In this article, the concept of 'data responsibility' is proposed, a concept which requires the realization that - in the modern electronic age - owners and users of information which may be regarded as private (credit card details and other personally identifiable information) must take some responsibility for the guardianship of this information.
This translates into an increased awareness that personally-identifiable information must be adequately secured by both the owner and the user, who are by no means the same entity. Identity theft can be seen as an example of how this data responsibility is lacking.
Identity theft
Although identity theft has as its ultimate victim the consumer, there are many parties to whom the term 'irresponsible' can be applied, not including the perpetrator of the crime, who is criminally guilty. Examples include the credit-reference agencies such as Experian and Equifax; information-brokers on the Internet who deal in social security numbers, dates of birth and existing credit card numbers; and business and credit card companies who do not secure customer data in an appropriate fashion. This all points to the concept of a 'dependency chain,' where at any point along this road, someone could act irresponsibly with identity-related data, thus leading to the potential for misuse. This chain cannot exclude the consumer who owns the data.
Recent statistics by the Federal Trade Commission (FTC) indicate that, in the United States, the crime of identity theft is growing at an alarming rate. The FTC reports that since November 1999 there have been over 82,273 cases of identity theft. In the first six months of 2001, the FTC handled 36,650 complaints - this was more than in all of 2000. Most of the crimes involved obtaining the credit card information of the victims.
Some debate still exists as to whether this crime is new and directly related to the information age, or whether it is simply computer-assisted crime where the presence of information technology has made it easier to achieve simple 'old-fashioned' crimes. Law enforcement believes it to be a new take on an existing crime. It is certainly one that has become more commonplace since the increasing availability of technology such as cheap computers and Internet connections. U.S. Department of Justice representatives have stated, in testimony to Congress, that technology has made this crime an easy 'no-brainer' that can be accomplished in seconds and is almost impossible to trace.
The FTC reported that the majority of the cases of identity theft were concerned with obtaining credit card data, particularly for opening new lines of credit (19,856 cases). This seems to indicate that credit card fraud is evolving to take advantage of new technology. In 6,997 cases, charges were based on existing credit cards and 3,297 cases were those where a line of credit was otherwise abused (probably by relatives). Household data was the next most popular target; 17.36 percent of victims of identity theft had a phone or other household utility service signed-up to illegally.
Rogue employees working for credit card companies are also a big threat, as investigators say that such criminals can harvest thousands of numbers in a single sitting and apply for new credit lines in bulk. Such employees use their status as the first line of customer contact to obtain new cards and abuse lines of credit already applied for.
As with many other more serious forms of crime, most of the victims of identity theft know the perpetrators: a fact which seems to debunk the myth that identity theft is easy to conduct due to the electronic connectivity present in modern day society. Experts have argued that the presence of personal data held on a variety of electronic networks makes it a simple task for a stranger to defraud someone of their identity. However, the fact that the modus operandi and prime target is credit card information indicates that criminals are not too concerned about hacking into databases containing different types of identity information. They are more concerned with a single source of identity information: credit card data.
Law enforcement officials suggest that, paradoxically, they must let identity thieves get to a certain level of fraudulent transactions before swooping in to make arrests, as making any move beforehand is simply not cost-effective. It is commonly believed that a figure of US$100,000 is regarded as a threshold for this to occur. On average, it takes a year for people to realize that they have been defrauded, by which time around US$100,000 has been incurred in costs. Although this is little succor to victims, data that suggests credit card information is the biggest target does provide a shred of hope for all those who fear that they may become a 'non-person' as a result of the abuse of electronically-stored personally-identifying information. This demographic seems to have altered of late - although instances of the crime are still growing, credit card information is now the greatest target.
The reason this is possible is generally poor database security at the storage end of the previously discussed dependency chain. Unfortunately, both in North America and Europe, this has yet to be resolved in favor of the consumer. Businesses worldwide have yet to realize properly the dangers of failing to provide adequate protection for personal information (although awareness is slowly increasing). Despite the publicity surrounding the compromise of personal credit card information from online companies, and the admission by household Internet names like Amazon that their facilities are nowhere near secure enough, in 2001 there were still too many examples of businesses (particularly 'dot-coms') putting time to market ahead of security.
The Lack of Data Responsibility
Why should businesses be bothered about this crime? Here in the U.K., we have the lowest regulatory profile in Europe and there are important protections against misuse of personal data (more so than in the United States, where identity theft is a increasingly common occurrence), but this problem is one that only highlights a greater affliction to which all members of the online society may be prone. This is the lack of 'data responsibility.'
The average consumer has a limited knowledge of computer security and is, thus, a weak link in the security chain from corporate web site to home user. Therefore, with a suitable education campaign, citizens should be made more aware of the use that their data can be put to - both good and bad. Although some knowledge of this has come about as a result of the European Union's attempts to ban 'cookies,' everyday users are - to a great extent - unaware of the liberties being taken with their data. Such a government-backed campaign could empower citizens to 'take control' of their data. Online citizens would then be properly armed to ask questions like: 'Where is my data going?' and 'What will it be used for?' If users were more knowledgeable, then businesses would soon make it a central part of their strategy to prove to the customer that the data entrusted to them is adequately secured.
This has already been witnessed to a certain extent in the U.K. with the Home Office-sponsored 'think u know?' campaign, designed to alert younger Internet users to the dangers of pedophiles in online chat rooms. The campaign, whilst recognizing the duties of parents to protect their children's safety, urges children not to give out any personally-identifiable information, and to use caution when revealing to others facts that could possibly be used to track them in real life.
The same principles could be applied in the adult world too. Although many individuals understand the trade-off between giving out credit card information and getting something back in return (i.e. a product), they still fail to accept the necessity of understanding the protections that the custodian of their data should have.
Another interesting question posed is what amounts to a reversal of the burden of protection. In other areas of civil liability against criminal activity, the average citizen expects, as part of the social contract between state and citizen, that the police, justice system and law enforcement will protect him or her from forms of crime.
This can also been seen to be happening in the U.K. in the area of mobile-telephone theft. The Juvenile Justice Board, a group which advises the Home Office on crime and justice issues, stated in late-2001 that people should do more to mitigate the risks against this particular form of crime. Although this advice may be of a similar vein to "don't go down dark alleys late at night," it was argued in the public debate surrounding mobile phone crime that people who chose to have such devices should make themselves more aware of the risks as a consequence.
The question therefore becomes, what should be the balance of protection of customer rights in this modern electronic age? We cannot, for instance, apply the same principles to protect ourselves from other forms of crime, such as homicide or drunk driving, or else we would never leave the home.
Conclusions
There are a number of technological developments that may bode ill for identity security in the 21st century. The increasing appearance of smartcards - the next generation of payment devices - will have important consequences for consumers. Smartcards, or 'stored value instruments,' provide another means by which personally-identifiable data can be stored. Although current versions such as the AMEX Blue card are generally regarded as insecure, the U.S. Postal Service and other agencies are working on secure and traceable versions.
However, technological solutions do not a secure environment make. Regardless of how many chip systems are released, or how many new payment systems introduced by big credit card companies, it won't come to anything unless consumers - and the companies trying to make money out of them - are aware of their roles in guarding personal data. Furthermore, a cursory look at identity theft (still only a small part of the problem) reveals the nature of a bigger chestnut regarding security generally. If credit card companies cannot get such a simple thing as consumer privacy right, then what hope is there for more important information such as national defense secrets?
Neil Robinson is the research coordinator for the U.K.'s Information Assurance Advisory Council (www.iaac.org.uk).
