Thursday 26 April 2007

Who is stealing my identity?

With yet another IT bungle, today we learn that the NHS has exposed personal information about junior doctors to the public at large. The abysmal tech failures of the mammoth health care organisation are widely reported and continue to bleed UK taxpayers dry, so I won't labour the point here. This latest gaffe points to another major concern - the vulnerability of individuals trying to protect their identities in the most surveilled society in the west.

On the one hand, we are bombarded with dire warnings about the increasing dangers of identity theft while, on the other hand, our personal information is required to perform the most mundane transactions. Here are just a few examples I personally experienced. I learnt on the news recently that my bank information was compromised following the theft of an employee's laptop. Breaking the story, the BBC informed us that the theft occurred some months ago but the bank had not bothered to alert its customers. Charming!

Hot on the heels of this story, I learn that my credit card details may have been included in the theft of customer details from a UK-based retailer - another stolen laptop - this time in the US, owned by the parent company of the retailer. And again, first thing I hear about it is on the news - not a word from the company responsible.

Against this backdrop, I am bombarded by unsolicited phone calls from a credit card company that wants to sell me identity theft protection. Seemingly incapable of protecting my data, they spot an opportunity to play on my fears to charge me even more money for their incompetence. Who are these jokers?

It's not easy (in fact probably impossible) to avoid giving your information to banks and retailers and their negligence is nothing short of criminal. But the danger doesn't stop there. Recently, I was in the market to rent a house. Property rental agencies require a myriad of references for would-be tenants, and charge hefty fees for the "service". After finding a suitable property, I picked up the referencing paperwork from the agency. This agency outsourced the referencing process to a third party, passing not only bank details but also tax and employment information to an anonymous internet-based service. They wanted to charge me 100 pounds for the service for which they paid less than 20 pounds (I did my homework), and if I failed to meet the secret criteria of this third party my fee was forfeit. The agency were surprised at my misgivings - am I the only person that notices such things? I looked elsewhere for a house.

At the same time I replied to a telecommuting job advert posted on Craigslist and was pleased to receive a positive response. Until I looked at the fine print which required me to scan my university transcript, proof of ID (such as passport or driving licence) and email them to some stranger. And, of course, if I wanted payment, they would also require my bank details, a nice haul for any criminal. That's one job I won't be taking up.

Fortunately, because I try to avoid driving, I was not a victim of the major credit card fraud that has been occurring at petrol stations across the length and breadth of the UK. There is a suspicion that these thefts are the work of a ring of Sri Lankan criminals and that the proceeds are being used to fund the Tamil Tigers. Isn't that just fine and dandy.

With the exception of the job advert, these dangers are of a physical nature. The online threats are even scarier. Maintaining my list of online passwords is a total pain and gets worse by the day - especially since I'm one of those paranoid people that likes to have a unique password for each site I join. The response from the great and the good of the internet is the OpenID initiative, described as a free distributed authentication system. The idea is that we all set up a personal ID and password, either on our own servers or with an OpenID provider, and we can then use this single ID to identify ourselves at all internet sites that participate in the system.

Getting rid of the password hassles is very appealing but at what price? Corporate identities can be safely managed by company servers and subject to their security policies, but what of the individuals that have to purchase the service from an OpenID provider? I don't expect they will provide the service free of charge so the system will introduce a cost for internet entry which might prove prohibitive to many. And why should I trust the security policies of any of these providers which must, surely, be a magnet for hackers and criminals?

Something else that bothers me about OpenID is the profound lack of negative commentary about the initiative. With giants like Microsoft and AOL coming on board, the idea is gaining ground rapidly. But, as I said earlier, corporations can run their own servers and can impose heavy-duty security policies on their implementations. For them, the system is practical and provides them with greater controls than before. Are these the same giants that favour the two tier internet and fight against net neutrality I wonder? Will OpenID emerge to be just another attack on internet freedom, excluding the poor and making them even more vulnerable to fraud?
