The New York Times has a story on the web -- "With Personal Data in Hand, Thieves File Early and Often" -- by reporter Lizette Alverez for Sunday's paper. It describes an "epidemic" of tax identity theft. Thieves file fraudulent tax returns and receive a legitimate taxpayer's refund before he or she does, often on a hard-to-trace prepaid card. It's a very good story that explains how the crime works, how it disproportionately harms retirees and how -- despite massive efforts by agencies from the IRS to the post office -- it's a growing mess. From the NYT:
"J. Russell George, the Treasury inspector general for tax administration, testified before Congress this month that the I.R.S. detected 940,000 fake returns for 2010 in which identity thieves would have received $6.5 billion in refunds. But Mr. George said the agency missed an additional 1.5 million returns with possibly fraudulent refunds worth more than $5.2 billion."
So, losses are huge, losses are increasing and legitimate taxpayers are waiting a long time to get their refunds after filing a claim. Unfortunately, the reform promoted by some policymakers quoted in the story -- increasing criminal penalties-- has never worked to stop identity theft. Bad guys don't have to carry guns to commit identity theft -- a key reason they teach the crime in prison yards: "after you get out, stop carrying a gun, do identy theft." Besides, not enough ID thieves get caught, so the crime is booming. Sure, it doesn't hurt to increase penalties, but it is not enough. We need to protect personal data better. Relying on increasing penalties is a feel-good solution that won't work on its own. It's also a "look the other way" strategy that the credit bureaus and other members of the "Big Data" industry have used for years to deflect attention from their own failings. The credit bureaus, of course, are wrong. They remain among the leading exponents of the Bart Simpson defense in America today: "I didn't do it, nobody saw me do it, you can't prove anything (youtube)."
But the credit bureaus and other powerful special interests have successfully resisted proposals to protect personal information better-- they prefer to "blame the bad guys" not their own sloppy practices. The real solution is to better protect personal information. We could start with limiting the availability of Social Security Numbers as identifiers in the private sector, but businesses led by the powerful credit bureaus and less-well-known data brokers like the convenient crutch of using the number. As long as we use the SSN as both an identifier and an authenticator, any reform is doomed. As the privacy gurus at the Electronic Privacy Information Center have pointed out:
"Serious security problems are raised in any system where a single number is used both as identifier and authenticator. It is not unlike using a password identical to a user name for signing into e-mail. Or like using the SSN as a bank account number and the last four of the SSN as a PIN for automated teller machines."
This 2011 Reuters story also includes comments from our colleagues at the authoritative Privacy Rights Clearinghouse about some of the other roadblocks that the IRs and other agencies face in stopping the crime and catching the crooks.