Anti-ID theft tools
OUT-LAW Radio, 18/01/2007
We look at what you can do to avoid having your digital identity
stolen, and discover why Britain's doctors may be about to derail
the NHS's £12bn IT system.
A text transcription follows.
This transcript is for anyone with a hearing impairment or who
for any other reason cannot listen to the MP3 audio file.
The following is the text spoken by OUT-LAW journalist Matthew
Magee.
Hello and welcome to OUT-LAW Radio, the weekly podcast that
keeps you up to date on all the twists and turns in the world of
technology law.
Every week we bring you the latest news and in-depth features
that help you to make sense of the ever-changing laws that govern
technology today.
My name is Matthew Magee, and coming up on this week's show with
identity theft and fraud dramatically increasing, we talk to some
of the companies that can help you protect your digital self. And
we talk to the doctor's representative body on the cusp of
de-railing the NHS' £12 billion IT system.
But first, the news.
- Dishonest data protection notices could earn jail time;
and
- Cisco's iPhone trade mark under threat in US
People who gather personal data without issuing a valid data
protection notice in the course of their business could in theory
face up to 10 years in jail under the UK's new Fraud Act which came
into force on Monday.
The Act was passed by the House of Commons in November but only
came into force this week. Though legal experts say that a 10 year
jail sentence seems extremely unlikely for an improperly-worded
data protection notice or the absence of one, the law does make
such a term possible.
Section 3 of the Act creates the new offence of failing to
disclose information. The Act also outlaws the possession of
'phishing' kits. Phishing is the act of sending a fake email to
many people pretending to be from a well known company, usually a
bank. It sends readers to a fake site which can then gather the
person's banking details and defraud them.
Previously it was not an offence to possess the software and
tools necessary to launch phishing attacks, but the new law does
make that an offence.
Cisco may lose the rights to the term iPhone in the US, it has
emerged. The news follows last week's revelation by OUT-LAW that
the company is in danger of losing the European trade mark.
Last week OUT-LAW exposed the legal loophole that could be used
to put the trade mark rights in Apple's hands. A US lawyer has
found a similar loophole there.
Cisco currently holds the trade mark rights to the term iPhone
but Apple last week launched its mobile telephone which it called
iPhone, even though it had been negotiating under 24 hours earlier
with Cisco over a licensing deal. Cisco immediately filed a law
suit claiming infringement of its mark.
In order to keep a trade mark in the US a company has to file a
declaration of use to the US Patents and Trademarks Office by the
sixth anniversary of the registration of the mark. Jay Behmke, a
partner at trade mark law specialists CMPR in the US, told Ed
Burnette's Zdnet Blog in the US that the company's filing a
year ago may not be good enough to keep the trade mark in its
possession.
That was this week's OUT-LAW news.
Identity theft and fraud resulting from it are fast becoming
serious problems for millions of Britons. As chip and PIN
technology makes physical card fraud harder to do, criminals have
moved on to identity theft, where rather than use your existing
card, a thief will pretend to be you and apply for a whole new card
that you never know about until it is too late.
Up to four million people in the UK could have been affected by
the problem and the Government says it costs £1.7 billion a
year.
So what can you do about it? Sainsbury's bank, a joint venture
between the retailer and Halifax Bank of Scotland, has just
released a new product which warns users when someone applies for
credit in your name. It also offers help in sorting everything out
if your identity is stolen.
Don McLeod, Credit Manager at Sainsbury's Bank, says that ID
fraud is growing at an alarming rate.
"The data that we have is that in the last five years it's grown
from around 20,000 cases in 1999 to about 140,000 cases in 2005 and
that data came from CIFAS, the UK fraud agency. So it is a
significant issue and it's also growing in scale."
Thieves are moving from cloning and stealing actual cards to
pretending to be you on a long term basis to take out loans and
credit cards, set up mortgages and even get married for money to
help someone skirt immigration laws.
Though in most of these cases the financial institution or the
shop involved will eventually pay for whatever the fraudster spent
in your name, you still need to prove that the transaction was not
carried out by you.
That laborious task is where McLeod's case management team comes
in.
"The fraud is really against the bank, it's not against you
which also causes for you if you are a victim of ID fraud because
the Police, the crime is against the bank rather than you so for
the Police it's a very ambiguous position for them to be in and the
level of support and service they can provide you is fairly limited
because there has been no crime committed directly against
yourself. We would direct you to our victims of fraud team which is
a dedicated case management team. So they would take your case on
and look to have your file cleared and get your credit history
restored and ensure that all these other loans and applications
that have been made in your name are all cleared and everything is
restored to the position it should be."
The proliferation of personal information that is publicly
accessible means that ID theft is easier than ever. From Friends
Reunited to eBay, MySpace to Google, a person could build a pretty
complete picture of our lives with greater ease than ever
before.
Tom Ilube and Mike Harris founded internet bank Egg, and they
have just launched a new company designed to help you keep track
and some control over all that information. Called Garlik, its
first product is data patrol. Ilube explains:
"What it does, is it essentially scans the digital world so it
looks at about 4 billion web pages, it looks at most of the main
public records that are available such as electoral role, Companies
House, Land Registry, geodemographic information and it pulls
together as complete as we can a picture of you in the digital
world. And then what we do on a monthly basis is we repeat that
sweep of the digital world and see if anything new has appeared, if
anything material has changed and we alert you to those changes and
any actions that you should take."
Before launching, Garlik commissioned some research from
criminologist firm 1871. They actually talked to some ID fraudsters
to find out how the burgeoning industry works and found some
interesting results.
"What they told us is that the industry of identity theft is
much more organised than you might think. It is actually quite
structured and there are people who focus their attention on
collecting information. They then sell that information on to
people who are then going to go on and exploit it. The second thing
that they said is that identity fraudsters are definitely becoming
aware and acting on the fact that there is a lot of personal
information on the internet that didn't used to be available and
the third thing that they came back to us with is that it is
possible to quantify approximately how much the average UK citizen
is worth to an identity fraudster and they put the value at
£85,000."
Nobody can keep track of or control all the information that is
out there identifying them, but Ilube says you just need to make
sure that you are slightly harder to defraud than the next guy. He
also has some worrying news for the law profession.
"If you have taken more action than the other people around you
then you are less likely to be a target. The criminals who are
doing this sort of thing are resourceful but they will take the
easiest route. If you are smart enough to reduce your profile then
you just reduce the risk of becoming a victim. The types of people
who are particularly attractive to credit card fraudsters are
lawyers as it happens, because as lawyers they tend to be high
earning, they tend to have quite a lot of information about
themselves in the public domain, it is very easy to find names and
addresses and phone numbers etc."
With the average person worth about £85,000 to a fraudster, this
is a lucrative trade that will not disappear any time soon. Ilube
says that we will all need to re-evaluate the way we think about
ourselves and our information.
"We need to accept that this is the digital world we live in. In
a way part of what we are doing is making people aware that they
have got a personal identity, they have got a digital identity
which is as important in some ways in this world we live in now as
their physical identity."
The Government's record on major IT projects looks set to take a
further battering, this time from an unexpected source: doctors. A
major new NHS computer system will rely on doctors inputting health
information, but the Department of Health (DoH) recently turned
down a large number of requests from patients not to be included in
the system.
Though Ministers said people would be able to opt out, the DoH
refused people that right in these cases. Doctors are up in arms
and, as OUT-LAW recently revealed, are on the brink of boycotting
the system. The issue is one of control of information: the DoH has
now asserted its rights as data controller. Doctors think it has no
right to do that and that they are still in control of our
records.
Data protection expert Dr Chris Pounder, of Pinsent Masons the
law firm behind OUT-LAW, confirms that the DoH's actions are
reserved to the data controller.
"By stating in his letter the fact that the DoH will be offering
the right to object to processing of personal data the Department
of Health is claiming the status of data controller under the Data
Protection Act and as a data controller the Department of Health
can determine the purpose and manner of the processing of the
nations health records."
Richard Vautry is the British Medical Association's negotiator
on IT issues and a member of its GP committee.
"The Secretary of State is the owner of the record, but
nevertheless for all intents and purposes the record is held by the
practice and the practice is the data controller. I mean we believe
this particular suggestion by the Department of Health is unlawful
and certainly it is outwith our understanding of the Data
Protection Act."
Vautry says that the BMA is prepared to act.
"If they insist on that position, which we think is untenable,
but if they do then it would mean that we would be obliged to
advise practices not to get involved in giving any information to
the Summary Care Record. And I am sure GPs would be very
unwilling to do so because they would put them in a very legally
indefensible position."
Though Vautry told OUT-LAW that he believed the Department of
Health's line was softening, the Department did not comment to
OUT-LAW but Pounder says that the dispute underlines the fears of
the system's critics.
"This gives the Department more control over the information
that is currently in its posession and this could play into
the hands of critics that argue that once the NHS system is up and
running, the DoH will be in a position to exploit medical records
for different purposes."
That's all we have time for this week, thanks for listening.
Why not get in touch with OUT-LAW Radio? Do you have a legal
problem you would like us to discuss on air? Do you know of a
technology law story? We'd love to hear from you on radio@OUT-LAW.com.
Make sure you tune in next week; for now, goodbye.
OUT-LAW Radio was produced and presented by Matthew
Magee for international law firm Pinsent Masons.
