Topic

Identity theft

About: Identity theft is a research topic. Over its lifetime, 2284 publications have been published within this topic, receiving 31700 citations.


Papers
Journal Article
TL;DR: In this article, the authors show that the economic loss rule does not provide a substantive rationale for barring tort claims because customers do not have the information necessary to adequately protect their interests by contracting, and that the important forms of damages caused by identity theft are all compensable as a matter of basic tort principles.
Abstract: Tort litigation over data breaches — defined here as the theft of one’s confidential information entrusted to another in a business transaction — most commonly involves the negligence cause of action. These claims turn on a number of issues that require searching analysis, including the manner in which the economic loss rule affects the tort duty, the relation between the negligence standard of care and strict liability, and the appropriate forms of compensable loss. Substantive analysis of these issues shows that they all can be resolved in favor of the negligence claim, which in turn justifies a rule of strict liability. The economic loss rule does not provide a substantive rationale for barring tort claims because customers do not have the information necessary to adequately protect their interests by contracting. Moreover, the common-law tort duty can be independently justified by the legislative policy decisions embodied in statutes that regulate data breaches. To prove a breach of the duty to exercise reasonable care, the victims of identity theft will often face considerable evidentiary difficulties stemming either from the complexity of data-security systems or the unreliability of other relevant evidence involving the conduct of defendant’s employees. For reasons recognized by tort law in analogous contexts, the evidentiary difficulties of proving negligence can justify a rule of strict liability for enforcing the tort duty to exercise reasonable care. Finally, the important forms of damages caused by identity theft — the cost of credit-monitoring services and the like, unauthorized charges, and any significant loss of time and emotional distress — are all compensable as a matter of basic tort principles. Strict tort liability in these cases ultimately finds justification in the important public policy of maintaining the integrity of market transactions.

1 citations

Book Chapter
17 Aug 2011
TL;DR: The European Commission has published in May 2009 a recommendation “on the implementation of privacy and data protection principles in applications supported by radiofrequency identification”, which requires RFID operators to conduct a “Privacy and Data Protection Impact Assessment” before any RFID application is deployed, and make its results available to the competent authority.
Abstract: The European Commission has published in May 2009 a recommendation "on the implementation of privacy and data protection principles in applications supported by radio-frequency identification", which is designed to provide "guidance to Member States on the design and operation of RFID applications in a lawful, ethical and socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal data." This recommendation requires RFID operators to conduct a "Privacy and Data Protection Impact Assessment" before an RFID application is deployed, and make its results available to the competent authority. The RFID recommendation is also designed to promote "information and transparency on RFID use", in particular through the development of "a common European sign developed by European Standardisation Organisations, with the support of concerned stakeholders", designed "to inform individuals of the presence of readers". The RFID PIA (Privacy and Impact Assessment) process aims to reach several objectives:
* to favour "privacy by design" by helping data controllers to address privacy and data protection before a product or service is deployed,
* to help data controllers to address privacy and data protection risks in a comprehensive manner, an opportunity to reduce legal uncertainty and avoid loss of trust from consumers,
* to help data controllers and data protection authorities to gain more insight into the privacy and data protection aspects of RFID applications.
The industry has proposed a RFID PIA framework which classifies a RFID application into 4 possible levels: Level 0 applications, which essentially cover RFID applications that do not process personal data and where tags are only manipulated by users, and which are rightly excluded from conducting a PIA. Level 1 applications cover applications where no personal data is processed, yet tags are carried by individuals.
Level 2 applications process personal data but where tags themselves do not contain personal data. Level 3 applications where tags contain personal data. If the RFID application level is determined to be 1 or above, the RFID operator is then required to conduct a four part analysis of the application, with a level of detail that is proportionate to identified privacy and data protection implications. The first part is used to describe the RFID application. The second part allows highlighting control and security measures. The third part addresses user information and rights. The final part of the proposed PIA framework requires the RFID operator to conclude whether or not the RFID application is ready for deployment. As a result of the PIA process, the RFID operator will produce a PIA report that will be made available to the competent authority. For the industry, only levels 2 and 3 are to be submitted to a PIA because it considers that information contained in a tag at level 1 is not personal. However level 1 raises concerns of the Article 29 Working Party because tagged items carried by a person contain unique identifiers that could be read remotely. In turn, these unique identifiers could be used to recognize that particular person through time. It raises the possibility that a person will be tracked without his knowledge by a third party. When a unique identifier is associated to a person, it falls in the definition of personal data set forth in Directive 95/46/EC, regardless of the fact that the "social identity" (name, address, etc.) of the person remains unknown (i.e. he is "identifiable" but not necessarily "identified"). Additionally, the unique number contained in a tag can also serve as a means to remotely identify the nature of items carried by a person, which in turn may reveal information about social status, health, or more.
Thus, even in those cases where a tag contains solely a number that is unique within a particular context, and no additional personal data, care must be taken to address potential privacy and security issues if this tag is going to be carried by persons. The Working Party has urged the industry to fully address this issue, by clearly mentioning it in the framework as part of a revised risk assessment approach for level 1. This chapter will address the issue of protecting privacy of RFID tag carriers in a privacy by design model which puts them in a position to decide if they accept or not to be tracked at level 1. In case of a negative decision, tags have to be deactivated. Security measures have also to be taken to protect personal information on RFID tags against information leak which could lead to identity theft.

1 citations

Proceedings Article
N. Wagner
11 Jul 2007
TL;DR: In this paper, the authors examined the demographic characteristics of the victims and offenders of identity fraud, and compared the general characteristics observed in the literature review and those of the case studies.
Abstract: This paper examines the demographic characteristics of the victims and offenders of identity fraud. After a brief introduction to identity theft and identity fraud, a literature review of the characteristics of victims and offenders are each discussed separately. Next, case studies are discussed in which information is known about both the victims and offenders. Comparisons are drawn between the general characteristics observed in the literature review and those of the case studies. Finally some research questions are addressed and conclusions are presented.

1 citations

Proceedings Article
25 Jun 2007
TL;DR: The panelists will discuss these threats, describe their current research and bravely predict the state of Internet security and privacy in the coming ten years.
Abstract: Summary form only given, as follows. Internet attacks are no longer for fun. Driven by financial gain, well-organized criminal groups, operating internationally while facing little obstruction from law enforcement, are collaborating to rapidly discover and exploit new vulnerabilities. These skilled professionals are using increasingly sophisticated attacks that target both businesses and individuals. The attacks employ multiple methods (e.g., phishing, spam, malware) and can spread in various ways (e.g., email, IM, P2P, Bluetooth, etc). At the same time, users are increasingly relying on the Internet, which poses serious privacy risks such as tracking users' activities and identity theft. The panelists will discuss these threats, describe their current research and bravely predict the state of Internet security and privacy in the coming ten years.

1 citations

01 Jan 2008
TL;DR: The Access Card and Register (the database that supports the Access Card) both have the potential to permanently erode the established rights of Australian citizens to information privacy currently secured by the Privacy Act 1988 (Cth).
Abstract: On 7 February 2007, the Human Services (Enhanced Service Delivery) Bill 2007 was introduced into the Federal Parliament by the Minister for Human Services. The purpose of the Bill was to introduce a Health and Social Services Access Card (the 'Access Card') by 2008 using smart card technology. Registration for the card was to be required by all Australian citizens seeking entitlement to health and social service benefits. The introduction of the Access Card would be within an Australian Government-controlled framework of interoperable smart cards. This structure may not necessarily have been accessed under the Human Services (Enhanced Service Delivery) Bill 2007, but it is certainly available for current and future government smartcard use. The Bill, passed by the House of Representatives on 28 February, and then introduced into the Senate on the same day, was adjourned and later withdrawn that same day. The Access Card and the Register (the database that supports the Access Card) both have the potential to permanently erode the established rights of Australian citizens to information privacy currently secured by the Privacy Act 1988 (Cth). This paper analyses the detrimental impact of the Access Card on privacy with respect to three concerns: the potential for function creep; that it is in all respects a quasi-identity card; and that it provides the opportunity for increased identity fraud and identity theft.

1 citations


Network Information
Related Topics (5)
The Internet: 213.2K papers, 3.8M citations, 76% related
Social network: 42.9K papers, 1.5M citations, 74% related
Service provider: 55.1K papers, 894.3K citations, 74% related
Authentication: 74.7K papers, 867.1K citations, 73% related
Information technology: 53.9K papers, 894.1K citations, 73% related
Performance Metrics
No. of papers in the topic in previous years
Year  Papers
2023  84
2022  165
2021  78
2020  107
2019  108
2018  112