Identity Theft

CC Attribution-Noncommercial 2.0 by Clint M. Chilcott
The problem
Of all the evils endemic to the Internet, perhaps none has as much power to destroy real lives as identity theft. The Privacy Rights Clearinghouse reported that in 2007 over 9.3 million U.S. adults were victims of identity fraud, and the amount taken was over $49 billion. In Code, Lessig argues that this is one of the reasons why regulatory intervention in the Internet is both necessary and proper. At first blush, however, the problem seems to sit at a confluence of architectural factors that make it uniquely difficult to combat.
The Internet's world-wide nature makes it very hard to prevent theft effectively. Due to the relatively low cost of access in third-world countries and the astronomical reward relative to local economies, there is a seemingly unending supply of con men lying in wait. For instance, another Internet scam (known as 419 advance fee fraud), which is almost entirely conducted from overseas locations, cost over $4.3 billion in 2007, with an estimated 300,000 perpetrators. Due to competing sovereignties, it's very hard to effectively prosecute these criminals. Due to social norms, it's untenable to blame the victims of fraud, even if they ignored warning signs. And due to market pressure and the cost of holding identity information securely, fiduciary duty to shareholders in many cases dictates that corporations not pursue security measures as effectively as possible.
Analysis
However, there is a theoretical way out of this problem that seems to be working in practice. Starting with California, many states have created disclosure laws that require companies that become aware of personal information leaks to inform those affected. As this discussion mentions, this has a number of effects, but the most powerful seems to be as a means to shift market forces. Disclosure of leaks is both expensive to carry out (since generally the company must make an effort to track down all of the individuals involved) and potentially horribly costly in terms of reputation. Therefore, the profit-making goal of the company and the public-welfare goal of the government are realigned.
This is not the only method regulators could use. At various times, groups have carried out educational campaigns to warn against "phishing" attacks aimed at stealing personal information, with the goal of changing social norms such that succumbing to phishing is seen in a similarly dubious light to succumbing to a suspicious real estate deal. Or we could attempt to architect banking systems with precautions such as biometric readers, which are less easily taken from naive clients. Lamentably, the former hasn't been terribly effective, and the latter raises the specter of criminals performing impromptu amputations as a means of identity theft. Overall, this simply demonstrates the necessity of applying the right market force for the given problem.