WASHINGTON, DC . The Bureau of the Budget’s proposal was simple yet revolutionary. Instead of each federal agency investing in computers, storage technology, and operations personnel, the United States Government would build a single National Data Center. The project would start by storing records from four federal agencies: population and housing data from the Bureau of the Census; employment information from the Bureau of Labor Statistics; tax information from the Internal Revenue Service; and benefit information from the Social Security Administration. And while the original motivation was simply to cut costs, soon it was clear that there would be additional benefits. Accurate statistics could be created quickly and precisely from the nation’s data.

By building a single national database, the government could track down and stamp out the misspelled names and other inconsistent information that haunts large-scale databanks. And a single database would also let government officials and even outsiders use the data in the most efficient manner possible.

The Princeton Institute for Advanced Study issued a report enthusiastically supporting the project, saying that centralized storage of the records could actually improve the security of the information, and therefore the privacy of the nation. Carl Kaysen, the Institute’s director and the chairman of the study group, further urged that Congress pass legislation that would give the records additional protections, privacy and accountability. Others latched on to the idea, and the concept of the National Data Center slowly evolved into that of a massive databank containing cradle-to-grave electronic records for every US citizen. The database would contain every person’s electronic birth certificate, their proof of citizenship, their school records, their draft registration and military service, their tax records, their social security benefits, and ultimately, their death records and estate information. The FBI might even use the system to store criminal records.

An article promoting the project appeared in the July 23, 1966 issue of The Saturday Review. Its title said everything: "Automated Government---How Computers Are Being Used in Washington to Streamline Personnel Administration to the Individual’s Benefit." But the article didn’t have the intended result. Instead of applauding the technocratic vision, the US Congress commenced a series of hearings on the threats of computerized databanks. Six months later, The New York Times Magazine ran an article titled "Don’t Tell It to the Computer," which viciously attacked the idea of a centralized government data warehouse. Written by Vance Packard, author of The Naked Society, a best-selling book that described the invasion of privacy by government, business, and schools, the Times piece articulated what was to become a key argument against the project:

The tide was turning. By 1968, the Budget Bureau said that it was doubtful that a practical plan for the center would be presented to the 90th Congress. Meanwhile, the House Special Subcommittee on Invasion of Privacy issued a report holding that privacy must be of primary consideration in establishment of computerized data banks, that no work should be done on a national data center until privacy could be guaranteed, and that the Budget Bureau was at fault for not developing procedures to insure privacy.

A poll by the Harvard University Program on Technology and Society the following year found that 56% of Americans opposed development of the National Data Center, on the grounds that it would invade their privacy. That same year, in his book The Death of Privacy, Jerry M. Rosenberg opened with this grave warning:

The National Data Center was never built. Instead, each federal agency was told to continue building its own computer system. In lieu of creating a single databank, which could be used by unscrupulous bureaucrats to exercise inappropriate control over some person’s life, the government created dozens of databanks.

American businesses followed the government’s example, often purchasing the same models of computers that had first been developed to fill government needs. The political decision not to build a central data repository set the direction that computers would evolve for the next thirty years.

Thirty-Two Years Later

SEATTLE, 1997 - I order a pair of white chocolate lattès, and hand my Mileage Plus First Card to the barista for payment. Although the drinks cost only $3 each, I’d rather charge the transaction than pay cash. By putting every single purchase on my credit card, I’ve managed to accumulate a balance of more than 50,000 frequent-flyer "miles" in less than a year---enough to buy my wife and myself a pair of round-trip tickets anywhere in the United States.

Thirty years ago, the idea of a centralized computer tracking one’s every purchase seemed like part of an Orwellian nightmare. Ten years ago, the mathematical genius Dr. David Chaum invented "E-Cash," an anonymous payment system designed to let consumers buy things electronically without revealing their identities. Who could have imagined that the day would come when millions of people would not merely wish to have their purchases tracked---but would complain when transactions were missed?

I call my mother when I get home. In the back of my mind, I know that a record of that call is being kept in the phone company’s computer system. My records will probably never be reviewed by a human being, but at least once a month I hear about some big crime in which the suspect’s guilt was "proved," in part, by these kinds of telephone records. In the Oklahoma City bombing case, for instance, one critical piece of evidence was calling records from pre-paid telephone cards. Right wing extremists in the militia movement thought that calls made with these calling cards were anonymous and untraceable. But in fact, records of every call for each card had been carefully kept, and the prosecution was able to show that the defendant Timothy McVeigh had purchased the card in question, then presumably used to help plan the largest single act of terrorism in US history.

In the 1960s, the federal government operated most of the computers in the country. Commentators warned that the centralization of personal information might be planting the seeds of some future totalitarian regime. "My own hunch is that Big Brother, if he comes to the United States, will turn out to be not a greedy power-seeker but a relentless bureaucrat obsessed with efficiency," wrote Vance Packard in The New York Times Magazine.

Articles written by journalists like Packard killed the National Data Center. But they did not stop data-progress. Today a mesh of computers operated by banks, utilities, and private businesses record an astonishing amount of information about us on a daily basis. In many cases, personal information is there for the taking. Instead of building a national databank, we have built a nation of databanks.

How We Got Here

If you want to blame somebody for the computerization of America, go no further than the Framers of the Constitution. Way back in 1787, Thomas Jefferson and company decreed that the new republic would conduct a census every ten years. It sounded easy enough at the time, but as the United States expanded in both geographical size and population, the job of the census takers became increasingly difficult.

The problem wasn’t just the growing numbers of "huddled masses" docking at US ports, in search of freedom. Like any federal program, the census suffered mission creep. By 1880, the census was much more than a simple head count: it had become a tool for learning more about the people who made up the nation. Congress ordered the recording of people’s gender, their marital status, age, place of birth, education, occupation, and literacy. All this information was sent to Washington, DC, for tabulation, where census clerks made repeated passes over the forms, counting the number of responses which matched particular criteria. The 18-week process was slow and error-prone. And it was getting harder all the time.

Herman Hollerith was a young man who came to the Census Office after graduating from Columbia College in 1879. Hollerith saw the Census problems and soon became obsessed with the idea of building a machine to automated the clerical work. He spent a year looking at the problem, then left and spent a year teaching mechanical engineering at MIT. Then he returned to Washington, this time spending a year in the Patent Office. Finally he quite government service 1884 to become a full-time inventor.

Hollerith’s genius was in realizing that information from the census could be stored on punched pieces of paper, and that by repeatedly counting different holes on a set of punched cards in different ways he could perform the basic statistical operations that the census office required. In 1889 he entered and won a competition organized by the Census Office, earning a contract to provide the Census with his tabulating machines the following year. With the new machines, the census was tabulated in just six weeks, and Hollerith became famous with census officials around the world.

In 1896 Hollerith incorporated his business, the Tabulating Machine Company. He sold the business in 1911, receiving $1 million for his stock and a promise of continued employment with the successor firm, the Computing-Tabulating-Recording Company (CTR). Three years later, CTR hired Thomas J. Watson, who in 1924 renamed the company the International Business Machines Corporation (IBM).

Throughout the 1920s IBM continued to improve its tabulating machines and find new markets for the equipment. The company built a Type 1 printing tabulator, which recorded counts on paper. It developed the Type 80 Sorter, which automatically sorted a stack of cards, depending on the placement of the punched holes. In 1928, IBM developed a card that had 80 columns of 12 rows each---a format which remained in use until the 1980s.

Ironically, IBM’s biggest boost came from the Great Depression. A third of the nation’s workers were unemployed. People were starving and in poverty. President Franklin D. Roosevelt’s solution was to create the modern welfare state.

In 1935, Congress passed President Franklin Roosevelt’s Social Security Act. Under the plan, a portion of each American’s earnings would be deducted from their paychecks by their employer, who would add a matching "contribution," and send the money to the federal government, where it was put into the Social Security Trust Fund. Using this money, the Social Security Administration would send monthly checks to people who had retired or become disabled, or to the families of workers who had died.

Greatly complicating things for the new Social Security System was the requirement that benefit payments received by each worker be dependent in part on one’s lifetime contribution to the Trust Fund. This meant that the Social Security Board had to monitor how much money each employee in the United States earned, and it had to keep track of this information, from a worker’s first day at his first job until long after he did (and his family had stopped receiving his death benefits).

When the Social Security Board opened for business in 1936, it was immediately "the largest bookkeeping operation in the history of the world." The Board had expected that it would receive requests from 25 million workers; instead, it received 45 million. To keep the accounts straight, the Board assigned each worker a Social Security Number. The number was sent back to each worker to keep for his or her records, and additionally punched onto a "summary-of-earnings" punched card. Each year, the Social Security Board found each employee’s card and punched it with that year’s earnings. By 1943, Social Security had more than 100 million cards on file, filling six and a half acres of storage space.

Then, in 1951, Congress changed the rules under which Social Security benefits were calculated. Complying with the changes meant storing additional information on each card---information that would fill up the original cards within just five years. The newly renamed Social Security Administration couldn’t give everybody a second card: that would have doubled the number of acres necessary to store them all. With no other choice, Social Security turned to the young field of electronic data processing, and IBM’s first generation tube-based computer, the IBM 705. The nation’s work history would no longer be stored on punched cards, but on magnetic tape. The machines were installed in 1956, just as the first punched cards were filled up.

Social Security Numbers Considered Harmful

Although the Social Security number was never designed to be a universal identifier for American citizens, less than a decade after the number’s creation it became just that. In 1943 President Roosevelt issued an executive order that required federal agencies to use the Social Security number for identifying people, rather than each agency wasting money developing their own numbering systems.

The Department of Defense discarded military-service "serial numbers" and adopted the Social Security number instead. The Veterans Administration used the number to keep track of returning soldiers’ benefits. The FAA adopted SSNs as pilot license numbers. The Civil Service Commission adopted the number to keep track of federal employees. In 1961, the Internal Revenue Service tried to buck the trend and issue its own numbers. The plan was shot down as being too expensive. The IRS was told to use the Social Security Number instead.

Early into this process, some statisticians realized that the Social Security number was a bad choice for a national identifier. The first problem was the number itself: with just 9 digits, the SSN simply wasn’t long enough to handle every citizen, every visitor to the country, and every resident alien through the end of the 21st century. Because the Social Security number is so small, any randomly chosen 9-digit number has a good chance of being a valid SSN---raising the possibility of fraud and tax evasion. Another problem with the SSN is the way that the number is assigned. Instead of assigning the number in a uniform manner at birth, the way many European nations do, SSNs are assigned when a letter is sent to the Social Security Administration. And the SSN lacked what’s called a "check digit" --- a digit that doesn’t actually store information, but which verifies that the other digits are correct. Without a check digit, there’s no way to detect swapped digits or mistyped numbers. All of these problems would only increase the amount of invalid information will be stored in databanks that used SSNs for identifiers.

For all these reasons, in 1948 the US National Office of Vital Statistics proposed that our country adopt a national Birth Certificate Number. Starting on January 1, 1949, each birth certificate would be stamped with its own unique number. In a few years, that number could replace the SSN. But the country didn’t want a uniform national number that was well-designed and properly administrated. "The idea was denounced in 1949 and 1950 in many newspapers as a potentially regimenting ‘police state’ measure, and angry cartoons raised the ‘Big Brother’ argument," wrote Columbia University professor Alan Westin in 1967. "The opposition was sufficiently strong to persuade twenty-four states to reject participation in the plan and to cause Congress to drop legislative proposals that had been put forward to provide for federal participation in the program."

For better or worse, the US government was saddled with using the SSN to identify citizens in its computers. Certainly the government couldn’t use names: more than one person can have the same name, spellings are easily changed by accident or on purpose, and they were too unwieldy for the computers of the times. But nobody was happy with the numeric alternative either. Speaking to a researcher from Harvard University in 1969, a respondent from Boston summed things up pretty well: "Well, they have all this information ... [and] if they’re going to put it all together, there’s nothing we can do about it. But I don’t want to be known by my Social Security number. I have a name. No one else has this name. I’d like to have this name until I die, and I don’t want to be known by a Social Security number."

America Adopts the Harmful Number

The US Government wasn’t the only organization to adopt the Social Security number: increasingly, SSNs were being used as the single "universal identifier" to arrange files on Americans. Many states adopted Social Security numbers for state income taxes and drivers license numbers; libraries used SSNs for library cards; colleges used SSNs for student ID numbers; hospitals used SSNs as patient identification numbers. And in the world of private business, one of the most aggressive users of the number were consumer reporting bureaus, who were in the process of computerizing their files in the 1960s and found the SSN to be a valuable tool for the process.

Credit reporting didn’t start in the 1960s, of course. Americans had been making major purchases on credit since the end of the Civil War. And since the turn of the century, specialized credit bureaus in cities across the country had been keeping files on Americans, that recorded both their ability and their past willingness to pay their debts. Credit bureaus had even created their own trade organization, the Associated Credit Bureaus, to facilitate the exchange of consumer credit information.

By 1969, credit bureaus were widely used by businesses, but most Americans were only dimly aware that these files existed. Indeed, many credit bureaus had policies that forbade consumers from seeing the contents of their own files.

One reason for the secrecy was the content of the files themselves. The companies that held them said that they contained factual information: loans that hadn't been repaid, overdue credit card payments, and multiple address changes by people constantly trying to escape creditors. But testifying before Congress in March 1970, Alan Westin said that the files "may include 'facts, statistics, inaccuracies and rumors' ... about virtually every phase of a person's life; his marital troubles, jobs, school history, childhood, sex life, and political activities." Apparently, business leaders of the time thought that if a person beat their spouse or engaged in deviant sexual practices, they probably couldn't be trusted to pay back a loan. But they were understandably afraid of letting the public discover just what kind of knowledge was being collected on the American public.

Between 1965 and 1970, three Congressional committees and five state legislatures held hearings on the practices of the growing credit-reporting industry. Lawmakers were attempting to understand this industry, which had heretofore largely been secret, and they were trying to determine if computers were making it more unfair. At many of those hearings the star witness was Alan Westin, who attacked the industry for its cavalier attitude toward the accuracy of its information on consumers, and for giving out that information to practically anyone who asked for it---except the consumers themselves.

"Almost inevitably, transferring information from a manual file to a computer triggers a threat to civil liberties, to privacy, to a man's very humanity because access is so simple," argued Westin. Computers would make it possible to create an indelible history of a person’s life mistakes, making it impossible for them to ever get a second chance.

Others agreed. In his book The Naked Society, Vance Packard recounted a story of an 18-year-old man who couldn’t get a job with any department store in Michigan, despite letters of praise from his teachers, clergy, and even his town’s chief of police. The reason: when he was 13 years old, he had been caught shoplifting. His name had been placed in a computerized file shared between all of the region’s stores. Thanks to the power of the computer to store data away for years yet keep it instantly accessible, the man had been blacklisted forever by Michigan’s merchants.

Then there were numerous stories of people who were denied credit, insurance, or jobs because of a mistake: erroneous information that somebody had entered in to the computer’s databanks. Sometimes two people with similar-sounding names would get their records confused. Occasionally a store would say that a customer owed money, but the customer denied it. In these cases, the customer was always wrong, because the businesses controlled what information was entered into the credit files.

Credit bureaus responded to the criticism by saying that their industry was a vital part of the nation’s growing credit-based economy. Without these credit reports, the bureaus argued, how could you tell who has good credit and who doesn’t? Banks couldn't write mortgages. Department stores wouldn't be able to sell anything to anyone on credit. Not only would the growing credit economy collapse, millions of people would be denied the credit they deserved.

Packard, Westin, and other commentators of the time said that moving manual files to computers would create unprecedented opportunities for new kinds of abuse. For this reason, computerization should be stopped. But experts familiar with the technology said otherwise. The computer creates "more opportunity for control than it does for hazard," said Dr. Harry C. Jordan, founder of the California-based firm Credit Data Corporation. (In 1968, Credit Data Corporation was bought by TRW, Inc., and the company’s name was changed to TRW-Credit Data. The company was divested from TRW in 1996 and its name changed again, to Experian.) Testifying in 1968 before the Congressional Subcommittee on Invasion of Privacy, Jordan said that computers could be programmed to enforce pro-privacy policies such as automatically discarding old data.

As a result of the hearings, Congress ultimately passed the Fair Credit Reporting Act in April 1971. Instead of putting the brakes on computerization, the Act gave consumers new rights regarding information stored about them in credit-related databanks, including the right to view the contents of their own file, challenge erroneous information, and insert their own version of events if a creditor insisted that deleterious information in a consumer’s file was correct.

The industry complained. Credit Data’s executives said that the Act would "create a landslide" of consumer requests to see their files, but Westin’s 1972 survey of the company found that the Act had merely increased the number of inquiries from consumers requesting to see their own files from 0.5% to 0.7%. That was hardly a landslide. If anything, the Act merely gave consumers a tool for fighting back against the most egregious practices of the industry.

The 1970s and 1980s saw considerable consolidation in the credit reporting industry, to the point that today there are basically three companies in the business: Equifax (formerly Retail Credit); Experian (formerly Credit Data Corporation); and Trans Union. Each company’s credit report contains more or less the same information: a list of credit cards, bank loans, student loans, and other credit a person has been granted over the past 7 years. (Negative credit assessments remain on the report for 7 years, bankruptcy proceedings for 10 years, and all "good" credit behavior stays on your record for life.) For each loan, the report records the person’s payment history: how often a payment was made on time, and how many times payments were 30, 60 or 90 days late.

The credit reports produced for banks frequently include a credit "score" as well. This score looks at a consumer’s credit history and rates that person, for example, on a scale of one to ten. Although many consumers have demanded to see their scores, the reporting companies have never released them. You would think that this is a violation of the Fair Credit Reporting Act, but it isn’t. The score is not technically part of the consumer’s file.

Despite the reforms, many consumers have continued to complain that a significant amount of the information stored in the nation’s credit banks is either misled or just plain wrong---and that this inaccurate information turns people into innocent victims by denying them credit for no good reason.

The credit reporting firms have also fought for their right to release certain kinds of information in a consumer’s file---the consumer’s name, address, phone, and Social Security number---to anybody and for any purpose. The firms maintain that this information is not credit information and this not covered by the FCRA, which forbids the release of the information for non-credit or insurance purposes, such as direct marketing or "people-finding" services.

Of course, nobody is entitled to credit. But in a society where credit is required by all but the very richest families to buy a house, to buy or to rent a car, to get an education, denying somebody credit effectively denies that person the privileges of being a member of that society.

It Could Happen to You

Many people in American society do their best to follow the rules but inadvertently get ground up by inflexible computer systems, which somehow just can’t quite cope with the messiness of day-to-day life. Just take the case of Steve and Nancy Ross, who did a lot of traveling in the early 1980s and paid for it with a ruined credit report, courtesy of the Internal Revenue Service.

In 1983 Nancy Ross won a fellowship to spend six months on Hawaii, paid for by the Japanese American Institute for Management Sciences. At the time her husband Steve was a freelance writer and self-employed computer consultant, so the two of them packed up their kids and went off on their Pacific adventure. At the end of the trip they returned to their home in Leonia, New Jersey.

A few months later, Nancy was invited to spend a year in the Far East and Japan. It was the chance of a lifetime for her kids, so they packed their bags and left. By this time Steve had accepted a job in the journalism department with Columbia University, so he stayed behind. To save money, the family rented out their house in New Jersey and Steve moved into a tiny apartment in the City.

Shortly after Steve and Nancy moved back home, they received a nasty letter from the IRS: a lien had been placed on their house. "I immediately called the IRS in Holtsville [NJ] and said essentially, ‘What are you talking about?’" recalls Steve Ross. "I reached a good clerk. We were on the phone for about half an hour. She figured it out. She said, ‘I bet I know what happened.’ She called out to California, and within six hours I had a call back for the IRS. She said ‘Just to set your mind at ease, you are clean. We are sending you a letter.’" The lien was immediately removed.

What had happened was one of those weird confluence of errors that have a way of popping up whenever computers are involved. Because Steve and Nancy were both self-employed, they had to make quarterly income tax payments to the IRS. During the summer of 1983, they sent their $3500 check from Hawaii to the regional IRS processing center on Long Island. But the Post Office saw that the check was going to the IRS in Long Island, and redirected the check to an IRS processing center in California.

Now, it turns out that during the summer of 1983 the IRS was deploying a new computer system, and that year the quarterly payments from the various regional processing centers weren’t properly cross-posted to the other regions of the country. Instead, the California processing center simply opened a new account for the Ross family.

When the IRS processing center in Long Island got the Ross family’s 1983 tax returns, its computers detected an inconsistency: the Rosses had reported paying $3500 more in taxes than the IRS computers (in New York, at least) had received. So the computers sent Steve Ross a letter demanding the $3500 payment.

By that time, Nancy was in Japan and Steve was living in a tiny New York apartment. Although they had arranged for their mail to be forwarded, the letter from the IRS had the words "do not forward" stamped on the outside. So Steve never saw it. The IRS also sent a "to whom it may concern" letter to the tenant at the family house, advising that a lien was about to be placed on the house, but the tenant refused delivery of the letter because he was also in trouble with the IRS.

Next, the IRS tried to find the family’s bank account in New Jersey, but the family had closed that account and was using new accounts in Hawaii and New York. The IRS couldn’t find the new accounts, so the IRS put a lien on the home.

I’ve gone into this level of detail because many of these stories of credit mishap are equally complicated. There’s always a long story. But that story doesn’t show up on the computers at TransUnion and Equifax. All these companies knew was that a lien had been placed on the Ross house for $10,000. So when the family’s Mid Atlantic Mastercard came up for renewal in May 1985, instead of automatically renewing the card, the bank canceled it.

"I call up TRW first," says Steve Ross. "They said ‘no problem, send a copy of the letter and an explanation, and we will put that with your credit report.’ I said, ‘Aren’t you going to expunge the record?’ They said ‘No.’ They don’t do that. When you have an unfavorable note in your credit report, they don’t take it out, they just put your explanation with it.

"We sent two copies off. And true to their word they put in notice---they summarized my explanation in a paragraph, and they confirmed that the IRS had sent a letter saying we were clean. The problem is that those two [TRW and Equifax] had already sold the credit data to something like 187 independent bureaus. And there was just no way that I could ever keep up with it," he says. Like a computer virus, the information from the independent credit bureaus’ computers kept re-infecting TRW’s computer with the incorrect information---that the IRS had a lien on the family’s house in Leonia. As far as the Ross family was concerned, the correction provisions of the Fair Credit Reporting Act just didn’t work. "There was literally no way to get that information out of the system."

The Ross family eventually convinced Mid Atlantic to re-issue the credit card. And it was a good thing, too: for the next seven years, the Rosses couldn’t obtain a new credit card, they were rejected for bank loans, and they were unable to refinance their house. And they were effectively grounded: with a bad credit rating, they couldn’t move and get a new mortgage on a new house.

The situation would have been much worse without that Mid Atlantic credit card: "I travel a lot on business. How can you rent a car without a credit card? How can you rent a hotel room without a credit card? It’s just part of life. It would have destroyed my ability to make a living," says Steve Ross.

"By the end of the 1980s, our family income was well into six figures. But it was not until 1992, seven years later, that the obnoxious credit-card salesmen began calling," and the offers for low-interest-rate credit cards started appearing in the mail. After seven years, the lien was removed from the credit-reporting databanks, thanks to the Fair Credit Reporting Act.

As a side note, when the Rosses first received a copy of their credit report, they noticed something else on it that was wrong as well: a record of an item ordered from the Spiegel catalog in Chicago, that had never been paid for. "Spiegel claimed that we had ordered it and never paid for it. Now, the fascinating thing was we had never done business with them, and they had never dunned us. They had probably dunned someone in Texas [where the item was shipped]. TRW did investigate that one, [at least] they tried to. By the time we had noticed that, Spiegel no longer had those records in their computer, so they had no way of verifying it, except by hand. So it just stayed there," on the family’s credit report.

The Ross family’s experience is far from unique. In 1991, James Williams of Consolidated Information Service, a New York-area mortgage reporting firm, analyzed 1,500 reports from TRW, Equifax and Trans Union, and found errors in 43 percent of the files. Privacy activists say that more than 50% of all consumer files have a significant error in them. Some errors were relatively minor, such as an incorrect address. In other cases, the files mix credit information from two people with similar names. Or the files contain information that is simply wrong.

Associated Credit Bureaus, the industry’s trade organization, disputes these figures. ACB claims that more than 550 million credit reports are sold each year with little mishap. According to a 1991 study funded by ACB and conducted by the consulting firm Arthur Andersen & Co., errors critical to the decision of offering credit turn up in fewer than 1 percent of all consumer files. Still, that is more than two million people who are being denied credit unfairly.

Both studies are probably correct. Many people who see their credit reports spot errors on them, but usually they are not significant. Indeed, there are so many errors on so many credit reports that credit cards companies have come to expect them, and as a result a single black mark no longer keeps a person from getting new credit. But this approach is far from the most fair, because it invariably offers credit to some people who shouldn’t get it, while it keeps credit from others who should.

Identity Theft: A Stolen Self

Stories like what happened to the Ross family used to make up the bulk of credit reporting problems. But in recent years, there has been a sudden and dramatic growth of a new kind of crime, made possible by the ready availability of both credit and once-private information on Americans. In these cases one person finds another's name and Social Security number, applies for a dozen credit cards, and proceeds to run up huge bills. (Many banks make this kind of theft far easier than it should be, by printing their customers’ Social Security number on their bank statements.) Sometimes the crook gets the personal information from inside sources: in April 1996, federal prosecutors charged the Social Security Administration employees with stealing personal information on more than 11,000 people and selling them to credit fraud rings, who used the information to activate stolen credit cards and ring up huge bills. Other times, crooks pose as homeless people and rummage through urban trash cans, looking for bank and credit card statements. This crime has become so common that it has earned its own special name: identity theft.

A typical case is what happened to Stephen Shaw, a Washington-based journalist. Sometime during the summer of 1991 a car salesman from Orlando, FL, with a similar name --- Steven Shaw --- obtained Stephen Shaw's credit report. This is actually easier than it sounds. For years, Equifax had aggressively marketed its credit reporting service to car dealers. The service lets salespeople weed out the Sunday window-shoppers from the serious prospects by asking a customer’s name and then surreptitiously disappearing to the back room to run a quick credit check. In all likelihood, says the Washington-based Shaw, the Shaw in Florida had simply gone fishing for someone with a similar-sounding name and a good credit history.

Once Steven Shaw in Florida had Stephen Shaw’s Social Security number and credit report, he had all that he needed to steal the journalist’s identity. Besides stating that Stephen Shaw had excellent credit, the report listed his current and previous addresses, his mother’s maiden name, and the account numbers of all of his major credit cards. Jackpot!

"He used my information to open 35 accounts and racked up $100,000 worth of charges," says Stephen Shaw. "He tagged me for everything under the sun---car loans, personal loans, bank accounts, stereos, furniture, appliances, clothes, airline tickets."

Because all the accounts were opened with Stephen Shaw’s name and Social Security number, all of the businesses held the Washington-based Stephen Shaw liable for the money that the other Shaw spent. And when the bills weren’t paid, the companies told Equifax and the other credit bureaus that Stephen Shaw, the man who once had stellar credit, was now a deadbeat.

Not all cases of identity theft start with a stolen credit report or a misappropriated bank statement. Some cases begin with a fraudulently filed change-of-address form, directing the victim’s mail to an abandoned building. And no paper trail need be created at all. In May 1997, the Seattle Times reported that hundreds of people in the Seattle area had received suspicious "crank phone calls." The caller claimed to be from a radio station that was giving away money; the check would be in the mail as soon as the person picking up the phone provided their Social Security number.

Some people found the calls suspicious and telephoned the station or the police. Others presumably handed over the information. Similar scams are epidemic on America Online, the world’s largest online service. On computer systems, in fact, the scam is so common that it has its own name: "phishing."

Shaw says that it took him more than four years to resolve his problems---a period that appears to be typical for most victims. That’s four years of harrassing calls from bill collectors, of getting more and more angry letters in the mail, or not knowing what else is being done in your name. Four years of having your creditors think of you as a deadbeat. During this period, it’s virtually impossible for the victim to obtain a new credit card or a mortgage. One of the cruelest results of identity theft is that many victims find themselves unemployable; in addition to references, many businesses routinely the check credit reports of their job applicants.

Identity theft is made possible because credit-card companies, always on the lookout for new customers, don’t have a good way to verify the identity of a person who mails in an application or orders a credit card over the telephone. So the credit card companies make a dangerous assumption: they take it for granted that if you know a person’s name, address, telephone number, Social Security number, and mother’s maiden name, then you must be that person. And when the merchandise is bought and the bills aren’t paid, that person is the one held responsible.

Identity theft isn’t a fundamentally new kind of crime. There are many stories from fairy tales and from the American West of con men who scammed a place to stay, fancy meals, and even the affection of an unknowing lady, by claiming to be somebody else. What’s different now is that corporate willingness to extend credit has made many more people vulnerable to having their identity and reputation exploited without their knowledge. And because the credit is offered by mail or by telephone ---often by either a computer running a program or a low-paid customer service rep reading a script---it has become near impossible for the true prince to convince the shopkeeper that he has been duped by a rogue.

***

Looking back from thirty years, there are a lot of lessons to learn from the failed federal National Data Center proposal and the nation-wide system of databanks, access terminals, and computer networks that private industry built in the resulting vacuum.

Perhaps the most important lesson is that you can’t prevent the adoption of a technology simply by deciding not to use it: if the technology is widely available and there are no barriers to its use, some other business or government agency or individual will deploy it if you don’t. If it can be done, someone will do it. The US government didn’t link together all of its databanks, but private industry is well on the path to it.

We have also learned that decisions made early on, have far-reaching effects. Designed in 1932, the Social Security number has had its role in society constantly expanded over the last two-thirds of this century. No matter how you look at it, the SSN is a bad number. But our country has been unwilling to stop using it.

We have learned that consumer-friendly identification is hard to do---and that many companies are unwilling to do it, even if the result is increased fraud and shattered lives.

It has never been easier to impersonate somebody else as it is today. Banks and credit-card companies offer easy, high-interest loans at the drop of an SSN, and when they screw up, it is the defrauded customer who pays.

At the same time, we have seen that regulations designed to balance the power between Big Business and the general public can be and have been effected. Thanks to the Fair Credit Reporting Act, even inaccurate and grossly unfair information is eventually removed from a person’s credit history; it does not haunt for a lifetime. On the other hand, it is clear that incremental reform, such as the FCRA, is not the most effective way to change legislative policies: despite many attempts on the part of some activists, Congress has never passed important revisions to the FCRA or created a watchdog agency charged with protecting consumer privacy and freedom. Indeed, the time for pushing those stronger reforms was when the FCRA was first being drafted.

We’ve seen that business fights any attempt at privacy regulation---just as the chemical industry fought attempts at environmental regulation. Yet in both cases, the predicted dire consequences somehow failed to materialize. In fact, just as environmental regulations forced the chemical industry to be less wasteful---and thus more profitable---the few privacy regulations that have been adopted have generally improved the quality of the information stored in corporate and government databanks, thus making these systems more valuable, useful, and profitable. Indeed, protecting consumer privacy and freedom is in the best long-term interests of both business and society. But because most business leaders are focused on the next 12-month cycle, they cannot appreciate this simple fact.

The need for government to step in and create pro-privacy standards will become increasingly clear in the coming years. We are moving past the 1960s vision of computers that hold financial, educational, and credit information. In the future, computers will be holding everything.

(This chapter is from Simson Garfinkel's book on privacy, 2048: Privacy, Identity, and Society in the next century. This chapter is © 1997, 1998 Simson L. Garfinkel.)