"The most common method of stealing identities appeared to be data breach notification"

I am indebted to Dave Birch’s blog for the link to an excellent ZDnet report on a US Analysis of ID Fraud Reports. Dave and I often argue when we meet but I nearly always find his views stimulating rather than annoying and he makes some good points as to why those who know most about the practicalities of running ID systems are not interested in sharing their expertise – my words not his.

Where does this leave UK Government ID policy – given the growing political pressure to combat immigration and linked benefit fraud and health tourism by moving to continental style resident’s/entitlement cards? Also where does it leave the need to rebuild confidence in on-line security, particularly on the part of the small on-line retailers who are disproportionately subject to on-line fraud?

My immediate concern remains, however, whether the well-intentioned EU Cybersecurity initiatives will end up doing more good than harm. If data breach notification is already the most common means of stealing ID information, how will demanding more of it help address fraud? Goethe said that the most dangerous force in the world is “ignorance in motion”. The time to reset the agenda so that the real issues are addressed is now – not in a couple of years’ time when we will face a rearguard action. Hence the importance of the plans for scrutiny being made via the Digital Policy Alliance.

At this point it may be helpful to remind you whose tribal agendas have to be brought together if we are to make a reality of bringing ID related fraud under control in the UK. I know we have recently been told that Cabinet Office has “taken back responsibility for ID policy from DWP” but has Cabinet Office had the authority to do much more than “co-ordinate” and/or delay progress on what it does not like? Below is my attempt to “Map” the UK ID scene – I would be grateful for comment on the errors and omissions:


Extract from Philip Virgo’s “Map”, alias brain dump, of Cybersecurity Players and Issues


Section 2.3.3 Identity Assurance (inc electronic IDs, Internet names and addresses)


Home Office

Law enforcement and Criminal Intelligence files of identities and aliases

National Fraud Authority and “Fighting Identity Crime Together”

UK Borders Agency: identity of those entering/leaving, acquiring residency/citizenship

SARS, Anti-Money Laundering and related IDs (see also Treasury)



Identities and aliases of those within justice systems, from prosecutions, through courts, prison and probation to criminal and civil records


Lead on EU e-ID initiatives

Export control orders and sanctions on foreign regimes.
Companies House: legal identities for Companies and Directors

Ordnance Survey and Land Registry: legal identities for properties

Post Office/Royal Mail: address files

UKTI: programme to encourage inward investment in cyber and ID, also ID/VISA issues for those it is seeking to attract


DCMS including via Ofcom, Phonepay Plus and Nominet

Phone Numbers and Internet names and addresses.


GCHQ, CESG, UKTI (shared with BIS)


NINO and identity of benefits claimants, including those from other parts of the EU



National Health Service Numbers and a wide variety of other reference numbers



Banking Regulation “Know your own customer rules”

HMRC: Legal identities of corporate and individual taxpayers and tax credit claimants


Transport:

DVLA, identity of drivers and vehicles.

Cabinet Office


“Co-ordination” of identities for citizen dealings with Government

“Co-ordination” of identities for Government employees

Electoral Register (joint with DCLG and Local Authorities)


ID tokens in use across UK as common “proofs” of identity/age


Know Your Customer list:

Local Authority ID Cards (15 use the Bracknell card)

Widely accepted age etc. cards: Citizencard, PASS, OneID4U, ValidateUK


Other ID/Authorisation Tokens and Access/Transaction Cards

IDs and Access Cards for public and private sector employees, contractors and agents: from Armed Forces, Police, Emergency Services, Councils, Utilities and others to Charity Collectors

Frequent Flier cards:

Customer Cards (with or without transaction bonuses)




On-line ID services: Paypal, Google, Microsoft etc.

The list above may help explain why I have more than a little sympathy with those who are expected to produce a coherent policy other than “leave it to the market and use what works and is fit for the purpose in mind”. That is also why I am so cautious about EU ambitions in this space, given that so many wish to get revenge for World War 2 by doing to London what they have just done to Cyprus. I wonder why removing Luxembourg from the money-laundering and tax avoidance scene is such a taboo subject. Has it something to do with ….
