Identity theft

About: Identity theft is a research topic. Over the lifetime, 2284 publications have been published within this topic receiving 31700 citations.

Federated Identity Management: Balancing Privacy Rights, Liability Risks, and the Duty to Authenticate

Abstract: In an online environment, identifying and authenticating a person or entity that seeks remote access to a corporate system, that authors an electronic communication, or that signs an electronic document, is the domain of what has come to be called "identity management." It is essential to establishing the trust necessary to facilitate electronic transactions of all types, plays a key role in fighting identity fraud, and in many cases has become a legal obligation. Yet it is also a process that typically requires the disclosure, verification, storage, and communication of personal information, and thus, by its nature, raises significant legal, privacy and liability concerns, among others. This paper outlines the basic concepts behind identity management and the developing concept of federated identity management, and identifies and examines some of the key legal risks that must be addressed to make it work. In particular, it: • Explains the basic principles that underlie the concept of commercial identity management; • Identifies the numerous legal issues raised by the use of identity management systems; • Focuses on the privacy implications of the collection, verification, storage, communication, and disclosure of personal information in the context of identity management systems; • Examines the role of identity management in addressing the legal and risk-based obligations to authenticate remote parties; and • Evaluates the legal requirements applicable to all identity management systems, and how the operation of those systems raises issues of concern relating to the privacy and security of personal information

Contextualizing the Tensions and Weaknesses of Information Privacy and Data Breach Notification Laws

Abstract: I. INTRODUCTION Data breach notification laws appear to have been a successful addition to legal frameworks relating to the protection of personal information. For example, as a result of these laws, numerous information security failings have been reported that have affected both corporate and governmental institutions. (1) They have uncovered a major social problem that has the capacity to affect millions of citizens. (2) They have highlighted that general levels of corporate information security practices are inadequate. It is not surprising that these apparent successes have been instrumental in the proliferation of data breach notification laws throughout the United States (US) and beyond. only a handful of US state legislatures have not yet enacted a data breach notification law (3) and it is possible that a federal law will be implemented this year. (4) other jurisdictions have also followed suit, including the European Union (EU), (5) and comprehensive proposals have been put forward in a number of other jurisdictions including Australia, (6) Canada, (7) New Zealand (8) and the United Kingdom (UK). (9) At face value, there are apparent similarities between data breach notification laws and information privacy laws as they both involve legal obligations relating to the protection of personal information.10 Both laws seek to foster better security practices and have an information dissemination role that provides an individual with greater knowledge about how his or her information is stored and used. However, the development of data breach notification laws relates to a fundamental difference within information privacy legal regimes that is typically highlighted by distinctions between the sectoral approach to information privacy adopted by the US and the comprehensive approach to data protection adopted by the EU and other countries. (11) These distinctions manifest in different ways and this article identifies vertical tensions between both laws and shared horizontal weaknesses within both laws. Data breach notification laws were developed in the absence of a comprehensive data protection framework as a specific law for a particular problem, (12) whereas they are now being implemented within the generic rights-based frameworks founded on comprehensive approaches to data protection or information privacy. (13) Data breach notification laws consequently not only attempt to fulfill a specific purpose, the mitigation of identity theft, but also have expansive conceptual aims originating from the conflicting goals of consumer protection and corporate compliance cost minimization. Comprehensive information privacy legal frameworks, on the other hand, have an expansive purpose, namely, to ensure legal protections related to the protection of personal information. Information privacy laws set minimum standards that relate to fair information practices and provide individuals with a series of limited rights of involvement in the process of personal information exchange. (14) The different developmental rationales behind encryption safe harbors for data breach notification demonstrate differences in the types of regulatory responses adopted by both laws. Data breach notification laws adopt market-based initiatives that are cognizant of corporate compliance cost burdens, whereas comprehensive information privacy laws adopt rights-based protections that favor individual interests over corporate requirements. (15) Combined with vertical tensions, there are also shared horizontal weaknesses because both laws are predicated on overt information-based foundations. (16) Both laws focus too much on the type of information regulated rather than the social contexts and relationships that are involved in the personal information generation and exchange processes. Regulatory responses are formed upon the creation of chains of accountability and "one size fits all" remedies. These chains are founded upon binary relationships involving three parties: a personal information provider, a personal information collector, and a personal information re-user. …

Data sovereigns for the world economy

Abstract: With the rise of data capital and its instantaneous economic effects, existing data-sharing agreements have become complicated and are insufficient for capitalizing on the full value of the data resource. The challenge is to figure out how to derive benefits from data via the right to data portability. Among these, data ownership issues are complex and currently lack a concept that enables the right to data portability, is conducive to the free flow of cross-border data, and assists in the economic agglomeration of cyberspace. We propose defining the term “data sovereign” as a person or entity with the ability to possess and protect the data. First, the word “sovereign” is borrowed from the fundamental economic notion of William H. Hutt’s “consumer sovereignty.” This notion of sovereignty is strengthened by Max Weber’s classic definition of “power” – the ability to possess any resource. We envision that data capital would provide greater “cross-border” convenience for engaging in transactions and exchanges with very different cultures and societies. In our formulation, data sovereign status is achieved when one both possesses the data and can defend any attack on that data. Using “force” to protect data does not imply an abandonment of data sharing. Rather, it should be easy for an organization to enable the sharing of data and data products internally or with trusted partners. Examples of an attack on the data might be a data breach scandal, identity theft, or data terrorism. In the future, numerous tedious, time-consuming, non-artistry, manual occupational tasks can be replaced by data products that are part of a global data economy.

Security Challenges For Expanding E-governments' Services

Abstract: In the scope and vision of using and expanding the types of services e-government portals can offer to citizens, one of the major challenges and possible barriers is the security concern. Unlike typical websites that include largely data to browse and download, such portals are expected to have sensitive private personal data about country citizens. The threat of possible intrusion or identity theft is high and may cause serious consequences. This paper proposes a multilevel security layered architecture for e-government websites based on the data access privileges. The paper evaluates the current security status of selected e-government portals in Jordanian e-government suite of websites. The focus of the evaluation is on possible vulnerabilities in securities and possible candidate threats. The study focuses on showing the weaknesses and problems that face the expansions of egovernment services in Jordan to be fully active in the e-business to provide services to citizens throughout the Internet. The study makes some recommendations on how to approach such problems.