An internationally renowned security technologist, Bruce Schneier is a frequent lecturer on cryptography, computer security and privacy.
He designed the Blowfish encryption algorithm, and has served on the board of directors of the International Association for Cryptologic Research and as an advisory board member for the Electronic Privacy Information Center.
Schneier is the author of eight books, including his latest, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, which covers personal safety, crime, corporate security and national security. His book Secrets & Lies: Digital Security in a Networked World sold more than 80,000 copies; and Applied Cryptography sold more than 150,000 copies and is translated in five different languages.
His free e-newsletter, Crypto-Gram, has more than 100,000 readers.
As founder and chief technical officer of Counterpane Internet Security Inc., which provides managed security-monitoring services to public and private organizations worldwide, Schneier leads the company in maintaining its world-class status in security technology.
He possesses a master's degree in computer science from American University and a bachelor's degree in physics from the University of Rochester.
You call "identity theft" a misnomer, saying that the fight against fraud might be more effective if we thought of it as impersonation rather than ID theft. Could you elaborate on why?
"Identity theft" doesn't make sense as a term. Your identity is the only thing about you that cannot be stolen. The real crime is fraud due to impersonation. Even worse, by calling it "identity theft," we naturally focus on the wrong solution: making personal information harder to steal.
We need to make personal information less valuable, harder to use. By calling the crime what it really is, it's more obvious where the solutions lie.
How should we go about doing that?
It's simply too easy to use identity information to commit fraud. Someone shouldn't be able to complete a form in a magazine and open a credit card in my name. Someone shouldn't be able to guess my password and make large monetary transfers in my name. Financial services needs to slow down and take security more seriously. Europe is a good model here -- identity theft is less of a problem because it's harder to use personal information to commit fraud.
Of course, banks and credit card companies are going to oppose any limits on their business. They like the fact that it's trivially easy to get a credit card. But they're not bearing the full costs of identity theft.
Why is personally identifying information easy to sell? Who should be protecting it, and who isn't protecting it properly?
Personally identifying information is easy to sell because there are no laws against selling it. If we're serious about making it harder to sell, we need to make it illegal to sell. It really is that simple.
The Europeans have comprehensive data protection laws. Information collected for one purpose can only be used for that purpose. It cannot be used for other purposes without going back to the individual and asking permission. That kind of personal privacy regime will make it very hard to sell personally identifying information. Businesses won't like it, though, so it's unlikely to happen in the United States.
Of course, personal information is also easy to steal. So making the information illegal to sell is only part of the solution -- we need to also make organizations responsible for the security of the data they're entrusted with.
What's the role of the federal government in this? What about the role of state governments? Is it a matter of passing different or better laws?