
Maze of Contradictory Data Clouds Identity Theft Landscape

Identity Theft Isn’t Just the Fastest Growing Crime—It’s Also the Most Misunderstood

April 2007
The results are so different, it’s hard to believe the three studies researched the same thing.  On the one hand there was Gartner, Inc., the respected research powerhouse, with its findings that 15 million Americans were victimized by identity theft last year, a 50-percent increase over 2003.  On the other hand was Javelin Strategy & Research, a new and tiny outfit making a big splash with findings that identity fraud is down – identity thieves stole $6.4 billion less in 2006 than they did in 2005, and the number of identities stolen dropped by half a million in just the last year.

Between the two stood the Federal Trade Commission.  Its annual report on identity theft found that it was far-and-away the top consumer complaint received by the commission in 2006 (accounting for 36 percent of all complaints).  All three reports landed within three weeks of each other. How could they all have such conflicting results?  The main problem is this: Currently, getting reliable data on identity theft is nearly impossible.  That may sound overstated, but it’s not. Even the FTC report, which is widely considered the benchmark by all competing private research companies, is unable to fully take into account quickly spreading variations of the crime such as “synthetic identity theft” (using multiple people’s information to build a new identity), which now accounts for more cases than “true identity theft.”  The FTC, however, makes this fact clear, as does Gartner.  Additionally, “medical” and “business” identity theft (stealing a business’s identity to charge goods) are rapidly on the rise but still slipping through the cracks in most surveys.

Moreover, all the major studies of identity theft rely on interviews with consumers.  This method is inherently flawed.  What if national statistics on bank robberies and car thefts were compiled this way?  Instead of an accurate list of exactly how many crimes were committed, we’d have polls of just a few thousand people, which may or may not represent what actually happened across the country.  Javelin’s study, for example, draws sweeping conclusions that run counter to common understanding.  Nevertheless, it used public polling, which fails almost completely when it comes to synthetic identity theft.

But we use polls to measure identity theft anyway, and for one simple reason: The numbers generated by local law enforcement agencies are still unreliable because of the different ways in which the crime is classified.  Fraud by identity theft actually involves three distinct crimes: first, the theft of personal identifying information; second, the theft of the identity when a thief opens a new account; and third, the theft of property.

How do we separate identity theft from related crimes?  Shouldn’t our statistics include new types of identity theft?  If so, how should we standardize the collection and reporting of that data?  Without answers to these fundamental questions, the best we can do to understand identity theft trends is to compare the inherently flawed reports we have available.

Complete and Utter Confusion

On the surface, the Javelin and Gartner studies seem nearly identical. Both polled 5,000 consumers, asking them whether they had been victimized by fraud as the result of identity theft.  Both studies modeled their questions after the FTC’s seminal 2003 report.  Yet, their conclusions were diametrically opposed:
» “Contrary to popular belief, identity theft is actually going down,” said James Van Dyke, president and founder of Javelin Strategy & Research.
» “Gartner’s 2006 identity theft survey shows that the number of victims continues to increase…” Gartner wrote in its report.

So how did the two studies come to such radically different conclusions?  Right off the bat, Javelin’s results raise serious questions of bias.  To start, it relied on a minority sample—only 42 percent of respondents polled knew how the crime occurred.  Yet Javelin used this minority to draw conclusions about the entire population.  “In order to take a minority of a sample and generalize it to the full population, one must first show that the known cases (the minority) are ‘exchangeable’ with the unknown ones (the majority).  That is, one must show that the unknown cases have similar causes of identity theft as the known ones.  [Javelin’s] attempts to do this are inadequate,” Chris Hoofnagle, senior fellow at the University of California Berkeley Center for Law and Technology, said in a recent blog post (http://chrishoofnagle.com/blog/?p=680).

The Javelin study also took an unusual approach to defining the categories for how the information was obtained.  It claimed that 79 percent of cases were “consumer controlled,” and only 21 percent were “business controlled” (the word “controlled” in this instance essentially reads as “fault”).  The 79 percent of “consumer controlled” cases, however, included items like mail theft.  What consumer mails himself or herself credit-card convenience checks (with the full account number printed on each)?  How can Javelin not classify this as the banks’ fault?

Javelin did correctly claim that paper-free transactions are still safer.  “Research continues to show the essential and exclusive safety advantages of paper-elimination and (electronic) account monitoring…” the study reads on page three, without ever naming sources of this research.  It is true that paper-free transactions are still considered safer.  Nevertheless, the recent deluge of database breaches has made consumers gun shy.  And a recent Wall Street Journal/Harris Interactive survey found that 30 percent of consumers polled are limiting their online purchases, and 24 percent are cutting back on their online banking, due to fears about their identities being stolen online.  Most studies suggest that online fraud is up substantially over last year, a fact Javelin fails to cite; a fact that is also very bad news for online banking.

Why are so many people picking on Javelin?

First, Javelin’s study was funded by Visa, Wells Fargo and CheckFree Corporation.  These companies have made record profits in recent years, thanks in part to the speed and efficiency of online banking.  These companies have a major stake in proving that online banking is trustworthy.  But the FTC found that 45 percent of all fraud is committed over the Internet, up from 33 percent in 2004.  So while the Gartner study, the FTC and the major credit card companies all report that more identity thieves are using the Internet to steal personal information to create new credit accounts, causing a spike in new-account fraud, Javelin’s study said that the overall rate of new accounts opened fraudulently was down—from 1.7 percent of all new accounts in 2005 to just one percent a year later.  By counting a percentage of the new accounts but not the total number of frauds or the total dollar amount stolen, Javelin’s study makes a situation that’s getting worse appear as though it’s getting better.

“I wouldn’t say they’re lying,” says Avivah Litan, author of the Gartner study.  “I just think, given their funders, they don’t have the same incentives to dig deeply as I do.”

Our issue with the study doesn’t stop there.  Throughout its report, Javelin suggests the majority of identity theft cases are the result of consumer-controlled actions, absolving business from 79 percent of the cases reported.  This includes: consumers who don’t use online banking to monitor their accounts for fraud; consumers who simply lose their wallets; consumers who reveal too much of their private information to family and friends.  “Statistically, Javelin’s finding is bogus,” said Hoofnagle.  “(I)f they can shift the blame for identity theft to victims, they can avoid regulatory scrutiny for things like repeated security breaches.”

Javelin’s report states “Our greatest vulnerability” arises from information stolen by family, friends and in-home employees, “those whom we trust most and allow the greatest access to our private information.  There is no simple fix to this problem….”

Both statements are misleading.  Victims only discover the identity of the thief in 26 percent of fraud cases, according to the FTC.  Half of those cases were committed either by someone the victim didn’t know, or by someone other than a relative or friend.  That leaves just 13 to 15 percent of all identity fraud being committed by relatives or friends, which makes this far from “Our greatest vulnerability.”  (Many do agree that the “inside job” factor is large.  But it’s important not to overstate the claim.)  “It would be misleading to suggest that the culprit is likely a friend or relative,” according to an internal FTC memo.

A lot of identity fraud occurs when thieves steal pre-approved credit cards from victims’ mailboxes, says Gartner’s Litan.  Even more occurs when thieves hack into bank and credit card company information systems and cause major security breaches.  There actually are simple fixes to these problems.  If Congress passed laws barring banks from sending pre-approved credit cards through the mail, and imposing tough penalties on financial institutions that allow their weak database defenses to be hacked, perhaps fewer people would be hit by identity thieves.

Many of the questions of bias in the Javelin report come down to emphasis.  Javelin buried its finding that the incidence rate of existing account fraud increased 12 percent in a year near the bottom of page 13.  Whereas Gartner broadcasts its finding of rising online fraud as the first point on page 2 of its report, Javelin tucked the same result at the bottom of page 8, in the same sentence where it states that “(r)esearch continues to show the essential and exclusive safety advantages of paper-elimination and frequent (electronic) account monitoring.”

Not Exactly Perfect

The Gartner study isn’t perfect either.  However, it doesn’t claim to be.  The report begins its analysis section by stating, “Consumer surveys don’t measure all types of fraud – for example, synthetic fraud....” where thieves merge information stolen from multiple victims with fake bits of data to create entirely new identities.

Beyond the type of survey, there’s a potential problem with its methods.  First, the Gartner study is the result of an Internet poll.  Gartner paid for the survey to be conducted by Synovate, a company that solicits online and gathers millions of consumers who are interested in taking Internet polls on various topics.

Right away, this method poses potential problems.  Nearly all Americans have telephones, while only seven out of ten households have computers.  Those who do not have computers are more likely to be lower-income and/or older than the general population.  Also, only a small subset of people with Internet access will choose to sign up for an online poll.  This process of self-selection worries statisticians.

“The online polling is probably just reaching a very specific part of the population,” says Elena Eroheva, professor of statistical methodology at the University of Washington.  “When people decide that they’re going to sign up for a survey, it stops becoming a random selection process.”

Litan’s report acknowledged that its findings may be less reliable.  “Gartner expected numbers yielded by our Web survey to produce a subset of the identity theft incidents yielded by a phone survey, because the online population represents about 75% of the total U.S. population.”

But in a phone interview, Litan criticized Javelin’s phone poll.  “Javelin uses the phone, and I don’t know how good that is for reaching people who’ve been burned by ID theft,” she said.  “It’s hard finding anyone to answer phone surveys anymore. Most people hang up.  By the time you get enough people, I don’t think it’s very representative.”

The second, and perhaps more important, problem is that Javelin accuses Gartner of comparing incomparable data.  “They committed an unpardonable sin in the world of statistical research.  They did something that any high school statistics teacher would not allow,” Van Dyke says.

Javelin’s study compares two telephone polls, one from 2003 and a new one from 2006.  Gartner’s methods are less clear.  In the study, Litan wrote that she compared the results of the FTC’s 2003 poll, which was conducted over the phone, with her own poll conducted online in 2006.

But in a recent phone interview, Litan appeared to contradict her study.  “No. We did an internet study in 2003, and an internet study in 2006,” she said.

Which is it?  At this point, no one knows.  Litan declined to answer further questions about her report.

Bad Numbers Abound

What is also striking about comparing the two studies is that their numbers aren’t even in the same ballpark.  According to Javelin, the average amount stolen in identity fraud scams in 2005 was $10,000.  Gartner found that the average was actually $1,408.  The following year, that average dropped by 28 percent, Javelin found, while Gartner said that the average more than doubled.

Both studies agree that consumers are shouldering more of the cost of identity fraud.  But they quantify that similar finding in completely different ways.  The average fraud victim lost $535 in 2006, up 24 percent from the year before, Javelin found. Gartner found that consumers recouped 87 percent of the amount stolen in 2005, but only 61 percent in 2006.  This is a very bad result for consumers.  And it’s worth repeating the obvious: Consumers are the group actually suffering from our collective misconceptions about the crime.

Beyond these dizzying variations in the numbers, both studies overlooked huge areas of the crime, such as “synthetic” and “medical” identity theft and large-scale database breaches.  According to a 2005 study by the research firm ID Analytics, synthetic identity theft is more common than “true-name” identity theft.  A full 88 percent of fraudulent new accounts were opened with synthetic identities.  In addition, 73 percent of dollar losses were due to synthetic theft, with only 26 percent attributed to traditional, true-name identity theft.

We Need Some Rules Here

Compiling all these different types of data into a single report on identity theft would give us a better sense of the problem.  Are things really getting better, as Javelin and the banks would have us believe?  Or is the problem actually growing and mutating as identity thieves mine new sources of stolen information that are underground and more difficult to track—i.e. synthetic identity theft, hacking into retirement accounts, etc.?  The spotty information we have so far suggests the latter is correct.

But we can’t know for sure until law enforcement, Congressional legislators, and consumers begin to change their thinking about identity theft.  The act of stealing someone’s identity is a crime in itself, just as breaking into someone’s house is a crime.  Both crimes may result in a stolen TV.  But unlike breaking-and-entering, identity theft is often not recorded and tracked as a separate crime.  That needs to change. We need laws at the local, state and federal levels to make tracking identity theft an everyday part of police work.

We also need national standards for what to include in our definitions and studies of identity theft.  Synthetic identity theft must be included, for example.  As the technology and methods of identity thieves advance, what’s our process for incorporating new methods into our definition of the problem?  And what’s the legal distinction between identity theft and plain old fraud?  Without answers to these questions, we may waste precious time and money fighting the problem in ineffective ways, and we may mislead people into believing that identity theft is going down when actually it’s simply mutating and growing.

As long as we continue to misunderstand the problem, it’s unlikely that we’ll effect positive change.  And whether the final tally of victims a year proves to be 8.5 million, 15 million or more, we’re still talking about a huge number of people, and a huge problem that isn’t about to go away. 

©2003-2010 Identity Theft 911, LLC. All rights reserved.
