Ending the online fraud epidemic

Fraud now makes up 41% of all crime in the UK and of that, 80% happens online. These crimes exploit a fundamental weakness in our payments and identity systems that results from the widespread use of personal information.

Whether we're shopping online, or applying for a mortgage, we frequently hand over lots of personal information - from our full name and address to card number, email and phone number. The problem is that these details are easy to steal, sell, and reuse, allowing criminals to make off with £3.4bn in the last 12 months alone.

The government has chosen to ignore this problem and simply discount fraud from the national crime statistics - as the Prime Minister did in Parliament earlier this year - while others have called on the police to do more to tackle the problem.

But what exactly do we expect our local police force to do when a criminal gang based in Armenia buys our information on the Dark Web and uses an encrypted, peer-to-peer network to launch a massive phishing attack then keeps the proceeds in cryptocurrency?

It’s our elected representatives, not the police, who must take responsibility for fixing this fundamental flaw in our digital systems. While this is a complex problem, there is a solution. In June, Demos published Rewiring the web: The future of personal data and proposed a fundamental change to the way the web works.

Instead of asking us for lots of personal information, companies would make specific requests that would be routed to the organisation in our lives that has the information. For example, instead of giving the details on our driver's licence to a car rental company, they would simply ask, "Can you drive?", and this question would be routed to the DVLA, which would respond directly with a yes or no.

This approach allows us to substitute personal information for secure alternatives like unique identifiers, tokens, and claims, and removes the core vulnerability in these systems that currently support a third of all crime.

In the proposed system, our devices would build up a directory of who has what and then route requests, with our consent, between organisations that were approved by a new national certification authority.

To understand how this would reduce fraud we can look at shopping online. Today the card number, name, and address that we type into the website of every online retailer can in theory be used by anyone, to transfer any amount of money, at any time.

Instead, an online retailer would request “payment” and our device would ask us which bank account we’d like to pay from. With one click, this request would be routed directly to our bank which would generate a one-time payment token that only that retailer could use to transfer a specific amount, within a limited time.

This would all happen in a few seconds with no personal information exchanged and no payment processing fee. Currently, a business turning over £10m a year has to pay around £250,000 to payment processing companies. Circumventing these middlemen would save businesses billions and provide a strong incentive to support this approach.

Underpinning this proposal is the long-established concept of a common carrier. The notion is that a “carrier” - be that a ferry operator or internet service provider - can be legally compelled to treat cargo, passengers, or information without discrimination.

The companies that manufacture our devices and operating systems have achieved what the Digital Markets Unit calls "strategic market status". Regulating them as common carriers and requiring them to route requests without discrimination would mitigate their monopoly power while recognising the valuable role they play. 

Establishing this system would require significant political will and a degree of coordination between government, technology companies and industry, but if we can reduce crime by a third, save citizens over £3bn per year and renew our trust in the web, surely the ends justify the means.

Jon Nash is a Fellow at the cross-party thinktank, Demos.