03-05-2012, 03:13 PM
Internet-related identity theft
Internet_related_identity_theft_ Marco_Gercke.pdf
1 Introduction
In view of the media coverage,1 results of recent surveys,2 as well as numerous legal and
technical publications3 in this field, it seems appropriate to speak about identity theft as a
mass phenomenon.
1.1 What is identity theft?
The term identity theft – that is neither consistently defined nor consistently used –
describes criminal acts where the perpetrator fraudulently obtains and uses another person’s
identity.4 These acts can be carried out without the help of technical means5 as well as online
by using Internet technology.6 Internet-related identity theft cases in particular are to a
large extent based on highly sophisticated scams that demonstrate the capability of
automated attacks7 on the one hand, and show the difficulties that law enforcement agencies
are faced with when investigating such offences on the other.8 These attacks generally aim
for the weakest point of the target.9
Examples are:
• The perpetrator persuades the victim to disclose confidential information on a
website and uses it in criminal activities.10
1 See for example: Thorne/Segal, Identity Theft: The new way to rob a bank, CNN, 22.05.2006 – available at:
http://edition.cnn2006/US/05/18/identity.theft/ (last visited: Nov. 2007); Identity Fraud, NY Times Topics – available at:
http://topics.nytimestop/reference/times...index.html (last visited: Nov. 2007); Stone, U.S. Congress
looks at identity theft, International Herald Tribune, 22.03.2007 – available at:
http://www.ihtarticles/2007/03/21/business/identity.php (last visited: Nov. 2007).
2 See for example the 2007 Javelin Strategy and Research Identity Fraud Survey; 2006 Better Bureau Identity Fraud Survey; 2006 Federal
Trade Commission Consumer Fraud and Identity Theft Complaint Data; 2003 Federal Trade Commission Identity Theft Survey Report.
3 See for example: Chawki/Abdel Wahab, Identity Theft in Cyberspace: Issues and Solutions, Lex Electronica, Vol. 11, No. 1, 2006 –
available at: http://www.lex-electronicaarticles/v11-1/ chawki_abdel-wahab.pdf (last visited: Nov. 2007); Peeters, Identity Theft
Scandal in the U.S.: Opportunity to Improve Data Protection, MMR 2007, 415; Givens, Identity Theft: How It Happens, Its Impact on Victims,
and Legislative Solutions, 2000 – available at: http://www.privacyrightsar/id_theft.htm (last visited: Nov. 2007).
4 Peeters, Identity Theft Scandal in the U.S.: Opportunity to Improve Data Protection, MMR 2007, 415;
5 One of the classic examples is the search for personal or secret information in trash or garbage bins (“dumpster diving”). For more
information about the relation to Identity Theft see: Putting an End to Account-Hijacking Identity Theft, page 10, Federal Deposit
Insurance Corporation, 2004 – available at: http://www.fdic.gov/consumers/consumer/i..._theft.pdf (last visited Nov.
2007); Paget, Identity Theft – McAfee White Paper, page 6, 2007 – available at:
http://www.mcafeeus/threat_center/white_paper.html (last visited: Nov. 2007).
6 Javelin Strategy & Research 2006 Identity Fraud Survey points out that although there were concerns over electronic
methods of obtaining information, most thieves still obtain personal information through traditional rather than
electronic channels. In the cases where the methods were known, less than 15% obtained online by electronic means.
See Javelin Strategy & Research 2006 Identity Fraud Survey, Consumer Report – available at:
http://www.javelinstrategyproducts/99DEB...livery.pdf (last visited: Nov. 2007). For further information on
other surveys see Chawki/Abdel Wahab, Identity Theft in Cyberspace: Issues and Solutions, page 9, Lex Electronica,
Vol. 11, No. 1, 2006 – available at: http://www.lex-electronicaarticles/v11-1/ chawki_abdel-wahab.pdf (last
visited: Nov. 2007).
7 Regarding the Challenges related to the automation see below 3.4.
8 Regarding the Challenges for Law Enforcement Agencies see below 3.4.
9 In cybercrime-related cases this can either be the Internet user or the computer system he/she is using.
10 A classic example of such a scam is phishing. The term “phishing” is used to describe a type of crime that is characterized by attempts
to fraudulently acquire sensitive information, such as passwords, by masquerading as a trustworthy person or business (e.g. financial
institution) in an apparently official electronic communication. For details see the information offered by the Anti-Phishing Working Group –
available at: www.antiphishing.org (last visited: Nov. 2007); Jakobsson, The Human Factor in Phishing – available at:
• The perpetrator obtains credit-card information from the victim to use it for the
ordering of goods and services.11
• The perpetrator obtains the password of the victim’s email account and uses it to
send out emails with illegal content.
1.2 Economic importance of identity theft
Current surveys show that identity theft is a serious challenge for societies as well as law
enforcement agencies not only in terms of the number of offences, but also in terms of the
losses.12
With regard to the reliability of such data, one should keep in mind that most statistics focus
on single states and that it is uncertain if the results of the surveys are comparable to other
countries. Furthermore it is uncertain to what extent users are reporting identity theft
related offences.13 Nevertheless, statistics indicate trends and the scope of the problem.
Recent surveys and analysis assume for example that:
• In the United Kingdom, the cost of identity theft to the British economy was
calculated at £1.3 billion every year.14
• Estimates of losses caused by identity theft in Australia vary from less than
US$1 billion to more than US$3 billion per year.15
• The 2006 Identity Fraud Survey estimates the losses in the US at US$56.6 billion
in 2005.16
http://www.informatics.indiana.edu/marku...rs/aci.pdf (last visited: Nov. 2007); Gercke, Criminal Liability for Identity Theft and
Phishing, CR 2005, 606.
11 Identity Theft related to Credit Card Fraud remains the most common combination. See: Consumer Fraud and Identity Theft Complaint
Data, January – December 2005, Federal Trade Commission, 2006, page 3 – available at:
www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf (last visited: Nov. 2007).
12 See for example the 2007 Javelin Strategy and Research Identity Fraud Survey; 2006 Better Bureau Identity Fraud Survey; 2006 Federal
Trade Commission Consumer Fraud and Identity Theft Complaint Data; 2003 Federal Trade Commission Identity Theft Survey Report.
13 This problem is not limited to surveys but also important for law enforcement agencies. Experts involved in the fight against
cybercrime do on a regular basis encourage victims of cybercrime to report to local authorities. “The US Federal Bureau of Investigation
has requested companies not to keep quiet about phishing attacks and attacks on company IT systems, but to inform the authorities, so
that they can be better informed about criminal activities on the internet. “It is a problem for us that some companies are clearly more
worried about bad publicity than they are about the consequences of a successful hacker attack," explained Mark Mershon, acting head
of the FBI's New York office.” See Heise News, 27.10.2007, - available at: http://www.heise-security.co.uk/news/80152 (last visited: Nov.
2007).
14 See Identity Theft: Do you know the signs?, The Fraud Advisory Panel, page 1, available at:
http://www.fraudadvisorypanelnewsite/PDF...1-7-03.pdf (last visited: Nov. 2007).
15 Paget, Identity Theft – McAfee White Paper, page 10, 2007 – available at: http://www.mcafeeus/threat_center/white_paper.html
(last visited: Nov. 2007).
16 See Javelin Strategy & Research 2006 Identity Fraud Survey, Consumer Report – available at:
http://www.javelinstrategyproducts/99DEB...livery.pdf (last visited: Nov. 2007).
1.3 Scope of the discussion paper
The objective of the discussion paper is to identify and review legal approaches to criminalise
internet-related identity theft. In order to evaluate the need for a harmonisation of identity
theft legislation as well as possible legislative solutions, the present paper takes two
approaches:
• It first of all analyses the most common internet-related offences with the aim to
identify common principles of all offences. The identification of common principles is
necessary to describe the elements of a provision (e.g. acts and results covered by the
provision) designed to criminalise identity theft.
• In addition the paper analyses existing criminal law provisions to evaluate how far
they already cover identity theft related offences. The discussion paper will in this
context focus on the US approach in 18 U.S.C. § 1028 / 18 U.S.C. § 1028 and the
Convention on Cybercrime – that is currently the only existing international
Convention that provides a comprehensive legal framework in the fight against
Cybercrime.17
This question is moving higher on the political agenda in Europe. For example, the European
Commission stated in a recent communication that identity theft is not yet criminalised in all
EU member states.18 In this context the Commission proposed “that EU law enforcement
cooperation would be better served were identity theft criminalised in all Member States” and
announced that it would shortly commence consultations to assess if legislation was
appropriate.19
17 For more information related to the Convention on Cybercrime see: Gercke, The slow Wake of a global approach against cybercrime,
CRi 2006, page 150 et seqq.
18 Communication from the Commission to the European Parliament, the Council and the Committee of the Regions
towards a general policy on the fight against cyber crime, COM (2007) 267.
19 Communication from the Commission to the European Parliament, the Council and the Committee of the Regions towards a general
policy on the fight against cyber crime, COM (2007) 267.
2 Difficulties in the fight against identity theft
2.1 Impact of the identity architecture
The fact that identity theft has become one of the most widespread cybercrimes is related to
the vulnerability of the identification architecture. These vulnerabilities are not created by
the perpetrators that commit the crime, but exploited by them.20 Criticism regarding this
vulnerability particularly concerns single identification data that are not protected by
sufficiently secure systems. One example is the Social Security Number (SSN) in the United
States.21 The SSN was created to keep an accurate record of earnings.22 Due to this aim, no
security regime was developed to ensure that the use of the SSN in identification processes
would not involve security risks. Contrary to its original intentions, the SSN is today widely
used for identification purposes.23 And as it is insufficiently protected, perpetrators are able
to cause great harm (e.g. by gaining access to a person’s existing accounts, applying for
credit in the victim’s name and obtaining even more information about the victim for further
use) solely based on the SSN.24
2.2 Availability of information
Two developments are responsible for the increasing amount of publicly available identity-related
information. Currently a number of highly successful Internet services like
“facebook”25, “MySpace”26 and “Second Life”27 are based on the principle of developing a
culture of digital identities. Users assigned to such services transfer a part of their social
activities to the Internet. This process often involves the disclosure of private information
which can be abused by perpetrators. Due to the fact that the majority of Internet users use
a limited number of very popular services, as well as the availability of search engines that
are specialised in the detection of private information about a person,28 it is rather easy for a
perpetrator to collect that information and use it for criminal purposes.29
The second development is closely related to the transfer process. As highlighted previously,
the information that is often made publicly available cannot in general be used on its own,
but only in combination with other data in order to take over the identity of another person.
The perpetrators are therefore highly interested in linking different identity-related
information. In this they are – indirectly – supported by the current global trend in
20 Solove, The legal construction of Identity Theft, page 4, Symposium: Digital Cops in a virtual environment Yale Law
School (March 26-28, 2004).
21 Givens, Identity Theft: How It Happens, Its Impact on Victims, and Legislative Solutions, 2000 – available at:
http://www.privacyrightsar/id_theft.htm (last visited: Nov. 2007).
22 Sobel, The Demeaning of Identity and personhood in National Identification Systems, Harvard Journal of Law & Technology, Vol. 15, Nr.
2, 2002, page 350.
23 Garfinkel, Database nation: The Death of privacy in the 21st Century, 2000, page 33-34.
24 Regarding the risks related to the SSN see: Solove, The legal construction of Identity Theft, page 3, Symposium:
Digital Cops in a virtual environment Yale Law School (March 26-28, 2004).
25 www.facebook.com
26 www.myspace.com
27 www.secondlife.com
28 See for example www.spock.com.
29 Having access to true identity-related information can be of great interest to the offender even if this information does not enable
him to act by using this identity. The offender can especially use the information to improve synthetic identities by mixing generated data
with existing data. Regarding the importance of synthetic identities in identity theft scams see: ID Analytics,
http://www.idanalyticsassets/pdf/Nationa...erview.pdf (last visited: Nov. 2007).
the e-business to link digital identities.30 Data mining systems are used for example to
analyse the behaviour of customers; they even try to predict their future behaviour based on
an analysis of consumer-related data collected in various databases. A recently published
study highlights the threats of this process for society as well as for the individual.31 If the
perpetrators manage to improve their skills in linking digital identities, they can commit
offences by using the identity of another person without resorting to illegal means when
obtaining the identity-related information.
2.3 Missing identity verification procedures
The popularity of digital identities and the related process of transferring parts of one’s social
life to the Internet are combined with the problem that the instruments that were developed
to identify and prevent perpetrators from abusing other people’s identity do not in general
apply in the digital world.32 Many of these instruments are based on the personal contact of
the people acting. Checking tangible identifying documents or physical recognitions
(especially between individuals who previously established a relationship) is easy in the real
world but difficult in the digital world.33 The development of effective identification
instruments that can be used on the Internet has just started.34
2.4 Investigation-related challenges for law enforcement agencies
When investigating internet-related identity theft, law enforcement agencies are faced with a
number of challenges comparable to those regarding other cybercrimes, but not necessarily
comparable to more traditional investigations. Some of the most important challenges are:
• Potential number of victims
There seem to be more than 1 billion Internet users worldwide.35 This number is
expected to increase continuously in the coming years.36 With this the number of
potential victims of identity theft increases.
• Availability of instructions on how to carry out an offence
It is not just identity-related information that perpetrators can find on the Internet.
Reports highlight the risks that go along with the legal use of search engines for illegal
30 See: Hansen/Meissner (ed.), Linking digital identities, page 8 – An executive summary is available in English (page 8-9). The report is
available online at: https://www.datenschutzzentrum.de/projek...n-bmbf.pdf
(last visited: Nov. 2007).
31 Hansen/Meissner (ed.), Linking digital identities, page 8 – An executive summary is available in English (page 8-9). The report is
available online at: https://www.datenschutzzentrum.de/projek...n-bmbf.pdf
(last visited: Nov. 2007).
32 Similar difficulties arise with regard to the switch to virtual currencies, as classic AML approaches are difficult to implement with regard to
virtual currencies. Regarding virtual currencies see: Woda, Money Laundering Techniques with Electronic Payment Systems in
Information and Security 2006, page 39.
33 Paget, Identity Theft – McAfee White Paper, page 4, 2007 – available at: http://www.mcafeeus/threat_center/white_paper.html
(last visited: Nov. 2007).
34 Technology that enables the verification of the user is not only relevant in order to avoid or detect identity theft but also with regard to
the protection of minors from having access to potentially harmful content. Regarding technical approaches for age verification systems
see: Siebert, Protecting Minors on the Internet: An Example from Germany, in Governing the Internet Freedom and Regulation in the
OSCE Region, page 150 - available at: http://www.oscepublications/rfm/2007/07/...918_en.pdf.
35 According to “Internet World Stats” more than 1,15 billion people are using the Internet by 2007 (the statistics are available at:
http://www.internetworldstatsstats.htm) (last visited: Nov. 2007).
36 Developing countries have the greatest potential for further growth. In 2005 the number of Internet users in developing countries
surpassed the number of users in developed countries. See: Development Gateway’s Special Report, Information Society – Next Steps?,
2005 – available at: http://topics.developmentgatewayspecial/...ionsociety (last visited: Nov. 2007).
purposes.37 A perpetrator who plans an attack can find detailed information on the
Internet that explains how to build a bomb by using chemicals that are available in
regular supermarkets.38 With regard to identity theft, instructions, including
information on how to obtain and create an identity, are available on various
websites.39
• International dimension
Similarly to other cybercrimes, identity theft offences often have an international
dimension. If the perpetrator and the victim are not based in the same country then
the investigation requires the co-operation of law enforcement agencies in all countries
that are involved.40 The principle of national sovereignty does not in general allow one
country to carry out investigations within the territory of another country without
permission from the local authorities.41 The related formal requirements and especially
the average time that is necessary to respond to requests from foreign law
enforcement agencies often hinder the investigations.42
• Automation
One of the greatest advantages of information technologies is the possibility to
automate certain processes, and perpetrators make use of this potential. One of the
most notorious examples is spam.43 The abuse of email services to send out
unsolicited bulk messages is based on the automation of the sending process.44
Without that it would not be possible to deliver millions of emails within a rather short
period of time.45 The same technology is used in email-based “phishing” scams.
37 See Nogguchi, Search engines lift cover of privacy, The Washington Post, 09.02.2004 – available at:
http://www.msnbc.msnid/4217665/print/1/d...mode/1098/.
38 An example is the “Terrorist Handbook” – a pdf-document that contains detailed information on how to build explosives, rockets and
other weapons.
39 Chawki/Abdel Wahab, Identity Theft in Cyberspace: Issues and Solutions, page 10, Lex Electronica, Vol. 11, No. 1, 2006 – available at:
http://www.lex-electronicaarticles/v11-1/ chawki_abdel-wahab.pdf (last visited: Nov. 2007).
40 Regarding the need for international cooperation in the fight against cybercrime see: Putnam/Elliott, International Responses to Cyber
Crime, in Sofaer/Goodman, The Transnational Dimension of Cyber Crime and Terrorism, 2001, page 35 et seqq. – available at:
http://media.hooverdocuments/0817999825_35.pdf; (last visited: Nov. 2007). Sofaer/Goodman, Cyber Crime and Security – The
Transnational Dimension in Sofaer/Goodman, The Transnational Dimension of Cyber Crime and Terrorism, 2001, page 1 et seqq. –
available at: http://media.hooverdocuments/0817999825_1.pdf (last visited: Nov. 2007).
41 National Sovereignty is a fundamental principle in International Law. See Roth, State Sovereignty, International Legality, and Moral
Disagreement, 2005, page 1 – available at: http://www.law.uga.edu/intl/roth.pdf. (last visited: Nov. 2007).
42 See Gercke, The Slow Wake of A Global Approach Against Cybercrime, CRi 2006, 142. For examples see Sofaer/Goodman, Cyber Crime
and Security – The Transnational Dimension - in Sofaer/Goodman, The Transnational Dimension of Cyber Crime and Terrorism, 2001,
page 16 – available at: http://media.hooverdocuments/0817999825_1.pdf (last visited: Nov. 2007).
43 The term “Spam” describes the process of sending out unsolicited bulk messages. For a more precise definition see: ITU Survey on
Anti-Spam legislation worldwide 2005 -, page 5 – available at:
http://www.itu.int/osg/spu/spam/legislat...Survey.pdf (last visited: Nov. 2007).
44 For more details on the automation process regarding spam mails and the related challenges for law enforcement agencies see: Berg,
The Changing Face of Cybercrime – New Internet Threats create Challenges to law enforcement agencies, Michigan Law Journal 2007,
page 21 – available at: http://www.michbarjournal/pdf/pdf4article1163.pdf. (last visited: Nov. 2007).
45 Today e-mail providers and organizations report that up to 85% of all e-mails are spam. See for example: The Messaging Anti-Abuse
Working Group reported in 2005 that up to 85 percent of all e-mails are spam. See
http://www.maawgabout/FINAL_4Q2005_Metrics_Report.pdf (last visited: Nov. 2007). The provider postini published a report in 2007
that identifies up to 75 percent spam e-mail – see http://www.postinistats/. The Spam-Filter-Review identifies up to 40% spam emails
– see http://spam-filter-review.toptenreviewss...stics.html. (last visited: Nov. 2007).
3 Common principles - a prerequisite for drafting identity theft legislation
As pointed out previously, drafting legislation to criminalise identity theft requires the
description of covered acts. The identification of common principles is therefore a necessary
preparation for the definition of the elements of a criminal law provision (e.g. acts and
results covered by the provision) designed to criminalise identity theft. Summarising the
huge variety of offences related to identity theft in a single provision requires the
identification of constitutive elements of all relevant scams.
3.1 Defining “identity theft”
The first question is therefore whether common principles can be extracted from the
standard definitions used to describe the underlying offence. A clear definition of the
phenomenon could therefore be the basis for the development of legal solutions. Such a
clear definition of the term “identity theft” is currently missing.46 One of the many general
approaches is the following:
“Identity theft” may be used to describe the theft or assumption of a pre-existing identity (or
significant part of it), with or without consent, and regardless of whether the person is dead or
alive.47
While this definition focuses on the act of obtaining the identity, other definitions and
descriptions of the phenomenon identity theft include the purpose of obtaining the data or
even clear requirements regarding the subsequent acts.48
The main difficulty related to the definition is the inconsistent use of the term. Its use varies
in different countries. While most US publications use the term “identity theft”, the term
“identity fraud” is very popular in the UK.49 Other terms used are for example “phishing”,
“account takeover” or “account hijacking”.50 Some use the term to describe any act of
obtaining elements of an identity, while others only use it to describe the use of another
person’s identity in relation with other offences.
3.1.1 Use of the term “identity theft” in surveys and publications
The different ways the term identity theft is used can be demonstrated by referring to
three publications in this area:
• The ‘Consumer Fraud and Identity Theft Complaint Data’ survey published by the
US Federal Trade Commission points out that: “Credit card fraud (26%) was the
most common form of reported identity theft”.51
46 Mitchison/Wilikens/Breitenbach/Urry/Portesi – Identity Theft – A discussion paper, page 22 – available at:
https://www.prime-project.eu/community/furtherreading/studies/IDTheftFIN.pdf (last visited: Nov. 2007).
47 Paget, Identity Theft – McAfee White Paper, page 5, 2007 – available at: http://www.mcafeeus/threat_center/white_paper.html
(last visited: Nov. 2007).
48 See below 2.1.
49 Regarding the different country specific approaches in the definition see Paget, Identity Theft – McAfee White Paper, page 15, 2007 –
available at: http://www.mcafeeus/threat_center/white_paper.html (last visited: Nov. 2007);
Mitchison/Wilikens/Breitenbach/Urry/Portesi – Identity Theft – A discussion paper, page 22 – available at:
https://www.prime-project.eu/community/furtherreading/studies/IDTheftFIN.pdf (last visited: Nov. 2007).
50 As pointed out previously even those publications that use the term “Identity Theft” do not use it consistently.
51 Consumer Fraud and Identity Theft Complaint Data, January – December 2005, Federal Trade Commission, 2006, page 3 – available at:
www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf (last visited: Nov. 2007).
The report links the act of obtaining identity-related information (“theft”) to the
criminal offence that is committed by using this information (in this case fraud
committed by using credit card information).
• The report ‘Identity Theft: Do You Know the Signs?’ of the Fraud Advisory Panel
lists certain forms of identity theft. One example given in the report is the
following:
The fraudster will obtain a certified copy of the victim’s birth certificate (which is both
straightforward and lawful) and apply for identification documents on the basis of that
birth certificate. Identification documents could include passports, driving licences and
national insurance.52
In this example of identity theft there is again a link between the act of obtaining
the information and further action – but unlike in the previous example the
second act is not related to fraud but to the use of traditional identification
documents.
• The report ‘Combating Identity Theft – A Strategic Plan’, published by the US
President’s Identity Theft Task Force,53 lists, among other issues, statutes
criminalising identity theft. Among the “Computer-related identity theft Statutes”
the report mentions 18 U.S.C. § 1030(a)(5) – a provision that criminalises certain
acts aiming at the integrity and availability of computer systems and data.54
Hindering a computer system from functioning or deleting files is not directly
related to obtaining confidential information but to related offences that might be
committed if the perpetrator is using malicious software that affects the integrity
of the victim’s computer system.55
52 See Identity Theft: Do you know the signs?, The Fraud Advisory Panel, page 1, available at:
http://www.fraudadvisorypanelnewsite/PDF...1-7-03.pdf (last visited: Nov. 2007).
53 Combating Identity Theft – A Strategic Plan, US President’s Identity Theft Task Force, page 66, 2007 – available at:
http://www.idtheft.gov/ (last visited: Nov. 2007).
54 § 1030. Fraud and related activity in connection with computers
Whoever—
[...]
(5) (A)
(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly
causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes
damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted
offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis,
treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of
justice, national defense, or national security;
[...]
55 See below 5.3.
3.1.2 Use of the term “identity theft” in existing legislation
Only a few states have criminal law provisions in place that explicitly aim at a
criminalisation of identity theft and define or precisely describe the term.56 The most
well-known approaches to defining identity theft were undertaken in the USA.
• One example is 18 U.S.C. § 1028(a)(7), that defines identity theft as:
knowingly transfers, possesses, or uses, without lawful authority, a means of
identification of another person with the intent to commit, or to aid or abet, or in
connection with, any unlawful activity that constitutes a violation of Federal law, or that
constitutes a felony under any applicable State or local law.
The provision covers a wider range of acts related to means of identification.
Unlike the way the term identity theft is used in the Consumer Fraud and Identity
Theft Complaint Data survey, it is especially not mandatory with regard to §
1028(a)(7) that the act is related to fraud.
• Another description is provided by the US Federal Trade Commission. 15 U.S.C.
1681a(q)(3) contains a brief description of the term “identity theft”:
Identity theft - the term “identity theft” means a fraud committed using the identifying
information of another person, subject to such further definition as the Commission
may prescribe, by regulation.
The main difference to the description provided by 18 U.S.C. § 1028(a)(7) is the
fact that 15 U.S.C. 1681a(q)(3) links the term identity theft to fraud. This limits
the application of the provision in other cases where the offender is using the
identity-related information for other offences. In addition, the provision covers
the use of the information but not the act of obtaining it.
• Based on 15 U.S.C. 1681a(q)(3), the Federal Trade Commission provided a more
detailed description of identity theft:57
(a) The term ‘identity theft’ means a fraud committed or attempted using the
identifying information of another person without lawful authority.
(b) The term ‘identifying information’ means any name or number that may be used,
alone or in conjunction with any other information, to identify a specific individual,
including any
(1) Name, Social Security number, date of birth, official state- or government-issued
driver’s license or identification number, alien registration number, government
passport number, employer or taxpayer identification number.
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or
other unique physical representation.
(3) Unique electronic identification number, address, or routing code.
(4) Telecommunication identifying information or access device.
Like 15 U.S.C. 1681a(q)(3), the description links the term identity theft to fraud
and only covers the act of using the identity-related information.
3.1.3 Provisional result
56 For an overview about identity theft legislation in Europe see: Mitchison/Wilikens/Breitenbach/Urry/Portesi – Identity Theft – A
discussion paper, page 23 et. seqq. – available at: https://www.prime-project.eu/community/f...eftFIN.pdf (last
visited: Nov. 2007); Legislative Approaches To Identity Theft: An Overview, CIPPIC Working Paper No.3, 2007.
57 Related Identity Theft Definitions, Duration of Active Duty Alerts, and Appropriate Proof of Identity Under the Fair
Credit Reporting Act, Federal Register 69, no. 82.
The overview shows that no standard definition for identity theft exists. Some
definitions focus on the act of obtaining the information.58 Drafting criminal law
provisions on the basis of such a definition would make Internet-related identity theft
a particular case of data espionage.59 Based on the assumption that adequate
cybercrime legislation is in place, implementing a specific provision criminalising the
act of identity theft would not be necessary for prosecuting Internet-related identity
theft offences. The function of an additional provision would therefore be limited to a
clarification or aggravation of the sentence.
A similar inconsistency can be identified with regard to the offences that the act is
related to. While some definitions make a mandatory link between identity theft and
fraud,60 others cover any use of the information for criminal purposes. What all these
subsequent offences that follow the identity theft have in common is that they are
already criminalised. Depending on what kind of offence is committed, identity theft is
therefore again only a particular case of this offence and – if adequate cybercrime
legislation is already in place – the implementation of a specific provision is not
mandatory to allow prosecution.
Focusing on the above-mentioned examples of inconsistent definitions
with regard to the acts covered (that is, obtaining information or using information),
the offences appear to be only particular cases of well-known offences that are
already criminalised in many countries. This is at least the case with regard to
Internet-related offences that are the focus of this discussion paper. One of the few
fundamentally different approaches is 18 U.S.C. § 1028(a)(7). Based on this provision,
law enforcement agencies are able to prosecute an offender even if he neither
obtained the identity-related information nor used it for criminal purposes. The
criminalisation only requires some sort of interaction (“transfer, possession, use”) with
such information with the intention to commit, aid or abet an offence. As a result, the
pure possession of data intended to be used later on for criminal offences is already
criminalised. This approach goes beyond the cybercrime legislation of most
countries.61
The only consistent element of the identity theft definitions is therefore the fact that
the conduct is related to one or more of the following phases:
• Act of obtaining identity-related information;
• Act of possessing or transferring the identity-related information;
• Act of using the identity-related information for criminal purposes.
58 See above 4.1.
59 If the offender is obtaining non-identity-related information by using means of electronic communication provisions criminalising data
espionage or illegal access do in general cover the act. There are two different approaches in criminalising data espionage. Some
countries follow a narrow approach and criminalise data espionage only if specific secret information are obtained. An example is § 1831
USC that criminalised economic espionage. The provision does not only cover data espionage but other forms of obtaining secret
information as well. Other countries followed a broader approach and criminalise the act of obtaining stored computer data even if they
do not contain economic secrets. An example is the previous version of § 202a German Penal Code.
60 See for example 15 U.S.C. 1681a(q)(3).
61 Regarding the identity theft legislation in the US, The Netherlands, Great Britain, France and Belgium see: Vries/Tgchelaar/Linden/Hol,
Identiteitsfraude: End Afbakening, 2007.
This conclusion has a significant impact on the development of legislative approaches
against identity theft. Identifying a structure of the underlying acts is an essential
requirement for a single-provision based approach criminalising a certain conduct. The
fact that the majority of identity theft offences have nothing more in common than
their relation to one or more of the three phases makes it difficult to address the
offence by a single provision.
With regard to the inconsistency in use, it is necessary to change the focus from
analysing existing provisions and definitions to analysing fundamental principles of the
most important identity theft scams.
3.2 Methods, targets and motivation
The following chapter analyses three elements of the most popular identity theft scams: the
methods used, the targets of the attacks and the motivation of the perpetrator.
3.2.1 Overview of the methods used to obtain identity-related data
The following overview gives a summary of the most important techniques used to
obtain identity-related information. This is important for the development of a
systematic approach for defining essential elements related to the act of obtaining the
identity-related information.
• Physical methods
Examples of physical methods are stealing computer storage devices with
identity-related data, searching trash (“dumpster diving”62) or mail theft.63 The
2007 CSI Computer Crime and Security Survey64 shows that nearly 15% of the
losses of respondents with regard to computer-related offences were related to
the theft of confidential data and mobile hardware.65 Although it is questionable if
the theft of computer hardware is considered to be a computer-related offence,
the statistic underlines the importance of physical methods to obtain identity-related
data.66
• Search engines
Examples of search approaches are the use of search engines or file-sharing
systems to identify and obtain identity-related data. Search engines enable users
to search millions of web pages within seconds. This technology is not only used
for legitimate purposes. “Googlehacking” or “Googledorks” are terms that
describe the use of complex search engine queries to filter through large
amounts of search results for information related to computer security issues, as
well as personal information that can be used in identity theft scams. One aim of
the perpetrator can be for example to search for insecure password protection
systems in order to obtain data from this system.67 Reports highlight the risks
that can go along with the legal use of search engines for illegal purposes.68
Further risks related to the availability of identity-related information are file-sharing
systems. The legal discussion about file-sharing systems is dominated by
copyright issues. Nevertheless, the US Congress recently discussed the
possibilities of file-sharing systems to obtain personal information that can be
abused for identity theft.69 It was highlighted that the file-sharing software can
not only be used to search for music and video files stored on the computer of
other users of the file-sharing network, but also for private information.
62 Putting an End to Account-Hijacking identity Theft, page 10, Federal Deposit insurance Corporation, 2004 – available at:
http://www.fdic.gov/consumers/consumer/i..._theft.pdf (last visited Nov. 2007); Paget, Identity Theft – McAfee White
Paper, page 6, 2007 – available at: http://www.mcafeeus/threat_center/white_paper.html (last visited: Nov. 2007).
63 This method is not considered as an Internet-related approach.
64 The CSI Computer Crime and Security Survey 2007 analysed among other issues the economic impact of Cybercrime
businesses. It is based on the responses of 494 computer security practitioners from U.S. corporations, government
agencies and financial institutions. The Survey is available at: http://www.gocsi (last visited: Nov.
2007).
65 CSI Computer Crime and Security Survey 2007, page 15 – available at: http://www.gocsi (last visited: Nov. 2007).
66 Regarding the definition of computer crimes and cybercrime see: Hayden, Cybercrime’s impact on Information security, Cybercrime
and Security, IA-3, page 3; Hale, Cybercrime: Facts & Figures Concerning this Global Dilemma, CJI 2002, Vol. 18 – available at:
http://www.cjcentercjcenter/publications....php?id=37
• Insider attacks
Insiders, who have access to stored identity-related information, can use their
access to obtain that information. The 2007 CSI Computer Crime and Security
Survey70 shows that more than 35% of the respondents attribute more than 20%
of their organisation’s losses to insiders. The results of the survey correspond
with reports about employees obtaining thousands of credit reports and credit
card information.71
• Attacks from the outside
Apart from attacks from the inside, perpetrators can hack into computer systems
to obtain data. The offence that is often described by the term “hacking”
criminalises the unlawful access to a computer system.72 It can involve malicious
software like spyware or keyloggers.73 Some of the most well-known victims of
hacking attacks are NASA, U.S. Air Force, the Pentagon, Yahoo, Google, Ebay,
the Estonian Government and the German Government.74 Reports about hackers
that successfully broke into computer systems to obtain millions of credit card
information illustrate the scope of the risk.
• Social engineering regarding the disclosure of identity-related information
Perpetrators can use social engineering techniques to persuade the victim to
disclose personal information. In recent years perpetrators developed effective
scams to obtain secret information (e.g. bank account information and credit card
data) by manipulating users through social engineering techniques.75 “Phishing”
has recently become one of the most important crimes related to cyberspace.76
The term “phishing” is used to describe a type of crime that is characterized by
attempts to fraudulently acquire sensitive information, such as passwords by
impersonating a trustworthy person or business (e.g. financial institution) in an
apparently official electronic communication.77
67 For more information see: Long/Skoudis/van Eijkelenborg, Google Hacking for Penetration Testers, 2005; Dornfest/Bausch/Calishain,
Google Hacks: Tips & Tools for Finding and Using the World’s Information, 2006.
68 See: Nogguchi, Search engines lift cover of privacy, The Washington Post, 09.02.2004 – available at:
http://www.msnbc.msnid/4217665/print/1/d...mode/1098/.
69 See: Congress of the United States, Committee on Oversight and Government Reform, 17.10.2007 – available at:
http://oversight.house.gov/documents/20071017134802.pdf (last visited: Nov. 2007).
70 The CSI Computer Crime and Security Survey 2007 analysed among other issues the economic impact of Cybercrime
businesses. It is based on the responses of 494 computer security practitioners from U.S. corporations, government
agencies and financial institutions. The Survey is available at: http://www.gocsi (last visited: Nov.
2007).
71 The 2005 Identity Theft: Managing the Risk report refers to an incident where an employee of a US
company that supplied banks with credit reports used confidential computer passwords to access and download the
credit reports of over 30,000 consumers during a three year period. See: 2005 Identity Theft: Managing the Risk,
Insight Consulting, page 2 – available at:
http://www.insight.co.uk/files/whitepape...paper).pdf (last visited: Nov. 2007).
72 In the early years of the development of computers the term hacking was used in a different way. It described the attempt to get more
out of a system (software or hardware) than it was designed for. Within this context the term described a constructive activity.
73 For an overview about the tools used see Ealy, A New Evolution in Hack Attacks: A General Overview of Types, Methods, Tools, and
Prevention – available at: http://www.212cafedownload/e-book/A.pdf.
74 For an overview of victims of hacking attacks see: http://en.wikipediawiki/Timeline_of_comp...er_history;
Joyner/Lotrionte, Information Warfare as International Coercion: Elements of a Legal Framework, EJIL 2002, No5 – page 825 et sqq.
3.2.2 Overview of the data that perpetrators attempt to obtain
As highlighted previously, it is in general not the identity as a whole but selected
identity-related data that the perpetrators are attempting to obtain in cybercrime-related
identity theft cases. The type of data that the perpetrators target varies, but
unlike in individually designed attacks, the approaches to obtain data by automated
attacks (like for example in phishing or spyware attacks) are targeting common data.
Examples are:
• Social Security Number (SSN) and passport numbers
The SSN that is used in the USA is a classical example of a single identity-related
data that perpetrators are aiming for. Although the SSN was created to keep an
accurate record of earnings, it is currently widely used for identification
purposes.78 The perpetrators can use the SSN as well as obtained passport
information to open financial accounts, take over existing financial accounts,
establish credit or run up debt.79 If the perpetrator succeeds in infecting a
computer system with malicious software he can use the software to search all
available files on the hard disk for documents containing numbers that show
characteristics of a SSN and transfer them from the victim’s computer.
• Date of birth, address and phone numbers
The above-mentioned identity-related information is classic data that can in
general only be used to commit identity theft if it is combined with other
pieces of information (e.g. the SSN).80 Having access to that additional
information can help the perpetrator to circumvent verification processes. One of
the greatest dangers related to that information is the fact that it is currently
available on a large scale on the Internet – either published voluntarily in one of
the various identity-related fora,81 or based on legal requirements as imprint on
websites.82
75 See Granger, Social Engineering Fundamentals, Part I: Hacker Tactics, Security Focus, 2001 – available at:
http://www.securityfocusinfocus/1527.
76 See the information offered by anti-phishing working group – available at: www.antiphishing.org (last visited: Nov. 2007).
77 Jakobsson, The Human Factor in Phishing – available at: http://www.informatics.indiana.edu/marku...rs/aci.pdf (last visited: Nov.
2007); Gercke, Criminal Liability for Identity Theft and Phishing, CR 2005, 606; Paget, Identity Theft – McAfee White Paper, page 4, 2007 –
available at: http://www.mcafeeus/threat_center/white_paper.html (last visited: Nov. 2007).
78 Garfinkel, Database nation: The Death of privacy in the 21st Century, 2000, page 33-34; Sobel, The Demeaning of
Identity and personhood in National Identification Systems, Harvard Journal of Law & Technology, Vol. 15, Nr. 2, 2002,
page 350.
79 See Givens, Identity Theft: How It Happens, Its Impact on Victims, and Legislative Solutions, 2000 – available at:
http://www.privacyrightsar/id_theft.htm (last visited: Nov. 2007).
80 Emigh, Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures, 2005, page 6; Givens,
Identity Theft: How It Happens, Its Impact on Victims, and Legislative Solutions, 2000 – available at:
http://www.privacyrightsar/id_theft.htm (last visited: Nov. 2007).
81 An example is the online community Facebook (www.facebook.com).
• Passwords for non-financial accounts
Having access to passwords for accounts enables perpetrators to change the
settings of the account and use it for their own purposes.83 They can for example
take over an email account and use it to send out mails with illegal content or
take over the account of a user of an auction platform and use the account to sell
stolen goods. User names and passwords can for example be obtained by
intercepting unencrypted wireless communication.
• Financial account information
Like the SSN, information regarding financial accounts is a popular target for
identity theft. This includes checking and saving accounts, credit cards, debit
cards, and financial planning information. Such information is an important source
for an identity thief to commit financial cybercrimes. Similar to the SSN, credit
card numbers in particular can be rather easily identified by performing search
procedures on the victim’s computer.
3.2.3 Overview of the motivation of the perpetrator
The motivation of the perpetrators varies as much as the methods they use, as
pointed out previously. Given that obtaining the information is in general the only
necessary “preparation” of the act carried out by using the information, the motivation
is very much determined by this second phase.
• Requirement of further acts (economic crimes)
In most cases the access to identity-related data enables the perpetrator to
commit further crimes.84 The perpetrators are therefore not focusing on the set
of data itself but the ability to use them in criminal activities. An example is
computer-related fraud.85
• Sell the information
Another approach is to sell the data86 which can then be used by other
perpetrators. Credit card records are for example sold for up to US$60.87 In this
context the motivation of the perpetrator is to generate direct profit without
carrying out the offence for which the obtained data are required.
• Hiding the identity
Perpetrators can use the data they obtained to hide their real identity. An
example is the use of hijacked email accounts to send out messages with illegal
content. In this context it is important to point out that despite the fact that such
use of data in phase 2 might not be a criminal offence, it can involve serious
harm for the victim.88
82 See for example Art. 5 of the Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000
on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market
(Directive on electronic commerce):
83 Putting an End to Account-Hijacking identity Theft, page 10, Federal Deposit insurance Corporation, 2004 – available at:
http://www.fdic.gov/consumers/consumer/i..._theft.pdf (last visited Nov. 2007);
84 Consumer Fraud and Identity Theft Complaint Data, January – December 2005, Federal Trade Commission, 2006, page 3 – available at:
www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf (last visited: Nov. 2007).
85 Consumer Fraud and Identity Theft Complaint Data, January – December 2005, Federal Trade Commission, 2006, page 3 – available at:
www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf (last visited: Nov. 2007).
86 Chawki/Abdel Wahab, Identity Theft in Cyberspace: Issues and Solutions, page 17, Lex Electronica, Vol. 11, No. 1,
2006 – available at: http://www.lex-electronicaarticles/v11-1/ chawki_abdel-wahab.pdf (last visited: Nov. 2007).
87 See: 2005 Identity Theft: Managing the Risk, Insight Consulting, page 2 – available at:
http://www.insight.co.uk/files/whitepape...paper).pdf (last visited: Nov. 2007).
3.2.4 Provisional result
The overview shows that in none of the three analysed areas do common principles
exist. The ways in which identity-related information is obtained vary. Email phishing
scams show that it is not even necessary for perpetrators to circumvent protection
mechanisms and then search for the information. Many highly successful phishing
scams are based on the disclosure of information by the victim. The types of data that
perpetrators aim for show a similar diversity. They range from information like the
Social Security Number, to the address of the victim that – without connection to other
data – has very little potential for causing great losses. Not even the motivation of the
perpetrators is consistent. While some perpetrators intend to use the data for their
own criminal activities, others are planning to sell the information or use it for acts
that are not covered by the traditional criminal law.
The only consistent element of the offences is again89 the fact that the condemned
behaviour is related to one or more of the following phases:
• Act of obtaining identity-related information;
• Act of possessing or transferring the identity-related information;
• Act of using the identity-related information for criminal purposes.
As pointed out before, this conclusion has a significant impact on the development of
legislative approaches in the fight against identity theft. Identifying a structure of the
underlying acts is an essential requirement for a single-provision based approach to
criminalise certain conduct. The fact that the majority of identity theft offences have
nothing more in common than the fact that they can be split in two phases makes it
difficult to address the offence with a single provision.