Who Do You Think You Are Online?: Identity Theft, Biometrics and Data Security

February 9, 2007

The Privacy and Data Protection Interest Group met in the Autumn to discuss the issues surrounding identity theft, biometrics and data security. The speakers were Tom Ilube of Garlik and Professor Brian Collins of Cranfield University. The key messages from the session were that, in a personal capacity, we all should be thinking much more carefully about how our personal identity is protected online and that, in a personal and professional capacity, we should also consider the steps that commercial organisations and governments should be taking to protect the identities of individuals.

In the ‘real’ world, how others perceive us depends on how we present ourselves, in terms of the physical, emotional and social attributes that we reveal as well as the information about ourselves that we share with others. While some of these attributes are always on display, we can choose with whom we share much of this personal data, and there are legal, moral and social restrictions governing how far this information may be shared. However, an ever more invasive online world means that increasingly we have to consider our ‘virtual’ identity – ie the online projection of one’s self in the virtual world. The pace at which the Internet has developed means that we have far less control over what identifies us in the online community and over how our personal information is disclosed and used online. In fact the growth of the Internet means that there is far more personal information available publicly about us than ever before, and the information is increasingly of an intrusive nature which is capable of exploitation (not always for our benefit).

While there are some legal restrictions, the social nature of the Web and technological tools mean that, in practice, there are far fewer restrictions protecting our online identity. Yet we are increasingly using e-mail and the Internet to interact, whether for shopping, banking, mixing socially, for research, entertainment and news and even, potentially in the future, to vote. Alarmingly, very few of us (governments and states throughout the world included) have considered how our digital personas should be managed, to ensure our personal information is not used against us.

Ten years ago, many organisations would not have considered an online presence as essential to their business: today, there are very few organisations without a Web site to promote their products or aims. The fear for these businesses is that, if they do not have their own site, the only source of information about them is information put up on the web by others – ie information beyond their control. Now commentators are suggesting that in another five years there will similarly be little option but for individuals to have their own online persona; otherwise the only source of information about themselves will be information provided by others. The popularity of MySpace and other similar sites has shown that the younger generation is keen on this concept, and is savvy about the risks and rewards of revealing information about themselves.

Many Internet users, however, still are concerned at the risks of sharing personal data online. The media has recently been awash with stories about identity theft – phishing attacks, sale of banking information by criminal gangs, Internet grooming and even the first conviction for ‘web rage’. The Information Commissioner has expressed his concerns about the UK walking into a ‘surveillance society’. The Internet and advances in technology have certainly enabled greater and easier access to information held by organisations (public and private) about individuals. The Government’s new children’s database, the forthcoming central NHS database and the proposed creation of a central Government database combining virtually all public records (education, local government, benefits etc) have each raised public debate, not only about the number and type of people and organisations with whom such personal information will be shared, but also the consequences of ‘meshing’ the different types of data and the additional information that can be gleaned by combining previously separate records.

Data meshing is a growing phenomenon on the Internet. This is where one dataset available on the Internet or in the public domain is combined with another dataset (also known as a ‘mashup’). Alone each set of data may be of interest, but together it can be much more enlightening. Much of the time the meshed data is harmless, indeed even more user-friendly – estate agents combining online street maps with particulars of properties on the market, for example, could be very useful for someone house-hunting. However, think how interesting that information could be, say, to a burglar. Web sites in the US have even combined addresses of paedophiles (available in the US from public authorities) with street maps. Privacy campaigners here have used these as examples of the greater intrusiveness of meshed data to warn of the risks of Governments ‘meshing’ public records about their citizens, or corporations meshing their own customer or employee records with publicly-available data.

Now not only can existing personal data be combined, but advances in technology, such as the use of biometric data and location data, have enabled new types of personal information to be collected and shared.

So what should we be doing, and what should we be advising our clients?

1. Raise Awareness

Firstly, raise awareness of these issues. While the ‘MySpace generation’ are switched on to the risks of unwisely sharing personal information about themselves with the online world, research by Garlik indicates that not enough Internet users (and there are around 10 million people in the UK classed as ‘heavy Internet users’) consider these risks, or indeed really understand them. Their attitude is ‘so what?’ However, no doubt they would be alarmed at how much information about them is already available in the online public domain.

2. Do Something

The Government’s ‘Get Safe Online’ campaign (http://www.getsafeonline.org) provides helpful guides for consumers (individuals and small businesses) on the main security threats and advice on protecting personal data online and protecting PCs. Garlik has just launched what it describes as ‘a revolutionary new service that lets you discover and manage what’s out there in the digital world about you and your family’, offering a monthly monitoring service to consumers that finds, tracks and monitors your personal information online. Consumers do not do enough to exercise their current rights to find out what information is held about them by organisations, for example, by making data subject access requests or Experian or Equitrak credit checks.

For those of us who are practising lawyers advising organisations that trade or operate online, our clients need to be aware that protection of personal data and data security issues are no doubt going to become increasingly important to their customers and users. Individuals will become more sophisticated in their understanding of the threats to the security of their data and become keener on dealing only with organisations with sophisticated security in place which actively address the protection of their customers’ and users’ privacy and security.

This is an issue that also touches contractual relationships between users of IT systems and the IT service providers supplying those systems and services. Contracts with consumers where personal data is collected or processed should as a matter of course contain the relevant data protection notices, but heightened consumer awareness of data security issues means that these notices may now need to become more prominent, or contain more specific details as to: (i) who is holding the information; (ii) what the information will be used for; and (iii) (although not a legal requirement) even particulars of the operational and technical measures in place to protect the information. If the trend is towards greater security-consciousness, business to business contracts will also have to follow and include more detailed privacy and data security obligations.

3. And what about the Government: is the law keeping pace?

There is no doubt that there is currently a void: law makers and law enforcement agencies are neither protecting individuals’ data security effectively and in a consumer-friendly way in the light of new technology, nor regulating at a higher level the ever-increasing aggregation and sharing of personal datasets. In that regard the Government’s own proposals as mentioned above are likely to make matters worse. Of course it may be helpful for different departments to have access to all relevant records. The point is to make sure that no one else does – that a disaffected or penniless clerk will not be able to forward the details to a less-than-reputable newspaper, or, worse, a vigilante or terrorist group. That comes down to a question of internal security, on which we hear very little from the Government that is reassuring.

The Information Commissioner himself acknowledges that the power granted to his office to enforce the current data protection legislation only goes so far. Increases in his enforcement powers (such as the current proposals for tougher penalties for unlawful selling of personal data) and resources would be welcomed. Current proposals at the European level to oblige organisations to inform individuals of a breach of data security affecting their personal data, as is currently the requirement in some states of the US, would also give individuals greater awareness of potential risks to their personal data and the potential bad publicity would focus the mind of organisations on data security as an important issue.

Reluctance on the part of organisations towards further regulation (or ‘red tape’, as many businesses see it) aside, few of us as individuals would protest at additional layers of statutory protection of our privacy and data security rights, particularly at a Governmental level in relation to public records. One suggestion would be the introduction of an independent custodian of important Government databases (such as the NHS records database and the ID cards register(s)), with a scrutiny role similar to the custodian of the National DNA Database. That way, there would be a level of accountability of Government to an independent body charged with protecting individuals’ personal data against misuse or mismanagement.

The response to these issues to date differs from country to country. Nonetheless, there is certainly a debate to be had as to whether there should be greater management of our personal digital rights from a Governmental level.

David Berry (david.berry@charlesrussell.co.uk) is a Partner at Charles Russell LLP and is also the Chair of the SCL Privacy and Data Protection Interest Group. Carolyn Bigg (carolyn.bigg@charlesrussell.co.uk) is an Assistant Solicitor in the Technology Group at Charles Russell LLP.