Data theft and Identity theft – a Review
By
R. Ramamurthy, Chairman, Cyber Society of India, Chennai, India
geminirama@gmail.com
Pre-bureaucratic society had little need of identification management, since
social interactions were on a small enough scale to rest on trust and personal
recognition. Computerization has made transactional histories more detailed and
networks have made them available to many. As more data have become
available, they have been integrated into available systems, enabling services
never before possible. Information in the digital world can flow freely, and be
copied and stored at almost no expense, and it is on this information that our
transactions have become more dependent. In the increasingly digital realm,
trust depends on transactional history: credit reports, educational history,
employment history, and even criminal or medical history. The extension of trust
is based on transactional histories associated with some common identifier. For
the purpose of this discussion the identifier of identity is defined as “the
collective aspect of the set of characteristics by which a thing is definitively
recognizable or known.” The world of digital identity is full of concepts that at
first glance appear foreign because of the need to give precise definitions to
terms in order to discuss them and specify system behavior using them.
The key to identity authentication is described as “access to data to assist in the
validation, verification, and authentication of personal identifiers.” Validation of
the data is predicated on trust. The heart of identity management lies in the
creation and maintenance of trust. Trust allows for a consumer to have a defined
level of certainty in the authenticity of a credential based on the process by
which it was issued and the security of the token. Whether between individuals,
in commercial interactions or with government institutions, trust is critical for
any relationship. Trust also requires a reliable identity framework. An individual
must be confident in the relevant attributes of other parties in any relationship.
One vision of trust is predictability, manifest in reputation. A reputation must be
reliably tied to an identity, and this connection must be durable over a long
period of time. Reputations require identifiers, and these too must be bound to
the individual. Reputation is possible in pseudonymous or even anonymous
systems but these systems are identity management systems nonetheless. They
simply manage attribute information in a way that protects all personal
identifiers. In an online world, where all identifiers and attributes are in the form
of personal or public information, proper management of this information is
critical. Too little information accumulated precludes enough trust to build a
reputation. Too much information can have a chilling effect on behavior, as
people fear the accumulation of too much identifying information.
Current identification systems rest on confirmation of
personal information, yet that information is not uniformly secure or protected.
The declining value of this verification poses a growing threat to the validity of
these systems, yet any future verification must depend on currently used
documents.
User-centric identity is changing the way identity information is distributed on
the Internet. Instead of users entering their personal information into each web
application they use, user-centric protocol applications allow users to provide
their data via their desktop or via a third-party identity provider. This greatly
reduces the need for applications to store identity-related data, but changes the
user-application relationship by introducing a new third party. That new third
party is part of a new emerging service known as an Identity Provider.
As new authentication architectures are being developed and adopted for an
ever-growing number of applications, the privacy of individuals is being eroded
at an unprecedented pace, often with little or no justification at all. New
electronic communication and transaction mechanisms automatically capture and
record identities in central computer systems without individuals even being
aware of it. As more and more personal information is collected and recorded on
central systems, policies and traditional security safeguards to protect against
leakage and abuse are rapidly becoming ineffective. In a digitally networked
environment the functioning of services requires some mechanism for
identification. The issues surrounding identity management are complex in part
because the problem is so hard to bound. The set of risks and required analysis
are completely different depending on the apparent crisis one is setting out to
solve. Identity theft has very different causes than other serious crimes, and
wildly divergent risk analyses in terms of costs, probabilities and viable
alternatives.
Data protection is a global issue. Every nation has its own legal remedies and
ways and means to ensure data protection. ID theft is only a part of data theft,
almost an off-shoot. Many corporates and governments the world over have lost
enormous amounts of money and reputation due to data theft and ID theft. What
is reported as the official figure of loss is just the tip of the iceberg. Fearing
loss of reputation, and for other reasons, many individuals, companies and nations
hesitate to report the exact loss which would give a precise insight into the
magnitude of the problem.
Many cases of data scavenging have been reported worldwide. Data owners
and data custodians have to be careful while discarding used and unwanted
data. While e-waste, in the form of used and unwanted disks, chips, storage
devices and electronic gadgets, is a globally menacing concern, destroying the
data therein is a technological concern. To avoid scavenging and possible
recovery, disks are degaussed and physically destroyed. Much awareness has
to be spread on the use of degaussers and the technological capabilities of
recovering data from anything which is neither degaussed nor physically
destroyed.
Data Management is a significant step towards which all companies, ISPs, NSPs
and governments are heading and planning. Hence Data Management is
growing in importance too. Taking it as a subject of study in technological
circles, organizations are struggling to cope with the enormity of the situation.
Corporates are putting in a lot of research work on legal, administrative and of
course technological solutions to the problem. There are many tools available
like anti-stegano software to protect against steganography, anti-key loggers to
guard against the ills of key-logger software, and anti-spyware. Here again
technology has to sync with the law of the land, the policy of the company, the ethical
standards of the organization, and the individual and private rights enshrined in the
constitution of the particular country. A hacker, as is his wont, will neither care nor
be unduly worried that he is violating the private rights of the
citizen whose data he is accessing. A government or organization with ethical
standards, moral accountability and legal responsibility, however, cannot deploy any
anti-stegano, anti-spyware or anti-key logger software in any of the
systems, lest it also be accused of spying into one’s system.
The solution thus lies in understanding of the problem and study of the legal,
techno, administrative and cultural standards of the institution or the
organization. However it is beyond doubt that whatever be the express legal
provisions of the country or the lack of it, it is and shall be the responsibility of
the data custodian and the data owners to take care of the three factors of
security, namely confidentiality, integrity and availability of the data and thus
ensure the safety of information making it retrievable any time for the rightful
owner. When outsourcing has become the order of the day, in which most of
your data may be in some other hands, adequate safeguards must be taken on
both sides. Furthermore, there are the ubiquitous insider threats, which should
also be tackled in an appropriate manner.
The statutory acts and connected rules in several countries have not envisaged
the severity of the loss that can be caused by identity theft, and deal with identity
theft cases under the existing legal provisions, without looking into the enormity
of the loss of money, goodwill, brand image, credibility, time, energy and the
consequent possible loss of business etc. Many countries have not even passed
separate acts for Data protection and safety, including India. This problem needs
to be addressed immediately.
Now let me briefly describe the present Indian scenario on a massive concept of
allotting a Unique Identity number for the entire population of India. You can well
appreciate that the creation of an identity system for India, a country of 1.17
billion people will pose monumental challenges. The project seeks to assign a
unique identity (UID) number to each and every individual in the country that
would remain a permanent identifier right from birth to death of the individual.
From the point of view of any person in the country, the UID offers many
benefits. First and foremost, it would obviate the need for a person to produce
multiple documentary proofs of his identity and end needless harassment that
people face for availing of basic government services like issuance of passports,
driving licences, voter cards, employment cards, ration cards, etc. Backed by
intensive use of technology, it would greatly facilitate easy verification of a
person’s identity and enable a single communication to trigger address changes
in all relevant agencies’ records.
The UID would enable government to ensure that benefits under various welfare
programmes reach the intended beneficiaries, prevent cornering of benefits by a
few people and minimize frauds. It will help financial inclusion and also would
enable financial institutions to exchange information regarding defaulters and
encourage responsible borrower behaviour. Most importantly, the UID is
fundamentally being prepared to identify Indian residents so that better security
can be provided by identifying illegal immigrants and terrorists.
Government agencies face the intricate challenge of effectively and securely
controlling population flows, identifying individuals and managing their access to
services, while aligning their strategies with citizens’ expectations for
convenience, security and privacy. Data Management initiatives, especially after
the increased frequency of terrorist attacks around the world, have become a
political imperative of unprecedented urgency for an increasing number of
governments around the world. India’s answer to this challenge is expressed
through the UID scheme.
Enrolment/Registration will be the process determining the overall success of
the scheme. It is vital that the government agencies, in collaboration with the
subcontracted private sector organizations, build a reliable infrastructure that
will be able to accommodate the diverse needs of India’s population. The
challenges they will face include the enormous volume of applicants, the
coverage of all exceptional cases and the building of trust and familiarisation.
Identity authentication will be the most important operational process of a UID
scheme since it will be the means of providing assurance of the claimed identity
of an individual. However, extensive use of Identity Authentication may raise
concerns about citizen expectations and thus authentication processes should be
limited to the minimum level. In most transactions, the service provider need not
know the identity of the individual but need only verify that the returning individual
is the same individual as the one on the previous transaction. In addition, it is
particularly crucial to regulate the uses of data and purposes of collection to
avoid the catastrophic effects of function and identification creep. However we
are happy that a good business model is being worked out to make the system easy
for the citizens and to avoid duplication, etc. We are hopeful that it will help
prevent data theft and identification problems. Perhaps it may be a good
model to be emulated by other developing countries. We can possibly give a
helping hand in this regard.
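The observation above, that a service provider need only recognise a returning individual rather than learn who it is, can be met by giving each service its own stable pseudonym for the same person. The following is an added example, not part of the original paper or of the UID scheme; the class names, the HMAC-based derivation and the sample identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Hypothetical provider that derives a different, stable pseudonym per service."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # kept by the provider only
        self._enrolled = set()

    def enrol(self, national_id):
        self._enrolled.add(national_id)

    def pseudonym_for(self, national_id, service):
        # Assumes the individual has already authenticated to the provider.
        if national_id not in self._enrolled:
            raise KeyError("individual is not enrolled")
        # Length-prefix the service name so two (service, id) pairs cannot collide.
        msg = len(service).to_bytes(2, "big") + service.encode() + national_id.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


class ServiceProvider:
    """Stores transaction history under the pseudonym, never the real identifier."""

    def __init__(self, name):
        self.name = name
        self.history = {}

    def transact(self, pseudonym, item):
        returning = pseudonym in self.history  # same individual as before?
        self.history.setdefault(pseudonym, []).append(item)
        return returning


def demo():
    uid = "UID-CONSTRUCTED-0001"  # constructed sample value, not a real number
    idp = IdentityProvider()
    idp.enrol(uid)
    ration, bank = ServiceProvider("ration-office"), ServiceProvider("bank")
    first = ration.transact(idp.pseudonym_for(uid, ration.name), "visit 1")
    second = ration.transact(idp.pseudonym_for(uid, ration.name), "visit 2")
    bank.transact(idp.pseudonym_for(uid, bank.name), "account opening")
    # Two services comparing their records find no identifier in common.
    linkable = bool(set(ration.history) & set(bank.history))
    return first, second, linkable


if __name__ == "__main__":
    print(demo())
```

Because the two services hold different pseudonyms for the same person, their records cannot be joined on a common identifier, which limits the function and identification creep the paragraph warns about.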