The always brilliant Brian Krebs heroically slogs through the cesspools of the internet to bring us extremely valuable information like this article documenting the security disaster unfolding at the IRS. When I read the article, this bit sounded eerily familiar.
“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information… They basically admitted this was to protect the privacy of the criminal…”
It reminded me of something that happened to me. I was living in Florida for a few months and wanted a library card. At the library they told me I needed a state ID. I went to get the state ID at their DMV and when I got to the front of the line the person asked if I’d "ever been to New Jersey?" I replied, "Yes, I was in New Jersey when…" (A flash of got you scumbag! crossed their face.) "…I was 11 years old." (A new look of confusion now on their face.) They told me that they couldn’t issue me an ID. Why? I asked. They couldn’t tell me. Why? I mean why can’t you tell me?
To protect the privacy of the person who may be involved in preventing you from getting an ID if that person is not you.
What was crazy was I figured out that they were matching people based only on first name, last name, and date of birth. That’s it. I may not be John Smith, but my name is pretty common, or was exactly around my birth date.
I was told to "call this number" and given a phone number on a scrap of paper. So I called the number and told the person who answered that I wanted to make a full confession. Yes, I really am a person with this name and birth date and if that is illegal in New Jersey I’m ready to face "justice". (Pro tip: These people are utterly humorless.)
Then it got very fun because they wanted me to fax a bunch of sensitive stuff (SS card, birth certificate). Ok, so I told them that’d be fine once I confirmed their identity. I pointed out that obviously I’m the victim of some kind of identity fraud or mistake and I don’t want to naively do more of the same. Clearly they were prone to mistakes with these issues. I told them I could have been lied to by the DMV person who scribbled the number I was given. Maybe my official situation was fine, but they were perpetrating a scam as imposters. After all, the problem sounded far more absurd than a well-crafted scam. How could this New Jersey government office, if that’s who they really were, properly identify themselves? They had never thought of that and could not come up with a way! They could give me no published web site or document with that phone number referenced. Maybe it was a scam.
I ended up not getting an ID in Florida. I did write a confession letter to New Jersey governor Christine Todd Whitman asking for a pardon but never heard back and let it drop. When I returned to California, I called the DMV there and told them what had happened. They actually referred me to some kind of fraud office which was pretty helpful and cleared my record in California.
If I was a single parent with complete authority over naming a child, I’d pick a nice name (for human uses), then hash it, and use that on all official documents. Or maybe even something more aggressive.