September 17, 2006
On Identity Theft-BECKER
A few months ago I received an email on an official looking United States Treasury letterhead informing me that I was owed several hundred dollars by the federal government that would be sent if I would just provided some personal information. I had not heard of this scam but it seems unlikely that I would be notified in this way about a refund (and even more unlikely that I had a refund!). To make sure I checked with my accountant. He confirmed my opinion, although he had not heard of this scam either.
Identity theft is one among unfortunately many negative effects of the electronic communication age of credit cards, phones, and the internet. A common claim, probably based on limited evidence, is that about 9 million Americans each year are victims of identity theft, and many additional victims are found in Great Britain, Canada, Japan, and other developed nations. $10,000 is said to be the average loss per victim in the United States. If these numbers are in the right ballpark, the annual amount defrauded in this country alone would be some $90 billion. The worldwide incidence and cost of identity theft is rising rapidly over time as credit cards and the internet spread throughout the world.
Identity thieves prey on the fears and greed of people. Greed is the explanation for why many emails, often supposedly from Africa, promise millions of dollars to a trustworthy person if he can take care of huge sums for a while. All that is asked from victims is their information on their bank account numbers and a little other personal information. These promises are so absurd that one wonders why anyone would respond, but they are cheap to send, and can be profitable if only a minute fraction of recipients fall for it.
Other approaches rely on fear rather than greed. Another real example is a telephone call from someone alleging to be a state or local government official. He threatens that the person called is subject to arrest because he did not report for jury duty. However, he reassures that arrest could be avoided if the victim would provide some personal information that could help clear up his record.
It is difficult to sympathize with people who are "taken" because they are trying to get rich quickly in ways that usually involve participating in illegal activities. Still, effective deterrence of identity theft would be desirable since so many people are victims. As Posner indicates, the aggregate amount taken by identity theft, plus avoidance spending by potential victims, plus the spending of time and other resources by the identity thieves themselves, exceed the total cost of many other crimes.
Posner notes that the economic theory of optimal deterrence implies as a first approximation that the expected cost of apprehension and punishment to the identity thief should be at least as large as his expected gain from stealing identities. However, this first approximation may not give a good approximation to the minimum punishment that would deter this crime because there is a very low probability that such identity thieves are apprehended and convicted. Probabilities are low partly because crimes over the internet are difficult to trace to their source as many criminals are located in small out of the way countries, or in other places that are not easily reached by enforcement officials.
Suppose that the probability of solving a representative identity theft was no better than 1/1000, so that out of say 9 million such thefts each year, fewer than 9,000 are solved by finding the perpetrators. If the typical amount stolen is $10,000, making the expected punishment exceed the expected gain implies that a convicted identity thief would be subject to a penalty of $10 million. Since convicted thieves usually do not have so much wealth, punishments typically take the form of significant prison terms. If identity criminals are quite risk averse, a 1/1000 probability of a $10 million dollar punishment would be much more onerous than a $10,000 punishment with certainty. Hence the punishment required to deter could be much smaller than $10 million. On the other hand, if criminals like risk, and the evidence suggest that they often do, adequate deterrence would require an even greater punishment than $10 million, or its jail time equivalent.
The expected punishment required to deter identity theft may also be much less than the loss to victims because in most cases the gain to the thieves is much less than the loss to their victims. The relatively small gain from gaining access to victim's personal information can be seen from how little is asked online for such information-less than $100 is typical. This is partly because victims and credit card companies spend valuable resources on cutting their risk of losses from such theft. The gain is relatively small also because potential victims suffer a psychic loss since they worry about the potential theft of their identities, and actual victims are hurt and angered about the invasion of their privacy. Net gains to thieves are further reduced below the losses to victims because identity thieves put time and other resources into criminal activities, resources that could have been spent on more socially productive activities.
Posted by Gary Becker at 07:42 PM | Comments (5) | TrackBack (0)
Trackback Pings
TrackBack URL for this entry:
http://www.lessig.org/cgi-bin/mt/mt-tb.cgi/1316
Comments
Prof. Becker:
It is difficult to sympathize with people who are "taken" because they are trying to get rich quickly in ways that usually involve participating in illegal activities. Still, effective deterrence of identity theft would be desirable since so many people are victims.
It would be interesting to see some actual data about the relative frequencies of varous forms of identity theft. Many types of identity theft do not involve the Internet at all. In many cases, thieves obtain the victims' personal information by dumpster diving (see for example: http://www.atg.wa.gov/consumer/idprivacy/dumpster_diving.shtml). Even when it comes to spam-based identity theft, many such e-mails are aimed at customers of major banks, pretending to be notices requiring their personal information as a part of a supposed routine bureaucratic procedure. Although I have no hard data to back it, my impression is that spam soliciting illegal activities accounts for a relatively small fraction of the total identity theft crime.
Prof. Becker:
Identity thieves prey on the fears and greed of people.
Again, my impression is that most successful identity thefts are based on naivete and carelessness, rather than fear or greed. People often don't bother to shred documents before throwing them away, or to think twice before responding to a phone call or e-mail asking for personal information. But it would certainly be very interesting if someone could post a link to some concrete data about this.
Posted by Ivan at September 17, 2006 11:51 PM | direct link
A curious feature of phishing spam and spam in general is that the standard of grammar, spelling, punctuation, and so forth is almost always lower, and often much lower, than that in the real business email it is trying to impersonate.
This casts some doubt on the idea that phishers are well-educated people. Of course, in many cases English may not be their first language. Still, it seems odd that phishers do not find it economically worthwhile to enlist good copywriters.
Posted by Richard Mason at September 18, 2006 02:54 PM | direct link
I do not remember the exact number, but the price of human life in Becker's "Crime and Punishment" was about 2 mil.$. 10M>>2M. Does it mean, that Becker thinks, that phishers deserve capital punishment instead of years in jail?
Posted by Muxec at September 19, 2006 12:39 PM | direct link
Richard Mason:
A curious feature of phishing spam and spam in general is that the standard of grammar, spelling, punctuation, and so forth is almost always lower, and often much lower, than that in the real business email it is trying to impersonate.
In my experience, phishing spam purporting to come from banks etc. is usually composed in perfect business English and carefully reproduces the design of the legitimate materials issued by the company being impersonated. The Nigerian-type messages are another story altogether. However, they usually purport to come from people who are themselves non-native speakers (widows of African dictators etc.), so that clumsy English actually adds to their credibility.
Regular, non-phishing spam nowadays has to be badly mangled to avoid filters.
Posted by Ivan at September 19, 2006 04:05 PM | direct link
"Identity thieves prey on the fears and greed of people." - Prof. Becker
"Again, my impression is that most successful identity thefts are based on naivete and carelessness, rather than fear or greed." - Ivan
Isn't there identify theft in other forms that don't require any action on the part of the victim, i.e. thieves acquiring information through avenues that are available through our vast information highway, even when there is no naivete, carelessness, fear, or greed on the part of the victims or their information holders?
Perhaps not carelessness, but not having sufficient protection of information that could be a problem. Stores, banks, credit card companies, other agencies have different standards. I think there is a subtle line between the carelessness and having insufficient protection. There is probably a higher duty of care for these groups and victims, due to the greater availability of information floating around in cyberspace.
Posted by shaum at September 22, 2006 02:15 PM | direct link
