10 or more computers;

Expect an exception amendment to the bill on behalf of the RIAA, MPAA, BSA, etc. from Senator Orrin Hatch to try granting themselves immunity again.

Re:Hmm

[Nom du Keyboard]

It all sounds good except this line makes me a bit nervous:

and expand the definition of cybercrime to include extortion schemes that threaten to damage or access confidential information on a computer.

Would threatening to expose a security flaw in a server or website unless it was patched open you up to prosecution under cybercrime laws then? I know that's already fairly shaky ground from a legal standpoint, but would this make it even worse?

Would this apply to the RIAA and MediaSentry/SafeNet breaking into private individuals computers?

Now if only...

[InvisblePinkUnicorn]

Now if only the penalties for stealing a person's identity, money, and ruining their credit history for years could match the penalty for having a certain flowering plant in your pocket, maybe the court system wouldn't be such a joke.

Re:why can't we get what the RIAA gets?

[neil-ngc]

We shouldn't. Really, the correct response to unreasonable copensation on a pro-rich people law is to fix the bad law, not right equally unreasonable payouts into a pro-average joe law. A law that makes it easier for victims to fix things up and get compensation for their losses and time is reasonable. Even some modest punitive damages are reasonable. But stupid sized compensations like those under the DMCA just give the green light to write more laws with stupid compensation levels, and you may not like the next one.

Extortion.

[Erris]

Would threatening to expose a security flaw in a server or website unless it was patched open you up to prosecution under cybercrime laws then?

If you ask for money in return for keeping your mouth shut, you are already an extortionist. At the same time, it's hard to see them using the bill [senate.gov] to come after an honest disclosure, where you simply published details. Must find bill to know.

Years too late

[angryrobot]

I was the victim of identity theft about 6 years ago. It took me literally 2 years to clear my name. That's 2 years of making long distance phone calls, tracking down the right people, emailing, photocopying birth certificates and licenses, making police reports, etc, etc. All the while I was looked at with suspicion and I basically had to prove my innocence!

Whose fault was it that my identity was stolen? That would be the credit bureaus and the credit card companies that allowed it to happen, not me. It is their system that is at fault for allowing people to steal identities so easily. So why am I responsible to clean up their mess? If I have marks on my credit report, I should be able to tell the bureaus and that should be the end of it. I think restitution is the least they can do.

This is the WRONG approach

[erroneus]

The real problem is that, as very well predicted, the use of social security numbers for anything other than social security will lead to all sorts of problems. The fact that a person's identity is essentially just this number and that the credit game has become an entrenched part of commerce and culture, they [the people behind the illegal use of social security numbers -- yes, it's illegal -- law was written to prevent this and everyone, including and especially the IRS has ignored it] have created a situation for which "they" should be held liable. Instead, they create the mess and we are somehow responsible for cleaning up the messes. And now with bills like this, the idea that "we" are responsible for when THEIR credit and identity systems are abused and used against us... that "we" can somehow prevent it from happening and it's our responsibility.

The abuse of SSNs and the credit system at large needs to be dismantled or severely reformed in such a way that the creators of the problem are liable for the problems it causes. As it stands, they can buy and sell "your information" because it's not your data... it's theirs... they collected it! But when it's abused and affects your life, YOU are responsible. How is that appropriate? NO. This bill is VERY wrong. The bill should assign liability to the parties responsible for creating the mess. This is just further effort to assign the liability of the SSN and credit industry to people who may not even be willing participants!

Re:Years too late

[jav1231]

Agreed. I can't for the life of me understand why when ID theft is identified your credit score isn't immediately returned to the state it was in on the date the theft is pinpointed. THAT should be in this bill.

Re:Why ten?

[Anonymous Coward]

For similar reasons to why e.g. a tax law may reduce the tax rates on investments held for 7 years, rather than 5 or 10 - they have to pick a number that's going to be in aggregate the most right and the least wrong. Being a convicted felon is a fairly serious thing, isn't it so in the US that you lose your right to vote, and get banned from a number of jobs? I'd saying having it a felony by itself to install a keylogger on one computer is as draconian as the total sum from the RIAA lawsuit, but clearly doing it on 30 or 40 computers might not be. Ten seems to be a number that they feel hurts when it should hurt.

Re:The nature of the identity theft crime...

[firecowboy]

Blackwater USA

wow

[valkabo]

Did we step in Bizzaro slashdot where we don't see how abused this will be??

make it a felony to use spyware or keyloggers to damage 10 or more computers

So basically, I am a felon about 30 times over because of work. Also, how long before installing kazaa becomes a felony because of its loaded spyware? Think about it.

Re:New laws really necessary?

[Anonymous Coward]

Notably absent (based on my reading of the superficial article) is any provision that would formalize a victim's right to seek damages from either the credit reporting agencies or the credit issuers.

It's basically useless to try to get money from the criminals themselves since they're unlikely to have much to begin with and will likely spend anything they do have trying to defend themselves. It would be much more useful to be able to go after the businesses that can make it more difficult to commit identity theft. If they were partially responsible for the damages done by identity theft, there's a much greater chance that we'd see improved practices and security in the credit issuing industry.

Oh Not This Again

[mpapet]

These issues have been plaguing Credit companies

1. Your premise is wrong. The banks DO NOT assume the costs of fraud. Merchants absorb all of the cost of fraud and pay the bank a penalty too. The costs are shifted to consumers through higher prices. Bottom line: The Association banks benefit greatly from fraud.

2. The bill in question is the wrong way to address the issue. The card associations have a solution to the problem except they won't implement it because it cuts into their fraud revenue and the costs are much higher per-card than dumb plastic/mag-stripe. The standard is called EMV. It solves 98% of fraud issues. Today. The other 2% I'll blame on bad coding.

Re:Can we sue the credit reporting agencies?

[jfengel]

I believe they don't want to push it too hard because easy credit is an important driver in the economy. They give you easy credit, you buy houses and cars and stuff on credit cards, and lots of people get jobs selling you those things.

There's the fact that they make it too easy for people to buy stuff without realizing that they have to pay it back, but it's kind of a separate issue. If they erred on the side of security, the economy would slow drastically. You'd need an economist (which I am not) to run all the numbers, but basically the assertion is that the amount of fraud does less damage to the economy than the good done by easy credit.

What we really need is to make it easy to get credit if you qualify and not if you don't, which means forcing the credit providers to come up with a better mechanism for verifying identity than they're currently using (which is essentially none at all). There are difficulties there with civil liberties, as well as the fact that if you put more faith in a better authentication mechanism you suffer even more when it's broken (and there are no unbreakable authentication mechanisms).

Plus, there's the fact that the credit providers are personally profiting from the current rules. Which means it would be up to government to mandate a better scheme, which (a) they would do badly, like those idiotic RFID passports, and (b) would certainly set records for new forms of civil liberties violations.

Re:Oh Not This Again

[dgatwood]

Credit card number theft is almost an insignificant issue. I've had unknown charges occur on my credit card, and in one of those cases, the card company contacted me. The other one only required a simple phone call. I'm not sure how they got the numbers---one of those cards had only been used once at CostCo---but it happens. Either way, it didn't cost me a dime.

This is about identity theft---stealing enough information to obtain credit cards of your own in someone else's name, then racking up thousands of dollars of debt. EMV doesn't solve any fraud issues because most identity theft is either A. caused by somebody giving out information too willingly to someone who really doesn't need it, or B. caused by somebody who should have been trustworthy not taking care of the data that they retain. EMV won't help either of those situations. (For people who aren't aware, EMV is a smart card system for credit cards. AFAIK, EMV also won't really solve card number theft, since internet purchases have to be made the old-fashioned way unless you just happen to be willing to buy a reader for your computer....)

The only thing that will really solve identity theft is making credit card companies and credit agencies fully responsible for every penny of losses due to identity theft. This law is exactly backwards and should not be passed. The reality is, we wouldn't have identity theft problems if those companies were held liable for losses. You would apply for a credit card, and they would make phone calls to your last known telephone number, give you some code number, and ask you to call a 1-800 number and enter that code in order to complete the request. The fact that they don't do even the most basic checks to verify the validity of a CC request is proof positive that they are content to let merchants and individuals bear the brunt of their own incompetence.

I've never had my identity stolen, but if it happened to me, the first thing I'd do is hire a lawyer to sue every reporting agency that the CC company contacted for credit history information. If the reporting agency were responsible, they would have contacted me and asked for authorization before releasing that information. As far as I'm concerned, a credit reporting agency should not have the right to retain data on me nor to release that data to anyone without my explicit permission. That means checking signatures against known signatures on file, contacting me at known prior addresses/phone numbers, etc. Then, I would follow that by suing the credit card company for similarly failing to properly research the request. When it was all over, my credit history would still be screwed, but at least I'd have gotten enough money out of the dirty scumbags that I wouldn't have to care.

Re:Wow...

[Anonymous Coward]

No, it's the same old sameold. Cyber criminals aren't going to be deterred any more by this than they were the old law. The way TFA reads (and yes, Reuters isn't the most accurate mark on the blackboard), the thief is the one who pays. Good luck collecting any money from someone whose assets have been forfeited to government and who is in a federal slammer.

Now, if a law that actually protected the victims of identity theift passed, it would indeed be Bizarro World. What this law would say would be that the corporation who carelessly lost your data through bad security (e.g. using insecure software, insecure passwords, insecure procedures, leaving data unencrypted, leaving data on laptops in the back seat of a convertable, using Active-X, etc) would be the ones to repay the customer, and the customer would be eligible for triple damages.

Pass a bill like this and the only identities that would be stolen would be from dumpster diving and stupid home computer users who fall victims to phishers and won't patch their home OSes and programs. Double Bizarro if the software manufacturer is liable for losses due to badly coded shitware (hello, Microsoft).

Of course, you will never ever see legislation like this in the US so long as (you can stop reading now, I've been preaching this fantasy for a long time and you've surely seen it by now) the US government is a wholly owned subsidiary of the foreign-owned Multinational Corporations. The two reforms that would acomplish this (that will of course never be passed, since the government is a wholly owned subsidiary of the MNCs):

1. Candidates may not accept money from anyone not eligible to vote for them. As an Illinois voter I should not be eligible to vote for John McCain unless he moves to Illinois or runs for President, and Bill Gates should not be able to vote for Barrack Obama unless Gates moves to Illinois or Obama moves to Washington State or runs for President.
   
   Money should not be more powerful than a vote. Unfortunately we are not a Democratic Republic, we are a Plutocratic Republic.
   
   
2. Nobody should be able to contribute to more than one candidate in any given race. After all, if a fine American voter named Sony Corporation gives ten million dollars to the Republican and another ten million dollars to the Democrat, it doesn't matter which candidate loses, Corporation wins.

</soapbox>
-mcgrew [mcgrew.info]