Identity theft in AP Computer Science Principles

Identity theft is the criminal use of a person's personally identifiable information (PII), like a Social Security number or financial data, to impersonate them or to help plan other crimes. In AP CSP it appears in Topic 5.6 (Safe Computing) as a major risk of collecting and storing personal data.

Verified for the 2027 AP Computer Science Principles examLast updated June 2026

What is identity theft?

Identity theft is what happens when a criminal gets hold of your personally identifiable information (PII) and uses it to pretend to be you. PII is any information that identifies, links, relates to, or describes a specific person. The CED's examples include Social Security numbers, phone numbers, medical information, financial information, and biometric data. With enough of those pieces, someone can open credit cards in your name, drain accounts, or commit other crimes while wearing your digital identity.

Here's the framing that matters for AP CSP: identity theft is the payoff at the end of an attack, not the attack itself. Phishing, keylogging, rogue access points, and data breaches are all ways criminals collect PII. Identity theft is what they do with it afterward. The exam cares about this cause-and-effect chain, which is why the term lives in Topic 5.6 under the risks of collecting and storing personal data on computer systems.

Why identity theft matters in AP® Computer Science Principles

Identity theft sits in Unit 5 (Impact of Computing), Topic 5.6 (Safe Computing) and connects directly to three learning objectives. Under AP Comp Sci P 5.6.A, it's the headline risk of storing personal data, since every search history, location record, and stored account is potential raw material for a thief. Under AP Comp Sci P 5.6.B, it's the reason authentication measures like strong passwords and multifactor authentication exist. Under AP Comp Sci P 5.6.C, it's the end goal of techniques like phishing and keylogging. If you can explain how PII gets collected, how it gets stolen, and what protections block the theft, you've basically mastered the security half of Unit 5.

How identity theft connects across the course

Phishing (Unit 5)

Phishing is the most common on-ramp to identity theft. The fake email tricks you into handing over personal information, and that information then unlocks bank accounts and email. Phishing is the con; identity theft is the crime it enables.

Keylogging (Unit 5)

A keylogger records every keystroke you make, including passwords and account numbers. It's a quieter route to the same destination, since the stolen credentials feed directly into impersonating you.

Data aggregation (Unit 5)

Individually harmless data points (your age, your city, your pet's name) can be combined to reveal or guess sensitive PII. Aggregation is why a thief doesn't need your Social Security number up front; they can assemble your identity from fragments.

Multifactor Authentication (Unit 5)

MFA is the counter-move. Even if a thief steals your password, they still need a second piece of evidence, like a code on your phone, to get in. It turns one stolen credential into a dead end instead of a takeover.

Is identity theft on the AP® Computer Science Principles exam?

Identity theft shows up in multiple-choice questions, usually in one of three forms. First, scenario identification, where a question describes someone opening credit card accounts using stolen financial and medical records and asks you to name the crime. Second, risk evaluation, like which combination of PII creates the highest identity-theft risk (a Social Security number plus financial info is far more dangerous than an age plus a favorite color). Third, consequence analysis, such as identifying the most severe long-term privacy harm after a data breach. Your job is to recognize the chain: PII gets collected, an attack technique steals it, identity theft is the result, and authentication measures are the defense. No FRQ asks about identity theft directly (the Create performance task is about your program), so this is purely MCQ territory.

Identity theft vs Phishing

Phishing is a technique; identity theft is a crime that uses the results. Phishing tricks you into giving up personal information, often through a fake email or website. Identity theft is what the criminal does next, using that PII to impersonate you. On the exam, if the question describes the trick (a deceptive message asking for your login), the answer is phishing. If it describes the aftermath (accounts opened in someone's name), the answer is identity theft.

Key things to remember about identity theft

  • Identity theft is the criminal use of a person's PII to impersonate them or to help plan other crimes.

  • PII includes Social Security numbers, age, race, phone numbers, medical information, financial information, and biometric data.

  • Phishing, keylogging, and data breaches are methods of stealing PII; identity theft is the crime committed with that stolen information.

  • The riskiest PII combinations pair a unique identifier like a Social Security number with financial or medical information.

  • Strong passwords and multifactor authentication are the CED's main defenses against the unauthorized access that leads to identity theft.

  • Identity theft is tested in Topic 5.6 (Safe Computing) under learning objectives 5.6.A, 5.6.B, and 5.6.C.

Frequently asked questions about identity theft

What is identity theft in AP Computer Science Principles?

It's the criminal use of a person's personally identifiable information (PII) to impersonate them or to aid in planning other crimes. It appears in Topic 5.6 (Safe Computing) as a core risk of collecting and storing personal data.

Is identity theft the same as phishing?

No. Phishing is a technique that tricks you into revealing personal information, while identity theft is the crime of actually using that stolen PII to impersonate someone. Phishing is one way identity theft starts, but they're different exam answers.

Is your age really considered PII?

Yes. The CED lists age, race, and phone numbers as PII alongside Social Security numbers and financial information, because even low-stakes details can be aggregated to identify or impersonate someone.

What combination of information is most dangerous for identity theft?

A unique identifier plus account access. A Social Security number combined with financial information lets a criminal open accounts in your name, which is exactly the scenario AP practice questions describe.

How do you prevent identity theft according to the AP CSP CED?

Through authentication measures. A strong password (easy for you to remember, hard for others to guess) and multifactor authentication, which requires at least two separate pieces of evidence, block unauthorized access even if some of your information leaks.