Losing Your Good Name Online

After leasing two high-end sport utility vehicles in just two days last spring, Kenneth Morse was finally stopped by a third dealership on the third day. Noting Morris's suspicious SUV-buying spree through a credit check, the New Jersey Mercedes dealer said no deal. It was a good thing, because the real Kenneth Morse was more than 250 miles away, pushing papers at his desk in upstate New York. With just his name and Social Security number, someone had hijacked Morse's credit-worthiness and was joy riding it for all it was worth. The cops, who weren't much help, knew enough to suspect he had given out his Social Security number somewhere online. The suspect was ultimately caught, and Morse's name was cleared--as best as he can tell. He still doesn't know exactly how it all happened. And he still drives his old Camry, a rusty beater with 160,000 miles.

Morse was a victim of the worst kind of privacy violation--the theft of his identity. This alarming prospect is poised to be an increasingly common nightmare as the tendrils of the Internet take root ever deeper in our daily lives. All it takes is your name and your Social Security number, and your identity can be plucked from you easier than a coat from a closet. With Social Security numbers being used as account identifiers by financial-service firms, health-care companies and motor-vehicle departments--all of which are going online--it is becoming easier for impostors to put on your happy face. Once it's stolen, count on bureaucratic torture: a seemingly endless telephone and letter-writing campaign trying to atone for your alter ego's sins. Peter Neumann of the R&D firm SRI International calls identity theft the "hidden downside of computing."

For crooks, however, it's payday. The Internet hasn't caused the problem--people still rummage through Dumpsters to reconstruct personal details from trash--but the Web has allowed criminals to lock onto marriage licenses, property records and motor-vehicle information with a mouseclick. "Before, you had to go to the county courthouse to find that information," says Beth Grossman, identity-theft program manager (yes, there is such a person) at the Federal Trade Commission. "Not anymore." Computers are powerful enough now to pry open widely used software safeguards, compounding the problem.

The advent of e-commerce is, however inadvertently, endangering privacy. Companies have long boasted about the efficiency, convenience and personalized service that distinguish commerce online. But that promise hinges on the merchants' intimate knowledge of their customers' tastes and behavior. For starters, they know who their customers are, where they live and their credit-card numbers. And the more someone buys, the more the seller finds out about him: likes bourbon and trash novels; sends someone not his wife flowers every Wednesday.

Any Web-site operator can reconstruct a visitor's every move on his site: what pages he viewed, what information he entered and the Internet service he uses. Privacy advocates warn that most online companies won't fight subpoenas seeking access to those logs. Security guru Richard Smith, founder of Phar Lap Software, likens Web sites to VCRs "constantly recording when you come in, who you talked to and maybe what you talked about."

Getting your identity stolen online isn't as unusual as you might think. Three weeks ago John Aravosis, a Washington, D.C., Internet consultant, logged onto AOL and found an e-mail warning that his account was involved in criminal activity in certain chat rooms. Realizing someone had been logging into his account, he wanted to make sure AOL knew it wasn't him in the event any records became public. He began a weeklong lobbying effort, calling AOL, privacy groups and a senator's office. Ultimately, he found out that the "criminal" activity was software piracy, and he's still waiting for a letter from AOL that clears his name.

Aravosis says he never gave out his password, nor did he download a malicious program, but AOL staffers suspect he did. Using AOL's Instant Messenger service, online cons can send a user a missive posing as an AOL employee who needs the user's password for some reason or another. "We are experiencing difficulties with our records... I need you to verify your logon password to me so that I can validate you as a user." If you don't fall for that ploy, you could become the unwitting victim of a "Trojan horse" program--an innocuously named e-mail attachment that stores your password when you open it. The program then e-mails the information to the perp.

So you have to be digitally vigilant. Guard your Social Security number as if it were the master key to your life, which it is. And plead with your insurance company and financial institution not to use the number as your account ID (good luck).

Paranoid, maybe, but it could have saved William Bergau. In May 1998 the 35-year-old college recruiter and his wife had their wallets stolen from their car and returned the next day. But the thief kept checks and Bergau's Social Security card, which he used to obtain a fraudulent driver's license by telling the DMV he had lost the original. He successfully purchased goods and withdrew money. But the real problem hit Bergau when the pretender started getting arrested, under Bergau's name, for drunken driving, marijuana possession and grand-theft auto. A year after the theft, when Bergau was on vacation with his wife and kids in Arizona, thousands of miles from home, he was pulled over for speeding. "His" record--for driving under the influence--came up, and the cop wanted to lock him up. "The kids are in the van thinking Daddy's going to jail," he says. But Bergau explained the theft of his identity and, after more letters and calls, he finally got off the hook. He wasn't ensnared online, but the Internet makes his predicament more imaginable for the rest of us.

Now Bergau carries around a series of letters from agencies and the police explaining his plight. But the notes give him little comfort: "I'm going to spend my whole life picking up the pieces of this guy's dirty work." For him--and anybody whose identity is lifted in cyberspace--it's hard to see if he'll ever truly get his name back.