Becker–Posner Blog

Unofficial archival reconstruction

All discussions

September 17, 2006 to September 24, 2006

On Identity Theft

BeckerPosner 3 entries Grouping confidence 0.90
Becker September 17, 2006 Opening 97 comments

On Identity Theft-BECKER

A few months ago I received an email on an official looking United States Treasury letterhead informing me that I was owed several hundred dollars by the federal government that would be sent if I would just provided some personal information. I had not heard of this scam but it seems unlikely that I would be notified in this way about a refund (and even more unlikely that I had a refund!). To make sure I checked with my accountant. He confirmed my opinion, although he had not heard of this scam either.

Identity theft is one among unfortunately many negative effects of the electronic communication age of credit cards, phones, and the internet. A common claim, probably based on limited evidence, is that about 9 million Americans each year are victims of identity theft, and many additional victims are found in Great Britain, Canada, Japan, and other developed nations. $10,000 is said to be the average loss per victim in the United States. If these numbers are in the right ballpark, the annual amount defrauded in this country alone would be some $90 billion. The worldwide incidence and cost of identity theft is rising rapidly over time as credit cards and the internet spread throughout the world.

Identity thieves prey on the fears and greed of people. Greed is the explanation for why many emails, often supposedly from Africa, promise millions of dollars to a trustworthy person if he can take care of huge sums for a while. All that is asked from victims is their information on their bank account numbers and a little other personal information. These promises are so absurd that one wonders why anyone would respond, but they are cheap to send, and can be profitable if only a minute fraction of recipients fall for it.

Other approaches rely on fear rather than greed. Another real example is a telephone call from someone alleging to be a state or local government official. He threatens that the person called is subject to arrest because he did not report for jury duty. However, he reassures that arrest could be avoided if the victim would provide some personal information that could help clear up his record.

It is difficult to sympathize with people who are "taken" because they are trying to get rich quickly in ways that usually involve participating in illegal activities. Still, effective deterrence of identity theft would be desirable since so many people are victims. As Posner indicates, the aggregate amount taken by identity theft, plus avoidance spending by potential victims, plus the spending of time and other resources by the identity thieves themselves, exceed the total cost of many other crimes.

Posner notes that the economic theory of optimal deterrence implies as a first approximation that the expected cost of apprehension and punishment to the identity thief should be at least as large as his expected gain from stealing identities. However, this first approximation may not give a good approximation to the minimum punishment that would deter this crime because there is a very low probability that such identity thieves are apprehended and convicted. Probabilities are low partly because crimes over the internet are difficult to trace to their source as many criminals are located in small out of the way countries, or in other places that are not easily reached by enforcement officials.

Suppose that the probability of solving a representative identity theft was no better than 1/1000, so that out of say 9 million such thefts each year, fewer than 9,000 are solved by finding the perpetrators. If the typical amount stolen is $10,000, making the expected punishment exceed the expected gain implies that a convicted identity thief would be subject to a penalty of $10 million. Since convicted thieves usually do not have so much wealth, punishments typically take the form of significant prison terms. If identity criminals are quite risk averse, a 1/1000 probability of a $10 million dollar punishment would be much more onerous than a $10,000 punishment with certainty. Hence the punishment required to deter could be much smaller than $10 million. On the other hand, if criminals like risk, and the evidence suggest that they often do, adequate deterrence would require an even greater punishment than $10 million, or its jail time equivalent.

The expected punishment required to deter identity theft may also be much less than the loss to victims because in most cases the gain to the thieves is much less than the loss to their victims. The relatively small gain from gaining access to victim's personal information can be seen from how little is asked online for such information-less than $100 is typical. This is partly because victims and credit card companies spend valuable resources on cutting their risk of losses from such theft. The gain is relatively small also because potential victims suffer a psychic loss since they worry about the potential theft of their identities, and actual victims are hurt and angered about the invasion of their privacy. Net gains to thieves are further reduced below the losses to victims because identity thieves put time and other resources into criminal activities, resources that could have been spent on more socially productive activities.

Posner September 17, 2006 Opening 103 comments

Deterring Identity Theft--Posner

"Identity theft" (or identity fraud) refers to fraud effectuated by stealing personal identifying data, such as a credit card number or a social security number, often by means of computer hacking or by emails in which the sender impersonates an individual, firm, or agency that has a legitimate need for the identifying data. Identity theft has become extremely common and is estimated to be defrauding Americans of a total of more than $50 billion a year. This is an understatement of the social costs of identity theft because victims often must spend hundreds of hours restoring their credit. Maximum punishments are severe, but the garden-variety identity theft is not heavily punished relative to potential gains. For example, an identity thief who steals $1 million and has no previous criminal record is (if prosecuted for violating federal fraud law) likely to receive a prison sentence of less than five years, except that as a result of the recently enacted Identity Theft Penalty Enhancement Act another two years will be tacked on.

The economic theory of punishment teaches that, at least as a first approximation, the expected cost of the fine or other punishment for crime should just exceed the expected gain to the criminal from committing the crime, in order to make it worthless to him. If we are not completely confident about what the gain from the crime is likely to be (or if we think some crimes, like breaking into an unoccupied vacation house in a snowstorm, should not be deterred, we may want to base the sentence on the victim's loss instead of the perpetrator's gain. In the usual case of identity theft, the loss to the victim will exceed the gain to the thief, because the time costs to the victim are not recouped in any form by the thief. Oddly to a noneconomist, those costs, together with the costs of efforts by potential victims of identity theft to avoid becoming actual victims and the costs incurred by the identity thieves themselves to accomplish their thefts, are the real social costs of identity theft. The mere transfer of wealth from victim to thief does not reduce the social product, but merely rearranges it.

The word "expected" which I used in the preceding paragraph is intended to distinguish between a certain value and a probabilistic one. The expected value of a 100 percent probability of incurring a cost of $100 is $100, but so is the expected value of a 1 percent probability of incurring a cost of $10,000 ($100 =.01 X $10,000). If the probability of apprehending and punishing an identity thief is very low, the punishment will have to be jacked up very high in order to deter. Suppose an identity thief who sends out 100,000 "phishing" emails (impersonating persons or firms who would have a legitimate need for access to the recipient's personal identifying information) anticipates a $10,000 profit. If the probability that he will be caught and punished for his fraud is 1 percent, then a fine slightly in excess of $1 million would be necessary to deter him. Probably he could not pay such a fine, and so a prison sentence would have to be substituted, designed to impose the equivalent disutility on him.

My guess is that very few identity thiefs are caught, and also that many of them make a lot more than $10,000 per fraud, given such techniques as phishing that enable a fraudulent solicitation to be disseminated essentially without cost to an immense number of potential victims; if even a minute percentage of the recipients are hooked, the identity thief can make a killing. If this analysis is correct, the optimal punishment for identity theft is extremely heavy; it might well be life in prison.

Any proposal for punishment that strict would encounter a variety of objections--all superficial. The first is that punishment should be proportional to the gravity of the crime, in the sense of the cost that the crime imposes on the victim. By this criterion, bank robbery is a more serious crime than identity theft (and in fact is punished much more severely) because it frightens and sometimes endangers the bank's employees (only sometimes, because most bank robberies nowadays are "robbery by note"--the robber gives the teller a note saying that he is armed, but he isn't). But bank robbery is actually a sucker's crime; almost all bank robbers are caught because of a combination of surveillance cameras and the money packs that tellers are instructed to give robbers, which explode after a few minutes, covering the robber with indelible ink. Moreover, it is only because crimes that create a risk of physical injury are treated as categorically more serious than white-collar crimes that bank robbery is deemed a more serious offense than identity theft. Probably identity theft is a greater social problem (the average bank robbe's take per robbery is only $7,000), and, even if it is not, almost certainly it should be punished more severely because the probability of apprehension and punishment is much lower than in the case of bank robbery.

Nor would we have to worry, as we do with many crimes, that making the punishment for a particular crime very severe may increase the incidence of a more severe crime--may in other words impair "marginal deterrence." That is the policy of imposing heavier punishments for more serious crimes not because the punishment must fit the crime in a retributive (eye for an eye) sense, but in order to deter the substitution of more serious crimes for less serious ones. Were robbery punished as heavily as murder, robbers would have a greater incentive to murder their victims because that would reduce the probability of punishment (by eliminating witnesses) without increasing its severity. It is difficult to imagining identity thieves substituting more serious crimes for identity theft.

A further argument against severe punishment is that identity theft is easily prevented by potential victims, and it is less costly to society for them to take their own precautions than for the taxpayer to pay for more prisons. There are two fallacies here. The first is the assumption that increasing the length of prison sentences increases the number of prisoners. That depends on the responsiveness of potential criminals to a higher expected cost of punishment. If it is high, then an increase in punishment may reduce the number of prisoners by increasing deterrence by a greater percentage than the added length of the sentence. (Below I argue that it is likely to be high in the case of identity theft.)

The second fallacy is to disregard the heavy aggregate costs of self-protection against identity theft. Everyone who has a credit card or social security number or other personal identifying information (which is to say everyone), and in addition has some financial resources, is a potential victim of identity theft. Among this large group of people, all who are cautious will take some steps to prevent identity theft, as will the custodians of their personal identifying information. These costs, which would be avoided if identity theft could be stamped out, must be compared with the costs of increasing the punishment of identity thieves. Those costs might be slight if the threat of heavier punishment had such a strong deterrent effect that the threat had rarely to be carried out.

A reason to expect a more than average responsiveness of crime to punishment in the case of identity theft is that identity thieves tend to be educated people, or at least to have pretty good technical skills. Educated people tend to have low discount rates because education entails deferral of earning. And people with low discount rates are more responsive to increased prison terms, which involve adding years at the end of the existing term. A person with a very high discount rate might not be deterred when his expected sentence for committing some crime increased from 20 years to 25 years, but a person with a low discount rate might consider that extra five years a significant present cost (that is, after discounting to present value--the lower the discount rate, the higher the present value of a future stream of costs or earnings). Moreover, an educated person is likely to have superior legitimate alternatives to crime than an uneducated person; and the closer a substitute a legitimate earning opportunity is for earnings for crime, the less the expected earnings from crime need be reduced by increased punishment in order to induce the substitution. This is the other side of my earlier point about marginal deterrence.

Posner September 24, 2006 Response To Comments 93 comments

Identity Theft--Posner's Reply to Comments

Two of the comments make the excellent point that much, maybe most, identity theft consists in a friend or relative stealing personal identifying information and that such "retail" theft should not be punished nearly as heavily as the kind of professional identity theft that my post focused on. The way to deal with this problem, however, as in the case of most crimes that embrace acts of widely varying gravity, is to set a broad statutory sentencing range--say from fine and probation at the bottom to 25 years in prison at the top--and within the range to promulgate sentencing guidelines based on the magnitude of the particular defendant's conduct and other relevant factors, such as his criminal history.

A recurrent issue in criminal law enforcement is how much responsibility for crime prevention to place on potential victims. In principle, it is always cheaper to deter crime by threat of punishment than to require victims to incur expenses to protect themselves from crime, because maintaining the credibility of the threat is likely to be much cheaper than victim self-protection because the latter requires every potential victim to incur costs to avoid being a victim. (It's the difference between penning danagerous animals in zoos and leaving it to every homeowner to fence out dangerous animals.)

But this is in general rather than in every case. The more costly it is for the state to apprehend and prosecute and punish criminals, the more likely it is for victim self-protection (or some combination of public enforcement and victim self-protection) to be optimal. In this vein, some comments express concern that banks and other vendors are not doing enough to prevent identity theft of their customers because they hope to shift the loss to the customers. I doubt that this is a serious problem, but if it is it may argue for requiring protective measures by the banks and vendors.

One comment puzzles over the fact that bank robbery should be a sucker's crime--that is, that though the expected gain is slight relative to expected punishment costs, the crime is still common. It is a puzzle. But my impression is that bank robberies nowadays are committed mainly by stupid or mentally unstable people, who are tempted by what seems the simplicity of giving a bank teller a threatening note. When as perhaps in that instance deterrence fails, the alternative is incapacitation--long sentences to prevent the bank robber from repeating his crime if it is thought unlikely that he will be deterred by the threat of a longer prison sentence the next time (recidivists get longer sentences, having shown by their first crime that they are less deterrable than the average person).

I greatly enjoyed the comment that pointed out that the first and most consequential identity theft was that of the serpent in the Garden of Eden, by Satan. This is not in Genesis, where Satan is not mentioned, but in later versions of the Fall of Man, notably Milton's* Paradise Lost*, where Satan takes over the serpent while the latter is sleeping, and convinces Eve that she should eat the forbidden fruit because he, the serpent, did and it did him no harm--indeed, it enabled him to learn to talk!