[PASSED] Prevention of Identity Theft

by **Chipoli** » Sat Jan 28, 2023 7:01 pm

OOC: This is a replacement for GA#576. Feedback and constructive criticism are greatly appreciated.

Prevention of Identity Theft

Category: International Security | Strength: Mild

The World Assembly,

Believing identity theft to be a global problem that if not addressed, can lead to serious consequences for all those who fall victim to this shameless act,

Recognizing that identity theft can occur through a variety of means, including the theft of personal information, the use of stolen personal information to commit fraud, and the use of altered or counterfeit identity documents,

Noting that while past resolutions were passed in this august assembly with good intentions (GA Resolution 110, “Identity Theft Prevention Act” and GA Resolution 576, "Preventing Identity Theft"), their flaws rendered them ineffective at combating this problem, and thus replacement legislation is required,

Determined to prevent identity theft and protect the victims from its consequences,

Hereby enacts the following into World Assembly Law:

1. Defines “Identity Theft” as the acquisition of another person's identifying or financial information to use their identity for financial gain without their consent.

2. Establishes the World Assembly Identity Database (WAID) to log and track stolen identities.

a. Law enforcement organizations in member states and member state governments are given full access to all of WAID's identity data within their nation. All data must be kept confidential and encrypted from any person or organization that isn't explicitly allowed access to the data.

b. Those entrusted with using WAID must undergo training to gain knowledge and understanding about using the database. Staff must be ensured to have passed the training before receiving access to the database.

c. Any individual that believes themselves to be a victim of identity theft and other agencies may submit their information to the database. All submitted information must be reviewed by administrators at WAID to verify their legitimacy and importance.

d. Depending on the severity, WAID itself may impose sanctions on any organization or person who abuses the database. In serious instances, the offender can be forbidden from using the database.
i. The WAID commission shall not leak or sell any identity data from the WAID.

3. Member states may share WAID data to apprehend the suspect(s).

4. All businesses and institutions that save personal data are urged to implement updated anti-identity-theft technology to counter any possible identity theft.

5. The act of identity theft or aiding someone in committing identity theft, shall be outlawed in all member states effective immediately.

a. Member states must combat identity theft as much as they possibly can within the scope of their jurisdictions by investigating identity theft reports, responding to them, and cooperating with identity theft victims.

I paraphrased the following sources, so I'd appreciate any input on whether I completely avoided any potential plagiarism allegations in this draft:

(I intend to maintain a similar format and tone to the original while adding on details and making corrections)

Identity Theft in the US: https://en.wikipedia.org/wiki/Identity_theft

GA#576 and GA#110: https://www.nationstates.net/page=WA_past_resolution/id=576/council=1 https://www.nationstates.net/page=WA_past_resolution/id=110/council=1

by **Chipoli** » Sat Jan 28, 2023 7:01 pm

Reserved for future drafts.

by **The Ice States** » Sun Jan 29, 2023 12:22 am

Support in principle.

Chipoli wrote:Believing identity theft to be a global problem that if not addressed, that can lead to serious consequences for all those who fall victim to this shameless act,

Second "that" after the first comma should be removed.

“Identity Thief” as someone who committed the crime of Identity Theft.

Is this not self-evident?

2. Establishes the World Assembly Identity Database (WAID) for the purpose of logging and tracking stolen identities.

To be clear, "WAID" refers to both the database itself and the committee responsible for administering it? I believe this should be made more clear in the text.

a. Law enforcement organizations and member state governments are given full access to all WAID's identity information.

What part of member state governments? Is an economics or environmental department of a member nation government automatically granted access to the WAID? I also think it should be clarified that this refers to law enforcement organisations in member nations.

c. Allows for collaboration between foreign member states to track down the identity thief in cases of international identity theft.

What kind of collaboration? In addition, all this seems to do is prohibit the World Assembly from prohibiting collaboration between member nations, as this draft does not appear to otherwise prohibit it such that this would be an exception; why would the World Assembly ever do that?

e. Any individual that believes themselves to be a victim of identity theft and other agencies may submit information to the database. All submitted information must be reviewed by administrators at WAID to verify their legitimacy and importance.

What other agencies? This also seems to conflict in its approach with Section 2d; law enforcement organisations can edit the database directly, but can also send the information to the WAID to be reviewed by its administrators? I'd strongly advise you to scrap d, and use only this clause.

f. Depending on the severity, WAID itself may impose sanctions on any organization or person who abuses the database. In serious instances, the offender can be forbidden from using the database.

What counts as "abuse" of the database?

g. WAID is permitted to monitor all marketplace transactions to identify any stolen identities and the member state in which the identity theft took place.

This seems like a major flaw. Why should the faceless gnomish personnel at the WAID be allowed to view names, credit card numbers, and so on in "all marketplace transactions"? (NB: if the WAID is only allowed to view minimal information, like just the ostensible identity of the entities involved, the amount of money transferred, and the product being sold, then it would not be able to meaningfully discover where identity theft took place).

3. Member states must combat identity theft as much as they possibly can within the scope of their jurisdictions by investigating identity theft reports, responding to them, cooperating with identity theft victims, and apprehending and punishing the identity thief.

Cooperating with victims how? Also, does this mean that member nations are prohibited from enacting pardons or other such measures upon identity theft charges?

4. All global retail industries are obligated to implement updated anti-identity-theft technology to counter any possible identity theft in order to protect their customers.

What kind of technology?

5. Member states are permitted to create any organization to assist their citizens in avoiding and recovering from identity theft.

This also seems unnecessary. The World Assembly would never prohibit member nations from establishing organisations to assist in dealing with identity theft; nor does this act as an exception, as the rest of your mandates do not restrict this ability.

by **Chipoli** » Sun Jan 29, 2023 8:17 am

1. Fixed.

2. Removed.

3. Correct, that has been clarified

4. What I meant by "Law enforcement" was the police or FBI/SWAT etc. of member nations. That has been clarified. I would say that Federal law enforcement agencies (such as the FBI) and crime-stopping organizations such as the Department of Homeland Security can access WAID, and most likely the leader of the nation, depending on its laws. The rest has been reworded and clarified.

5. Law enforcement agencies use their identity data to track down identity thieves the rest has been reworded.

6. Scrapped for now, if anyone has any objections to that please bring them up.

7. For higher-ups, it means leaking any personal info of anyone that has submitted information or selling that information (or using it for identity theft itself!). Spamming reports that are confirmed to be false can lead to restrictions on submitting but not complete loss of access, but that's basically the only way anyone abuses it since a regular person cannot see the identity data seen by governments and law enforcement agencies.

8. So WAID should be able to view more than minimal information but it also shouldn't see everything in "all marketplace transactions"? Is that what you are saying?

9. The victim can provide info such as the location of the identity thief, the amount of money stolen, and what was used to buy with their money (since people can see their own transaction history).

10. Encryption, Chip Technology, Multi-factor Authentication, Touch-to-pay Technology (such as Apple Pay), and probably more than I didn't mention.

by **Tinhampton** » Sun Jan 29, 2023 9:00 am

A: You didn't address TIS's argument about Article 5.

B: Why do we need a committee-centred, rather than a police-centred, approach to identity theft ("IDT") - never mind for the third resolution on this matter in a row? I don't know of any real-world international agency designed to prevent, or host reports of, IDT. However, national-scale and below anti-IDT efforts exist. For instance, in England and Wales, you can report IDT via Action Fraud (although it is redirected to the National Fraud Intelligence Bureau) or the police in general. All major banks and building societies - including those in Scotland and NI - are members of the Take Five campaign. Banks also often operate their own fraud-reporting mechanisms; here's Barclays as an example.

C: How do you expect WAID - or anyone else - to monitor all transactions, everywhere, made through all means in all WA locations?

Chipoli wrote:10. Encryption, Chip Technology, Multi-factor Authentication, Touch-to-pay Technology (such as Apple Pay), and probably more than I didn't mention.

D: Please explain how these technologies prevent IDT.

by **Mesogiria** » Sun Jan 29, 2023 9:26 am

Chipoli wrote:So WAID should be able to view more than minimal information but it also shouldn't see everything in "all marketplace transactions"? Is that what you are saying?

I would go the other way, personally, and say that creating a WA committee allowed to monitor all economic activity by all persons and entities in all member states down to the level of individual purchase and sale transactions automatically linked to personal identities is a terrifying obliteration of privacy that also creates the biggest, most enticing target possible for identity thieves to attempt to compromise.

by **Chipoli** » Sun Jan 29, 2023 10:07 am

The Ice States wrote:

5. Member states are permitted to create any organization to assist their citizens in avoiding and recovering from identity theft.

This also seems unnecessary. The World Assembly would never prohibit member nations from establishing organisations to assist in dealing with identity theft; nor does this act as an exception, as the rest of your mandates do not restrict this ability.

I've removed it for now but should future concerns about this arise I might go a different path.

by **Chipoli** » Sun Jan 29, 2023 10:43 am

Tinhampton wrote:A: You didn't address TIS's argument about Article 5.

B: Why do we need a committee-centred, rather than a police-centred, approach to identity theft ("IDT") - never mind for the third resolution on this matter in a row? I don't know of any real-world international agency designed to prevent, or host reports of, IDT. However, national-scale and below anti-IDT efforts exist. For instance, in England and Wales, you can report IDT via Action Fraud (although it is redirected to the National Fraud Intelligence Bureau) or the police in general. All major banks and building societies - including those in Scotland and NI - are members of the Take Five campaign. Banks also often operate their own fraud-reporting mechanisms; here's Barclays as an example.

C: How do you expect WAID - or anyone else - to monitor all transactions, everywhere, made through all means in all WA locations?

Chipoli wrote:10. Encryption, Chip Technology, Multi-factor Authentication, Touch-to-pay Technology (such as Apple Pay), and probably more than I didn't mention.

D: Please explain how these technologies prevent IDT.

A. I have removed it just now.

B. Just because it doesn't exist in real life doesn't mean it can't exist in the WA.

C. I will change that clause for privacy reasons per Mesogiria

D. Gladly:

1. Customers' private information, such as Social Security numbers, account or routing numbers, or credit or debit card PINs, cannot be accessed by identity thieves because of encryption. Encryption is used during a transaction at the point-of-sale as well as when the information from the sale is sent to the bank for payment. If a scammer attempts to steal a person's personal information at any point during this process, the encryption will render that information inaccessible and prevent identity theft.

2. The chip in the card requires the customer to sign or enter a PIN to verify his or her ownership of the account. If the customer’s signature or PIN does not match, the chip alerts the merchant to the theft and misuse of the card.

3. Companies also are using multi-factor authentication to verify the identities of customers. Multi-factor authentication requires the customer to enter information or features that only he or she would possess.

4. Customers are given the option to save their debit or credit card information on their mobile phones or other personal devices. They can then use their devices to complete payments without actually giving the retailer they are making a purchase from their account information.

by **Chipoli** » Sun Jan 29, 2023 11:03 am

Mesogiria wrote:
Chipoli wrote:So WAID should be able to view more than minimal information but it also shouldn't see everything in "all marketplace transactions"? Is that what you are saying?

I would go the other way, personally, and say that creating a WA committee allowed to monitor all economic activity by all persons and entities in all member states down to the level of individual purchase and sale transactions automatically linked to personal identities is a terrifying obliteration of privacy that also creates the biggest, most enticing target possible for identity thieves to attempt to compromise.

Clause removed as it causes more problems than it fixes.

by **Imperium Anglorum** » Sun Jan 29, 2023 11:04 am

I'm sure that a better title could be found than "On X".

by **Chipoli** » Sun Jan 29, 2023 5:56 pm

Imperium Anglorum wrote:I'm sure that a better title could be found than "On X".

The title has been changed from "On Identity Theft" to "Prevention of Identity Theft".

by **Chipoli** » Tue Jan 31, 2023 1:56 pm

Bump.

by **Chipoli** » Thu Feb 02, 2023 8:18 pm

2/2 notes:

1. Slight Wording Changes
2. Revamped Clause 2f
3. Moved Draft 2's Clause 3 to 4a and amended it to fix a loophole that would ban pardoning acts of Identity Theft.
4. Removed the banning of selling of data due to it making Google, Microsoft, etc. non-compliant with the resolution.

Special Thanks to The Ice States/ Magecastle Embassy Building A5 who helped me with drafting off-site.

by **Tinhampton** » Thu Feb 02, 2023 8:28 pm

Chipoli wrote:4. Removed the banning of selling of data due to it making Google, Microsoft, etc. non-compliant with the resolution.

Isn't "Do Not Sell My Personal Information" just California/CCPA sleight of hand for "modify my cookie preferences"?

by **Chipoli** » Thu Feb 02, 2023 8:45 pm

"We have decided to let member states regulate their own law on the selling of personal information, or else anyone is welcome to write a broader resolution on privacy."

by **Kenmoria** » Fri Feb 03, 2023 3:31 am

Chipoli wrote:"We have decided to let member states regulate their own law on the selling of personal information, or else anyone is welcome to write a broader resolution on privacy."

(OOC: Is this you abandoning draft? I do agree that the approach that this proposal takes isn’t ideal; it should have focused more on international cooperation. In any case, if you are abandoning the draft, change the tag to [ABANDONED].)

by **Chipoli** » Fri Feb 03, 2023 4:18 am

Kenmoria wrote:
Chipoli wrote:"We have decided to let member states regulate their own law on the selling of personal information, or else anyone is welcome to write a broader resolution on privacy."

(OOC: Is this you abandoning draft? I do agree that the approach that this proposal takes isn’t ideal; it should have focused more on international cooperation. In any case, if you are abandoning the draft, change the tag to [ABANDONED].)

(OOC: No. I was talking about addressing the about of outlawing the selling of personal information, I decided to remove that part from the proposal. This is about ID. I'll try to incorporate your feedback and try to improve the international cooperation clause.)

by **Chipoli** » Fri Feb 03, 2023 7:53 pm

2d became clause 3, and I have expanded on cooperation between member states.

by **Chipoli** » Mon Feb 06, 2023 7:35 am

Bump.

by **Comfed** » Mon Feb 06, 2023 4:16 pm

Who is allowed to access this database and under what circumstances may they access what would be a giant dump of personal information?

by **Chipoli** » Mon Feb 06, 2023 4:20 pm

Comfed wrote:Who is allowed to access this database and under what circumstances may they access what would be a giant dump of personal information?

Clause 2b: "Law enforcement organizations in member states and member state governments are given full access to all WAID's identity data."

by **Chipoli** » Thu Feb 09, 2023 2:23 pm

Another Bump. I intend to submit this in the next few days if no further issues are pointed out.

by **Simone Republic** » Thu Feb 09, 2023 4:47 pm

Clause 4 doesn't make sense - much of US personal financial data is not just held by retailers (I'd generously interpret that to mean all businesses doing C2B such as retail banks) but also by C2C companies (financial services consolidation and processing companies for example).

Clause 2a is probably redundant.

Clause 2e towards the end about abuse of the system would probably cause problems.

by **Comfed** » Thu Feb 09, 2023 4:47 pm

Chipoli wrote:
Comfed wrote:Who is allowed to access this database and under what circumstances may they access what would be a giant dump of personal information?

Clause 2b: "Law enforcement organizations in member states and member state governments are given full access to all WAID's identity data."

So law enforcement officers in Chipoli can see identity data in Comfed that is irrelevant to any case they have? If this is a voluntary database and my identity has been stolen I think I would think twice before submitting highly personal information about myself with every police officer in the World Assembly.

by **Chipoli** » Thu Feb 09, 2023 4:54 pm

Comfed wrote:
Chipoli wrote:Clause 2b: "Law enforcement organizations in member states and member state governments are given full access to all WAID's identity data."

So law enforcement officers in Chipoli can see identity data in Comfed that is irrelevant to any case they have? If this is a voluntary database and my identity has been stolen I think I would think twice before submitting highly personal information about myself with every police officer in the World Assembly.

Good catch, that clause has been amended.

[PASSED] Prevention of Identity Theft

[PASSED] Prevention of Identity Theft

Who is online