In a world where 10 million people a year can have their identity stolen, where pretending to be someone else is as easy as stealing a wallet, what good are traveler databases and terrorist watch lists? After all, they are easily foiled by impersonation.
But in the nation's most comprehensive look yet at what went wrong on Sept. 11, and what can be done to prevent the next terrorist attack, identity theft gets scarce mention. Buried deep within the 9/11 commission report — on about 10 pages, starting with page 393 — are suggestions for dealing with the deeply connected problems of terrorism and identity fraud.
The report does note the importance of the issue, however. Impersonation is cited as a key tool for terrorists. "Travel documents are as important as weapons," the report says. "Fraud is no longer just a problem of theft. At many entry points to vulnerable facilities, including gates for boarding aircraft, sources of identification are the last opportunity to ensure that people are who they say they are."
And the report makes some specific suggestions, including federal standardization of driver's licenses and birth certificates. Still, experts worry that the issue will get short shrift in congressional hearings, or an overly simplistic solution will be attempted for a very complex problem.
"What it's going to take is somebody who's really going to be married to this issue in terms of some knowledge and ability and skills and devotion and strict focus on this one single issue," said Judith Collins, an identity theft expert and a professor at Michigan State University. "And I don't know who would do it."
Terrorism and identity theft go hand in hand, experts say. The al-Qaida training manual includes provisions for trainees to leave camp with five fake personas, says Collins, who uses a copy of the manual to train law enforcement officials. Terrorists are regularly schooled in the art of subsisting off credit card fraud while living in the United States, Collins said.
The Millennium Plot terrorists, Ahmed Ressam and Mokhtar Haouari, allegedly used credit card fraud, and even made plans to buy a gas station and steal customer account numbers that way, according to a report in the Chicago Tribune. And the indictment of terrorist suspect Ali Saleh Kahlah al-Marri, who has been linked to alleged Sept. 11 paymaster Mustafa Ahmed al-Hawsawi, alleged that al-Marri was arrested with a laptop computer that had 1,000 stolen credit cards on it, along with a host of Internet bookmarks pointing to fraud and fake ID-related sites.
The Sept. 11 hijackers, surprisingly, used their real names when boarding their flights that morning. That kept commissioners from focusing more specifically on ID theft, said commission spokesman Jonathan Stull — after all, its charge was to study what went wrong on Sept. 11. But the hijackers had liberally used document fraud prior to that date, some to ease entrance into the United States, others to move around once they were here and to obtain drivers' licenses they needed to board the airplanes.
Mark Rasch, once head of the Justice Department's Computer Crime unit and now a consultant with Solutionary Inc., said the fact that identity theft is as easy as it is makes terrorism watch lists essentially useless.
"This is even more important as we start to profile terrorists," Rasch said. "With these 'red lists,' we stop someone from boarding based on their ID, but it's all based on a reasonable certainty that we know who the person is."
System flaws repeatedly exposed
Flaws in the nation's identification system are well known. According to congressional testimony, there are 240 valid forms of driver's licenses in the United States, and 10,000 different agencies can issue birth certificates. Such documents, known as "breeder documents," are the cornerstones of identity theft. Because there are so many formats, it's nearly impossible to spot fakes, and there has long been consensus among the security community that a driver's license is an unreliable way to identify a person. In fact, last year, undercover congressional investigators were able to obtain valid driver's licenses from motor vehicle offices around the country using fake documents such as doctored birth certificates. The same investigative team used fake IDs to enter restricted areas in government buildings and airports in 2002.
The flaws are no secret to terrorists, says identity theft expert Rob Douglas, who operates PrivacyToday.com. He's concerned that increased use of passenger screening lists and watch lists might get most of the attention in the wake of the 9/11 report — but without addressing the identity theft issue, all that money and effort would be wasted.
"The way we use driver's licenses (as identification) at the airport today is silly," Douglas said. "Watch lists are great, but if [we] don't use them in conjunction with a secure form of standardized ID, then it just won't work. If you can't identify people up front, what good is the rest of it?"
A spokesman for Rep. John Carter, who authored recently signed legislation enhancing penalties for criminals who commit terrorist acts using identity theft, said the congressman is weighing the commission's recommendations, but had not yet taken a position. Carter had planned on quizzing the commissioners on ID theft issues at Tuesday's hearings, but ran out of time. Among the questions Carter planned to ask that didn't get answered: "Many of the hijackers on 9/11 used false identification. ... Does the commission make any recommendations for steps that can be taken to target and prevent potential terrorists from obtaining false documents via identity theft?"
Biometrics seen as key
Rep. Rob Andrews, D-N.J., who has criticized the nation's ID system, said he would support legislation requiring states to add some biometric component, such as a fingerprint or an iris scan, and in fact, such an idea has been bandied about for some time.
"This is an idea whose time has come. In fact, it came about 20 years ago," he said.
But the idea is not without political peril. Discussion of federal ID standards opens a Pandora's box of privacy issues.
"The concern has always been the possible development of a national ID system or internal passport requirement for U.S. citizens. And there has been a long-standing cultural aversion to that approach in this country," said David Sobel, attorney at the Electronic Privacy Information Center.
He said he was more open to implementation of some biometric system, but only if there were severe limitations on what government agencies and corporations could require. He compared the situation to Social Security numbers, which were issued with very narrow expectations and are now a de facto national identifier. "Once the capability exists and there's this database, every aspect of our lives might suddenly become tied into that biometric."
Biometrics bring up other problems too. The systems aren't flawless, says Douglas.
"There's always the initial authentication problem," he said. "You've got to be sure the person getting the card is truly that person."
Civil liberties advocates might also bristle at other suggestions in the 9/11 commission report. It recommends immediate expansion of the US-VISIT program, which forces foreign travelers to the U.S. to submit to fingerprinting. Currently, the system only covers 12 percent of travelers. The commission also says U.S. citizens shouldn't be exempt from carrying biometric passports, and should be forced to show them when re-entering the country from Canada, Mexico and the Caribbean.
Meanwhile, the report failed to address another critical area of concern regarding identity theft, says Rasch — corporate America, the main source of stolen identities. A recent study completed by Collins indicates that two-thirds of the time, identity thefts begin with employee theft of data. Rasch says federal legislation must force companies to guard personal data more carefully, decreasing the availability of identities that can be stolen by terrorists.
"We need to have a new regime of privacy," he said. "Where we can't share information so easily."
Traffic light syndrome
Given the complexity of identity theft, the commission didn't offer enough details to implement a nationwide system for dealing with the problem, Douglas said. Still, Douglas, Sobel and others are worried that the 9/11 commissioners, and apparently a possible Kerry administration, are pushing for wholesale implementation of all the report's recommendations — with or without the nuances.
"People are falling over themselves rushing to implement this before the election," he said. "It could be similar to what happened with the Patriot Act."
But Andrews said that's highly unlikely. He expects the administration to focus on creation of the National Counterterrorism Center and a security czar position. Identity theft issues, he said, will likely take a back seat, left for another session of Congress to wrangle with.
"I'm afraid what we'll have is the syndrome of putting a traffic light at an intersection after someone is killed," Andrews said. "What will happen is an act of terrorism will be pulled off by someone with a stolen ID, and then when that happens there will be a rush to enact this kind of legislation."
Bob Sullivan is the author of the upcoming book "Your Evil Twin: Behind the Identity Theft Epidemic," published by John Wiley & Sons.