Abraham Abdallah, busboy and convict, was recently arrested for allegedly gaining access to the bank accounts of 217 celebrities such as Steven Spielberg, Oprah Winfrey and Warren Buffet. The aim of this endeavour could have netted him some $22 million. He supposedly did this by accessing the Internet using a public library computer and applied his excellent "social engineering skills" or charm to subtly extract vital details from bank employees and others and so gather the information to enable him to access the accounts.
It is as yet unclear whether Abdallah actually stole any money from these accounts. Deception of this kind, "identity theft", is an increasing problem online. A huge amount of personal information is available online, and it is easy to gather enough to submit a fake credit card, bank loan or driver's licence application in the name of a third party. The prominence of this crime in the USA may be a product of that country's absence of data protection legislation. The strict European controls that Ireland is due to implement shortly as an amended Data Protection Act may limit the amount of personal data available online and so limit similar offences here.
Digital signatures and certificates should ensure that identities can be verified, but recently Microsoft issued an alert that an unknown individual posing as a Microsoft employee (those pesky "social engineering" skills again) acquired two digital certificates from VeriSign. A hacker could use these certificates to fool users into downloading and installing a virus or other rogue program, in the belief that it was a legitimate Microsoft upgrade. Ireland is developing laws to deal with these sorts of crimes.
Anyone who misrepresented himself to get access to a digital certificate in Ireland would commit an offence under the E-Commerce Act 2000. The Oireachtas is debating a law that would deal with offenders such as Abdallah; section 55 of the Criminal Justice (Theft and Fraud Offences) Bill 2000 would make it an offence for any person to use "an assumed name with the intention that it be used in the course of or connection with an offence under this Act". Although Irish law does offer protection, in a global network hiding your identity or becoming anonymous online may seem like an appealing prospect.
Commercial sites that will enable users do this are available from providers such as anonymizer.com. But anonymity confers limited protection, and it may be impossible to preserve against a legal challenge. In Totalise v Motley Fool, a user known as "Zeddust" posted defamatory statements on the defendant's website. Although the defendant had promised to preserve Zeddust's privacy, the English courts ordered that it be disclosed to the plaintiff.
The large number of high-capacity, web-hosting services which are due to be sited in Ireland may force this issue before the Irish courts. Ireland's laws on this issue may differ, primarily because of the E-Commerce Act 2000. This makes it a criminal offence for any individual or "public body" to interfere with the privacy of "signature-creation devices" and so electronic signatures themselves. This may enable the users of such signatures to preserve their anonymity, even in the face of a court challenge. So the Irish providers of what amount to "privacy" services should have an advantage over their UK and other rivals, which should help to make Ireland a hub for e-commerce.
The main challenge to Ireland's privacy standards is likely to come from international treaties such as the Draft Cybercrime Convention, which is being proposed by the Council of Europe.
Complying with this convention may cause conflicts with the E-Commerce Act 2000, and providing this assistance can be difficult and costly. But the real cost will be in a lessening of the freedom which enabled the Internet to grow so dramatically. The justification for this legislation may be questioned. There are no real statistics on Internet crime and those few cases that come to light are swiftly sensationalised.
In fact, online fraud is one of the slowest growing credit card frauds; last year it rose from $2 million to $7 million, or around 2 per cent of the $300 million total. Internet fraud may not be regarded as a "very serious issue" by a credit card industry that is far more concerned about organised card counterfeiters who doubled their illegal gains to over $100 million last year. This is reflected in the Abraham Abdallah story, who may have become known for identity theft but actually made money by obtaining 800 fake credit cards and using these to buy $100,000 worth of goods. He got the numbers for his fake cards in a very low-tech manner, copying them from restaurant customers and rummaging through bins. This experience appears to be reflected in the Criminal Justice (Theft and Fraud Offences) Bill 2000, which protects various instruments such as credit cards or documents.
Anyone who forges such an instrument, or possesses, uses, or copies such an instrument will commit an offence. However, the Bill will not make it an offence to possess masses of credit card numbers or to fake a credit card number, although doing so is quite straightforward.
Denis Kelleher is a practising barrister and co-author of Information Technology Law in Ireland (Butterworths: Dublin). http//:www.ictlaw.com