It’s not me, it’s you

Brian Chau is a JD candidate at Osgoode Hall.

e-Government, e-Commerce, online banking, Facebook – What do these have in common? All these services and functions are made possible by the fact that they are able to associate our activities with our identities. As our reliance on technology continues to grow, the ability to authenticate one’s identity becomes critical in even the most routine social interactions. In this posting, I would like to focus on identity theft specifically in the digital realm.

On October 27, 2009, Canada granted the Royal Assent of Bill S-4, a new addition to the Criminal Code that creates three new offences that are directly linked to the early stages of identity theft:

  • Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime.
  • Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information.
  • Unlawfully possessing or trafficking in government-issued identity documents that contain the information of another person.

Each of these offences carries both the potential for imprisonment for up to five years, as well as restitution for victims of identity theft.

These are welcome changes in the law that provide law enforcement with powerful tools to use in their fight against identity theft.

However, it raises the question: are they enough to protect you and me?

What if the perpetrator isn’t under the jurisdiction of the Canadian courts? (See Nigerian 419 scam)

Hi, my password is ‘password’. What’s yours?

Given the high reward and relatively low risk involved with identity theft, attacks and attackers are becoming increasingly sophisticated. There have been reputable claims that even organizations such as crime syndicates and terrorists have become involved, beyond the usual suspects of individually motivated small-time cyber-criminals.

Identity theft can occur in many ways, ranging from complex exploitation of flaws in the underlying technology to simple, common-sense approaches such as brute force (trying a large number of candidate passwords) or dictionary attacks (trying commonly used passwords). Except against sites that are extremely well protected, the common-sense attacks have generally worked, often with humiliating and/or devastating results (Case studies: Bell Canada / Voicemail, Passport Canada, Ted Rogers and terrorists).
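The two common-sense attacks above leave a recognisable trace on the defender's side: a dictionary attack relies on the victim having chosen a password from a short list of popular ones, and a brute-force attack produces a burst of failed logins from one source. The following Python snippet is an added example, not code from the post or from any of the organisations it mentions; it uses a constructed authentication log in a hypothetical "timestamp result user source" format and a small constructed list of common passwords to show how a site can reject dictionary passwords at signup and flag brute-force bursts in its logs.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample authentication log (not taken from the post). The
# layout "timestamp result user source" is an assumption for this example.
SAMPLE_AUTH_LOG = """\
2009-10-27T09:00:01 FAIL alice 203.0.113.5
2009-10-27T09:00:02 FAIL alice 203.0.113.5
2009-10-27T09:00:03 FAIL alice 203.0.113.5
2009-10-27T09:00:04 FAIL alice 203.0.113.5
2009-10-27T09:00:05 FAIL alice 203.0.113.5
2009-10-27T09:00:06 FAIL alice 203.0.113.5
2009-10-27T09:00:07 OK alice 203.0.113.5
2009-10-27T09:05:00 FAIL bob 198.51.100.7
2009-10-27T09:20:00 FAIL bob 198.51.100.7
2009-10-27T09:40:00 OK bob 198.51.100.7
"""

# Small constructed list of commonly used passwords; a real deployment would
# check against a much larger published list of breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def is_dictionary_password(candidate: str) -> bool:
    """True if the candidate is one of the passwords a dictionary attack tries first."""
    return candidate.lower() in COMMON_PASSWORDS


def password_problems(candidate: str, min_length: int = 12) -> list:
    """Return the reasons a proposed password should be rejected (empty if acceptable)."""
    problems = []
    if len(candidate) < min_length:
        problems.append("too short")
    if is_dictionary_password(candidate):
        problems.append("commonly used password")
    return problems


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Map each source that reached `threshold` failed logins inside any
    `window_seconds` span to the largest burst of failures seen from it."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, result, _user, source = line.split()
        if result != "FAIL":
            continue  # successful logins do not count toward the burst
        ts = datetime.fromisoformat(ts_text)
        window = recent[source]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[source] = max(flagged.get(source, 0), len(window))
    return flagged


if __name__ == "__main__":
    print("weak password issues:", password_problems("password"))
    print("brute-force sources:", detect_bruteforce(SAMPLE_AUTH_LOG))
```

On the constructed log, the six rapid failures from 203.0.113.5 are flagged while bob's two failures fifteen minutes apart are not, which is the distinction a lockout or alerting rule needs to make so that ordinary users mistyping a password are not treated as attackers.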

Come on in, my door is wide open

While it is important to empower law enforcement with the ability to properly prosecute these offences, I believe that there should equally be an onus on the potential victims (both corporate and individual) to ensure that their private information is properly stored and secured.

In this day and age, there are many good tools and leading practices to help users and corporations secure their information properly (e.g. OWASP / PCI compliance, Windows Updates, encryption, VPN). They are not likely to stop the most determined attackers, but they provide a means of protection against the most common and often very simple attacks.

Given their ubiquity and relatively low cost (as compared to the cost of an adverse event), it is my opinion that failing to take the diligence to secure your information is similar to leaving your front door unlocked. I’m not going so far as to say that unsecured victims are negligent in their own right, but it would be prudent for the government to also enact legislation that would in effect require a higher standard of cybersecurity amongst the general public.

If we, the targets, take the appropriate steps, hopefully the future won’t end up looking like this.