A gram of caution is worth a ton of remedy

Identity theft may have the image a complicated new kind of cyber crime but it’s a concept that has been around as long as fraud itself.

The invention of credit cards made identity theft more profitable and the Internet has provided more opportunities for deception, yet our techniques for protecting ourselves lie - as they have always done - fundamentally in the domain of self-governance.

This is not to say that regulators do not have a role to play, even in a decentred multi-jurisdictional world, but our first best defence comes from citizen empowerment and industry self-governance rather than heavy handed government lawmaking.

Citizen empowerment and education are key concepts in crime prevention generally - most people know not to walk alone in dark alleys or take treats from strangers. Similarly, a combination of caution and awareness allows online citizens to be alert to scams, cons and pitfalls.

Our identity is a compilation of various documents, identity numbers, passwords and data. The first step to protecting our identity is to learn how to keep these things secure and what information not to hand out to strangers.

The bag of tricks used by the con artist and identity thief can be a lot more low tech than you would at first assume. While these offenders can hack into secure systems, they often gain information from more mundane sources. By “dumpster diving” fraudsters search through personal or business garbage for discarded bills and letters with scraps of information, post-it notes with vital passwords and other clues. Social engineers inveigle themselves into organisations by appearing to belong there and pick up bits and pieces of overheard information, unfiled memos and other unsecured data.

Neither the most heavy duty computer security nor the most stringent legislative controls can prevent these kinds of low key intrusion. Educating employees and citizens about their information handling practices is the first best method of preventing fraud. Of course all the education in the world will be of no use if it is not backed up with practical and efficient support from businesses and industry.

These forms of education usually target the younger and older Internet users who are perceived to be the most naïve or unfamiliar with technology and therefore the most vulnerable. Nevertheless scams often successfully target those who ought to know better or who lack the humility to perceive they may become a victim.

The ACCC has recently begun targeting corporate CEOs who are unfortunately falling victim to email scams that would be quickly avoided by younger, more sceptical and technologically savvy people.

It can be difficult to establish the right tone for these educational awareness campaigns so they build cautious yet confident e-citizens. Too alarmist or too complicated advice can harm electronic commerce and the confidence that consumers have in the market. Informal and low-key advice risks being ignored. Again there is a clear role for industry alongside government in provided good, concise and rational advice - reassuring citizens and countering media panic stories, while maintaining an appropriate air of caution.

The role of industry goes well beyond being an information point. This is the second important element of self-governance, the role of industry in providing safe online environments and protecting consumers. The commercial part of the Internet could not have grown at the rate it did without the support of credit card services and online services such as Paypal which give consumers access to remedies and refunds when they have been the victims of fraud.

While the cost of these safeguards have been distributed to consumers generally, they provide an important remedy for victims of fraud, particularly on the Internet. Insurance, investigation and remedies form the foundational structure on which confidence in e-commerce has been built.

While quick and efficient refunds are important (and usually available to consumers), industry has taken the initiative in this field of self-regulation - implementing systems that alert consumers of suspicious transactions and automatically block payments. Industry has been able to develop its own expertise in security and knowledge of the profile of online fraudsters. The same technologies that facilitate the fraud can also be used to predict criminal activity and speed up resolution of consumer complaints.

Of course industry does not always get it right. There is red tape in any system and there are inevitable consumer complaints and here the role of government, such as the ACCC and regulatory bodies such as the banking ombudsman are highlighted. Policymakers have a strong role in key areas of identity risk and new problems, such as citizens with a language other than English; or consumers of adult goods and services who are not protected by Paypal and face substantial embarrassment in seeking remedies for fraud.

As with all forms of commerce, the government has an important role in identifying and protecting those most vulnerable to exploitation. The globalised nature of the Internet means that criminal sanctions may not be effective in catching online fraudsters, nor in deterring others, but at the very least a government can pursue criminals operating from their own territory.

Government therefore has an important role in protecting and supporting the self-governance strategies of citizens and industry. Too tight controls inhibit e-commerce and too alarmist warnings would also put the brakes on the online economy.

A gram of caution is worth a ton of remedy, but if remedy is necessary then it is vital that self-governance activities are supported by government. Self-regulation is an important concept in modern governance and identity theft is no exception. There is a mutual three-part relationship between the citizen or consumer, government regulators and industry to provide a safe e-commerce environment for consumers who are wise enough to stay alert but not too scared to venture online lest their identity be snatched away by a thief.