Spams and Scams: The Privacy Angle
The following is a complete beginner's introduction to identity, written for a UK publication, and is not intended to be a definitive guide or technical document, so please go easy on the criticisms!
Every spam email is an intrusion upon the individual's right to privacy. Every successful scam represents an invasion - or theft - of their identity. The cost of these frauds to UK businesses is substantial, but more worrying is the impact upon individuals whose money is stolen, whose computer is corrupted, or whose identity is abused. If Britain is to take a leading role in the information age, then the public must feel that they can go online without fear of e-crime or the loss of their privacy.
The solution to these problems, however, does not rest with legislation. The law is rarely able to deal with e-crime: it cannot keep pace with the development of new attacks; admissible evidence is difficult to gather from individual victims; and the puzzle of international jurisdictions will always be with us. An effective solution to Internet spamming and scamming will instead require a combination of strong identity, technical controls and user education.
Strong identity is the guardian of privacy. If an individual can assert his/her identity across the Internet without disclosing any more information than necessary, and can trust the identity of the recipient, then the opportunity for scams is massively diminished. If the individual only accepts emails from sources that have proven their identities, then volumes of spam will collapse.
More importantly, each individual should be able to hold many different 'identifiers'. If I can split my identity into the multiple identifiers that I use day to day - for example, all the different identifiers in my wallet, such as bank cards, credit cards, library cards, security passes - then I need only disclose the relevant identifier to a given recipient. My privacy is protected because I release no more information than is necessary to assert my identity.
This approach, which forms part of a technology known as 'federated identity', allows users to mitigate the risk of possible loss or fraud. If I lose my wallet, then all the credit cards in it become vulnerable; but if I lose a federated identifier then no other identifiers are lost, and my overall identity remains secure. By limiting possible losses, identity providers can absorb a proportion of the risk (and possibly even indemnify the user against that loss), and inspire consumer confidence in e-commerce.
The proposed National Identity Cards scheme could facilitate the development of federated identity. Where the Bill falls short, however, is that it does not facilitate multiple identifiers for each individual, but instead uses a single identifier. The Government is consulting with industry about how its cards scheme relates to commercial federated identity, and this relationship must be commended and encouraged while there is still time to incorporate these ideas.
The second component of the solution must be the Government-sponsored provision of low-cost (or free) firewalls, content scanners and anti-virus systems for every UK Internet user. The cost of such an initiative would be relatively low compared with the economic impact of e-crime.
Finally, and most importantly, we need to educate users about the risks associated with the Internet. The Government has numerous initiatives in this area, and these should continue to be supported in partnership with industry to ensure that the message reaches every individual.
This combination of strong identity, good awareness and effective security tools will by no means put an end to Internet fraud, but it will almost certainly be a cost-effective, egalitarian and politically successful scheme that will drastically reduce Internet fraud without any individual being asked to risk their privacy just so that they can go online.