I was at the gym this morning and a fellow gym-goer left his bag sitting atop the lockers while he went to work out. This is a common occurence, despite the fact there are signs warning about theft in the locker rooms and the fact that there are, in fact, lockers readily available. I started thinking about what might be in his bag for which the risk of theft was more acceptable than the $.25 for a locker. "Probably nothing of value, maybe his gym ID card," I thought to myself. The gym ID card contains a magnetic strip, your name, your membership number, and a rather blurry 'funhouse mirror' kind of image of you. I can only assume the image that appears on the monitor when the staff swipe the card is somewhat more recognizable as a person.

I imagine that many people would happily make the same tradeoff. The information on their gym card isn't worth a quarter, given the perceived risk of theft. But it got me thinking about what one *could* do with such information. Identity theft is not about the wholesale usurping of someone's life, but the subtle use of their external identity for financial gain. I wonder if I could call up the gym, give them a name and account number and ask them to verify 'my' bank details or home address or social security number. With those pieces of information, I could probably do quite a bit more damage, maybe open a line of credit.

This kind of targeted identity theft is pretty rare, I'm guessing. It's tedious, requires work for each person, and the profit is likely minimal. I'm not saying it doesn't happen, but that it's not prevalent. It does, however, illustrate a point about how identity theft is about starting with minimally valuable information and escalating it to profit. It's like the one red paperclip guy, only with information.

The issue here is that large scale commerce makes large scale identity theft possible. If I steal 10000 social security numbers, then find an automated way to open 10000 lines of credit, then use online banking to draw on all of them to fill up a numbered Swiss account, the profit potential escalates significantly. What if I steal those SSNs from the gym? I'm guessing their computer systems aren't that well protected.

Data theft and data loss are fairly commonplace events at this point. We probably don't go a month without some company reporting the disclosure or loss of customer's or employee's data. There are a lot of places one could put the blame for the rise of the incidents (alternatively arguing that the rise is in reporting, not actual incidents): companies themselves, government for not regulating them, the criminals who actually steal the data. When it comes down to it, however, the blame, or rather the responsbility, should lie squarely on the shoulders of the consumer. The more we put our data out there for commerce, the more connections there are by which this sort of data escalation can take place. Right now, your SSN is a key to more data that you can imagine, given an access path. At the same time, it's not easy to avoid giving it out.

Next time someone asks for your SSN, or your zip code, or your home address, try saying 'is that necessary?' The answer is likely going to be yes, but asking the question is just one way to communicate that you're aware of just what information you're giving out.