Identity theft is a major problem. According to the US Bureau of Justice Statistics, identity theft cost Americans $17.3 billion over a two-year period, with an average out-of-pocket expense of $1,870. In the past few months we’ve heard several stories of major security breaches resulting in the exposure of personal data. Examples? Here are just three in a much longer list. Sony’s online gaming system was breached earlier this year, and up to 10 million users’ credit card information was compromised. Last week Sega announced that 1.29 million users’ personal data had been lost. Finally, Citigroup recently announced that 360,000 of its customers’ credit cards had been compromised.
How do the criminals get access to large amounts of “secure” data? They ask you for it, and you give it to them. Why do you give it to them? Because the very companies that are being robbed of billions of dollars are contributing to the social conditions that make the theft of personal information so simple. The culprit? Telemarketing.
I’ll get to the link with telemarketing in a moment, but first we need to understand how it is that you come to give your personal information to crooks in the first place.
Of course, you don’t know you’re giving it to criminals. Rather, you think you’re giving your personal information–credit card numbers with security codes, date of birth, account numbers, driver’s license, passport number, address, and so on–to a representative of a company with which you do business, or some other trusted person.
Techniques like these have various names: phishing, vishing, or spear phishing (explained in this fact sheet I helped to prepare while working at the Privacy Commissioner of Canada), and all of them are very problematic.
Here’s an example of the general method that is used to get your personal information in all of them:
Your phone rings. You pick it up and the person on the other line tells you they are calling on behalf of company X, a company you have a credit card with. They tell you that they want to discuss new features on your card and need to confirm that you are in fact their customer. You say something like, “OK.” The person then asks you for your credit card number, the expiry date, and, just to be sure, the security code. You say something like, “Let me get my card.” And after you give them the information, they launch into a detailed explanation of the new features that have been added to your account, and how the features will be to your benefit. You hang up, not suspecting a thing. They go buy a PlayStation 3 at Wal-Mart.
This general method, sometimes called social engineering (a horrible term), was recently used successfully to breach the Canadian government. Emails were sent to government officials that looked like legitimate requests from senior staff. The requests were for information that allowed hackers to break into the government’s network and steal Canadians’ personal data.
But let’s get back to the imaginary case I just outlined. A few days after getting the call from your “credit card company” (who in this instance were criminals) you get another call from a person claiming to be from the same company. That person tells you that your credit card has experienced unusual activity, and that they need to confirm the problem. You say something like, “OK.” They ask you for your name, date of birth, address, and possibly the security code on the back of the card. You give it to them. They explain that someone in Texas (you live in Ottawa) has made a $400 purchase on your card. You explain that you have not recently been to Texas, and they tell you they need to cancel your card.
Later that day, you get another call from someone claiming to be from the cable company, and they want to talk to you about new features that are available on your account…
Notice how little difference there is between the criminal activity and the legitimate activity? You should. And so should the companies engaging in telemarketing.
Privacy experts will tell you that the best way to avoid having your identity stolen is to never give information out to people who contact you. They say you should call them back at a number you get from the back of your card or from your bill (never use a number they give you). And they’re right.
The problem is that credit card companies, banks, cable companies, and all the other companies with which you do business also know this. They know that you should never give your information up to someone who contacts you on the phone or by email.
Yet the very companies who are being robbed (along with their customers) are contributing to the problem by engaging in the kind of activity that leads to so many of the problems in the first place. They are essentially asking their customers to act irresponsibly. And that is a huge part of the problem.
If companies stopped telemarketing, then we would never think to give up information over the phone to a person claiming to be from a legitimate company–we would know that there are no legitimate representatives asking for personal information over the phone.
At the very least, if a company engages in telemarketing, it seems they should be forced to bear the bulk of the cost of identity theft–not the customer. It’s disingenuous to claim that a customer should know better than to give up information, say over the phone, if the very company making that claim is engaged in asking customers to give up information over the phone.
Identity theft is becoming enough of a problem that it should spell the end of telemarketing–a practice that poses a direct threat to privacy by engendering trust in bad business practices.
(Postscript: If you feel like making an economic argument something along the lines that there is a market for telemarketing, or that it is essential to doing business, see my recent post On Exporting Asbestos and Land Mines)