March 08, 2019 — We do not just suspect it, we now know it: Digital identity data, account or credit card information as well as e-mail addresses and passwords are collected in large quantities by (cyber) criminals. It was only at the beginning of this year that private data from politicians and artists were illegally published on the internet on a large scale. However, in most cases we do not even notice that we are victims of a crime. In the joint project EIDI “Effektive Information nach digitalem Identitätsdiebstahl” (efficient information after digital identity theft), researchers of FIZ Karlsruhe and their partners are developing a method to appropriately and proactively notify and efficiently warn victims of such crimes, i.e., a kind of early alert system.
This is done by researching technical procedures that can analyze and process data sets for identity information. In the investigation of cybercrime, law enforcement agencies and IT security researchers often obtain extensive data that are publicly accessible. In the course of their research they found out that this problem truly exists. Adequate protective measures are therefore urgently needed.
But how can the government efficiently protect digital identity? Do IT security laws have to be extended and tightened? Can and may the collection and recognition of publicly available digital identities be automated in compliance with data protection and fundamental rights? Is it possible to hold someone liable in the event of impairment and misuse of digital identities?
Interdisciplinary research for IT security
These and other research issues are dealt with by the EIDI project. The project spans various disciplines, as these issues concern various legal areas such as constitutional, data protection, criminal, and liability law. Oliver Vettermann, who works in the research area Intellectual Property Rights in Distributed Information Infrastructures (IGR) at FIZ Karlsruhe, says: “For digital identities to be effectively protected, data protection and technical progress have to be interlinked. The project plays an important part in this process.”
In addition to identifying abuse, the core task of EIDI is to notify and warn those affected. Here, great importance is attached to comprehensibility so that victims can understand the nature of the misuse of their data and take the necessary steps. At the same time, such warnings must not occur too often; otherwise the necessary attention will be lost. A third important point is the legal certainty of such warning and verification systems.
Fabian Rack, who also works in the IGR research area, which is closely connected to Karlsruhe Institute of Technology (KIT) by a professorship bearing the same name, explains: “Banks, shops or social networks are obliged to notify their users of any loss of data. EIDI helps to ensure that this notification can take place at all - for example, if the platforms themselves do not notice the loss.” Therefore, XING AG, as a large provider of identities, acts as an important partner of FIZ Karlsruhe in the EIDI project. Other project partners are the University of Bonn (the leader of the consortium), the University of Duisburg-Essen and Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein.