« On Identity Theft-BECKER | Main | Identity Theft--Posner's Reply to Comments »



Feed You can follow this conversation by subscribing to the comment feed for this post.


"It is difficult to imagining identity thieves substituting more serious crimes for identity theft." But won't a more serious punishment tempt them to steal more money?


Not necessarily. It's important to consider that the amount stolen probably [though I haven't seen data] affects the probability of being caught. Someone who steals $50,000 is more likely to be caught than someone who steals $5,000, simply because the victim and the police are more likely to notice such an incident [much ID theft goes undetected for a while] and also more likely to vigorously pursue perpetrators of bigger crimes. Thus, increasing punishments [while keeping probability of apprehension the same] would not affect the amount stolen. Rational thieves already steal the maximum amount they can get away with; increasing punishment if caught does not affect that calculation. Increased punishment merely raises the expected costs of the activity, and the activity would be undertaken in fewer instances.


One argument here is that bank robbers get caught all the time, and for mere pittances. But everybody knows that bank robbery carries severe penalties. And people still rob banks all the time. So what happened to deterrence? I would expect you to be advocating a reduction in sentences for bank robbery, if they're over-deterred. Maybe there are other factors than expected marginal deterrence at play in making these decisions? Like the *real* factors? :-)

Another argument is that everybody would save a lot of money if identity theft could be "stamped out." First, can you name a single common crime in the history that's been "stamped out"? It's absurd on its face. Second, none of the costs currently expended for computer security are expended solely as a result of the fear of identity theft (or if they are, you'd have to argue and prove it). There are plenty of concurrent reasons for self-protection in that area, and no good reason to suppose aggregate costs would go down, at least not from what you've presented. So that argument is weak, too.

Lawrence Indyk, University of Kansas School of Law

Well, the main point about the economic theory of punishment is that an improvement in any of the variables that go into the expected value (expected benefits minus expected detriments) equation will lead to some change in a potential criminal's decisions and behavior. The predicted penalty, either fine or jail-time, is only one of those variables. Some of the other factors are the cost of an attempt, the likelihood of success, the average take, the likelihood of getting caught, and the likelihood of getting punished if caught.

Increasing the penalty alone will undoubtedly produce some additional deterrent effect - but I personally believe it will be at a much higher cost to benefit than modifying the other variables. This is especially true since a large amount of this activity is conducted from abroad where punishment may be near impossible. But certainly it should be used as one of the weapons in our arsenal against a problem of growing social significance.

On the other hand - there are strategies that cost very little which can have significant effect on the expected value equation. For example, users cannot operate a Google mail account without having done a mobile phone text-message confirmation. Nefarious activity conducted from gmail accounts is therefore quickly linked by law enforcement to the personal information (and perhaps even the present location) of the mobile phone account holder. Increasing the probability of getting caught has significantly diminished all sorts of nasty email activity, including ID-Theft from gmail accounts to an incomparably small level in relation to the more anonymous yahoo and hotmail services. Most of these frauds dont even try to use gmail - which is exactly what we want to happen. The social cost of not having truly anonymous (and therefore easily fraudulent) email, or of people not trusting the anonymous emails they receive, is likely very slight.

Another cheap and easy way to deter ID-Theft is to change the nature of the crime. I recently received a call via some 1-800 number that was clearly a "you've won a prize, just call use with your personal info..." scam. After spending a while trying to figure out who to report such things to - I was to told to contact the FBI. I called the FBI and was told (1) It's a number from Canada and we can't do anything about it, and (2) Even if it was in the US, if you haven't actually lost any money, there hasn't been a crime to investigate and we also can't do anything.

Disappointing to say the least. I don't know if this is still the law so maybe it's already been resolved, but if even an unsuccessful attempt to defraud is criminalized, the calculus changes as well - like it does with the crime of attempted murder. Instead of a million attempts with fifty successes, fifty investigations, and one successful prosecution - the investigation of all attempts will add another layer of deterrence.

Specifically, I am thinking of those novices just getting started in the email/ID fraud game. Like anything, it takes time and many failed attempts to become skilled in the art of these crimes - to learn what words work to scam people, how to avoid getting caught, etc... If the learning curve itself is prosecutable (when one isn't making money and there is also a higher chance of making a mistake and getting caught) the incentives are very much against a novice to even begin his dirty career.

And of course - there are other advantages to improved security and legal measures vs punishment because they hurt other criminals who also exploit the public anonymity that email can permit. For example, the gmail confirmation technique could also be effective for law enforcement and national security efforts against drug cartels or terrorist cells who use email to communicate. Harsh punishments will make thieves think twice, but a good change at getting caught for even trying will push them out of the game.


A basic issue that I ahve with Prof. Becker's argument is that it appears to assume a linear (or at least monotonically increasing) deterrence function. In other words given a crime payoff of X and a probability of getting caught Y and a punishment of value Z we need to impose a penalty Y*Z=>X to optimally deter crime. (We could make the function more complex but the basic idea would be the same). This works nicely with a number of crimes. However, I am skeptical that this realtionship would hold for white-collar crime. The basic reason is that most white collar professionals have an intense fear of prison. In other wrods X must be enormous to even risk a small chance of a small prison term (at least for most professionals). In other wrods, I would suspect there is something almost like a jump discontinuity (which of course makes modelling much more difficult). For example does anyone really think that if Jeff Skilling knew he faced a sentence of 60 years rather than 30 he would have acted honestly. Once he'd decided to risk prison additional years in prison would be fairly de minimis (i.e. the marginal deterrence once you get past the jump discontinuity is fairly elastic).

I will admit that all of this is impressionistic and I ahve not researched the literature to see if others have suggested this (or even better tested it empriically). HOwever, from my own experience this seems right. Setting aside all issues of morality, I have difficulty imagining any amount of money for which I would risk more than a few weeks in prison. Given this would even a life sentence act as an optimal deterrent for identity thieves?


I work as a collection attorney and would like to note that with most fraud accounts that I have encountered the credit card information, banking, or social security information was obtained and misused by a relative, friend or acquaintance of the victim, usually by physical access to the victim's vital information, mail or personal documents.

Of course, most obviously fraudulent accounts never reach the stage of being sent to an attorney; but it seems to me that much identity theft is not the work of professional thieves but is rather opportunistic and involves relatively small amounts of money.

I would be interested to know what percentage of identity theft losses are the work of professional identity thieves using technically sophisticated methods and what percentage of losses can be attributed to amateurs.

Should the term identity theft perhaps be limited to the professional thief using computer hacking, e-mail or like means to defraud numerous people? It seems to me that the justification for imposing very severe penalties may be limited to the case of a fraudulent scheme to obtain and use the personal information of many persons, and that the mere fact that credit has been fraudulently obtained by using another's personal information is not sufficient to distinguish the harm to be prevented from more the more usual sort of fraud and larceny.


But perhaps identity theft rings could be set up similarly to drug dealing operations, in which foot soldiers (to use the Levitt and Dubner's term from Freakonoics) assume most of the risk of the very high penalties - and then some higher up still reaps the rewards? In that case, higher deterrance penalties may not help.

Alex Burr

There is an interesting argument (made by Ross Anderson, head of the computer security research dept at Cambridge University) that the name 'identity theft' is part of a general movement by banks to shift the cost of fraud against banks to their customers.

From their blog:
'Identity fraud is not fraud, from the consumer’s viewpoint. If someone pretends to be me, borrows 10K from the Derbyshire Building Society and vanishes, it’s the building society that’s the victim, not me. If Experian then says I’m a loan defaulter when I’m not, that’s libel. Suing for libel may be expensive, but the Information Commissioner has announced his willingness to issue enforcement notices against the credit agencies in such circumstances. [...]

“Identity fraud” is an objectionable concept, an attempt by the banks to dump some liability.'

[from http://www.lightbluetouchpaper.org/2006/08/08/identity-fraud-again/]

I would be interested in whether this is a correct view of the law.

Paul Eberhardt

Alex Burr,

The website you looked at does indeed correctly state US law. I'm a commercial lawyer, and I've had clients who were "identity theft" victims. In this case, the thieves only used publicly available information about the company, and, essentially impersonated it. They were able to induce a *lot* of vendors to ship product to the thief by relying on "fuzziness" in business credit checking.

For example, if Company is located at 1234 West Apple Street, Thief can rent 2134 West Apple Street, have product shipped there, and the vendor will assume that the discrepency in the address is due to a data entry error. In other words, the problem is that many businesses which extend credit are *very* careless about verifying the identity of their borrowers. Recently, banks started requiring people opening accounts for corporations, LLCs, etc. to *prove* their corporate identity. Only problem is that the *proof* required will be given by the government to anybody who asks for it, so this fails, too.

I also found that police agencies were uninterested. I instructed my client to maintain absolutely that *it* was not the victim, because it had not lost any money and was not going to lose any money (and was in no event going to pay). The victims were the gullible vendors. As a result of this stance, every police agency I talked to declined to do anything, because no victim had complained.

I discovered that many large businesses which had been defrauded by professional identity theft spent little or no effort to discover or prosecute the thief, and instead focused in trying to browbeat the innocent party into making good their loss. The correct response is to tell them to get lost. I suspect that much of the reason for this focus is the fact, noted above, than many identity thiefs have a relationship with the "victim," and in many cases the

PS. In the US credit libel is essentially privileged by federal law. The Fair Debt Collection Practices Act requires debt collectors to write a lot of long notices, and to have a "protest" procedure, but most such procedures are basically ineffective for correcting errors. The FDCPA preempts state libel law. It's a messed up area of law.

Steven Cheung's Blog

I'm happy to find this blog of Posner. Maybe you know Steven Cheung? He also has blogs of his own, but in Chinese. Those who can read Chinese can visit his blogs, and they are really very interesting!

There are two main blogs of Cheung in China, one is in Sina (http://blog.sina.com.cn/m/zhangwuchang), the other is in Sohu (http://zhangwuchang.blog.sohu.com/). They are both very hot in China.

Manish Godha

The costs (from the thief's perspective) relating to upfront cost of performing the crime are quite insignificant in comparison to more traditional crimes. A bank thief would have to invest in arms, conveyance and so on. So the impact of costs associated with the expected value of punishment would be based on perceived probability of being caught. This would only increase if security and technology measures as well as identity and access management by banks and such parties are bolstered. Heavier punishment would do nothing to create an incentive for this. Hence, it would be necessary for the inflicted institution (banks etc. -- who have the capability to put up systems to prevent and detect the identity thefts) to bear the impact of the fraud, which currently are largely borne by the impersonated.


Theft is theft and in most legal systems is a crime. Whereas "fraud" is a vehicle used to facilitate a theft. So what's the difference? In reality, identity fraud or theft is just the same old crime, perpetrated with the new technology of the information age. One thing that has not changed and will not change is the concept of "mens rea" or the guilty mind or criminal intent of the perpetrator of identity fraud or theft.

As with any crime in a legal system, a punishment must be established for justice to exist in society (this is as far as I'm going to go in establishing a jurisprudence for the modern age, many others have it done it before me). As for punishment, I've always been of the mind that the punishment ought to fit the crime otherwise there is no justice. So what are the elements that should make up a punishment. As a preliminary, I can think of three; deterence, retribution and reformation. Economic analysis and application of economic punishment can provide for deterence, retribution or reformation. So can incarceration and god forbid, corporal and capital punishment. As to which is most effective, it all depends on the culture and the psychological makeup of the perpetrator with the mens rea.


It seems to me that the formula for calculating the amount of time to be served or the fine imposed for a crime needs to take into account the probability that an innocent person might be convicted.

Alex Burr

Paul Eberhardt,

thanks for clarifying this.

James Sorrell

Please read and energize:
"The Declaration of RE-Independence", the USA's LAST chance to re-invent itself before self-destruction~~~

http://s2.excoboard.com/exco/index.php?boardid=15311 or
http://thekeeperoftheflame.blogspot.com or


Mike Davis

Another cost of increasing the severity of penalties for identity theft (and most other crimes) is that doing so may increase the expected cost of false convictions. These expected error costs are the result of at least three factors.
(1) Convicting an innocent party results in a misallocation of resources (e.g., a skillful programmer spends time making license plates.)
(2) The concern about false convictions leads individuals to avoid engaging in economically efficient activities or expend additional resources to avoid being charged with identity theft (e.g., a lender with a fool-proof security system stops asking for Social Security numbers on loan applications out of fear that it might be accused of being the source of some leak.)
(3) The resources that innocent people devote to establishing their innocence goes up. (This is a more subtle part of the story since as penalties go up, the proportion of false convictions go down as more resources are devoted to the judicial process. That is, as the cost of a false conviction goes up, the probability of false conviction may go down by an amount sufficient to reduce the expected cost error.)

I’m not sure how this would all work out for the problem of identity theft, but an earlier comment suggested that much “identity theft” involves acquaintances. This tells me that intent matters (a case might, for example, turn on the question of whether a woman actually give her ex-husband permission to use a credit card.) Such cases make for great day-time TV but in the real world are messy and prone to error.

Learned Limb

Identity Theft should be punished by death. Original Sin was occassioned by the identify theft by Satan of the lowly serpent. It could therefore be fairly characterized as the Original Crime. Yet I see no Biblical exigesis in your discussion of this Holy violation of His Will. Your comments are simply insufficiently Godly, sir! Good day to you.

Martin Baker

Could this be one of those situations where any potential deterrent effect of increased punishment would be counteracted by the responsive increase in the effectiveness of the criminals' efforts to elude detection and capture?

Dan C

Judge Posner ask a question:

Should we increase the penalties for identity fraud crimes? The current penalties seem mild when compared to the economic impact of such crimes.

Perhaps not: Most of these criminals steal the identities of friends, relatives, employers etc and are probably easily caught and punished. (Except that the sums are so small that the criminal justice system doesn’t want to get involved in these often messy cases.) The punishment needed to deter these criminals may be mild (if evenly enforced). These are crimes of opportunity and the criminals are unlikely to target society in general.

I’m not sure how big a problem “phishing” crimes are. $50 billion is about $200 per person per year in the United States. I image that shoplifting dwarfs this number. As does political corruption, Medicaid fraud, and the damage caused by speeders, not to mention drunk drivers.

Still the potential for identity crimes to escalate, in frequency and amount, is a concern. But much of the current growth seems to be based in foreign countries, away from the reach of American courts. Increased surveillance of large currency transfers could make the criminals easier to track but depending on the home country that may not lead to increased apprehension.

That means that we may need to pass laws that make it easier to track the criminals. I will let the ACLU argue this with Judge Posner. I.E. We may not need to increase the penalties if we can increase the likelihood of being caught.

We could and should increase the penalties for crimes against certain groups (the elderly), above certain dollar levels, or that involve international transfers.


Cool theme.... thx!....


بنت الزلفي


Thank you, you always get to all new and used it
شات صوتي






Thank you, you always get to all new and used it


The comments to this entry are closed.

Become a Fan

May 2014

Sun Mon Tue Wed Thu Fri Sat
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31