CDR: Re: Non-Repudiation in the Digital Environment (was Re: First Monday August 2000)

[Tony Bartoletti]

> > Other choices?
> >
> >    Identity Theft
> >    Identity Pollution
> >    Identity Vandalism
> >    Identity Assault
> >    Identity Misappropriation
> >    (Slander in the First Person :)
> >
> > Would it matter if we substitute "reputation" for "identity".  Is my 
> identity
> > (to others) any different than the reputation with which it is associated?
> >
> > Call it what you will.  If institutions that once recognized me fail now
> > to do so, I have lost something-in-general.
> >
> > Name that something-in-general.
>
>Well, you have not lost it nor has it has been "stolen".  You are simply 
>barred
>from using it.  This is the result of impersonation, since now the other 
>person
>is the one that has access to it.

This is a curious viewpoint.  If someone makes off with my car, according to
the DMV the car is still owned by me.  Thus, it has not been stolen, I am 
simply
barred from using it while the other person has access to it.  (And if it has
a hidden tracking device, it has not even been "lost".)

>The use of "identity theft" instead of impersonation is thus utterly 
>misleading,
>even though lawyers and lawmakers are the ones perpetrating such use.  No
>legally relevant conclusions can be drawn from the misuse of the technical
>term "theft" in the soundbite.
>
>In comparison, defining non-repudiation in terms of protocol messages and
>only for protocol messages is, at most, a solipsistic endeavor. However, it is
>IMO a most useful one so that others, including lawyers and lawmakers, are
>prevented from using it in a perverted way just because RFCs are written in
>English.

I appreciate your comments, but I still feel that "impersonation" is too 
general
a term, and lacks important implications of the term "identity theft".

It is one crime to impersonate an officer.  The crime is not one that some 
officer
finds their personal identity subverted or nullified.  The term is often 
used when
an "impersonal role" is assumed.  In some venues, impersonation can be 
flattering.

If I use a sledgehammer to smash a car's windshield, or someone's forehead,
I am not charged in both cases with "sledgehammering".  The name of the crime
reflects the result more generally than the means employed, in this case either
"destruction of private property" or "homicide".

Granted that "theft" is most often associated with the physical removal of
property.  But the import of the term is both that (1) the legitimate owner
finds they no longer have the use of the item, and (2) the "thief" profits
by the misappropriation, as if they were the owner-possessor.

It may not be a complete match, but "identity theft" is well characterized
by points (1) and (2) above.  That the "theft" is accomplished through the
mechanism of impersonation seems at most a related issue.

You might well point out that, unlike an ordinary theft, what was "taken" here
cannot be simply returned.  If, instead of impersonation, I were to access and
modify records and accounts in your name, add police records, medical problems,
and credit anomalies, what term would be appropriate for the crime?  I consider
perhaps "character assassination" to come rather close.  Unlike a "theft", the
perpetrator is not "assuming" the role corresponding to the now-polluted data.

(Note:  "Impersonation" also conveys no direct sense that, once the 
impersonation
is halted, the significant damage remains.  But this is true of "identity 
theft"
as well.  "Identity assault" captures this, but not the misappropriated use.)

Sound-bites (memes) will only persist if they have utility.  Time will tell.

___tony___


Tony Bartoletti 925-422-3881 <azb at llnl.gov>
Information Operations, Warfare and Assurance Center
Lawrence Livermore National Laboratory
Livermore, CA 94551-9900