
When It Comes to Legislation, Vision Is Required


In June, Sens. Bob Bennett, R-Utah, and Tom Carper, D-Del., introduced in Congress the Data Security Act of 2006, a reaction to the rising crime of identity theft. Its essence: safeguarding requirements for data holders. Whatever the details of this safeguarding turn out to be, they are guaranteed to be no more than a fun challenge for the hackers of this world.

Regretfully, we go on with a tradition of offering legal remedies for yesterday's ills. Computer crime is perpetrated by some of the cleverest individuals around. They are innovative and inventive. They succeed by moving forward with tools, technology, and methods. Boasting staffs of lawyers, our senators and representatives seem to lack technological vision. A leader should focus on the future, and intercept the attacks that have not yet materialized.

Data theft is not an issue of lax safeguarding of Social Security numbers. The Internet revolutionized our life on earth. More and more human exchange in general, and commerce in particular, is carried out between parties who never eyeball each other. I have been buying and selling my books on Amazon for years, and I never met an Amazon employee in my life. As far as Amazon is concerned, I could be a virtual entity, or a 13-year-old girl.

This electronic fog is what creates the opportunity for crime today, and for terrorism tomorrow. This virtualization of life should attract visionary legislators who can give us what we badly need: the legal means to ensure deterrence, defense, and recovery.

Deterrence: This must be legislated for data holders and data thieves alike, and must take the form of painful punishment. Deterrence brings accountability. Today, I can build and sell you software equipped with a trapdoor that would allow a thief to steal your private data. Under current law, neither I nor the thief would be liable.

Today, only the abuser of your private data stands to pay up, if caught. But he is the last link in the chain. The rest of the chain is unindictable. Deterrence is the first line of defense, and the cheapest, too.

Defense: Law and technology today focus on walls. But for every wall, there is a hole. Hackers and intruders will penetrate the walls that we are going to erect against them via legislation. And these walls will unduly burden our customers and users at the same time.

The fundamental key to fighting back against the bad guys is through their behavior, using pattern recognition. If a hacker steals my identity, then quite soon there will come a day when I get a haircut in Washington, D.C., and 20 minutes later someone using my name pays for a meal in Chicago. It does not take complicated software to spot that thief. What it takes is raw data plus legislation. Why not add legislation that would charge the government (not the public, for a change) with the burden of searching for transactional patterns that raise suspicion?
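The haircut-in-Washington, meal-in-Chicago pattern above is what fraud teams call an impossible-travel check: two transactions on one account whose implied ground speed no traveller could reach. The script below is an added example, not code from the article or from any agency; the transaction records, coordinates and the 900 km/h ceiling (roughly airliner speed) are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Transaction:
    """One card or account transaction with a merchant location (constructed schema)."""
    account: str
    when: datetime
    merchant: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(txns, max_kmh: float = 900.0):
    """Flag consecutive transactions on the same account whose implied speed
    exceeds max_kmh. Returns a list of dicts describing each suspicious pair.
    The threshold is an assumption: tune it to the population being monitored."""
    by_account = {}
    for t in sorted(txns, key=lambda t: t.when):
        by_account.setdefault(t.account, []).append(t)

    flagged = []
    for seq in by_account.values():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if hours > 0:
                kmh = km / hours
            else:
                # Identical timestamps: any real distance is physically impossible.
                kmh = float("inf") if km > 1.0 else 0.0
            if kmh > max_kmh:
                flagged.append({"account": prev.account, "from": prev, "to": cur,
                                "km": round(km, 1), "kmh": round(kmh, 1)})
    return flagged


# Constructed sample data: account A reproduces the article's scenario,
# account B is an ordinary trip from Washington to Baltimore.
SAMPLE_TXNS = [
    Transaction("A", datetime(2006, 7, 1, 12, 0), "DC barber", 38.9072, -77.0369),
    Transaction("A", datetime(2006, 7, 1, 12, 20), "Chicago diner", 41.8781, -87.6298),
    Transaction("B", datetime(2006, 7, 1, 12, 0), "DC cafe", 38.9072, -77.0369),
    Transaction("B", datetime(2006, 7, 1, 13, 0), "Baltimore bookshop", 39.2904, -76.6122),
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_TXNS):
        print(f"account {hit['account']}: {hit['from'].merchant} -> {hit['to'].merchant}, "
              f"{hit['km']} km at {hit['kmh']} km/h")
```

The check needs nothing more than timestamped, geolocated transaction records joined per account, which is the "raw data" the article says the government would have to be allowed to search.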

Recovery: Foul-ups and data fiascos are bound to happen, as we have all seen lately. Given this fact of life, why not legislate this simple command: All Internet-transportable personal identification data should be readily replaceable. That means you can't identify a person by his Social Security number, his date of birth, or his mother's maiden name.

The reason is that these are immutable pieces of data. Today we have countless online stores, clubs, and other organizations, each of which holds our personal information in its data vaults. A thief can compromise one such vault and then use that information to steal a person's identity elsewhere.

The alternative is to build on Microsoft's Passport idea: Hard personal data are stored in a few mandated locations that issue replaceable ID strings (RIS) for the public. Anyone can verify the RIS, and, if stolen, it can be readily replaced. And here comes the neat part: an RIS can be coded. Say, then, that a convicted data thief gets an RIS that identifies him as an ex-con data hacker. This would alert stores and other parties that might wish not to do business with that individual. Imagine: an Internet thief who lives online, yet cannot transact online. Here's punishment and deterrence (and no jail cell needed).
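To make the RIS idea concrete, here is an added toy issuer, written for this page and not taken from the article, Microsoft Passport or any real identity provider. It assumes verification is an online query to the issuer (the article does not say how "anyone can verify" an RIS), signs each string with an issuer-held HMAC key, and lets a subject revoke a stolen string and receive a fresh one bound to the same immutable record, so a store only ever holds the replaceable string.

```python
import hashlib
import hmac
import secrets


class RISIssuer:
    """Hypothetical 'mandated location' holding immutable personal data and
    issuing replaceable ID strings (RIS). Names and layout are assumptions."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # issuer-only signing key
        self._vault = {}                     # ris -> subject record (never leaves here)
        self._revoked = set()                # strings reported stolen

    def _tag(self, token: str) -> str:
        """Authentication tag so a forged string fails before any lookup."""
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()[:16]

    def issue(self, subject: dict) -> str:
        """Bind a fresh random string to the subject's immutable record."""
        token = secrets.token_hex(8)
        ris = f"{token}.{self._tag(token)}"
        self._vault[ris] = subject
        return ris

    def verify(self, ris: str) -> bool:
        """Online check by a relying party: well-formed, genuinely issued, not revoked."""
        parts = ris.split(".")
        if len(parts) != 2:
            return False
        token, tag = parts
        if not hmac.compare_digest(tag, self._tag(token)):
            return False
        return ris in self._vault and ris not in self._revoked

    def replace(self, old_ris: str) -> str:
        """Subject reports theft: the old string dies, a new one is issued for the
        same record. The Social Security number behind it never has to change."""
        if not self.verify(old_ris):
            raise ValueError("unknown or already revoked RIS")
        subject = self._vault[old_ris]
        self._revoked.add(old_ris)
        return self.issue(subject)


class Store:
    """Relying party that keeps only the RIS, never the hard personal data."""

    def __init__(self, issuer: RISIssuer) -> None:
        self._issuer = issuer
        self._customers = set()

    def onboard(self, ris: str) -> bool:
        if not self._issuer.verify(ris):
            return False
        self._customers.add(ris)
        return True


def theft_scenario():
    """Walk through issue, theft, replacement; returns (old_ok, new_ok, thief_ok)."""
    issuer = RISIssuer()
    # Constructed subject record; the SSN value is a placeholder, not real data.
    ris = issuer.issue({"name": "A. Customer", "ssn": "000-00-0000"})
    store = Store(issuer)
    old_ok = store.onboard(ris)            # legitimate use before the theft
    new_ris = issuer.replace(ris)          # subject reports the string stolen
    new_ok = store.onboard(new_ris)        # fresh string works
    thief_ok = store.onboard(ris)          # stolen string is now worthless
    return old_ok, new_ok, thief_ok


if __name__ == "__main__":
    print(theft_scenario())
```

The point of the design is the last line of the scenario: once the vault holds the immutable data and stores hold only the RIS, a breach at one store costs the victim a reissued string rather than a lifetime of exposure.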

It takes quite a bit of work to translate a vision like this into prosecutable legislation, but that's the challenge for Congress. We should expect them to focus on this job every free minute between their re-election campaigns.