[PASSED] Prevention of Identity Theft

[Comfed]

So law enforcement officers in Chipoli can see identity data in Comfed that is irrelevant to any case they have? If this is a voluntary database and my identity has been stolen I think I would think twice before submitting highly personal information about myself with every police officer in the World Assembly.

Good catch, that clause has been amended.

While it is better that the scope has been restricted it still does not allow for issues of international identity theft, and more importantly it is still an issue that law enforcement can query the database for their entire nation at any time for basically any reason.

[Desmosthenes and Burke]

“Identity Theft” as the fraudulent acquisition of another person's identifying or financial information in order to use their identity for financial gain without their consent.

OOC: Your definition is rather narrow, don't you think? Let us posit a call centre agent for random corporate entity. This agent receives and records customer's credit card numbers, names, addresses, and/or bank account information as a legitimate part of their job to process payments for customers. This agent has committed no fraud in obtaining this information. If they then used a customer's information to go on a shopping spree, should not that still count as identity theft?

[Chipoli]

Clause 4 doesn't make sense - much of US personal financial data is not just held by retailers (I'd generously interpret that to mean all businesses doing C2B such as retail banks) but also by C2C companies (financial services consolidation and processing companies for example).

Clause 2a is probably redundant.

Clause 2e towards the end about abuse of the system would probably cause problems.

Elaborate on clause 2e.

Clause 4 amended.

[Chipoli]

“Identity Theft” as the fraudulent acquisition of another person's identifying or financial information in order to use their identity for financial gain without their consent.

OOC: Your definition is rather narrow, don't you think? Let us posit a call centre agent for random corporate entity. This agent receives and records customer's credit card numbers, names, addresses, and/or bank account information as a legitimate part of their job to process payments for customers. This agent has committed no fraud in obtaining this information. If they then used a customer's information to go on a shopping spree, should not that still count as identity theft?

It would be.
Regardless of whether or not the information was gathered as part of the agent's job, using a customer's personal information without their consent for personal gain is identity theft. It's also a breach of the customer's trust that they put in the agent.

I also see the point you are trying to make, so I have edited the definition.

[Chipoli]

Upon further consideration, this has been taken off last call as it appears I will need more drafting time.

[Simone Republic]

Clause 2 on W AID, I think has been pointed out is dangerous in creating a central hacking point when we seem to move towards decentralization of data.

Clause 2a is either redundant (unless you say it's all AI staffed) and I don't know if it comes close to the rule over WA not being able to specify the staffing of a WA committee.

Clause 2b as per Comfed likely to get stomped on on sovereignty grounds. Also the WA has plenty of states with extremely wide powers for the Police.

Clause 2b also what happens if states are at war?

Clause 2c training doesn't mean "qualified". You give me a patriot, someone gets a spy. Also I didn't think the Americans particularly trust their police to start with?

Clause 2d is too vague. Is someone's credit card number important? Social security number? National ID number? Age? Mother's maiden name?
(In many countries that's public due to birth records being public).

Clause 2e again is toothless. Find a traitor like Bob Hanssen or Kim Philby, leak the entire database, then flee.

Clause 2f creates its own privacy issues, but that's another matter.

Clause 3 is redundant since you basically pretty much allow access to the WAID carte blanche.

Clause 4 - urges? It's not even compulsory? And what about schools hospitals charities etc. "Institutions" maybe but then you'd need to define it.

Clause 5 - "combat" can be a very weak action. I can put up a poster that says "combat identity threat" and that probably counts.

Just some random thoughts.

[Chipoli]

1. This resolution uses encryption and strict security protocols (clause 2b) so hacking is made virtually impossible.

2. It will be removed.

3. The way this proposal works, it is necessary for law enforcement officers to access the identity data, apprehend the perpetrator, and if applicable, compensate the victim. I might consider tightening that clause to only the most trusted individuals. Then again, this resolution only intends to place the identity data in the hands of only those most trusted (per clauses 2c and 2e). I'll get more input on this as this is crucial to the proposal.

4. It will be difficult, as many nations would not want to collaborate with nations they are at war with to track identity theft. Collaborating with one another is not compulsory, so states can choose to not cooperate with each other. I assume people have better things to do than steal identities in wartime. However, that could be just me.

5. The training is intended to make them qualified, but I amended it slightly just in case.

6. I intend to let member states determine what qualifies as important.

7. I'd like to hear more feedback on this.

8. How else do states track ID cases?

9. 2b: "b. Law enforcement organizations in member states and member state governments are given full access to all of WAID's id
entity data within their nation" Nothing besides clause 3 states that foreign law enforcement can share data in cases of international identity theft.

10. I've changed it to "businesses and institutions." I will wait for opinions on whether it should be compulsory or not.

11. The meaning of combat is to: "take action to reduce or prevent ______ (i.e Identity Theft)" I'm not sure putting a poster is reducing/preventing something.

[Chipoli]

I intend to submit this in 1-3 weeks. I will determine the exact date based on the feedback I receive.

[Chipoli]

The submission date is currently set at February 23rd.

[Chipoli]

This is the last call before I submit.

[Chipoli]

This has been submitted.

[Imperium Anglorum]

OOC. I agree that having a centralised data base is a terrible idea and that it will almost certainly get hacked at some point. Writing into the proposal that the database is cannot be hacked is, in my opinion, actually fiating that the database does not exist. Handwaving "encryption and strict security protocols" is not sufficient.

[Simone Republic]

OOC. I agree that having a centralised data base is a terrible idea and that it will almost certainly get hacked at some point. Writing into the proposal that the database is cannot be hacked is, in my opinion, actually fiating that the database does not exist. Handwaving "encryption and strict security protocols" is not sufficient.

I am keeping my For vote at the moment given I already commented quite extensively on the drafting above, but looking at Comfed's comments on the TNP forum and the torrent of, erm, discussions on WALL, I really want to know: are we absolutely sure we are OK on this from a technical standpoint?

Can someone look at this? Internet security is not really a strong suit for me. Although I know some programming, I am more of a luser user in terms of Internet security.

[Kenmoria]

(OOC: On a matter of GA policy, I feel as though concerns about the security of databases should go on the same level as concerns about oversight and staffing of committees. Although this would certainly be a factor to consider in real policy-making, there are considerations of space and legislative effort which mean that it is not reasonable to expect authors to address these sort of functional concerns. Resolutions shouldn’t directly mention the incorruptibility of committees, databases, WA programmes, et cetera, since it is a conceit to enable easier legislating, but I feel as though it is too restrictive on authors to not have the conceit in place.)

[Chipoli]

Bump, as this will go to vote in the next few days.

[La Xinga]

Member states must combat identity theft as much as they possibly can within the scope of their jurisdictions by investigating identity theft reports, responding to them, and cooperating with identity theft victims.

How much is "as they possibly can"?

[Kenmoria]

Member states must combat identity theft as much as they possibly can within the scope of their jurisdictions by investigating identity theft reports, responding to them, and cooperating with identity theft victims.

How much is "as they possibly can"?

(OOC: It is the maximal extent possible for a given member-nation.)

[Otaku Stratus]

Seems kind of a silly solution but okay sure.
Better would be to simply make banks liable for all identity theft. then they'll find a way to solve it if they want to still have clients

[North Cadenza]

Only illegal if the theft is for monetary gain? That leaves many other reasons for identity theft still legal.
A worldwide organization that gathers data on everyone?
This will become the number one target of any criminal who wants an identity to steal.
Even forcing privately owned corporations and businesses to hand over such data?
This entire thing is a hard no from North Cadenza.
While the issue of identity theft needs dealt with. Taking away the privacy of our citizens should not be on the table.

[Office of WA Legislation]

The South Pacific recommends that you vote $FOR$ Prevention Of Identity Theft", by Chipoli.

Please find the Office of WA Legislation's analysis of this repeal below, and make sure to upvote the OWL's recommendation dispatch.

Refinement and improvement, of concepts just as much as of proposals, has always been at the heart of the General Assembly. The fight against identity theft is no exception: Prevention of Identity Theft builds upon its predecessor resolutions' ideally solid, although practically flawed, countermeasures to produce a resolution that will likely resist far more challenges than either of those ever did.

The proposal has two crucial functions. First is the establishment of WAID, a World Assembly Identity Database, which allows carefully- and continually-vetted members of law enforcement to securely track the identities of those confirmed to be victims of identity theft, thereby enabling the capture of thieves. Second is a core requirement for members to take every step within their power to prosecute and prevent identity theft (including an encouragement for organisations to join in preventative actions).

It is unfortunate that a more explicit link between the WAID's functions and the obligations of member states are not drawn - beyond a simple, rather confusing assumption that WAID-hosted identities can be of use by themselves in chasing down identity thieves - but the resolution otherwise has little to incriminate itself. Identity theft, a potentially international crime in many cases, should be forbidden by the World Assembly anyway; Articles 4 and 5 are straightforward, and highly effective in accomplishing this. And while WAID is far from a silver bullet, its inbuilt security measures and clearly-defined mandate nonetheless make it useful in helping ensure true international co-ordination in challenging identity theft.

Thus, OWL recommends a vote FOR the at-vote resolution, "Prevention of Identity Theft."

This resolution will be at vote between midnight EDT on April 1st 2023 and midnight EDT on April 5th 2023.

[Alameda]

The section permitting law enforcement organizations to access this data is highly problematic. What stops an authoritarian member state from using this data to spy on citizens and use it to suppress opposition movements, and further oppress already marginalized social groups? I encourage everyone to vote NO on this resolution.

[Kenmoria]

The section permitting law enforcement organizations to access this data is highly problematic. What stops an authoritarian member state from using this data to spy on citizens and use it to suppress opposition movements, and further oppress already marginalized social groups? I encourage everyone to vote NO on this resolution.

(OOC: Suppressing oppositional movements and oppressing marginalised groups are both already prohibited by extant resolutions of the General Assembly. That leaves only spying as something that, to my knowledge, could be possible. However, given that an authoritarian government could simply harvest the information anyway, I do not think that this concern is too major.)

[La Xinga]

How much is "as they possibly can"?

(OOC: It is the maximal extent possible for a given member-nation.)

OOC: Would this mean that a nation would have to go to every possible method in order to attain info on this? Including, perhaps, violating others' privacy with they believe should not be infringed on?

[Kenmoria]

(OOC: It is the maximal extent possible for a given member-nation.)

OOC: Would this mean that a nation would have to go to every possible method in order to attain info on this? Including, perhaps, violating others' privacy with they believe should not be infringed on?

(OOC: So far as that does not involve technical infeasibility or contradiction of extant law of the General Assembly, yes, it would involve infringement of others’ privacy if this were the only way to achieve maximal prevention of identity-theft.)

[Macadia]

Ambassador Gretchen Harlemane: “At first read, I was leaning towards support of this proposal, but after hearing what other members had to say, and listening to the flaws they pointed out on this well-intentioned piece of legislation, I must oppose this, and I hope most other nations of the World Assembly follow suit.”