THIS TRANSCRIPT IS ISSUED ON THE UNDERSTANDING THAT IT IS TAKEN FROM A LIVE PROGRAMME AS IT WAS BROADCAST. THE NATURE OF LIVE BROADCASTING MEANS THAT NEITHER THE BBC NOR THE PARTICIPANTS IN THE PROGRAMME CAN GUARANTEE THE ACCURACY OF THE INFORMATION HERE.

MONEY BOX INVESTIGATES: PRIVACY IN PERIL

Presenter: CHRIS A’COURT

TRANSMISSION: 29 AUGUST 2006 2000-2040 BST BBC RADIO 4

BREACHES LIST: Bank of America - lost backup tape: one million, two hundred thousand records exposed. CardSystems, hacking, forty million records exposed. LexisNexis … (fades under)

A’COURT: Identity theft is the crime of the information age. New victims are created every day. The list you’re hearing catalogues just a few of the blunders in America that have exposed the personal information of millions of people. It’s a pernicious crime. First your personal privacy’s destroyed; then your money stolen and the chain of misery can last for years. It happens so simply too, often with just a few clicks of a criminal’s computer mouse. Across the Atlantic ID theft and fraud has reached such epidemic proportions that the rest of the world is now on a warning.

HILLEBRAND: Identity theft is a very simple crime. If you have brainpower, some stolen information and an internet connection, you can be anywhere in the world and steal from someone anywhere else in the world.

DARK TANGENT: There’s no knobs I can turn to really help my privacy besides I try to pay for everything I can in cash, I try not to send any e-mails I don’t care about the world knowing, and there’s really not much I can do. It’s almost like you have to come to terms that your identity is out of your hands.

GOOGLE MAN: We’re entering into an era where the information being collected is staggering. It’s unprecedented in the history of mankind, this amount of information we’re disclosing.

A’COURT: In the US 10 million people are being hit every year.
In the UK identity crime is affecting 100,000 people annually and it’s costing £1.7 billion. As more and more of our private information is stored on giant computer databases and our appetite for internet banking and online shopping grows, almost no one should feel immune. Even if we protect ourselves, there’s increasing evidence that others fail to keep our information secure. In this programme, we’ll uncover what’s wrong both here and in the US and investigate some practical solutions that might stem the seemingly unstoppable rise in ID crime. Innocent victims like Neil and his partner from London already know what it’s like to suffer. Neil had no warning - there was just the sudden discovery that an identity thief was already pretending to be him and had swiftly run up huge debts on a card account.

NEIL: The account address had been changed to an address in Stratford. They were ordering things, that’s where they were going, and I was shocked, it was down to us to sort it out. Things were happening that affected mine and my partner’s life very, very closely. You know it basically blocked off our lines of credit, which made planning for anything in the future that involved any finance impossible.

A’COURT: Neil and his partner can hardly believe how devastating identity theft can be.

NEIL: We’ve lost money because we have to pay a mortgage at a higher rate of interest than the one that we would have got. I’m self-employed and I have spent hours of time to try and sort this out. And apart from that, it’s also been a huge headache and a lot of stress.

A’COURT: Like other identity crime victims, Neil struggled through his ordeal. There was little sympathy, no source of independent help. The first problem is that in law there’s nothing to define Neil as a victim at all, as the National Consumer Council’s Claire Whyley explains.

WHYLEY: One of the big problems is that organisations are seen as the victims of identity theft because it’s them who’ve lost money out of it.
The individual isn’t necessarily identified as a victim and clearly that doesn’t work for the individual because their name is still being used. Their access to future goods and services – credit cards, mortgages, bank accounts, that kind of thing – will all be affected if their name has been used to take out loans which aren’t being repaid.

A’COURT: Banks will eventually refund stolen money to victims who prove they’ve been targeted by identity thieves, but the damage to your credit history may last for years. If more people aren’t to suffer experts say the UK must wake up now or risk identity crime reaching US style proportions. Author and personal finance broadcaster Alvin Hall knows both sides of the Atlantic.

HALL: The US is 5 years ahead, if not more, compared to the United Kingdom. That’s because there are so many more credit cards, so many more debit cards, so much more money to be made.

A’COURT: If something isn’t done to stop identity theft soon, what is the worst do you think could happen?

HALL: The worst-case scenario is that a big bank or a big issuer of credit cards is brought to its knees, is hit with such staggering losses that it has to go bankrupt.

A’COURT: The US is already reeling from a series of identity disclosure scandals, one so huge that it stunned the nation. It involves the US government’s Department for Veterans Affairs.

ATMOS: WASHINGTON METRO

A’COURT: I’ve come to Washington. What’s happened here, almost unbelievably, is that the highly sensitive, private information of all America’s service men and women, both past and present, may have been released to criminals – all through the simple act of just one government employee taking his laptop computer home.

ENSIGN: What we have here is a high level VA employee taking his laptop home with this data, unsecured outside the agency.
He was allowed to take this home, probably to suit his own personal needs and his own leisure, so that 26 million records of veterans – and, by the way, included in that number is 1.8 million active duty soldiers, many of whom are serving in Iraq and Afghanistan right now, that was part of that database as well – and this person is able to take this data home and bring anything he wants to up on the screen, read any private record he wants to. That is an egregious violation of people’s privacy rights and he should be punished.

A’COURT: Todd Ensign of Citizen Soldier, a veterans' representative group. It wasn’t just that veterans' privacy rights were infringed when that government worker took home the laptop with all their details on it. It was then stolen from his home and all 26½ million people whose names were on it instantly became potential victims of identity thieves. And it’s that which has sent the nation reeling.

ENSIGN: What could happen is people could gain very, very personal information such as credit cards, such as HIV status, blood type, insurance status, mental health status. The VA keeps an enormous amount of records about veterans. That’s the kind of data that’s valuable, can be sold, has commercial value.

A’COURT: The stolen laptop was missing for 7 weeks, then recovered. The government and FBI have said they don’t believe the highly sensitive information was viewed or copied, but no one can know for sure. There was no security protection called encryption. Criminals could take an image of all the data in just a few minutes, leaving no telltale signs. So a war veteran like Joe from Washington must live in the constant knowledge that identity fraudsters could use his information at any time.

JOE: This is something I think about each day. Everybody I talk to have grave concerns. They’re concerned as to what to do for the long-term.
Maybe nothing has happened yet, but how do we know nothing will happen down the road, so now you’re always thinking about it. You always you know go do your credit check you know more regularly to see if anything changed, anything unusual. You know it’s just creating a whole bunch of anxiety that didn’t have to be there.

A’COURT: If the veterans’ agency didn’t take security seriously before, it certainly must do now. The veterans are demanding $1,000 compensation from the VA for each of the 26½ million people whose private information was compromised. If successful, the government will need to pay $26 billion. And theft of government computers isn’t confined to the United States. Several UK government departments have recently confessed that they’ve also had laptops stolen, owning up only after a journalist’s Freedom of Information Act request. What’s on those missing machines remains a mystery, but Alvin Hall believes there’s now a major problem with storage of sensitive personal data on portable computers.

HALL: We can put all of this information into this little computer and let people carry it around. People lose wallets, people lose keys, people even lose their children in malls. They’re going to lose a laptop. And when somebody gets that information, today, with the speed of the Internet, it could be in Nigeria, it could be in Russia, it could be in Latin America, just like that.

A’COURT: Here a lack of transparency in government or businesses may be preventing us from knowing just how much private information is lost or stolen, but across the Atlantic there’s a new climate of openness. In America it’s mandatory that people are told each time any of their personal information is lost or stolen. The change came after a company called ChoicePoint carelessly sold to identity thieves the financial details of 140,000 people.
BRODER: ChoicePoint are one of the largest aggregators of consumer information and they make it available for people with legitimate need for that information – employers, insurance brokers, government agencies. But there was a ring based out in Los Angeles of people who realised that this was gold with respect to identity theft and so they pretended to be people with legitimate need to get this information, but they logged on to the ChoicePoint system from the photocopying shop down the street and they used free e-mail addresses to identify themselves and they were able to get consumer records, and they used that in many cases to commit identity theft.

A’COURT: Betsy Broder is from the US Federal Trade Commission, similar to our own Office of Fair Trading. When ChoicePoint first discovered it had been duped by criminals, it warned the people whose information had been sold but only those living in California. Only California had a law which demanded it - those in the rest of the US could be left in the dark. But there was an outcry and ChoicePoint was forced to tell every one of the potential identity theft victims. Now two thirds of all American states require firms to send out warning letters whenever private information goes astray. So ChoicePoint’s sloppy security brought major change in the US as well as a multi-million dollar fine from the FTC.

BRODER: We assessed a $15 million payment upon them. Some of that was civil penalties and some of that was consumer redress for the people who actually experienced the identity theft. I would like to think we’re turning a corner. I think we’re turning a corner for a couple of reasons. First of all, cases like ChoicePoint show that the federal cop is on the beat and we’re going to expect companies to have appropriate data security. Even if these are practices that they engaged in before and they’re able to cover it because it was just the cost of doing business, we don’t think it’s the cost of doing business.
When you don’t give proper care to consumers’ records, we think that there are consequences.

A’COURT: Since I’ve already heard that the law’s making such a difference, I’m on my way to the place where it was born - Sacramento. Each part of this landmark legislation was drawn up and then closely scrutinised by Senator Debra Bowen and that’s who I’m going to see now.

BOWEN: The way our law works is if information is stolen or there’s a hack into a database, the business in question must inform the public that that has occurred. And it has helped strengthen security because retailers who have valuable clients don’t want to have to tell them that they’ve lost people’s drivers licence number, social security number, credit card numbers and so forth, so it acts as a deterrent.

A’COURT: So what was it about California that made Senator Bowen so passionate about introducing a law there ahead of anywhere else?

BOWEN: Identity theft was the fastest growing crime in California and we were beginning to see gang involvement from overseas gangs. So it had gone from a situation where there was an occasional theft of a credit card application from someone’s mailbox to massive fraud, causing enormous personal losses as well as a big negative for the business community.

A’COURT: And how did that change?

BOWEN: We have slowed the incidence of identity theft dramatically and that means fewer people are being victimised.

A’COURT: While the Senator’s delighted with the impact her law has had, she says there’s still more that can be done.

BOWEN: We are seeing an unprecedented number of places where our private information is available both in the public sector to governments and in the private sector where we’ve got a wholesale market in the sale of people’s personal financial information. We have to do a better job in an economy that runs on information and numerical identification.
ATMOS: ID THEFT RESEARCH CENTRE

A’COURT: California isn’t just leading the way with its identity theft law. I’m standing in what’s a unique centre to help victims of identity theft. It’s on the outskirts of San Diego and it’s run by Jay and Linda Foley. It’s totally independent, unlike anything in the UK. ID theft victims can come directly for help here and get an immediate response.

J. FOLEY: Here is the main call centre section of our office. We have people working and dealing with victims all across the United States - calling in, sending in e-mails, letting us know what their problem is and getting our advice and guidance to deal with it.

L. FOLEY: It’s everything from “How do I know if I’m a victim of identity theft?” all the way through to the worst-case scenario, which is “I’ve just found out someone has opened up 20 credit cards in my name. There’s warrants for my arrest because they say I owe money”.

A’COURT: And the Foleys told me how I could become a victim in the United States the moment I walked out the door.

J. FOLEY: You’re going to leave here today and you’re going to drive off and you’re going to stop at the gas station over here on the corner and you’re going to whip out your debit card or your credit card and you’re going to put it in there and it’s going to call for your PIN number. And you put it in and then you drive off and I walk over and I smash my elbow into the front of that gas pump and pull the hard drive out of it. Now I’ve got your credit card number, your address, your name, all because it came off your credit card, and I also have your PIN number, so I gotcha. It’s as easy as that, unfortunately.

L. FOLEY: And it’s not exclusive to the United States. Unfortunately in the UK people go to cemeteries. They go and they look at the gravestones and they see a child that has died in childhood and then they go and they get paperwork, birth certificates and such and take over that child’s identity to be used for fraudulent purposes.
A’COURT: There are significant differences which make identity theft easier in the US compared to the UK. Not least there’s the US system which links just about everything one applies for to a social security number. Once a thief has that number, along with name and birth date, it’s simple to start opening bank accounts and credit cards or even take over a person’s whole identity.

ATMOS: DEFCON BACKGROUND

A’COURT: I’ve discovered that it’s possible to meet some of those who know most about how to steal identities not that far away. This is Las Vegas and every August it’s the world centre for computer hackers. Thousands of them come for two events called Black Hat and Defcon. I’m at Defcon and it has the feel of an underground event, organised by a figure known only as ‘The Dark Tangent’. There’s no advertising outside. Getting in is strictly by paying cash at the door. And around me I can see hackers huddled around tabletops, ringed with laptop computers, but they’re also mingling with visitors from the US military and the FBI and some of the things you hear can’t fail to alarm.

MALE 1: We’re entering into an era where really the information being collected is staggering. It’s unprecedented in the history of mankind, this amount of information we’re exposing.

MALE 2: The most popular thing right now is these schemes that they call phishing scams where the criminals will send out hundreds of thousands of e-mail messages, try to make it look like it’s coming from a legitimate financial institution. The victim goes to a website, enters in their personal information. The criminal now has their personal information and can go out and commit crimes related to identity theft.

A’COURT: And the shadowy founder of the conference, the Dark Tangent himself, gave me his own chilling assessment of the point now reached.

DARK TANGENT: The road we’re walking down is to develop technology that could be vastly misappropriated and misused.
The thing that sucks about this is there’s no knobs I can turn to really help my privacy besides I try to pay for everything I can in cash, I try not to send any e-mails I don’t care about the world knowing. And there’s really not much I can do. It’s almost like you have to come to terms that your identity is out of your hands.

A’COURT: There were startling stories of what could be done. Adam Laurie is now famed for proving how it’s sometimes possible to learn almost everything about someone starting with very little. He’d been able to assemble complete identity details of a stranger just from using the frequent flyer number he found on a discarded boarding pass on an airport floor.

LAURIE: We went and found a boarding pass at the airport that someone had discarded, used the information printed on the boarding pass to go through their system, and we did find that again we could get all the passport details - date of birth, country of residence, country of birth. Once we had that, actually the guy had a fairly unusual name so we were then able to start searching for him on the internet. There was a property finder website, so we were able to then look at how much his house was worth. We found his biography online, so we knew where he worked, what his business was and so on, so we found out an awful lot about the guy, everything.

A’COURT: All of that from an initial picking up of just a discarded boarding pass from someone you didn’t know?

LAURIE: Exactly, yeah, just a very small piece of paper with a few numbers on it and a name.

A’COURT: British Airways has now closed that security loophole. But I wanted to try a new experiment. If private information really is so insecure, could we prove it in just a few minutes? Hacker Johnny Long doesn’t infiltrate computer networks to steal. He’s a professional who’s paid to hack in order to expose security flaws. What could he find using just an ordinary laptop?

LONG: We have on the screen now an Equifax credit report.
Now, as you know, a credit report contains everything about you financially. This is a full credit report, lists this individual’s information.

A’COURT: Somebody in East Sussex, funnily enough, in the UK?

LONG: Yes, ironically enough in the UK. All the information about their income, credit cards. Now this document I found on a peer-to-peer network, a file-sharing service. Folks go out there to download music or videos or movies. Well instead of looking for that sort of information, I decided to look for sensitive information, you know without giving away the technique you use. You can see that this credit report was on someone’s computer. They had peer-to-peer software installed and the peer-to-peer software was instructed to look in this directory that contained their credit report.

A’COURT: That person has released – inadvertently probably – all of the details of their identity by putting that peer-to-peer software on their machine in the UK?

LONG: Absolutely.

A’COURT: Well far from Las Vegas, we’re back in the UK and we’ve done some of our own detective work to try and track down the person whose name appeared on the credit record and onscreen. We took a note of his name and address and we’ve tracked him down not to Sussex but to an address here in London. It seems he lives in two different places and he’s agreed to meet us.

JACK: Hello.

A’COURT: Hello. Is that Jack?

JACK: Yes.

A’COURT: Jack, it’s Chris from the BBC. Can I come in? Have you heard of peer-to-peer software before?

JACK: No.

A’COURT: Have you heard of a programme called Kazaa?

JACK: Yes, my wife has Kazaa. My wife got it just for downloading music.

A’COURT: That’s peer-to-peer software.

JACK: Well it’s annoying and it shouldn’t be allowed.

A’COURT: What’s your reaction to hearing that someone thousands of miles away could see your credit report as easily as that?

JACK: It’s unbelievable! It’s shocking! I assumed that they’d got it from Equifax’s computers, not mine. They e-mailed it to me.
Saved it on my desktop and then went through it, so I could buy this house.

A’COURT: Have you been a victim in any way of identity thieves?

JACK: Only in that money started disappearing off one of my credit cards, so I did have to change my account number, change my credit card details, etcetera. And it may have affected my credit rating because I should be a perfect credit and I’m told I’m not.

A’COURT: We’d tracked the hack, confirming all Johnny’s suspicions on why Jack’s credit report was on worldwide display. He’s now removed it and the software from his hard drive. But thousands of people in the UK have installed Kazaa on their computers – further evidence, says Alvin Hall, of how we’re just not protecting our personal privacy and security.

HALL: People in Britain are a bit too casual about identity theft still and I think the government hasn’t taken it very seriously. I think millions of pounds are being lost to identity theft. But the individual never really knows it until it’s happened to them. The public needs to be aware. Once they’re aware of the possibilities, they can then take actions to prevent it or at least curtail it.

A’COURT: In America there is something you can do that stops identity thieves stealing money in your name. Here’s Ed Mierzwinski, a Director of the US Public Interest Research Group.

MIERZWINSKI: Instant credit is why we have identity theft. Instant credit is something these companies, these car dealers and everyone else claim is a critical part of the American economic miracle. They claim, by the way, that in Europe people are living in caves and can’t buy a car or a house without many months of negotiations because you don’t have the sophisticated instant credit systems that we supposedly have. I don’t believe any of that, but I’ve heard industry lobbyists say that with a straight face. And so what we have argued is that the only way to stop identity theft is to give people the right to close off their credit report.
A’COURT: Gail Hillebrand of the Consumers Union explains that this measure can scupper identity thieves and it’s called freezing your credit.

HILLEBRAND: This is a self help tool that allows you to say to the credit reference agency don’t give out my information to anyone for a new account unless I provide the PIN, the password, I open the account. It’s a fundamentally new idea that you get to decide who sees your credit file instead of anybody being able to go in there. You have to place the freeze by making a request to the credit bureaux and then they put essentially a freeze or a lock on your account. If someone tries to open a new account in your name, the creditor will get a notice back saying ‘sorry, file frozen’. At that point the creditor contacts you, says please open your file for me. If it’s really you, you open the file, no problem, you get the credit. If it’s not you, if it’s the thief who they contact and say please open your file, at that point the thief is going to give up and go to the next victim on the list.

A’COURT: But there’s opposition from some businesses and politicians. Here’s Ed Mierzwinski again.

MIERZWINSKI: If you can freeze your credit, you can stop identity theft before it starts and Congress is considering a bill that would only give freezing rights to previous victims. Now when Congress only gives rights to previous victims and not to everyone, that’s like saying you can’t have a seat belt till you’ve already been in a car crash.

A’COURT: Consumer groups sometimes come up with solutions, but don’t always consider the full consequences. If everyone froze their credit, it could be hugely damaging to commerce, according to Andrew Barbour who speaks for the banks and lenders that are members of the Financial Services Roundtable.

BARBOUR: It seems like a simple solution, but I think from a technical standpoint it may not be as simple as it seems.
We want to make sure that we don’t do anything that will cause unintended deleterious consequences, unintended harms, to the credit granting system that we have.

A’COURT: Could it sometimes happen that industry is just so keen to sell more goods and more loans that it’s prepared to ride this situation of people suffering from identity theft, identity fraud, because it knows that a simple credit system is allowing it to make maximum profits?

BARBOUR: I could never agree with the sentiment that the financial services industry or any other industry are complicit partners with thieves in perpetrating identity theft. I don’t think it’s in anybody’s best interest to have runaway fraud and ID theft. From a bare bones bottom line, the economics of identity theft don’t work for financial services companies. We’re losers on that. We make money when consumers take out loans and repay those loans at whatever the established interest rate is. There is nothing in it for us to allow fraud to occur.

A’COURT: Much of American business would also like to see the California-style breach laws watered down, so it would only be mandatory to warn about security lapses when the firms themselves judge it to be of significant risk. The debate is expected to hot up in Congress this autumn. In the UK most people still haven’t experienced identity crime. We’ve mostly come to automatically trust internet banking and shopping, but sometimes when we’ve passed over our personal information it may not be as secure as we think. Paul Simmons sits on the board of the Jericho Forum - a group of 100 of the biggest worldwide companies, including BP, Procter and Gamble and ICI. And, while he won’t name names, he says the forum’s very concerned about how our data is stored.
SIMMONS: If you’re doing business with a company and they’re holding your credit card information, so your personal credit card is stored on their system, do you want to rely on the protection of the system (and that means that anyone who has administrative rights can go and read your credit card) or should you actually be protecting the data itself? In other words, should you be encrypting the credit card number and information itself?

A’COURT: But I think most people would think that that information should already be encrypted by most firms. Are you saying it’s not?

SIMMONS: Correct, it’s not. Most companies don’t encrypt personal data at the storage level.

A’COURT: So our details are there at major companies and perhaps a lot of employees could have access and visibility of that data.

SIMMONS: I think most companies protect that data very well, but there will be people – what’s technically known as a database administrator – who by definition will be able to read that data if it’s not encrypted.

A’COURT: That has to be a concern to most people who are worried about their privacy and about people stealing identities?

SIMMONS: Yes. And it goes further than that. I mean it’s not only credit card information. It’s personal information about you that’s held.

A’COURT: Security breaches are now announced almost daily in the States, yet not here. Sometimes declarations of stolen laptops, which include identity and account details, are reported, but Claire Whyley of the National Consumer Council suspects there may be many more incidents of our private information going astray that we simply don’t hear about.

WHYLEY: At the moment there’s no duty on organisations to inform their consumers or anybody else of security breaches and, as far as we know, companies don’t take responsibility for informing consumers.

A’COURT: So nothing would happen?

WHYLEY: Nothing would happen.
There’s a huge disincentive actually for companies to voluntarily provide information about security breaches because it’s not going to look good to consumers and they may lose custom as a result of it, so actually we really do need a duty in place to compel them to do that so that it isn’t up to organisations to volunteer to do something which may not be in their interest.

A’COURT: One of the problems is that when anyone asks firms or organisations to talk about how they protect people’s privacy – as we did – they refuse to talk about it. They claim that to say anything about security could damage it. That response can be frustrating. Here’s Claire Whyley again.

WHYLEY: The NCC as part of its research did contact some firms to find out what they do to protect their customers against security breaches. What we’ve actually found was that companies weren’t terribly willing to share that information with us. At the moment, because disclosure of that kind of information is voluntary, there isn’t an incentive for companies to share it.

A’COURT: In the UK, we believe we can sleep soundly knowing that our sensitive personal information is safe under the Data Protection Act, but Ed Mierzwinski thinks even that is not tough enough.

MIERZWINSKI: You’ll need to upgrade even strong data protection acts to give consumers more control over their information, so England, France, Germany, all countries should give consumers greater protection, notice when companies lose their information and the right to freeze their credit reports to prevent bad guys from breaking in.

A’COURT: The person in charge of enforcing the Data Protection Act is the Information Commissioner Richard Thomas. He told me that while he’s aware of the cause for stronger privacy protection, on the whole our Act is not doing a bad job.
THOMAS: I’m not saying everything’s perfect, but we don’t so far seem to have had the same sort of problems as they’ve been experiencing in the United States where they don’t have the same level of legal protection requiring businesses to keep the information secure in the first place.

A’COURT: How would people find out about breaches in this country?

THOMAS: There is no legal obligation to notify an individual where there has been a breach. I’d be more than happy to encourage that as a matter of good practice. I think to make it a legal requirement is a much wider issue. That’s a debate which may well be started at the European level, at the British level over the next two or three years.

A’COURT: But any firm or organisation is not going to go seeking reputational damage if it can avoid it.

THOMAS: No, I wouldn’t agree with that. They will come to us and seek our advice if they’ve got a problem - what can they do to minimise it? In many situations, by being open, by explaining to the individuals what’s happened, they will actually enhance their reputation, they will be seen to be a responsible, caring organisation. Far worse for this to leak out and be splashed all over the press as an incident which has happened and they’ve done nothing about it. But I do have to stress that breaches of security are fairly exceptional in this country.

A’COURT: In this programme, we’ve heard from a person representing 100 top companies, household names, who says quite clearly that our information is often being held in an easy to access and so easy to steal form. They’re not even security encrypting names and addresses and account numbers in their database store. What do you know about that?

THOMAS: I don’t know who this is and I don’t know what area we’re talking about, but if hard evidence comes our way or if we even have suspicions, we’ve got very strong powers, I’ve got a team of investigators, these are ex-police officers who go in and we take a strong line.
But I think you’re absolutely right to raise the threats to people’s privacy. As technology spreads, as people are more engaged with internet shopping, seeing more and more biometrics being used, there are more and more risks that we will have our daily lives intruded upon and that our personal information will go missing.

A’COURT: Are we simply all too complacent in this country?

THOMAS: Maybe yes in some areas. I have sounded warnings that we may be sleepwalking into a surveillance society where more and more information is collected on more and more people. One study recently suggested that the average working adult now has their personal details stored on some 700 databases. And I think it’s important that we as the enforcement body do our part, it’s important that the organisations which are collecting and using personal information do their part. It’s also important for members of the public to be aware of the risks and to safeguard their own information.

A’COURT: The government has confirmed to this programme that it has no plans yet for a US style breach law, but Home Office minister Joan Ryan does have sympathy with identity theft victims.

RYAN: People feel very invaded by it. It’s one of the few crimes where the victim doesn’t know it’s happened until well after the event.

A’COURT: Well isn’t that exactly the point? If there was a breach law in the UK people would know that they’re going to become victims before it happens.

RYAN: You’d be informing people that there’d been a breach in which they hadn’t necessarily in any way whatsoever become a victim.

A’COURT: But by the time someone becomes a victim, it’s too late.

RYAN: Well we publish a range of information to enable people to keep a check on whether they have or could have been a victim of identity theft and identity fraud, I would encourage people to access the Home Office website. But the breach laws themselves, we could be asking all private and public sector to be sending out these notices.
It could become like confetti and would perhaps just increase levels of fear and feelings of vulnerability. I think it’s something we want to watch, but I think we have to look at it in the context of the different kinds of systems and the different legislation that exists between ourselves and the United States.

A’COURT: This summer both Washington and London announced new top level groups to focus on identity theft, but it may be too late. People like Alvin Hall are convinced that the trust we once had in privacy and security is already ebbing away.

HALL: I always use the mobile phone analogy. We all use mobile phones, we all have drop calls, you can’t use it, the phones freeze. What makes people think that a security system run by a corporation is going to be more reliable than your cell phone ultimately?

A’COURT: And so it’s crucial to get this trust back in some way?

HALL: Yes, but I don’t think it will ever be the way it was when you and I were growing up, when people were innocent and you could live in a small town and not worry. It’s never going to be that way again. You need to be vigilant. You just need to be vigilant.