Ars Technica has reported that a German court has found a victim of a phishing attack liable for the losses that resulted from being successfully phished. The finding is, at least in part, based on the bank’s position that it had previously warned customers about phishing attacks.
The court’s placement of liability is significant for a variety of reasons. Of course it’s important that the individual was victimized. The liability placement also defers expenses (likely through insurance) that the bank would have to assume were they at least partially liable for the customers’ actions. This said, we can understand (and perhaps disagree…) that, from a liberal position, individual citizens are responsible for their actions.
What is most significant are the consequences of placing liability on the individual. Specifically, it reduces the incentive that banks have to exercise their influence to address phishing. I’m not suggesting that the banks could hope to eliminate phishing by waving a gold-plated wand, but they are financially in a position to influence change and act on a global scale. Individuals - save for the ultra-rich - lack this degree of influence and power. While banks will be motivated to protect customers - and, more importantly, their customers’ money - if banks were found even partially liable for successful phishing attacks they would be significantly more motivated to remedy these attacks.
Surveillance technologies are a double-edged sword, one that often lacks a hilt guard.
According to the report, a top German security official installed a trojan on his own daughter’s computer to monitor her Internet usage. What could possibly go wrong?
Nothing—well, at least until one of the daughter’s friends found the installed spyware. The friend then went after the dad’s personal computer as a payback and managed to get in, where he found a cache of security-related e-mails from work. The e-mails, in turn, provided the information necessary for hackers to infiltrate Germany’s federal police.
That was bad, but it got worse. The hackers got into the servers for the “Patras” program, which logs location data on suspected criminals through cell phone and car GPS systems. Concerned about security breaches, the government eventually had to take the entire set of Patras servers offline.