Database Nation: Chapter 2, Sample Sections

Many people in American society do their best to follow the rules, but inadvertently get ground up by computer systems that have been poorly designed--systems that somehow can't quite cope with the messiness of day-to-day life. Just take the case of Steve and Nancy Ross, who did a lot of traveling in the early 1980s and paid for it with a ruined credit report, courtesy of the Internal Revenue Service.

In 1983, Nancy Ross won a fellowship to spend six months in Hawaii, paid for by the Japanese American Institute for Management Sciences. At the time, her husband Steve was a freelance writer and self-employed computer consultant, so the two of them packed up their kids and went off on their Pacific adventure. At the end of the trip, they returned to their home in Leonia, New Jersey.

A few months later, Nancy was invited to spend a year in the Far East and Japan. It was the chance of a lifetime for her kids, so they packed their bags again and left. By this time, Steve had accepted a job at the journalism department of Columbia University, so he stayed behind. To save money, the family rented out their house in New Jersey and Steve moved into a tiny apartment in New York City.

Shortly after Steve and Nancy moved back home, they received a nasty letter from the IRS: a lien had been placed on their house. "I immediately called the IRS in Holtsville [New Jersey] and said essentially, `What are you talking about?'" recalls Steve Ross. "I reached a good clerk. We were on the phone for about half an hour. She figured it out. She said, `I bet I know what happened.' She called out to California, and within six hours I had a call back from the IRS. She said `Just to set your mind at ease, you are clean. We are sending you a letter.'" The lien was immediately removed.

What had happened was one of those weird confluences of errors that have a way of popping up whenever computers are involved. Because Steve and Nancy were both self-employed, they had to make quarterly income tax payments to the IRS. During the summer of 1983, they sent their $3,500 check from Hawaii to the regional IRS processing center on Long Island. But the post office mistakenly redirected the check to an IRS processing center in California.

Now, it turns out that during the summer of 1983, the IRS was deploying a new computer system, and that year the quarterly payments from the various regional processing centers weren't properly cross-posted to the other regions of the country. Instead, the California processing center simply opened a new account for the Ross family.

When the IRS processing center on Long Island got the Ross family's 1983 tax returns, its computers detected an inconsistency: the Rosses had reported paying $3,500 more in taxes than the IRS computers (in New York, at least) had received. So the computers sent Steve Ross a letter demanding the $3,500 payment.

By that time, Nancy was in Japan and Steve was living in a tiny New York apartment. Although they had arranged for their mail to be forwarded, the letter from the IRS had the words "do not forward" stamped on the outside. So Steve never saw it. The IRS also sent a "to whom it may concern" letter to the tenant at the family house, advising that a lien was about to be placed on the house, but the tenant refused delivery of the letter because the tenant was also in trouble with the IRS.

Next, the IRS tried to find the family's bank account in New Jersey, but the Ross family had closed that account and was using new accounts in Hawaii and New York. The IRS couldn't find the new accounts, so they put a lien on the New Jersey home.

I've gone into this level of detail because many of these stories of credit mishap are equally complicated. There's always a long story. But that story doesn't show up on the computers at Trans Union and Equifax. All these companies knew was that a lien had been placed on the Ross house for $10,000. So when the family's Mid Atlantic MasterCard came up for renewal in May 1985, instead of automatically renewing the card, the bank canceled it.

"I called up TRW first," says Steve Ross. "They said `no problem, send a copy of the letter and an explanation, and we will put that with your credit report.' I said, `Aren't you going to expunge the record?' They said `No.' They don't do that. When you have an unfavorable note in your credit report, they don't take it out; they just put your explanation with it.

"We sent two copies off. And true to their word, they put in a notice--they summarized my explanation in a paragraph, and they confirmed that the IRS had sent a letter saying we were clean. The problem is that those two [TRW and Equifax] had already sold the credit data to something like 187 independent bureaus. And there was just no way that I could ever keep up with it," he says.

Like a computer virus, the information from the independent credit bureaus' computers kept reinfecting TRW's computer with the incorrect information--that the IRS had a lien on the family's house in Leonia. As far as the Ross family was concerned, the correction provisions of the Fair Credit Reporting Act just didn't work. "There was literally no way to get that information out of the system."

The Ross family eventually convinced Mid Atlantic to reissue the credit card. And it was a good thing, too: for the next seven years, the family couldn't obtain a new credit card from any other financial institution; they were also rejected for bank loans, and they were unable to refinance their house. And they were effectively grounded: with a credit report that said the IRS once put a lien on their home, they couldn't move and get a new mortgage on a new house.

The situation would have been much worse without that Mid Atlantic credit card: "I travel a lot on business. How can you rent a car without a credit card? How can you rent a hotel room without a credit card? It's just part of life. It would have destroyed my ability to make a living," says Steve Ross.

"By the end of the 1980s, our family income was well into six figures. But it was not until 1992, seven years later, that the obnoxious credit card salesmen began calling," and the offers for low-interest-rate credit cards started appearing in the mail. After seven years, the lien was removed from the credit reporting databanks, thanks to the Fair Credit Reporting Act.

As a side note, when the Rosses first received a copy of their credit report, they noticed something else on it that was wrong: a record of an item ordered from the Spiegel catalog in Chicago. "Spiegel claimed that we had ordered it and never paid for it. Now, the fascinating thing was we had never done business with them, and they had never dunned us. They had probably dunned someone in Texas [where the item was shipped]. TRW did investigate that one, [at least] they tried to. By the time we had noticed that, Spiegel no longer had those records in their computer, so they had no way of verifying it, except by hand. So it just stayed there," on the family's credit report.

The Ross family's experience is far from unique. In 1991, James Williams of Consolidated Information Service, a New York-area mortgage reporting firm, analyzed 1,500 reports from TRW, Equifax, and Trans Union, and found errors in 43% of the files. That same year, roughly 1,400 homeowners in the town of Norwich, Vermont (population: 3,000) were listed on TRW's computer system as tax delinquents "because [a] TRW contractor gathering home mortgage information mistakenly noted tax bills on town records as tax liens." Despite considerable publicity on the case, some of the residents encountered difficulty convincing TRW to correct their files. The same thing happened in Cambridge, Massachusetts, in 1992, when an Equifax contractor mistakenly reported tax bills as tax liens.

Privacy activists say that more than 50% of all consumer files have a significant error in them. Some errors are relatively minor, such as an incorrect address. In other cases, the files mix credit information from two people with similar names. Or the files contain information that is simply wrong.

What's worse, reporting agencies frequently do not correct errors when the mistakes are brought to the agencies' attention. For example, in 1989 Bonnie Guiton, then the White House Advisor on Consumer Affairs, requested a copy of her credit report and discovered an account she knew nothing about: a stranger had apparently applied for, and received, a credit card under Guiton's name. So Guiton wrote to the bureau and asked that the erroneous information be deleted. "They wrote me back and indicated that they had corrected it, it had been taken off my record," Guiton testified before Congress in September 1989. A few months later she requested her report again, and discovered the fraudulent account was still listed.

Errors are pervasive in credit files. When she testified, Guiton noted that her staff members had all requested their own credit reports; many found errors in their own files. In my personal experience, I do not know of a single person who has ever requested a copy of his or her own credit report and not found something in it that was wrong--not just a typo, but something that was detrimental to the overall credit rating.

Associated Credit Bureaus, the industry's trade organization, disputes the 50% figure. ACB claims that more than 550 million credit reports are sold each year with little mishap. According to a 1991 study funded by ACB and conducted by the consulting firm Arthur Andersen, errors critical to the decision of offering credit turn up in fewer than 1% of all consumer files. Still, that is more than two million people who are being denied credit unfairly.

Both studies are probably correct. Many people who see their credit reports spot errors on them, but usually they are not material. Indeed, there are so many errors on so many credit reports that credit card companies have come to expect them, and as a result, a single black mark no longer keeps a person from obtaining credit. But this approach is far from the most fair, because it invariably offers credit to some people who shouldn't get it, while it keeps credit from others who should.

Identity Theft: A Stolen Self

Stories like what happened to the Ross family made up the bulk of credit reporting problems in the 1980s and early 1990s. But in recent years, there has been a sudden and dramatic growth of a new kind of crime, made possible by the ready availability of both credit and once-private information on Americans. In these cases, one person finds another's name and Social Security number, applies for a dozen credit cards, and proceeds to run up huge bills. (Many banks make this kind of theft far easier than it should be by printing their customers' Social Security numbers on their bank statements.) Sometimes the thieves enjoy the merchandise for themselves, go on lavish trips, and eat in fine restaurants. Other times, the thieves fence the ill-gotten merchandise, turning it into cash. This crime has become so common that it has earned its own special name: identity theft.

Sometimes the crook gets the personal information from inside sources: in April 1996, federal prosecutors charged a group of Social Security Administration employees with stealing personal information on more than 11,000 people and selling the data to credit fraud rings, who used the information to activate stolen credit cards and ring up huge bills. Other times, crooks pose as homeless people and rummage through urban trash cans, looking for bank and credit card statements.

A typical case is what happened to Stephen Shaw, a Washington-based journalist. Sometime during the summer of 1991, a car salesman from Orlando, Florida with a similar name--Steven Shaw--obtained Stephen Shaw's credit report. This is actually easier than it sounds. For years, Equifax had aggressively marketed its credit reporting service to car dealers. The service lets salespeople weed out the Sunday window-shoppers from the serious prospects by asking a customer's name and then surreptitiously disappearing into the back room and running a quick credit check. In all likelihood, says the Washington-based Shaw, the Shaw in Florida had simply gone fishing for someone with a similar-sounding name and a good credit history.

Once Steven Shaw in Florida had Stephen Shaw's Social Security number and credit report, he had everything he needed to steal the journalist's identity. Besides stating that Stephen Shaw had excellent credit, the report listed his current and previous addresses, his mother's maiden name, and the account numbers of all of his major credit cards. Jackpot!

"He used my information to open 35 accounts and racked up $100,000 worth of charges," says Stephen Shaw. "He tagged me for everything under the sun--car loans, personal loans, bank accounts, stereos, furniture, appliances, clothes, airline tickets."

Because all the accounts were opened using Stephen Shaw's name and Social Security number, all of the businesses held the Washington-based Stephen Shaw liable for the money that the other Shaw spent. And when the bills weren't paid, the companies told Equifax and the other credit bureaus that Stephen Shaw, the man who once had stellar credit, was now a deadbeat.

Not all cases of identity theft start with a stolen credit report or a misappropriated bank statement. Some cases begin with a fraudulently filed change of address form, directing the victim's mail to an abandoned building. And no paper trail need be created at all. In May 1997, the Seattle Times reported that hundreds of people in the Seattle area had received suspicious crank phone calls. The caller claimed to be from a radio station that was giving away money; the check would be in the mail as soon as the people picking up the phone provided their Social Security numbers.

Some people found the calls suspicious and telephoned the station or the police. Others presumably handed over the information that the callers requested. Similar scams are epidemic on America Online, the world's largest online service, where they have been given the evocative name phishing.

Shaw says it took him more than four years to resolve his problems--a period that appears to be typical for most identity theft victims. That's four years of harassing calls from bill collectors, of getting more and more angry letters in the mail, of not knowing what else is being done in your name. Four years of having your creditors think of you as a deadbeat. During this period, it's virtually impossible for the victim to obtain a new credit card or a mortgage. One of the cruelest results of identity theft is that many victims find themselves unemployable; in addition to job references, many businesses routinely check the credit reports of their job applicants.

Identity theft is made possible because credit card companies, always on the lookout for new customers, don't have a good way to verify the identity of a person who mails in an application or orders a credit card over the telephone. So the credit card companies make a dangerous assumption: they take it for granted that if you know a person's name, address, telephone number, Social Security number, and mother's maiden name, you must be that person. And when the merchandise is bought and the bills aren't paid, that person is the one held responsible.

Of course, it's relatively easy to learn a person's name, address, telephone number, Social Security number, and mother's maiden name. Credit bureaus hand this data out to their customers. Lookup services make this information available, at minimal cost, over the Internet. And many consumers, unaware of the risk, will readily divulge this information to people who call on the phone and claim to be from a bank or credit card agency.

Identity theft isn't a fundamentally new kind of crime. There are many stories from fairy tales and from the American West of con men who scammed a place to stay, fancy meals, and even the affection of an unknowing lady, by claiming to be somebody else. What's different now is that corporate willingness to extend credit has made many more people vulnerable to having their identity and reputation exploited without their knowledge. And because the credit is offered by mail or by telephone--often by either a computer running a program or by a low-paid customer service representative reading a script--it has become nearly impossible for the hero to convince the lady that she has been duped by a rogue.

Nobody is really sure how prevalent identity theft is today--estimates vary between 100,000 and 400,000 cases a year--but it is definitely on the rise. Ideally, the perpetrators should be jailed, fined, and otherwise punished. But law enforcement agencies are overwhelmed, and the courts have not allowed the true victims--the people who have had their identities stolen--to press charges against the perpetrators. That's because the law sees the company that issued the credit as the aggrieved party, not the people who have had their identities stolen. And most banks won't prosecute; it is easier to simply write off the loss and move on.

There are lots of technical changes that could be made to lower the incidence of identity theft. One change, for example, would be to require a person applying for a credit card to show up in person and have a photograph taken, recorded, and put on the back of the credit card. This would act as a deterrent, since most identity thieves don't want to have records created that could be used to trace back to the their actual identity. But few credit card issuers would ever mandate the use of photographs, since it would effectively end the industry's marketing strategy of sending credit cards to new customers through the mail, without the need to have local branch offices.

Ultimately, identity theft is flourishing because credit-issuing companies are not being forced to cover the costs of their lax security procedures. The eagerness with which credit companies send out preapproved credit card applications creates the risk of fraud. When the fraud takes place, the credit issuer simply notes that information in the consumer's credit file and moves on; the consumer is left to pick up the pieces and otherwise deal with the cost of a stolen identity. It stands to reason, then, that the easiest way to reduce fraud would be to force the companies that are creating the risk to suffer the consequences. One way to do that would by penalizing companies that add provably false information to a consumer credit report in the same way we penalize individuals who file false police reports. Such penalties would force credit grantors to do a better job of identifying the individuals to whom they grant credit, and this, in turn, would do a good job of limiting the crime of identity theft.

Database Nation

The Death of Privacy in the 21st Century

Chapter 2

Sample Sections:
It Could Happen to You

Identity Theft: A Stolen Self

Database Nation

The Death of Privacy in the 21st Century

Chapter 2

Sample Sections: It Could Happen to You

Identity Theft: A Stolen Self

Sample Sections:
It Could Happen to You