in managing risk and preventing crime. But this responsibilization is far from perfect. Rather than identity theft being the fault of consumers’ poor information-management practices, research suggests that the greatest proportion of this risk can be attributed to the careless or negligent data-management practices of major institutions. More than 50 percent of stolen identities, for example, are taken by employees or people impersonating employees [ 2]. Other research has noted that up to 70 percent of identity theft can be traced to leaks within organizations [ 3]. Yet statistics such as these aren’t common knowledge. When concerned citizens ask their local police, government, and corporate authorities about identity theft, they receive lists of tips on theft prevention, and on what to do once one has (seemingly inevitably) become a victim.

The process of reestablishing one’s identity is the greatest source of frustration. The material costs of the initial fraud or theft of data can pale in comparison with the frustrating and time-consuming work required to rectify the problem. These frustrations are compounded by the fact that victims encounter a reverse onus; they are expected to provide appropriate documentary details in prescribed forms and within a specified timeline to prove their victimization (in duplicate, and by registered mail). The investigation and resolution of their case often depends on the speed and the accuracy of the information they provide.

There is a standardized four-step process for recovering from

identity theft. First, victims should contact the police and file a report—a requirement that has almost nothing to do with the prospect of effective police assistance, but is instead understood as a key component in the documentation process. Police reports are vital when trying to prove victimization to credit bureaus, account providers, and government authorities. Second, victims should contact the three major credit bureaus to acquire copies of their credit report to examine for discrepancies. A client can also register a fraud alert—a form of notification stored on their file to caution agents that someone has been manipulating their data. Third, victims should close any accounts where they suspect involve identity theft activity has occurred. Finally, they should contact government authorities to log their complaint and provide statistical information to the relevant authorities. Reclaiming identities involves intense scrutiny of the bare essences of a person’s life that can resemble a Kafka-esque toil with inscrutable organizational routines and seemingly unending paperwork that on average can take up to 40 hours to complete. Victims of extreme instances of identity theft are best situated to deal with their case if they are familiar with bureaucratic protocols and have a heightened sensitivity to the importance of documentation. They also need perseverance, and, above all, a plan.

Whereas most crime victims are expected to do little more than contact the police, great weight is placed on identity theft victims to rectify their

situation, through an expansive program of self-documentation and mediated communication with social institutions. Indeed, one of the paradoxes of identity theft is that while the crime itself raises questions about institutional trust in documentary identities, this trust can be reestablished only through an elaborate frenzy of further documentation. Ultimately, the victim’s task is to return their data double to the status of one among millions of unremarkable transactions in a global system of informational relays.

Curiously, the discourse on identity theft is almost entirely lacking in specific references to criminals, beyond vague references to hackers (even though most identity theft methods require very little computer skills). It appears to be an almost criminal-less crime. Instead of employing breathlessly moralized accounts of evil criminals, institutions treat the crime dispassionately, as a simple risk to be managed. One consequence of this lack of a conspicuous criminal is that the gaze of surveillance focuses on the victim herself. In the absence of identifiable perpetrators, victims become the predominant object of statistical knowledge, trend predictions, risk profiling, and bureaucratic “dataveillance.”

Victims are often treated with suspicion and must do considerable work to prove their innocence. An extreme example of this involves cases in which a criminal provides someone else’s personal details when they are arrested for a crime. In this case, the victim must report to their nearest

[ 2] Jewkes, Yvonne. “Policing the Net: Crime, regulation and surveillance in cyberspace.” In Dot.cons: Crime, Deviance and Identity on the Internet, edited by Y. Jewkes, 15-35. Cullompton, England: Willan Publishing, 2002.

[ 3] Collins, Judith M. and Sandra K. Hoffman. Identity Theft Victims’ Assistance Guide: The Process of Healing. New York: Looseleaf Law Publications, 2004.