Return to Transcripts main page

CNN Burden of Proof

Protecting Your Identity Online

Aired July 04, 2001 - 12:30   ET

THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS FINAL FORM AND MAY BE UPDATED.


THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS FINAL FORM AND MAY BE UPDATED.
GRETA VAN SUSTEREN, CO-HOST: In this new world of technology- driven commerce, you, as the consumer, may be the target of online thieves.

(BEGIN VIDEO CLIP)

REP. CLAY SHAW (R), FLORIDA: People are relying on Social Security numbers. They're almost freely available. And people give them out freely. And this is what we're trying to put a stop in -- stop to. There's actually commerce going on, people buying and selling Social Security numbers. And this is wrong.

(END VIDEO CLIP)

VAN SUSTEREN: Today on BURDEN OF PROOF: How can you protect your identity in this vast world of ever-changing criminal activity?

ANNOUNCER: This is BURDEN OF PROOF, with Greta Van Susteren and Roger Cossack.

VAN SUSTEREN: Hello and welcome to BURDEN OF PROOF.

It's the type of crime that makes nearly everyone vulnerable. And the criminal isn't interested in breaking into your home or taking your car. The thief wants to steal your identity.

ROGER COSSACK, CO-HOST: It's estimated that 500,000 Americans have their identity stolen each year. In fact, in 1999 alone, identity theft increased almost 50 percent. All the thief needs is a few facts, mainly your Social Security number. And it's easier than you think to find it.

And joining us today from Phoenix, Arizona Rob Hartle -- Robert Hartle, a victim of identity theft.

VAN SUSTEREN: And joining us from New York is "Washington Post" reporter Robert O'Harrow. Here in Washington, Patrick Turpstra (ph), former law enforcement officer and computer crimes expert Morgan Wright, and cyberlaw attorney Richard Marks. And in our back row, Allita Kovic (ph) and Jeff Swenson (ph).

First to you Bob, I want to find out what happened to you -- that your identity was stolen. ROBERT HARTLE, IDENTITY FRAUD VICTIM: Well, my identity was stolen by a wanted and convicted felon out of the state of Florida. He had been convicted of insurance fraud and given probation. And he didn't like the stipulations of his probation, so he moved to Phoenix, Arizona, where my mother lives and I live. And he moved across the street from my mother.

And by speaking with my mother, he found out where I was born. And he wrote and got my birth certificate. And then he took that birth certificate and he made a copy of it. And he wrote to the Social Security Administration and told them that I had lost my Social Security card.

And they provided him with a Social Security card with my real Social Security number on it. And then he took those two licenses -- or two forms of information and got driver's licenses in my name. And he had five driver's licenses at one time in five different states in my name. And they were CDL truck driver's licenses. And he was truck driver by trade.

VAN SUSTEREN: Did he use your identification to purchase things online or to get money from -- or to get credit issues for you?

HARTLE: He used my identity to open bank accounts, get credit cards and buy items on credit. He even bought a house. And he bought several cars and motorcycles in my name.

COSSACK: How much did this eventually end up costing you, Bob, and what have you done about it?

HARTLE: This actually ended up costing me and my wife $15,000 of our own money to get my good name back the way it was before the criminal stole it. And my wife and I decided to get laws passed making people's whose identity is stolen a victim. We got the first- ever law passed here in Arizona, making it a felony. And then we got the federal law passed, making it a federal felony to steal people's identities.

VAN SUSTEREN: Robert O'Harrow in New York.

Robert, stealing someone's identity, you cover these stories for the print media. How prevalent is it that people get their identity stolen and fraud or at least the -- people lose money?

ROBERT O'HARROW JR., "WASHINGTON POST": Well, identity fraud is definitely a growing problem. And it's related to the proliferation of personal data. A lot of companies meanwhile aren't implementing enough security so that, just as he described, identity thieves take scraps of information and parlay them into other information because many banks, securities firms, credit companies, retailers and so on don't take the burdensome -- sometimes burdensome steps to ensure that the person is who they say they are.

We reported in the "Washington Post" not long ago a troubling turn in all of this, in that some identity thieves out in Oregon were actually using fraudulent identities and parlaying them into dossiers that they buy from information brokers online. And those dossiers, which are -- anybody can find -- the people who sell them, by doing a Web search, contain remarkable amounts of information. And in fact, effectively, are what we would call information age keys to stealing identities.

COSSACK: Morgan, in fact, people who use the Internet today willingly give up a lot of information about themselves. If you have purchased one item on the Internet, are -- is it all over for you? Does the -- do the people now know everything there is to know?

MORGAN WRIGHT, CERTIFIED FORENSIC COMPUTER EXAMINER: I'll tell you, with this age of gathering marketing data, information, cross- referencing databases, once you purchase something online and they have a good profile of you, that information can be propagated to a lot of other agencies or places and sold.

Your credit card information is stored at that company. And your security of your information is only as good as the security of the company that's storing your information. If they -- the transaction may have been perfectly safe. You may have done it perfectly safe online. But if they're broken into it and your information is sold or stolen, you've got no control. Once it's gone, it's gone.

VAN SUSTEREN: Which raises another question. Richard, if I buy something online, does the company from which I buy something online -- do they have any right to give the information to anyone else?

RICHARD MARKS, INTERNET PRIVACY LAWYER: Well, they may have. And in fact, they may have obligations to give the information to other folks, including the federal government.

VAN SUSTEREN: Like who?

MARKS: Well, they -- if it's a bank thing, they have contractual obligations to give the information to affiliates, to credit reporting services. And they may want to give the information to marketers. So...

VAN SUSTEREN: But wanting is a little different than having the right to. If I just buy a sweater from a department store online, I assume that the store has my information and that's it. That's not right?

MARKS: Well, if you were to buy the sweater online and then not pay your credit card bill, there would be credit-reporting obligations. And the fact that you weren't paying your debts would go to credit reporting services, where it would be stored, just as an example.

COSSACK: Bob, the notion that you buy something even when you use your credit card and don't use the Internet, and the idea -- Robert, let me give this to you -- the idea, therefore, that -- in fact, you're going to keep that -- that the store is going to keep that information is just not a true one, is it?

O'HARROW: Well, I think it's something that's very important to note here so that the viewers have a broader understanding of this, is that to focus simply online is really narrowing the subject too much. I think that whenever you -- or frequently when you buy things offline, there's more information-sharing going on already systematically than there is online. And so, when you think of these things, it's important to think of it both online and offline.

And to answer the other question, when you share information, there's no telling exactly where it's going or exactly who's using it. And in many cases, it's going to be put to a very good use. They're going to take that information of your purchases and create a profile and then tailor pitches to you. And many people love those. And we know that because people participate.

On the other hand, when it's shared and sliced and diced by people you don't know and you don't understand how they're going to use it, that's very discomforting for many people. So there are benefits and there are drawbacks. It's both online and it's offline.

COSSACK: All right, let's take a break.

Is there any way to protect your identity? Let's find out. Stay with us.

(BEGIN LEGAL BRIEF)

From January to November 2000, there were 617 instances of identity theft reported by banks and other financial institutions. That number more than doubled the number of identity thefts reported in all of 1999.

(END LEGAL BRIEF)

(COMMERCIAL BREAK)

COSSACK: According to the FBI, identity theft is the fastest growing white-collar crime in the United States. So, if stealing a person's identity is really that easy, how can we protect ourselves from being victims of this silent crime?

Morgan, how can we protect ourselves? Or can we?

WRIGHT: Yes, you can. In fact, Robert brought up a pretty good point. Technology is only another enabler for -- to do what we've doing for many, many years, which is sharing information.

Common sense will probably eliminate 95 percent of the problems people have. Just the same way, if somebody came door-to-door, you never saw them before, didn't know the company, you would be foolish to hand out all of your private information.

VAN SUSTEREN: But wait, you get out -- when I was -- buy something on the Internet, I don't know who's receiving the information to other end. I mean, I do that all the time.

WRIGHT: That's true. And that's what -- the last time we talked about this, education was one of the big things we talked about. People have to...

VAN SUSTEREN: I obviously didn't stick with it.

(LAUGHTER)

WRIGHT: We'll have another session. But that's the thing, is education can solve a lot of these problems. If people just become more aware and use some common sense, good judgment. When I share this information is it, whether it's the Internet, whether it's door- to-door, am I comfortable sharing this information?

We easily go into a restaurant, hand out a credit card because it's a place of business. It's bricks-and-mortars. We're getting a service. We're paying for it. They're established. They're in the phone book. We have no problem with that.

COSSACK: But, Morgan, so are some of these companies that are on the Internet. And, I mean, it would seem to me, that what you're saying is that you can never be secure. I mean, they ask you for the most personal information, your Social Security number, your credit card number.

WRIGHT: Sure.

COSSACK: How can you ever be certain that it'll never get broken into and stolen?

WRIGHT: There's no such thing as perfect security. You'll never achieve that. You have to determine how much risk you're willing to take when you give out your information.

VAN SUSTEREN: Go ahead.

O'HARROW: The idea that you can never be secure, I think, is probably overstating things. The reality is that people have to develop good information habits. That means that when you get a warranty card in the mail, think twice before you fill it out. Think twice before you fill out a detailed credit card application.

(CROSSTALK)

VAN SUSTEREN: But Robert, isn't it too late for me? I mean -- you know, not like I'm inviting people to come get my identity. I mean I've already bought things.

O'HARROW: The reality is that it's -- we're at the very beginning of all of this. And so not only is it not too late, you're at very good time to start developing those good information habits.

For example, Greta, when you buy those flowers in New York City, make a mental note of who you're sharing your information with, maybe make an actual note to yourself so that you can better track it. It's a pain. It's going to be a bit of a hassle. But the reality is that we're going to have to make better trade-offs between convenience and security. That's the reality for the rest of our lives.

COSSACK: All right.

O'HARROW: And people should get used to it.

COSSACK: All right, so Richard, there ought to be a law? What should be the law?

MARKS: There are actually plenty of laws. I think right now what we need to do is make sure people start to educate themselves. About 90 percent of security is right between the ears. And people need to be vigilant, need to realize that just as you wouldn't want to walk down a dark alley in a -- at night in a city. You've got to be careful walking in the Internet.

VAN SUSTEREN: But Richard, here's the problem, is that you've got Bob, whose identity was stolen. I mean, he finally -- you know, he finds out. He's got $15,000 of bills to sort of find out and to rectify. I mean, that's not a very good education. I mean, you oftentimes learn after you've been hit.

MARKS: Well, in his case, it turned out to be a great education, but after the fact. But it's a lesson to all of us. It's much easier to deal with these things before the event than after the...

(CROSSTALK)

VAN SUSTEREN: Is it the credit card that's responsible? If someone uses my credit card and buys something online, who gets stuck, the credit card company or me?

MARKS: Let's use his example. His problem arose not from a credit card transaction on the Internet; his problem arose because somebody moved across the street and spoke to his mother and was in a position maybe to go through his trash, to observe his habits. The threats are not just electronic. And it's what Morgan says: You've got to be vigilant. And you've got to realize that your information can be stolen in many different ways.

COSSACK: But here's the point I don't get, Morgan. I understand the idea that you've got to be vigilant. It seems to me that short of going into a store and paying cash for something that you are at risk, short of doing that.

(CROSSTALK)

VAN SUSTEREN: ...drug dealer too.

COSSACK: Yes, that's right.

WRIGHT: Well, you agree to trade convenience and risk when you make credit card purchases.

COSSACK: But I don't -- wait a minute. I'd never agree to have them share my information. No one ever asked me if they can share my information. As a matter of fact, they should pay me. It's my assets. WRIGHT: But you know, as an attorney, the bold print giveth us, but the fine print taketh away. People do not read the Web sites that -- when they have a privacy policy on there, I would challenge a lot of people to see if they've actually read these policies.

VAN SUSTEREN: Oh, those things that pop up. I never read those things.

Go ahead Robert. What were you saying?

O'HARROW: This isn't just about the individual consumer, although that's a fundamental issue. It's that individuals have to have better information habits. But we also probably ought to take a look at security, at banks, credit issuers and so on, because, in many cases, they're the ones that are giving out information to people who are posing as us.

And why are they giving it out? Well, their security is oriented towards convenience, not protecting the information. So if you go to your bank or your mutual fund and so on and ask for information and they didn't ask you for some data about you that's very private, such as a password, then maybe you should start asking for them to implement that kind of program.

VAN SUSTEREN: I've got to tell you. I've got to tell you, Robert, I have so many passwords for so many Web sites, I mean, I have so forgotten any of those passwords that it's hopeless. And I think that probably others might have the same problem.

COSSACK: Well, there you are: end of security.

MARKS: Yes, you can't keep track of them. You know, technology is going to march on and we're going to have spy, counter-spy.

The next frontier is biometrics. So that if you want to make a purchase, somebody will take a palm print or a thumbprint...

VAN SUSTEREN: I'm for that. I'm...

MARKS: ... or a retinal scan.

VAN SUSTEREN: I'm definitely for that, Richard, because I've got to tell you that password business, I mean...

COSSACK: Greta, it's not -- I don't want you to keep saying -- it's not that tough to remember a few passwords.

VAN SUSTEREN: No -- look, every place wants a password. If you use the same password, you've sort of lost the security or secrecy of password unless...

WRIGHT: And so you've brought up the exact point, is that the inherent problem in all of this is people. It's not technology.

VAN SUSTEREN: Blame me.

WRIGHT: Yes. No, but, I mean...

VAN SUSTEREN: Yes, I think that was an overt message.

(CROSSTALK)

WRIGHT: ... me, as part of security system, people are the weakest link. Insider crime does more damage to a company but it's the bank robberies that get reported in news not the tellers who are embezzling tens of thousands of dollars. It's not as dynamic.

In a security system, whether it's your information -- when I was asked to come to show, they said how easy is it to find information. In five minutes, I found resumes on the Internet that gave names, addresses, dates of birth and Social Security numbers. They're easy to do.

People are the problem. And technology only makes it easier for me to commit that crime now. But as Robert said up there, is that this is a broader issue other than technology. We've only come into the technology age. This might accelerate it, but we've had these same problems for thousands of years, people trade security for convenience.

VAN SUSTEREN: All right. And we're going to take a break. When we come back, we will find out from Bob how he found out his identity was stolen. Stay with us.

(BEGIN Q&A)

Q: According to the Privacy Rights Clearinghouse, how long does it take a victim of identity theft to clear his credit rating?

(END Q&A)

(COMMERCIAL BREAK)

(BEGIN Q&A)

A: An average of two years.

(END Q&A)

VAN SUSTEREN: Welcome back to BURDEN OF PROOF.

OK, Bob, how did you figure out that your identity had been stolen? What was the first tip?

HARTLE: Well, I actually received a bill in the mail for $181 from a resume writing company in Las Vegas, Nevada. And when I called the company and gave them my information, they told me that that was the exact same information that they had. But at the time, I was living in Iowa and I had never been to Las Vegas. So...

VAN SUSTEREN: Now, when that happened, Bob -- I mean if that happened to me, I'd figure that, OK, well, they -- you know, the company obviously messed up. I mean, one problem like that might not tip me off. Were there others?

HARTLE: Well, I -- when that happened, I got my credit report. And then when I got my credit report, I've seen all the fraud on it. And I knew that somebody had been using my identity.

COSSACK: Bob, how long did it take them to catch the person that was doing this to you?

HARTLE: Well, actually it took me one year to catch him. Nobody wanted to do anything for me or my wife. That is why we got the laws passed.

We kept repeatedly being told that there's no law against stealing somebody's identity and there was really nothing that they could do to help us. So, through my bills that I was getting in the mail and by making telephone calls and everything, I actually tracked the criminal down. It took me one year to find him, and it took me another year to convince the law enforcement community to arrest and convict him.

VAN SUSTEREN: Did you have a conversation with him? Did you ever call him and say why are you doing this?

HARTLE: Actually, he called me.

VAN SUSTEREN: And?

HARTLE: And he asked me what he could do for me to get me off of his back. And I told him the only thing he could do was come to Arizona and plead guilty to the crimes he committed. And he laughed at me and told me that he committed nonviolent crimes and there wasn't a law enforcement person or a prosecutor in the United States that was interested in his crimes.

VAN SUSTEREN: Is that true, Morgan? I mean I would think a prosecutor would jump on something like that.

COSSACK: You know, isn't it embezzlement? Isn't it counterfeit when he signs his name?

WRIGHT: Part of what you run into...

(CROSSTALK)

WRIGHT: ... and this is where Bob ran into -- and I -- you know, I've worked with a lot of people. In a state, you run into territorial jurisdictional issues, federal laws versus state laws and what you find, and like I say -- I hate to say it -- there's a lot of good people out there, but what you end up with sometimes is if it's too complicated or too difficult it's easier to say let the Feds handle it. Let somebody else handle that. That's not something we do.

VAN SUSTEREN: Robert, you want to get in?

(CROSSTALK) O'HARROW: Well, there's also a problem that ultimately it's for the credit card issuer or the bank to decide if they want to press charges, and typically, they don't want to do that. They'll pay for the bills. They'll cover the costs, which is the good news. The bad news is that by not pursuing these crimes, the individual, like Bob, is stuck trying to clear his or her good name.

VAN SUSTEREN: Robert, why wouldn't the credit card...

COSSACK: They'll cover the costs but, you know, guess who it gets passed on to?

VAN SUSTEREN: Right. Exactly.

Robert, why wouldn't the bank card want to prosecute and make a statement to people so that they don't have to deal with it on a regular basis?

O'HARROW: Well, because law enforcement officials -- people who really focus on this tell me that they're afraid of the news getting out that their customers were tagged, which is their -- in effect, a P.R. issue. And so rather than making it public and letting the sordid details come out, which invariably involve maybe potentially lax security, they would just assume have it not be addressed and to swallow the cost of the identity theft.

COSSACK: All right, Richard, let's talk a little bit about what the laws -- proposed laws would be about sharing information, opt in, opt out. I understand -- I've been getting things in the mail. I understand that most people have been getting things in the mail saying this is what our disclosure policy is. Do you want to be in or do you want to be out?

MARKS: Right.

COSSACK: It puts the responsibility on the shopkeeper or the Internet provider. One puts the responsibility on the consumer.

MARKS: Well, these bank privacy notices are required under federal law now. And July 1 is the deadline so we're all going to be getting many of them. They're very hard to read. And most people look at them and have no idea what they are. But they place the responsibility on the individual of deciding whether they want to receive marketing materials from banks and other firms that furnish financial services. And what you can opt out of is getting on all of these lists and getting marketing information. But as somebody mentioned earlier in the show, many people like to get this marketing information.

VAN SUSTEREN: What did they want from it? I mean I've got to tell you, I always think the -- I mean I don't want any to come to me. I never look at it. It just comes piling in the mail.

COSSACK: But it's also the trading of information, too, isn't it Richard? MARKS: Sure. You may not be, and in fact, you're not, representative of what most Americans want. The surveys show that most Americans love to get this information in their mailboxes. And the direct marketing industry is built on that.

But again, everybody ought to understand that there's a personal trade-off between having information about you widely known and the security and the privacy that you have. There's going to be more of that, more individual choice, more responsibility on the individual to protect him or herself and the data about you.

And by the way, this is not just the United States' problem. The thing about the Internet is that a criminal...

COSSACK: I was going to say we've got to finish this up. So I know it's a worldwide problem.

MARKS: Sure. You -- somebody in Russia or China can be attacking you and it's as if they were right next door. So, it's a real big issue.

COSSACK: I'm afraid that's all the time we have today. Thanks to our guests and thank you for watching.

VAN SUSTEREN: Join us again next time for another edition of BURDEN OF PROOF. We will see you then.

TO ORDER A VIDEO OF THIS TRANSCRIPT, PLEASE CALL 800-CNN-NEWS OR USE OUR SECURE ONLINE ORDER FORM LOCATED AT www.fdch.com