Saturday, 18 July 2009

Identity theft: is your personal data for sale on the internet? Lucid Intelligence, Garlik etc

This post has turned into a short overview (rather than review) of a couple of digital identity monitoring sites, after the Times reported that:

  • Over 4 million Britons’ identities are for sale on the Net.
  • Some 1/4 million British bank & credit card accounts have been hacked into.

It seems most of the data has been obtained by phishing - tricking people into emailing their username / password details to someone pretending to be the bank etc - and corporate / organisational emails and passwords have also been compromised. (See also this write-up of a fascinating overview of various kinds of cybercrime and how the criminals do it.) Bad practices by banks etc don't help. (Talking of bad practices, T-Mobile UK actually ask you to email them your customer services password, unencrypted of course, when you email them for help!)

What triggered the article was information provided by a British company, Lucid Intelligence, which has built up a database of personal data traded over the Web - put together over the last 4 years by retired senior Metropolitan Police Fraud Squad officer Colin Holder.

Have your personal details been stolen? Lucid Intelligence database

The Times article says Mr Holder intends to “offset the cost [of building the database] by charging members of the public for access to his database to check whether their data security has been breached”.

But the Lucid Intelligence website itself says the searching is free, so the article isn’t quite accurate there. Searches cost nothing, but further information will be charged for. Their FAQ clarifies:

“Searches of the Lucid database will be free. If there is a hit for the information that you search for, we will show you a limited summary of what is held. A key part of that information will be an evaluation of the risk that that data poses to you. If you wish to see the full report with all of the data that we found, a £10 administration fee will be levied. This creates a search profile that you can come back to for a year from the date you request the full report. As we add data to the database, existing search profiles will be updated with new, matching data.”

Note that if you want to try searching their database you have to give them your full name plus either your email address or your full postal address with postcode; you don't have to give both.

On the usability front, later searches offer a choice of Address or Email search, making it clear you don't have to give both addresses - but the initial search doesn't, which makes people think they have to enter both postal and email addresses. They ought to provide the dropdown on the initial search too.

Also, while they do say on the search page that you may have to try variations on your address (e.g. abbreviations), they don't explain whether you ought to try variations on your name too (e.g. initial or full first name, middle names etc).

You can search the details of anyone you know, not just your own - they don't require any kind of identity verification before you search, though they do before you actually sign up.

Without signing up with them you could still make the usual Data Protection Act "subject access request" to ask for any information they hold about you, but that will cost you a "minimal charge to cover Administration charges" - their FAQs don't say how much, but as I recall it's £10 max, though it can be more in some cases (according to Google's cache of the ICO webpage - the site itself seems to be down).

Now this sort of service isn’t new.

The strangely named Garlik have for some time been selling a paid monitoring "Data Patrol" service - for businesses as well as individuals - that keeps an eye out for subscribers’ details being sold on the internet.

I think Lucid have been much cleverer in the way they've gone about marketing their services - not only because of the free publicity they've got through the Times and others through the "Scare 'em" approach that plays on fears about the security of personal data, but also because they let you do the initial search free of charge.

Garlik don't even offer one initial free search, or a cheap short trial, so personally I've never tested their service despite the illustrious history of the people behind them (see also my summary of Garlik CEO Tom Ilube’s comments in an RSA discussion, Is Privacy Dead?). As with "experience goods" generally, it's simple diginomics - no free sample has been offered of a service whose value to me is uncertain in advance of my trying it, so I'm not willing to fork out £45 for a year's subscription. I'd be interested to know what people who've tried them think.

Lucid's name is a lot more "You can trust me to help you" than "Garlik", too.

I don’t know how profitable Garlik are in terms of their core services – but I notice that they’ve recently announced the open sourcing of their RDF semantic web platform 4store, developed in-house to underpin their identity protection and fraud prevention services, and that they will offer support and consultancy services to organisations wanting to use it.

It will be interesting to see how these and other identity monitoring and identity protection services develop, and their rate of take-up as people become more nervous about identity theft.

(Times article pointed out by Open Rights Group newsblog).