CyberLawNet.com - Powered by Yip Tse & Tang, Solicitors & Notaries 葉謝鄧律師行

Personal identifiers and ‘identity theft’

One online user may misuse another person's personal identifiers to forge his/her identity. An Internet user's personal information (such as name, address and identity card number) can be used by a cyber criminal to falsely represent someone online or gain fraudulent access to credit cards or e-commerce sites. Please give an example of how this might occur.

The following link tells you more about how identity theft can occur on the Internet:
http://computer.howstuffworks.com/identity-theft5.htm


Personal data protection

Internet users are frequently required to provide personal data online. If you start up a Yahoo or Hotmail account, register for an online banking service or buy your groceries online, you will be asked to provide personal information about yourself. Whenever you buy goods or services online, you also have to provide highly sensitive information such as credit card numbers or personal identifiers such as your Hong Kong ID card number. Similarly, as corporations and institutions such as hospitals and universities increasingly adopt electronic databases, private information about your health, education, employment and travel histories is increasingly prone to misuse. Although there are measures in the Data Protection (Privacy) Ordinance to protect how these kinds of data are collected, used and shared, a certain amount of responsibility for the protection of data privacy also falls upon individual Internet users.


To what extent is privacy ‘protected’ by law?

The principle of privacy is recognized in several international covenants. The United Nations Declaration on Human Rights, for example, says that ‘no-one shall be subject to arbitrary or unlawful interference with his privacy, family, home and correspondence’. The European Convention on Human Rights and the International Covenant on Civil and Political Rights make similar statements.

Similarly, the Organization for Economic Cooperation and Development (OECD) issued a set of Guidelines concerning the protection of privacy of personal records in 1980. These broad and voluntary Guidelines were meant to establish standards for privacy rules followed by governments and businesses. You can view these guidelines at the following link: http://www.cdt.org/privacy/guide/basic/oecdguidelines.html (Although many companies claim to have adopted the guidelines, very few have ever implemented practices that directly matched the OECD standards.)

Despite the presence of covenants and guidelines recognizing and supporting the principle and importance of privacy, it must be emphasized that the laws of most places (including Hong Kong's Basic Law) give no general right to privacy. Moreover, courts in Hong Kong have rejected opportunities to create such general rights. For example, in the English case Malone v MPC (No.2) [1979], the contention that the tapping of the plaintiff's telephone in the course of a criminal investigation violated his right to privacy was rejected. The ruling in this case said that ‘It is no function of the court to legislate in a new field. The extension of existing laws and principles is one thing; the creation of an altogether new right is another’.

Therefore, in Hong Kong, in the absence of a clearly defined legal right, privacy must be looked at in the context of the Data Protection (Privacy) Ordinance, which offers data privacy protection, as opposed to personal privacy protection. Hence, personal privacy per se is not covered by legislative provisions in the Personal Data (Privacy) Ordinance. Hong Kong's Data Protection (Privacy) Ordinance is based on a similar 1984 UK act, which in turn was based on a European data protection convention. We will examine the Data Protection Ordinance in more detail later in this unit, but for the moment let's briefly look at how and why the Personal Data (Privacy) Ordinance evolved.


Privacy as Defined Today

Justice Brandeis' definition of being "let alone" no longer adequately defines the concept of privacy in the 21st Century Cyber Age. The modern definition of privacy therefore needs to also include ‘the right to control our personal information, even after we disclose it to others.’ (http://www.cdt.org/privacy/guide/start/). Therefore, a contemporary definition of privacy also needs to include the concept of personal data protection in which an individual has the right to control the flow and access of information and data related to his/her personal details. Professor Raymond Wacks sums up this modern concept of privacy by arguing that ".... at the heart of our concern to protect 'privacy' lies a desire, perhaps even a need, to prevent information about us being known to others without our consent." (Wacks 1996)

Modern technology clearly poses new and increasing threats to this broader definition of privacy. As a US Privacy Protection Study Commission argued, "The real danger (posed to privacy by the Information Age) is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable." (US Privacy Protection Study Commission 1977). In recent years, privacy advocates have increasingly lobbied for measures to safeguard the protection of personal data. One example of an organization committed to defending data protection privacy issues is the US-based Electronic Frontier Foundation (www.eff.org).


Threats to Privacy in Modern Days

Suppose you receive an anonymous letter one day. The letter describes in detail what you have done in the past 3 days. It tells at what time you left your home, which bus you took, where you shopped and with whom you met. It even refers to how you changed your clothes before you went to bed. Your immediate reaction will be anger, and then you may become scared because you wonder how the writer has come to know so much about you. After you have calmed down, you will probably think that you have been psychologically hurt because you had not foreseen that someone has been watching you in so much detail. Because you have heard about ‘privacy’ before and know that it is regarded as a person's right, you will probably think about legal remedies to prevent this from happening again.

Now ask yourself the following questions:

1. In the above example, you have been hurt psychologically. Do you think that there will surely be a legal remedy for you just because of that?

2. Are you sure that you can find out who your privacy intruder is so that you can have him successfully prosecuted?

3. What remedies are you looking for: civil, so that you can get compensation, or criminal, so that the privacy intruder can be arrested and punished?


What is ‘privacy’?

Privacy has long been regarded as a right that all individuals are entitled to enjoy. In 1928, American Supreme Court Justice Louis Brandeis defined privacy as "the right to be let alone". (http://www.cdt.org/privacy/guide/start/). He also argued that privacy was a right that was cherished by most people. However, when he defined privacy, Justice Brandeis was living in a simpler world. His definition was made long before the emergence of the Information Age where someone's personal information can be rapidly captured, copied, compiled, published and transported around the world in a matter of seconds.

In the above example, you may just feel angry or scared at being watched. Nothing has suggested that your daily activities have been recorded, processed or even ‘sold’ to a third party. Things have however changed because of technological improvements. These include the use of high-speed computers which can store and process huge amounts of data at very low cost. Besides, data can easily be digitized and compressed for easy transmission and sharing. Personal data has a marketing value because it can help marketers to have their services or products promoted and drive sales, thereby leading to huge profits. As a result, in today's digital environment, personal information has become a highly sought after commodity that is collected and compiled, bought and sold. Information that we once regarded as ‘personal’ (such as our medical records, credit histories, spending habits) has now become ‘public’ data which is stored, shared, and even sold on the Internet. As businesses, government offices and web masters gain access to personal data, the protection of this information is becoming increasingly compromised. In addition, every time we click on to the Internet, we increase the possibility of being contacted by advertisers sending ‘spam’ or other unwanted or intrusive information.

In the above example, you will certainly become even more angry if you subsequently find out on an Internet homepage that your meeting with your girlfriend inside a coffee shop has been recorded on video and displayed there. If you have some digital know-how and knowledge of the Internet, you may know how this comes about. However, you may not have any such knowledge and will be wondering how this can be done so easily.


E-mail scam hits bank customers

Scammers forged a bank's identity and sent emails on a massive scale (i.e. spamming). This is called a 'branded fake'. Quite often, the e-mail addresses were randomly generated and then by chance ‘hit’ the bank's customers. UK customers of MBNA had that experience in February 2004, which was widely reported in the news.

The faked emails came with a variety of subject lines such as "MBNA's OfficiaI Notice," "Attention all MBNA users" and "0fficial Notice for all users of MBNA." The message falsely claimed that the “bank” was putting in a new security system to "help you avoid frequently fraud transactions and to keep your investments in safety".

Customers who log in to the fake page will have their personal bank information or identity stolen and relayed directly to the crooks who adopted spamming as a cheating tool.

Very often, the link in the email will lead the customer to a site bearing a ‘look and feel’ (colour, lay-out and even fonts) highly similar to the true site; in any event, the site will have a professional look in order not to arouse the customer's suspicion.

To avoid this kind of fraud, customers are advised to note the following:

1. Ensure that the emails truly come from the bank.

2. Don’t click on any links provided in the emails without thinking.

3. Before deciding to take any action, including clicking on the link, visit the true site first.

4. If you have doubts or are not sure, telephone the bank's customer hotline and enquire. Make sure that the telephone number is the number of the true bank.

5. If you have accidentally clicked on the link, compare the domain name of the site with that of the true site.

6. Report to the bank if you suspect there is a fraud or attempted fraud or you have been cheated.

7. Informing the bank IMMEDIATELY on being cheated is VERY IMPORTANT. This will enable the bank to take immediate steps to stop the crook from dealing with your bank account.

In the past few years, many banks in the UK and US as well as in Hong Kong have been hit by phishing scams. In Hong Kong, fraudsters were found attempting to cheat banks’ customers by releasing fake web-sites using domain names highly similar to those of the true banks. Examples of banks affected include HSBC, DBS and Bank of East Asia.
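The domain comparison in step 5 and the disguised subject lines quoted above can both be checked mechanically. The following Python sketch is an added example, not part of the original article; the host names, the watchword list and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Characters (or pairs) that read as another character on screen.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("I", "l"), ("|", "l")]

def skeleton(text):
    """Fold look-alike spellings together so they compare equal."""
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text.lower()

def disguised_words(subject, watchwords):
    """Words that read as a watchword but are spelled with substitutes."""
    words = [w.strip(".,:;!?\"'") for w in subject.split()]
    return [w for w in words
            if skeleton(w) in watchwords and w.lower() not in watchwords]

def classify_host(url, trusted_hosts, threshold=0.85):
    """Return 'trusted', 'lookalike' or 'unrelated' for the host in url."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    for good in trusted_hosts:
        if host == good or host.endswith("." + good):
            return "trusted"
    for good in trusted_hosts:
        if skeleton(host) == skeleton(good):
            return "lookalike"   # character substitution, e.g. rn for m
        if host.startswith(good + "."):
            return "lookalike"   # true name used as a prefix of another domain
        if SequenceMatcher(None, host, good).ratio() >= threshold:
            return "lookalike"   # near miss such as one changed letter
    return "unrelated"

if __name__ == "__main__":
    # Subject lines quoted in the article; the hosts below are constructed samples.
    for subject in ("MBNA's OfficiaI Notice", "Attention all MBNA users",
                    "0fficial Notice for all users of MBNA"):
        print(repr(subject), "->", disguised_words(subject, {"official"}))
    trusted = ["mybank.example"]  # hypothetical genuine bank host
    for url in ("https://www.mybank.example/login",
                "http://rnybank.example/login",
                "http://mybank.example.account-check.test/login",
                "http://mybanc.example/login",
                "https://weather.example/"):
        print(url, "->", classify_host(url, trusted))
```

The similarity threshold is a heuristic: a host that falls below it is not thereby shown to be genuine, so the exact-match "trusted" result is the only one to rely on.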

In December 2003, NatWest of the UK temporarily suspended its internet banking facility after some of its customers were sent fraudulent e-mails asking them to divulge their account details.

In October 2003, Nationwide and NatWest in the UK were targeted by a similar hoax, as was the Halifax, while in September fraudsters tried to trick customers of Lloyds TSB and Barclays.

On 7 December 2001 in the UK, a five-strong Net fraud gang was sentenced to a total of just under eight and a half years for conspiring to defraud online banks.

The four men and one woman made bogus multiple credit card applications with Egg, Cahoot, Smile, Marbles, MBNA, and SonyCard.

The gang, hailing from Buckinghamshire and Northamptonshire, were arrested by officers from the National Crime Squad in August 2000 after a six month operation.