Identity Theft and the Gullible Computer User: What Sun Tzu in The Art of War Might Teach

Author: Joseph Savirimuthu
Position: Lecturer in Law, Liverpool Law School, University of Liverpool, jsaviri@liverpool.ac.uk
Pages: 120-128

1. Introduction

There is a meme - law is an optimal instrument for steering through policies in respect of responsible computer use. As broadband penetration increases, personal internet security has become a live political issue. The reasons are not difficult to fathom. Increased Internet connectivity has led to an explosion of economic and social activity. The exponential growth of the Internet has brought with it a dark side. Criminals have harnessed new information and communication technologies for their own ends. Such is the concern about the threats posed by the new wave of criminal activity that the Internet is even being seen as a playground for criminals (House of Lords Select Committee on Science and Technology, 2007)1. This view is underscored by the Internet Security Threat Report, issued on 17 September this year, which describes an increase in the use of new communication technologies in the commission of identity theft and activities relating to breaching network security systems (Symantec, 2007). Phishing is now assuming viral characteristics. 23917 unique phishing reports were received during July 2007 and the attacks continue to increase both in volume and intensity (Anti-Phishing Working Group, 2007). Securing trust is not an option - it is a necessity. Identity theft, phishing and its variants have also raised issues in respect of the role, if not the continued relevance, of law in curbing this social problem. These concerns are reasonable - criminal activities transfer onto society significant social and economic costs. As many phishing attacks and security breaches go unreported, true estimates of the costs being internalised by society are difficult to ascertain (Dutton and Helsper, 2007). This poses an important question about the emphasis placed by legislators on the immunizing properties of the Fraud Act 2006 - identifying standards of behaviour and norms are useful.
Legal commentators are cautiously optimistic that recent legislative incursions into the realm of information security will pay dividends. That said, we are still left with the issue of what avenues need to be pursued if securing compliance continues to be a problem (Privacy Rights Clearinghouse, 2007). To be sure, the testimonies before the Select Committee rehearse longstanding problems relating to enforcement and raise questions about whether content filtering mechanisms should be used, about intermediary and vendor liability, and about the need to set up a centralised and coordinated task force. The Government's response to the Select Committee's report lacks a proper understanding of the complexities of governance in the online environment (UK Government, 2007). It is also unhelpful. All these are noteworthy matters but the focus on the issues, which continue to be raised, obstructs efforts in undertaking a balanced assessment of how best the threat landscape ought to be managed. The high level policy deliberations and examinations of personal internet security appear not to frame the problem accurately (Team Cymru, 2006). Internet service providers and software manufacturers may have sound commercial reasons for resisting the general thrust of the observations made by the Select Committee. We are consequently left with a mischaracterisation of the problem that can only serve to produce policy initiatives that are incoherent, lead to a dialogue of claims and counterclaims or result in the status quo being maintained. In the light of the Government's response to the Select Committee, the last observation would appear to be true. Accordingly, the paper aims to begin a debate on how we could begin to think about information security and the role of law against the growing threats posed by identity thieves and phishers.
There has been very little by way of discussion on the relationship between the converging multimedia platforms and the management of complexity on the one hand, and the significance of convergence of data, devices and networks for the continued role of the criminal law on the other. To overcome some of the hurdles that often accompany attempts to look beyond the steering role of law, I draw on the insights of Sun Tzu in The Art of War. A balanced policy debate requires at the very least an understanding of two key matters - 'trivergence' and the 'gullible' computer user 2. The hypothesis is that before we can think about regulatory tools to curb practices like phishing and identity theft we need a better understanding of the interactions between data, devices and networks. I frame the governance challenges posed by identity theft and phishing in terms of warfare and suggest a framework that may help us refocus our efforts in developing creative and sustainable solutions. That process can only be initiated if we first make clear what managing complexity entails - an issue that is obscured by the repeated emphasis on the juridicalization of online criminal acts including phishing and identity theft. The paper applies ideas from The Art of War to a phishing scenario, to illustrate the limits of law as an instrument for managing and reducing complexity, and suggests practical solutions which may help us overcome the current impasse regarding personal Internet security. This analysis has three implications for current approaches to personal Internet security. First, law should not be viewed as the sole or critical instrument for managing risks. Second, pervasive insecurity is the price we pay for increased connectivity. Third, when thinking about information security we need creative solutions that reflect emerging realities.
As 1.3 billion people become increasingly networked, the convergence of data, devices and networks now provides the 'tipping point' for the centralised institutions for control. Sun Tzu's The Art of War contains some timely reminders about managing 'trivergence' and the gullible computer user.

2. The Fraud Act 2006: The Tipping Point?

The idea that the criminal law be used to maintain order and security is not a particularly novel one. Neither, it should be said, is the view that the coercive machinery of the law be used to compel individuals to internalise acceptable social norms and values. What follows is a brief description of the role of law in curbing activities like identity theft and phishing.

The term 'identity' is often used in an arbitrary and imprecise manner in popular media and literature (Chawki and Wahab, 2006). Identity theft can be viewed as a term of art used to describe activities like the dishonest acquisition of personal information in order to perpetrate fraud, typically by obtaining credit, loans, etc., in someone else's name. It is arguable that the appropriation of an identity of itself will not give rise to a criminal offence 3. Phishing, vishing and pharming on the other hand are more specific in nature. These may arise as a result of identity theft, but can also be self-contained acts 4. Phishing, for example, is an online activity that uses social engineering strategies and technical ploys to gain access to an individual's personal identity, data and other information. 'Vishing' involves criminals sending spoof emails to unsuspecting businesses and individuals. Rather than require the individual to click on the fraudulent link, the email provides a fraudulent customer services telephone number. Spear phishing on the other hand looks very much like an authentic email one expects to receive from an employer, business or organisation. In this type of phishing attack, the recipient may submit relevant information like passwords and login information as they assume that the request has come from a trusted person within that organisation or business.

Policymakers view the criminal law as an important instrument for ordering society. There is undoubtedly some justification for the importance placed on the criminal law as an instrument for promoting order and the requirement that individuals internalize a set of social norms and values. Enacting precise and clear legislation is critical if individuals in society are to adjust their behaviour in accordance with the legal rules and standards. Coercion and penal sanctions are seen as necessary since order and security have a public interest dimension.

2.1 Key Provisions

Section 1 of the Fraud Act 2006 creates a new general offence of 'fraud', which can be committed in three ways: by false representation (s2); by failing to disclose information (s3); and by abuse of position (s4). Section 2, with which we are primarily concerned here, provides as follows:

'(1) A person is in breach of this section if he-

(a) dishonestly makes a false representation, and

(b) intends, by making the representation-

(i) to make a gain for himself or another, or

(ii) to cause loss to another or to expose another to a risk of loss.

(2) A representation is false if-

(a) it is untrue or misleading, and

(b) the person making it knows that it is, or might be, untrue or misleading.'

Liability for the actus reus of the section 2 offence will be established without more where the phisher makes a false representation. For example, an email purporting to come from a trusted source like an online bank, organisation or employer will be regarded as false as it is untrue or misleading (s2(2)(a)). Section 2(3) and (4) respectively state that a representation will include:

'(3) any representation as to fact or law, including a representation as to the state of mind of-

(a) the person making the representation, or

(b) any other person.

(4) A representation may be express or implied.

(5) For the purposes of this section a...
