1414thth conference on: conference on: Computers, Freedom & Computers, Freedom &

PrivacyPrivacy

UK Identity TheftUK Identity Theft

Mark WebberMark Webber2323rdrd April 2004 April 2004

UK Identity theftUK Identity theft

• Fraud Advisory Panel ReportFraud Advisory Panel Report– Costs UK £1.3bn ($2.34) Costs UK £1.3bn ($2.34) – Up 39% in 2003 Up 39% in 2003

• Home Office – 300 hours average to Home Office – 300 hours average to set the record straight after ID fraudset the record straight after ID fraud

• £50m of UK benefits fraud based on £50m of UK benefits fraud based on fictitious identitiesfictitious identities

• Impersonation fraud up by Impersonation fraud up by ¼¼

Identity theft in the UKIdentity theft in the UK

• Fraud Advisory Panel ReportFraud Advisory Panel Report– Recommends the UK Government considers Recommends the UK Government considers

data sharing between government and data sharing between government and business to combat the fraudstersbusiness to combat the fraudsters

– Applications fraudApplications fraud– Account takeoverAccount takeover– Wholesale assumption of identityWholesale assumption of identity– Fraudulent use of business identityFraudulent use of business identity

Perception vs. RealityPerception vs. Reality

The TimesThe Times23 Dec 0323 Dec 03

Corporate ID TheftCorporate ID Theft

• Fraudulent use of business identityFraudulent use of business identity

• "account takeover" fraud that hijacks a "account takeover" fraud that hijacks a clean identity for illicit tradingclean identity for illicit trading– UK Companies House – does not validate UK Companies House – does not validate

any data providedany data provided– Spoof emails and "pfishing"Spoof emails and "pfishing"

• Corporate Governance implicationsCorporate Governance implications– UK's Turnbull Report (internal controls)UK's Turnbull Report (internal controls)

Data Protection Act 1998Data Protection Act 1998

• Processing Personal Data in the UKProcessing Personal Data in the UK

– ProcessingProcessing - obtaining, using, - obtaining, using, organising, storing, retrieving, organising, storing, retrieving, adapting, destroying, copyingadapting, destroying, copying………………

– DataData - - can now include paper held can now include paper held informationinformation

– Personal Data Personal Data -- possible to i.d a living possible to i.d a living person directly or indirectlyperson directly or indirectly

8 Principles8 Principles

Personal data must be:Personal data must be:• fairly & lawfully processedfairly & lawfully processed• obtained only for specified and lawful purposesobtained only for specified and lawful purposes• adequate, relevant and not excessiveadequate, relevant and not excessive• accurate and, where necessary, up to dateaccurate and, where necessary, up to date• Kept for no longer than is necessaryKept for no longer than is necessary• processed in accordance with individual rightsprocessed in accordance with individual rights

• securesecure• not transferred outside EEA without adequate not transferred outside EEA without adequate

securitysecurity

Data Protection Act 1998Data Protection Act 1998

Section 55(1)Section 55(1)

A person must not knowingly or recklessly, A person must not knowingly or recklessly, without the consent of the data controller:without the consent of the data controller:

(a) obtain or disclose personal data or the (a) obtain or disclose personal data or the information contained in personal data, orinformation contained in personal data, or

(b)(b) procure the disclosure to another person procure the disclosure to another person of the information contained in personal dataof the information contained in personal data

Computer Misuse Act 1990Computer Misuse Act 1990

Unauthorised access to computer materialUnauthorised access to computer material(1) A person is guilty of an offence if –(1) A person is guilty of an offence if –(a)(a) he causes a computer to perform any function he causes a computer to perform any function

with intent to secure access to any program of with intent to secure access to any program of data held in a computer;data held in a computer;

(b)(b) The access he intends to secure is The access he intends to secure is unauthorised; andunauthorised; and

(c)(c) He knows at the time when he caused the He knows at the time when he caused the computer to perform the function that this is computer to perform the function that this is the case.the case.

Developments Developments

• UK Entitlement / Identity CardsUK Entitlement / Identity Cards– Cut the myriad of means to prove identityCut the myriad of means to prove identity

• Proposed new criminal offence of Proposed new criminal offence of "identity fraud""identity fraud"– Civil liberties argumentsCivil liberties arguments– Criminalize legitimate anonymity?Criminalize legitimate anonymity?

• National Criminal Intelligence ServiceNational Criminal Intelligence Service

n Mark Webber is an English qualified lawyer based in Mark Webber is an English qualified lawyer based in the Silicon Valley office of pan-European law firm the Silicon Valley office of pan-European law firm Osborne Clarke. Since joining Osborne Clarke in Osborne Clarke. Since joining Osborne Clarke in 1997 he has advised on numerous IP and technology 1997 he has advised on numerous IP and technology transactions for a wide spectrum of businesses, in transactions for a wide spectrum of businesses, in particular technology, telecoms and biotechnology particular technology, telecoms and biotechnology companies, concentrating on UK transactions, but companies, concentrating on UK transactions, but also coordinating deals with a pan-European reach. also coordinating deals with a pan-European reach. His experience includes counselling and negotiating His experience includes counselling and negotiating technology deals including: licensing, cross-border technology deals including: licensing, cross-border alliances, the appointment of European agents and alliances, the appointment of European agents and distributors, outsourcing, joint ventures, privacy and distributors, outsourcing, joint ventures, privacy and online issues. online issues.

n Coordinating resources in 15 local European offices, Coordinating resources in 15 local European offices, but permanently based in California, Mark’s practice but permanently based in California, Mark’s practice centres around US mature enterprises or start-ups centres around US mature enterprises or start-ups facing European trading or establishment issues. facing European trading or establishment issues. From the first steps in inward investment to From the first steps in inward investment to managing IP exploitation or partnering opportunities managing IP exploitation or partnering opportunities he focuses on assisting US entrepreneurs navigate he focuses on assisting US entrepreneurs navigate the hurdles of the European legal systems.the hurdles of the European legal systems.

Mark WebberMark Webber

e-mail: mark.webber@osborneclarke.com Osborne ClarkeOsborne ClarkeOffice: Office: Silicon ValleySilicon Valley Address:Address: 200 Page Mill Road200 Page Mill RoadSuite 100Suite 100Palo AltoPalo AltoCA 94306CA 94306Tel: Tel: +1 650 462 4022+1 650 462 4022 Fax: Fax: +1 650 462 4023+1 650 462 4023

Specialism: Specialism: Commercial Commercial Telecoms Telecoms Privacy Privacy Outsourcing Outsourcing Intellectual property Intellectual property Technology Technology